Re: Abusing HTTP status codes to deanonymize web users

From: Ahmed Elsobky <mreagle0x@gmail.com>
Date: Fri, 8 May 2015 16:00:28 +0200
Message-ID: <CAHj2gmNiHW942FyOgk5NfPQBBEK0-pRkLMOSFxCfmbo1rAfnng@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: WebAppSec WG <public-webappsec@w3.org>

2015-05-08 7:13 GMT+02:00 Anne van Kesteren <annevk@annevk.nl>:

> >Do you have a test case showing that <script> fires an error event
> >consistently for 4xx or 5xx status codes? I thought it would always
> >try to parse the result as a script and execute it

Sure, here is a test case for 500+ status codes:
<script src="http://apps.testinsane.com/rte/status/500/0" onerror="alert('fires onerror')"></script>

And this is a 4xx example:
<script src="http://apps.testinsane.com/rte/status/403/0" onerror="alert('fires onerror')"></script>

It's also worth noting that this has implications other than user
deanonymization and login detection.
Received on Friday, 8 May 2015 14:00:59 UTC
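
A server-side mitigation for the status-code signal shown in the test cases above, as an added example that is not part of the original message: answer every cross-site embed of a non-public resource with one fixed status, so the error event fires the same way whatever the session state. It assumes the browser sends the Fetch Metadata request headers (Sec-Fetch-Site, Sec-Fetch-Dest); the function names, paths and the 404 choice are hypothetical.

```javascript
// Added example, not code from the thread. Names and paths are hypothetical.
// Header keys are lowercase, as in Node's req.headers.

const UNIFORM_STATUS = 404; // same answer for every blocked cross-site embed

// Request destinations a foreign page can load without CORS and then
// observe through load/error events.
const EMBED_DESTS = new Set([
  "script", "image", "style", "audio", "video", "object", "embed", "track",
]);

// Resources that are meant to be embedded by other sites (constructed list).
const PUBLIC_PATHS = new Set(["/widget.js"]);

function isCrossSiteEmbed(headers) {
  const site = headers["sec-fetch-site"];
  // Header absent: the browser sent no Fetch Metadata, so there is no signal.
  // This policy fails open here; a stricter one could block instead.
  if (site === undefined) return false;
  if (site !== "cross-site") return false; // same-origin, same-site, none
  return EMBED_DESTS.has(headers["sec-fetch-dest"]);
}

// realStatus is what the application would answer (200 when logged in,
// 403 when not, 500 on error). Blocked cross-site embeds never see it.
function statusToSend(headers, path, realStatus) {
  if (PUBLIC_PATHS.has(path)) return realStatus;
  return isCrossSiteEmbed(headers) ? UNIFORM_STATUS : realStatus;
}

// Constructed requests: the same cross-site <script> load in two session states.
const probe = { "sec-fetch-site": "cross-site", "sec-fetch-dest": "script" };
const sameOrigin = { "sec-fetch-site": "same-origin", "sec-fetch-dest": "script" };

function demo() {
  return {
    probeLoggedIn: statusToSend(probe, "/account/data.js", 200),
    probeLoggedOut: statusToSend(probe, "/account/data.js", 403),
    ownPageLoggedOut: statusToSend(sameOrigin, "/account/data.js", 403),
    publicWidget: statusToSend(probe, "/widget.js", 200),
  };
}

console.log(demo());
```

The response body and headers should be equally uniform, since size and timing can differ between session states just as the status code does.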