LegacyCollector


clearHTTPStatus

Author(s):



Malicious sites can automatically and silently determine whether you are logged into a particular site of interest to the attacker. They send cross-site requests and use the HTTP status code in the response to identify whether the user is logged into the victim site or not.
For example, an HTML SCRIPT tag fires the "onload" event if the HTTP response from the victim server contains a 200 HTTP status code, and fires the "onerror" event if the HTTP response from the victim server contains one of the 403, 404, 406 or 500 HTTP status codes.

This attack was discovered by Mike Cardwell.
https://grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information
The link above provides a good explanation of HTTP status code abuse, with examples.
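
An added example, not part of the original description or the extension's code: a small Node.js audit a site owner could run over status codes recorded for their own endpoints, flagging those where logged-in and logged-out responses would fire different SCRIPT tag events. The URLs, statuses and function names are constructed for illustration; only the status-to-event mapping comes from the description above.

```javascript
// Status-to-event mapping exactly as stated in the description:
// 200 -> "onload"; 403, 404, 406, 500 -> "onerror".
// Any other status is not covered by the description and is treated as "unknown".
const ONLOAD_STATUSES = new Set([200]);
const ONERROR_STATUSES = new Set([403, 404, 406, 500]);

function scriptTagEvent(status) {
  if (ONLOAD_STATUSES.has(status)) return "onload";
  if (ONERROR_STATUSES.has(status)) return "onerror";
  return "unknown";
}

// obs: { url, anonStatus, authStatus } recorded by the site owner for the same
// URL, once without a session and once with a logged-in session.
function classifyEndpoint(obs) {
  const anonEvent = scriptTagEvent(obs.anonStatus);
  const authEvent = scriptTagEvent(obs.authStatus);
  let verdict;
  if (anonEvent === "unknown" || authEvent === "unknown") {
    // Identical statuses cannot differ in event; otherwise a human must check.
    verdict = obs.anonStatus === obs.authStatus ? "same-event" : "review";
  } else {
    // Different statuses that fire the same event (e.g. 403 vs 404) are not
    // distinguishable through this particular signal.
    verdict = anonEvent === authEvent ? "same-event" : "leaks-login-state";
  }
  return { url: obs.url, anonEvent, authEvent, verdict };
}

// Return only the endpoints that need attention.
function auditEndpoints(observations) {
  return observations.map(classifyEndpoint).filter((r) => r.verdict !== "same-event");
}

// Constructed sample observations (hypothetical host and paths).
const SAMPLE = [
  { url: "https://app.example.test/account/settings", anonStatus: 403, authStatus: 200 },
  { url: "https://app.example.test/static/logo.png", anonStatus: 200, authStatus: 200 },
  { url: "https://app.example.test/admin/report", anonStatus: 404, authStatus: 403 },
  { url: "https://app.example.test/inbox", anonStatus: 302, authStatus: 200 },
];

for (const r of auditEndpoints(SAMPLE)) {
  console.log(`${r.verdict}: ${r.url} (anon=${r.anonEvent}, auth=${r.authEvent})`);
}
```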

The sole aim of this extension is to prevent HTTP status code abuse and protect user privacy. The extension works in the background and does its job. It doesn't need any user interaction.

Download files:

clearhttpstatus-1.0.1-signed.1-signed-linux.xpi
clearhttpstatus-1.0.1-signed.1-signed-windows.xpi
clearhttpstatus-1.2.1-signed.1-signed.xpi
clearhttpstatus-1.3.1-signed.1-signed.xpi
clearhttpstatus-1.4.1-signed.1-signed.xpi
clearhttpstatus-1.4.1.1-signed.1-signed.xpi




This page is part of the LegacyCollector website.
Disclaimer: All material on this site is property of their respective owners and available under
open licenses to the best of our knowledge. If you are an author and would like anything removed,
then please write an e-mail to legacy [at] collector dot org.