JavaScript Login Check

22 Dec 2006

Jeremiah discovered a creative technique for testing to see whether someone is logged in on a particular site. The approach is pretty simple - when you browse a web site, each page is often different depending upon whether you're currently logged in. This may not be the case for every page on the target site, but it's pretty easy to find at least one page where it is. This distinction is the basis of the technique.

Using <script src="">, you can cause a victim's browser to load a page and treat it as JavaScript. If the page isn't really JavaScript, an error is generated. If the page is different depending upon whether the victim is logged in, the error is also different. Pretty simple, right?

Here's an example:

  <script src="http://amazon.com/"></script>

If you load a page with this <script> tag, you'll see an error in the error console:

The first error is generated when I am logged in. The second is generated when I'm not. Although only the line numbers differ, that's enough to distinguish between the two.

This could be a nice technique to use in combination with CSRF, because an attacker could test whether the victim is currently logged in on a particular site before trying to forge any requests. (It also gives the attacker better statistics for the attack's success rate.)

Try it out for yourself, and be sure to view the source to see how it works. It's easy to add more tests. Here's the one for Amazon:

  'http://amazon.com/': {
      'name': 'Amazon',
      'login_msg': 'missing } in XML expression',
      'login_line': '114',
      'logout_msg': 'missing } in XML expression',
      'logout_line': '113',
  }
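Looking at the same trick from the defending site's side, here is an added example (my own code, not part of the original post) that audits a captured HTTP response for the two properties that shut this down: an X-Content-Type-Options: nosniff header, so the browser refuses to run a non-script MIME type as script, and a SameSite attribute on the session cookie, so the cookie is not attached to cross-site <script src> requests in the first place. Both mechanisms postdate this 2006 post, and the response headers in the block are constructed samples, not real Amazon responses.

```javascript
// Added example, not code from the original post: a defender-side audit of the
// response properties that defeat cross-site <script src> inclusion of an HTML page.

const SCRIPT_MIME = /^(text|application)\/(x-)?(java|ecma)script\b/i;

// Case-insensitive header lookup; returns '' when the header is absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key ? String(headers[key]) : '';
}

// Returns a list of findings for one response; an empty list means hardened.
function auditResponse(resp) {
  const findings = [];
  const contentType = header(resp.headers, 'content-type');
  const nosniff = header(resp.headers, 'x-content-type-options').trim().toLowerCase() === 'nosniff';

  // Without nosniff, an HTML page pulled in via <script src> is still handed to the
  // JS parser, and the syntax error (message and line) reveals which variant came back.
  if (!nosniff) findings.push('missing X-Content-Type-Options: nosniff');
  if (!contentType) findings.push('missing Content-Type');
  else if (SCRIPT_MIME.test(contentType)) findings.push('served with a script MIME type');

  // A session cookie without SameSite rides along on cross-site <script src>
  // requests, which is what makes the logged-in and logged-out pages differ.
  for (const cookie of resp.setCookies) {
    const name = cookie.split('=')[0].trim();
    const attrs = cookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
    const sameSite = attrs.find((a) => a.startsWith('samesite='));
    if (!sameSite || sameSite === 'samesite=none') {
      findings.push('cookie ' + name + ' is sent on cross-site requests');
    }
  }
  return findings;
}

// Constructed sample responses (not real Amazon headers) for a login-dependent page.
const WEAK = {
  headers: { 'Content-Type': 'text/html; charset=utf-8' },
  setCookies: ['session-id=abc123; Path=/; Secure; HttpOnly'],
};
const HARDENED = {
  headers: { 'Content-Type': 'text/html; charset=utf-8', 'X-Content-Type-Options': 'nosniff' },
  setCookies: ['session-id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax'],
};

console.log('weak:', auditResponse(WEAK));
console.log('hardened:', auditResponse(HARDENED));
```

Any finding on a page whose content depends on login state means the page is still usable as a login oracle.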

By the way, Zreel Puevfgznf!