Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cure53/HTTPLeaks
HTTPLeaks - All possible ways, a website can leak HTTP requests
https://github.com/cure53/HTTPLeaks
Last synced: 2 months ago
JSON representation
HTTPLeaks - All possible ways, a website can leak HTTP requests
- Host: GitHub
- URL: https://github.com/cure53/HTTPLeaks
- Owner: cure53
- License: bsd-2-clause
- Created: 2015-04-17T14:48:15.000Z (over 9 years ago)
- Default Branch: main
- Last Pushed: 2024-09-19T12:59:43.000Z (4 months ago)
- Last Synced: 2024-10-14T10:58:36.569Z (3 months ago)
- Language: HTML
- Homepage:
- Size: 94.7 KB
- Stars: 1,976
- Watchers: 89
- Forks: 202
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- project-awesome - cure53/HTTPLeaks - HTTPLeaks - All possible ways, a website can leak HTTP requests (HTML)
- awesome-hacking-lists - cure53/HTTPLeaks - HTTPLeaks - All possible ways, a website can leak HTTP requests (HTML)
README
# HTTPLeaks
## What is this?
This project aims to enumerate all possible ways, a website can leak HTTP requests.
In one single HTML file. See the file `leak.html` ([raw text version](https://raw.githubusercontent.com/cure53/HTTPLeaks/main/leak.html)) in the root of this repository.## What is it for?
You can use this to test your browser for *CSP leaks*, your web-mailer for *HTTP leaks* and everything else that is *not* supposed to send HTTP requests to where the sun won't shine.
With "HTTP Leak", we are essentially referring to a situation, where a certain combination of HTML elements and attributes cause a request to an external resource to be fired - when it should not. Think, for example, of the body of an HTML mail where a HTTP Leak would tell someone out there that you just read that mail. Not always bad - but almost never good.
Or think about web proxies. Those tools try to show you a website from a different domain to offer what they call "anonymity". Of course they have to also rewrite all HTML elements and attributes that fetch resources via HTTP (or alike) and if they forget something, the so called "anonymity" is gone.
And, since no one really knows anymore what elements and attributes can request external resources, we decided to create this project to keep track on that.
## And now?
The HTML will be extended as soon as we learn about a new leak, pull requests with additional exotic sources for HTTP leaks are very welcome! Further welcome are ideas of how else this content could be presented (JSON, HTML, XML, ...).
## Acknowledgements
Thanks [@hasegawayosuke](https://twitter.com/hasegawayosuke), [@masa141421356](https://twitter.com/masa141421356), [@mramydnei](https://twitter.com/mramydnei), [@avlidienbrunn ](https://twitter.com/avlidienbrunn ), [@orenhafif](https://twitter.com/orenhafif), [@freddyb](https://twitter.com/freddyb), [@tehjh](https://twitter.com/tehjh), [@webtonull](https://twitter.com/webtonull), @intchloe, @Boldewyn and many others for adding content and smaller fixes here and there!