A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Of CORS it's Exploitable! What's Possible with Cross-Origin Resource Sharing? - Rebecca Deck (Circle City Con 2019 Videos) (Hacking Illustrated Series InfoSec Tutorial Videos)

Of CORS it's Exploitable! What's Possible with Cross-Origin Resource Sharing?
Rebecca Deck

@ranger_cha
Circle City Con 2019

Cross-origin resource sharing (CORS) is extremely common on modern web apps, but scanning tools are terrible at analyzing CORS policy. If testers really understand CORS policy, a damaging exploit is often not far away. Is it possible to force a user to do something significant? Does using a GUID offer any protection? Does the authentication mechanism really protect against cross-origin attacks? Is it really risky to allow all origins? Do pre-flight requests always help? CORS requests get tricky very quickly and scanning tools do not have a good understanding of the intricacies that surface during actual application testing. A quick and dirty JavaScript exploit will put the issue to rest and eliminate hours of theoretical debate. This presentation covers how CORS works and how to find misconfigurations. Dozens of actual applications are distilled into examples demonstrate CORS protections and JavaScript code to bypass them. A basic knowledge of CORS and JavaScript will be helpful to understand the exploit code, but no special background is necessary to grasp the basics of CORS configuration.

Rebecca Deck is a senior application security consultant for DirectDefense where she performs security testing on web, mobile, and client-side applications. Rebecca previously worked as a security engineer, incident responder, software developer, and soldier. Rebecca's current work focuses on identifying software vulnerabilities, writing exploits, improving application testing methodologies, and better integrating software security in the software development life cycle.

Back to Circle City Con 2019 Videos list

15 most recent posts on Irongeek.com:


    If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

    Copyright 2019, IronGeek
    Louisville / Kentuckiana Information Security Enthusiast