Cross-Origin Resource Sharing (CORS) is a complex and commonly misunderstood concept that is often implemented wrong for the right reasons. In this talk we will explain the Same-Origin Policy (SOP) and CORS in an easy to understand way. We will then discuss poor implementations of CORS and the resulting issues. We'll continue by releasing research done on a number of development frameworks exposing poorly designed CORS libraries that default to the most dangerous behavior. We'll then demonstrate why all of this matters by conducting a distributed attack against the most common CORS configuration using audience participation and a new tool. Finally, we'll discuss the safest ways to implement CORS. The custom tools used during the talk will be released along with the presentation.

Tim Tomes is an Application Security Professional with over a decade of experience in the information security industry. From software development to full-scope penetration testing, Tim has worked in multiple disciplines as both a manager and technician for the United States Military and private industry. Kevin Cody is a Principal Application Security Consultant with experience working at several Fortune 500 enterprises. Although his particular expertise is geared toward hacking Web and Mobile applications, he is also experienced in the entire gamut from mainframes to embedded systems.

@lanmaster53, @kevcody

Back to Derbycon 2019 video list