James Kettle - Exploiting CORS Misconfigurations for Bitcoins and Bounties - AppSecUSA 2016
Recorded at AppSecUSA 2016 in Washington, DC
https://2016.appsecusa.org/
Exploiting CORS Misconfigurations for Bitcoins and Bounties
Hear the story of how a specification’s innocent intentions toward security and simplicity mingled with Real World Code and ultimately spawned hosts of unfortunately exploitable systems.
Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It’s already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.
In between looking at websites with harmful misconfigurations that range from depressingly predictable to utterly unfathomable, I'll reflect on where the CORS specification and implementations collaborated to save developers from themselves, and where the good intentions didn't work out so well. From this, I’ll propose several potential solutions and mitigations aimed at specification authors, browser vendors, developers and pentesters with varying degrees of optimism.
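To make the "dangerous CORS configurations" the abstract refers to concrete, here is a small Python model added for this page (it is not code from the talk or from PortSwigger). It compares two weak server-side origin policies, Origin reflection and an unanchored regex, with a strict allowlist, and audits each against a few constructed probe origins (hostnames under `.example.com` and `.invalid` are hypothetical). The `Vary: Origin` header in the strict policy addresses the cache-poisoning angle the abstract mentions, since a per-origin response that is cached without it can be served to other origins.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist for this example (hypothetical hostnames).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}

def cors_reflect(origin):
    """Weak policy: echo whatever Origin the browser sent and allow credentials."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}

def cors_unanchored_regex(origin):
    """Weak policy: the regex has no end anchor, so 'example.com' may sit anywhere in the host."""
    if origin and re.search(r"https://.*example\.com", origin):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}

def cors_strict(origin):
    """Hardened policy: exact allowlist match, https only, 'null' rejected, Vary: Origin set."""
    if not origin or origin == "null" or urlsplit(origin).scheme != "https":
        return {}
    if origin not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}  # keeps shared caches from reusing this per-origin response

def browser_permits_credentialed_read(headers, origin):
    """Model of the browser check for a credentialed cross-origin response:
    the allow-origin value must equal the page origin exactly (no wildcard) and credentials must be allowed."""
    acao = headers.get("Access-Control-Allow-Origin")
    acac = headers.get("Access-Control-Allow-Credentials")
    return acao == origin and acac == "true"

# Constructed probe origins: a trusted one, a lookalike host, the sandbox/file 'null' origin, and plain http.
PROBES = ["https://app.example.com",
          "https://app.example.com.lookalike.invalid",
          "null",
          "http://app.example.com"]

def audit(policy):
    """Return the probe origins that the given policy lets read authenticated responses."""
    return [o for o in PROBES if browser_permits_credentialed_read(policy(o), o)]

if __name__ == "__main__":
    for policy in (cors_reflect, cors_unanchored_regex, cors_strict):
        print(policy.__name__, "->", audit(policy))
```

Running `audit` shows the reflecting policy trusting every probe (including `null` and the http downgrade), the unanchored regex trusting the lookalike host, and the strict policy trusting only the allowlisted origin.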
James Kettle
Head of Research, PortSwigger Web Security
James Kettle is head of research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on techniques to detect unknown classes of vulnerabilities, and the new Burp Collaborator system for identifying and exploiting asynchronous blind code injection.
-
Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP_Media_Project
Video: James Kettle - Exploiting CORS Misconfigurations for Bitcoins and Bounties - AppSecUSA 2016, from the OWASP Foundation channel