AppSec USA 2016 has ended
Friday, October 14 • 10:45am - 11:45am
Exploiting CORS Misconfigurations for Bitcoins and Bounties

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Hear the story of how a specification’s innocent intentions toward security and simplicity mingled with Real World Code and ultimately spawned hosts of unfortunately exploitable systems.

Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It’s already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.

In between looking at websites with harmful misconfigurations that range from depressingly predictable to utterly unfathomable, I'll reflect on where the CORS specification and implementations collaborated to save developers from themselves, and where the good intentions didn't work out so well. From this, I’ll propose several potential solutions and mitigations aimed at specification authors, browser vendors, developers and pentesters with varying degrees of optimism.

avatar for James Kettle

James Kettle

Director of Research, PortSwigger Web Security
James Kettle is Director of Research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on using web cache poisoning to turn caches into exploit delivery systems. James has extensive experience... Read More →

Friday October 14, 2016 10:45am - 11:45am EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001