AppSec USA 2016 has ended
Back To Schedule
Friday, October 14 • 2:15pm - 3:15pm
Misconfigured CORS and why web application security is not getting easier.

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Web Application Security is actually really hard to enter into the "big-leagues" with a mature security program like facebook, google, and the like. These orgs are very mature and oftentimes roll out the newest, lastest, greatest security features.

Part of entering in to the big leagues usually requires the implementation of advanced browser security features and HTTP Response headers.

I want to tell a personal story about finding a massive vulnerability in about 1000 out of the Alexa top 1million sites that caused sites to basically turn off SAMEORIGIN policy. 
- How I thought to try my exploit
- Who was vulnerable
- Details of the exploit

I want to talk about the difficultly understanding the details of the CORS headers that caused the issue. Lots of things to understand.

I want to then talk about individual security technologies and their operational issues associated with them.
- CORS etc etc etc.

There's a lot of operational issues to cover.

Finally I want to make a plea to stick to the basics before you try to roll these things out. Most sites don't get any utility from these features and they only cause problems.

avatar for Evan Johnson

Evan Johnson

Security, Cloudflare
An engineer at heart, Evan works at Cloudflare with all of the software engineering teams on the systems and products they are building. the first security engineer hired at Cloudflare, and also worked at LastPass as a software engineer, and was the first security hire at Segment... Read More →

Friday October 14, 2016 2:15pm - 3:15pm EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001