Friday, October 14 • 2:15pm - 3:15pm
Misconfigured CORS and why web application security is not getting easier.


Web Application Security is actually really hard to enter into the "big-leagues" with a mature security program like Facebook, Google, and the like. These orgs are very mature and oftentimes roll out the newest, latest, greatest security features.

Part of entering into the big leagues usually requires the implementation of advanced browser security features and HTTP response headers.

I want to tell a personal story about finding a massive vulnerability in about 1000 out of the Alexa top 1 million sites that caused sites to basically turn off SAMEORIGIN policy.
- How I thought to try my exploit
- Who was vulnerable
- Details of the exploit

I want to talk about the difficulty of understanding the details of the CORS headers that caused the issue. Lots of things to understand.

I want to then talk about individual security technologies and the operational issues associated with them.
- CSP
- HPKP
- HSTS
- SRI
- CORS etc etc etc.

There are a lot of operational issues to cover.

Finally I want to make a plea to stick to the basics before you try to roll these things out. Most sites don't get any utility from these features and they only cause problems.

Speakers
Evan Johnson

Security Systems Engineer, CloudFlare
I'm Evan Johnson. I work at CloudFlare and previously worked at LastPass. I developed a password manager in my spare time called passgo, https://github.com/ejcx/passgo. On twitter he is @ejcx_


Friday October 14, 2016 2:15pm - 3:15pm
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001