Exploiting CORS Misconfigurations for Bitcoins and Bounties - AppSec EU 2017

Explore the intricacies of Cross-Origin Resource Sharing (CORS) misconfigurations and their potential for exploitation in this 37-minute conference talk from AppSec EU 2017. Delve into under-appreciated subtleties within the CORS specification, illustrated through real-world attacks on websites. Learn how these vulnerabilities could be leveraged to steal bitcoins from exchanges, partially bypass Google's HTTPS implementation, and obtain API keys from various sources. Discover how CORS misconfigurations can be pivotal in crafting exploit chains across protocols, exploiting seemingly unexploitable vulnerabilities through cache poisoning, and escalating open redirects into notable security issues. Gain insights into core concepts, wildcards, origin reflection, and various attack vectors, while also exploring lessons for pentesters, developers, and browser manufacturers. Conclude with key takeaways and resources for further reading on this critical web security topic.