Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Exploiting CORS Misconfigurations for Bitcoins and Bounties - AppSec EU 2017

OWASP Foundation via YouTube

Overview

Explore the intricacies of Cross-Origin Resource Sharing (CORS) misconfigurations and their potential for exploitation in this 37-minute conference talk from AppSec EU 2017. Delve into under-appreciated subtleties within the CORS specification, illustrated through real-world attacks on websites. Learn how these vulnerabilities could be leveraged to steal bitcoins from exchanges, partially bypass Google's HTTPS implementation, and obtain API keys from various sources. Discover how CORS misconfigurations can be pivotal in crafting exploit chains across protocols, exploiting seemingly unexploitable vulnerabilities through cache poisoning, and escalating open redirects into notable security issues. Gain insights into core concepts, wildcards, origin reflection, and various attack vectors, while also exploring lessons for pentesters, developers, and browser manufacturers. Conclude with key takeaways and resources for further reading on this critical web security topic.

Syllabus

Intro
A MORAL STORY
OVERVIEW
CORE CONCEPT
WILDCARDS
SOLUTION
ORIGIN REFLECTION
STARTSWITH
ENDSWITH
NULL ORIGIN
exHTTPS
SUBDOMAINS
TUNNELLING
CACHE POISONING: CLIENT-SIDE
CACHE POISONING: SERVER-SIDE
PENTESTER LESSONS
SPEC LESSONS
BROWSER LESSONS • Multiple origins
DEVELOPER LESSONS
TAKE-AWAYS
FURTHER READING

Taught by

OWASP Foundation

Reviews

Start your review of Exploiting CORS Misconfigurations for Bitcoins and Bounties - AppSec EU 2017

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.