Misconfigured CORS and why web appsec is not getting easier
Evan Johnson at AppSec USA 2016
Web Application Security is actually really hard to enter into the "big-leagues" with a mature security program like facebook, google, and the like. These orgs are very mature and oftentimes roll out the newest, lastest, greatest security features.
Part of entering in to the big leagues usually requires the implementation of advanced browser security features and HTTP Response headers.
I want to tell a personal story about finding a massive vulnerability in about 1000 out of the Alexa top 1million sites that caused sites to basically turn off SAMEORIGIN policy.
- How I thought to try my exploit
- Who was vulnerable
- Details of the exploit
I want to talk about the difficultly understanding the details of the CORS headers that caused the issue. Lots of things to understand.
I want to then talk about individual security technologies and their operational issues associated with them.
- CSP
- HPKP
- HSTS
- SRI
- CORS etc etc etc.
There's a lot of operational issues to cover.
Finally I want to make a plea to stick to the basics before you try to roll these things out. Most sites don't get any utility from these features and they only cause problems.
Evan Johnson
Security Systems Engineer, CloudFlare
I'm Evan Johnson. I work at CloudFlare and previously worked at LastPass. I developed a password manager in my spare time called passgo, https://github.com/ejcx/passgo. On twitter he is @ejcx_
Part of entering in to the big leagues usually requires the implementation of advanced browser security features and HTTP Response headers.
I want to tell a personal story about finding a massive vulnerability in about 1000 out of the Alexa top 1million sites that caused sites to basically turn off SAMEORIGIN policy.
- How I thought to try my exploit
- Who was vulnerable
- Details of the exploit
I want to talk about the difficultly understanding the details of the CORS headers that caused the issue. Lots of things to understand.
I want to then talk about individual security technologies and their operational issues associated with them.
- CSP
- HPKP
- HSTS
- SRI
- CORS etc etc etc.
There's a lot of operational issues to cover.
Finally I want to make a plea to stick to the basics before you try to roll these things out. Most sites don't get any utility from these features and they only cause problems.
Evan Johnson
Security Systems Engineer, CloudFlare
I'm Evan Johnson. I work at CloudFlare and previously worked at LastPass. I developed a password manager in my spare time called passgo, https://github.com/ejcx/passgo. On twitter he is @ejcx_