AppSec EU 2017 Exploiting CORS Misconfigurations For Bitcoins And Bounties by James Kettle

37,557 views

OWASP Foundation

1 day ago

Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It's already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.
-
Managed by the official OWASP Media Project www.owasp.org/index.php/OWASP...

COMMENTS: 28
@haythamkt5607 2 months ago
The more I watch this man’s videos the more I respect him.
@tayfun6378 4 years ago
I smiled when I heard James' voice! love you man!
@RyanDewhurst 7 years ago
Great presentation and information!
@pat049b 4 years ago
Amazing work!
@saurav2281 6 years ago
Very well explained.
@ar-uh1dj 4 years ago
Amazing presentation. Thumbs up
@nicoladellino8124 5 years ago
Nice video
@hackersguild8445 5 years ago
Great. :)
@syedumararfeen8146 6 years ago
Awesome
@yoshi5113 10 months ago
My favorite hacker
@smiley_1000 3 years ago
This all seems more like an issue with the browser being all too happy to share secrets between sites rather than an issue with the sites themselves.
@8ytan 9 months ago
The browser by default does not allow cross-origin requests; these are all examples of sites specifically telling browsers that cross-origin requests should be allowed. The ability to permit certain cross-origin requests is incredibly useful and without it most services on the internet would break.
@tuandane82 8 months ago
@8ytan Does the CORS exploit work against the Authorization header as well, or only pass the session cookie?
@8ytan 8 months ago
@tuandane82 In theory, if you're using an authorisation header containing an access token to authenticate, then misconfigured CORS isn't a huge concern, because attempts to exploit the weak CORS policy will lack a valid token and therefore fail. That said, it's still good practice to think about what origins, methods etc. will reasonably need to access your service and configure the CORS headers accordingly.
@shubham_srt 4 months ago
@tuandane82 As far as I know, yes, it works.
@shubham_srt 4 months ago
What if cookies are set to Lax but Access-Control-Allow-Credentials is being sent as true? As Lax does not allow cookies to be set in XHR requests, how will the cookies be sent?
@somebody3014 1 month ago
Wondering about the same thing, did you find the answer?
@shubham_srt 1 month ago
@somebody3014 Hey man, Lax settings are prioritised. Even if one condition is false, the cookies are not sent. So in my question the cookies will not be sent: even though Allow-Credentials is true, the cookies are Lax (one true condition and one false), so no cookies will be sent. Hope that clears the doubt.
@Shmancy_pants_69 3 years ago
Could someone please explain to me 'the null' in this context and what it means to not trust the null? Thank you.
@smiley_1000 3 years ago
Did you even watch the presentation?
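To make the two questions in this thread concrete (what a credentialed cross-origin request can read, and why the `null` origin must not be trusted), here is an added example that is not from the talk, the OWASP page, or any commenter. It models the server's CORS header decision as a pure function, shows the reflecting misconfiguration beside an exact-match allowlist, and applies the check a browser performs on the response before exposing it to the calling page. The names `corsHeadersReflecting`, `corsHeadersFor`, `browserExposesResponse`, `ALLOWED_ORIGINS` and the hosts under `.example` are all constructed for this illustration.

```javascript
// Constructed allowlist: only these exact origins may read authenticated responses.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://admin.example']);

// Weak policy seen in the wild: echo whatever Origin arrives and allow credentials.
// Every origin, including the opaque "null" origin, gets an authenticated read.
function corsHeadersReflecting(origin) {
  if (origin === undefined) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened policy: exact-match allowlist, "null" rejected, Vary: Origin always set.
function corsHeadersFor(origin) {
  // No Origin header: same-origin navigation or a non-browser client; emit nothing.
  if (origin === undefined) return {};
  // Vary: Origin on every cross-origin response so a shared cache never replays
  // one origin's Allow-Origin header to a request from a different origin.
  const base = { Vary: 'Origin' };
  // "null" is the opaque origin (sandboxed iframes, file:// pages, some redirects).
  // Any page can produce it, so it must never be allowlisted.
  if (origin === 'null') return base;
  // Exact string comparison only: no prefix, suffix or regex matching, which is
  // how a host such as app.example.attacker.example would otherwise slip through.
  if (!ALLOWED_ORIGINS.has(origin)) return base;
  return {
    ...base,
    'Access-Control-Allow-Origin': origin,
    // Credentials are permitted only because the origin matched exactly.
    'Access-Control-Allow-Credentials': 'true',
  };
}

// The response-side check a browser applies before handing the body to the page.
// withCredentials is the fetch/XHR flag; whether a cookie was actually attached is
// decided separately by SameSite and is not modelled here.
function browserExposesResponse(requestOrigin, withCredentials, responseHeaders) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  const acac = responseHeaders['Access-Control-Allow-Credentials'];
  if (acao === undefined) return false;
  if (withCredentials) {
    // Wildcard is never accepted for credentialed requests: the origin must
    // match exactly and Allow-Credentials must be literally "true".
    return acao === requestOrigin && acac === 'true';
  }
  return acao === '*' || acao === requestOrigin;
}

// Walk a few constructed origins through both policies and report the outcome.
function demo() {
  const origins = ['https://app.example', 'https://attacker.example', 'null'];
  return origins.map((o) => ({
    origin: o,
    reflecting: browserExposesResponse(o, true, corsHeadersReflecting(o)),
    hardened: browserExposesResponse(o, true, corsHeadersFor(o)),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

The reflecting policy exposes the authenticated response to every origin in the demo, including `null`; the hardened one exposes it only to `https://app.example`. Note that `Access-Control-Allow-Credentials: true` is only ever emitted next to an exactly matched origin, never with `*`, because browsers reject that combination anyway and a reviewer should treat it as a sign the policy was not thought through.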
@hirapirika7456 6 years ago
WILL BITCOIN GET ATTACKED?? IN FUTURE OR EXPLOITS?
@jattboe8617 4 years ago
21:47
@pranjalruhela1103 10 months ago
Zomato didn't reply because they are an Indian company.
@shubham_srt 4 months ago
They have always replied to me within hours! Surprised to see James getting ghosted, kinda weird, but it was 2017, maybe stuff was different back then.