2024-08-31, Track 1
CORS misconfigurations are one of the most widely misunderstood topics in web application testing, largely because of the common misconceptions that surround them. This talk will arm aspiring web app testers with the knowledge to identify and exploit CORS issues end-to-end, and with the key mitigating controls to consider.
Cross-Origin Resource Sharing (CORS) misconfigurations are perhaps one of the most widely misunderstood and over-reported web application vulnerabilities. They have received relatively little research compared to other client-side vulnerabilities, such as their cousins CSRF and XSS, and much of the available information is scattered and either inaccurate, incomplete, or outdated. This talk seeks to address these issues.
This talk will explore the fundamentals of what CORS is, the Same Origin Policy, how they work, and the issues that can arise due to misconfigured CORS policies on web applications. It will then explain the techniques that can be used to identify CORS misconfigurations and how they can be exploited in different scenarios to retrieve sensitive data from areas of an example simple web application, which would normally require a user to authenticate. The examples will be both positive (successful) and negative (unsuccessful) attempts to identify and exploit CORS misconfigurations, relating these to realistic examples of how they can be inaccurately identified and reported.
It also explains how mitigating controls, such as the HTTPOnly, Secure, and SameSite cookie attributes, can affect how CORS issues are tested for and how end-to-end exploitation paths play out, as well as the potential future impact of changes to how modern web browsers treat third-party cookies. The talk will also reference practice labs that, at the time of the talk, are expected to be publicly released by the speaker, to support the aspiring web application tester in this topic and fill common knowledge gaps in one place. It will conclude with the blue team's side of the fence: what to take into account when writing CORS configurations so that these issues are avoided entirely, and the key controls to implement.
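As an added illustration (not code from the talk or the speaker's labs), the following Python shows the two CORS handling patterns that produce the misconfigurations the talk refers to, alongside the exact-match allowlist check a defender would write instead; the allowed origins are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration; not from the talk.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def naive_cors_headers(origin):
    """Misconfiguration pattern 1: the request's Origin header is reflected
    verbatim and credentials are allowed, so any origin (including 'null')
    can read authenticated responses, subject to cookie attributes."""
    if not origin:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def suffix_cors_headers(origin):
    """Misconfiguration pattern 2: a substring/suffix check on the domain,
    which also accepts look-alike hosts such as evil-example.com."""
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def strict_cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Defender's check: exact match of scheme://host[:port] against an
    allowlist, 'null' and malformed origins refused, and Vary: Origin set
    so shared caches never serve one origin's headers to another."""
    if not origin or origin == "null":
        return {}
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path != "":
        return {}
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in allowed:
        return {}
    return {"Access-Control-Allow-Origin": normalized,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}
```

Running the three functions against the same probe origins (an unrelated site, `null`, and `https://evil-example.com`) shows which patterns a tester would flag and why only the allowlist version rejects all of them.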
Cory is a senior penetration tester at KPMG. He has worked across the trade in testing infrastructure, web, desktop, and mobile applications, and cloud environments. He primarily focuses on the Defence & National Security space, but has worked with a range of clients in industries from banking to health & care, CNI, and NGOs. He became a penetration tester after reading War Studies at King's College London, during which he exchanged at Yonsei University, South Korea, where a budding love of all things tech began.
Having come from a non-traditional subject, he seeks to support the entry of individuals from non-traditional backgrounds into the trade, the sharing of new techniques, and the professionalisation of the trade as a whole. Outside of the pentesting world, he volunteers as a school governor, does some sound design, and has developed a passion for teaching generally. He does most things armed with several mugs of coffee.