Riyaz Walikar discusses the Same Origin Policy (SOP) and Cross Origin Resource Sharing (CORS). SOP restricts how scripts from one origin can interact with resources from other origins for security. CORS allows relaxing SOP for legitimate cross-origin requests by using special HTTP headers. However, CORS implementations must be careful to avoid security issues like universal permissive policies, misplaced trust, CORS-based CSRF attacks, and caching or origin spoofing vulnerabilities.
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the resource originated.
A web page may freely embed images, stylesheets, scripts, iframes, videos and some plugin content (such as Adobe Flash) from any other domain. However embedded web fonts and AJAX (XMLHttpRequest) requests have
traditionally been limited to accessing the same domain as the parent web page (as per the same-origin security policy). "Cross-domain" AJAX requests are forbidden by default because of their ability to perform
advanced requests (POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers) that introduce many cross-site scripting security issues.
CORS defines a way in which a browser and server can interact to determine safely whether or not to allow the cross-origin request. It allows for more freedom and functionality than purely
same-origin requests, but is more secure than simply allowing all cross-origin requests. It is a recommended standard of the W3C.
The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the resource originated.
A web page may freely embed images, stylesheets, scripts, iframes, videos and some plugin content (such as Adobe Flash) from any other domain. However embedded web fonts and AJAX (XMLHttpRequest) requests have
traditionally been limited to accessing the same domain as the parent web page (as per the same-origin security policy). "Cross-domain" AJAX requests are forbidden by default because of their ability to perform
advanced requests (POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers) that introduce many cross-site scripting security issues.
CORS defines a way in which a browser and server can interact to determine safely whether or not to allow the cross-origin request. It allows for more freedom and functionality than purely
same-origin requests, but is more secure than simply allowing all cross-origin requests. It is a recommended standard of the W3C.
The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
Key Points
What is Cross Site Request Forgery (CSRF)?
How Attack Can Happen?
Damages caused by CSRF?
Mitigations
What is Cross Site Request Forgery (CSRF)?
CSRF is an attack in which attacker forges the request as a trusted user. The request is essentially made to send unintended data to the site. A vulnerable web application assumes that the data is coming from a trusted user.
The root cause is – request coming from browser is trusted by server blindly, if CSRF protection is not implemented.
This “blind trust” lets attacker create a forged request, and make the victim perform that request.
How Attack Can Happen?
Attacker knows about target application, on which the attack is to be performed
Attacker forges request and sends it to victim who may be logged into the website by embedding that forged request into a hyperlink
Victim clicks on it, and unknowingly sends malicious request to website
Website accepts it and processes it. Thus the attacker is successful in performing the attack.
Damages caused by CSRF?
In Net-banking attacker can forge the request and send it to victim to steal money from Victim’s account
Personal health information can be stolen or modified in a hospital database
Attacker force victim to perform unwanted action which affect their profile
Mitigation Techniques
Can be mitigate by two ways
CSRF token (a cookie which is introduced in each form and validated by web app)
Captcha (implemented to ensure that the request is being performed by a human interaction)
This Express Js tutorial will walk you through what express js is, what we can do with it, features of express js and companies that are hiring express js developers. Express Js is a Node Js framework which helps to write the API’s very efficiently. It’s a awesome framework of node js which is helping Backend development so much and it provides wide set of features to develop both web and mobile applications it is used to build single page, multipage and hybrid web applications.
Web application security is the process of securing confidential data stored online from unauthorized access and modification. This is accomplished by enforcing stringent policy measures.
A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email or IM, or malware attachments or on servers that access the Web.
Cross site calls with javascript - the right way with CORSMichael Neale
Using CORS (cross origin resource sharing) you can easily and securely to cross site scripting in webapps - less servers and more integration from apis right in the browser
This was presented during Web Directions South, 2013, Sydney, Australia.
If you had to rank the best and worst moments of your JavaScript life, you’d probably rank reading “The Good Parts” up towards the top, and deep down at the bottom of the list would be the day that you found out that you couldn’t make cross-domain requests in the browser. This talk covers the hacks, tips, and tricks to leave the Same Origin Policy in the dust. So grab a cookie, pad your JSON, and learn how to communicate properly.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
Key Points
What is Cross Site Request Forgery (CSRF)?
How Attack Can Happen?
Damages caused by CSRF?
Mitigations
What is Cross Site Request Forgery (CSRF)?
CSRF is an attack in which attacker forges the request as a trusted user. The request is essentially made to send unintended data to the site. A vulnerable web application assumes that the data is coming from a trusted user.
The root cause is – request coming from browser is trusted by server blindly, if CSRF protection is not implemented.
This “blind trust” lets attacker create a forged request, and make the victim perform that request.
How Attack Can Happen?
Attacker knows about target application, on which the attack is to be performed
Attacker forges request and sends it to victim who may be logged into the website by embedding that forged request into a hyperlink
Victim clicks on it, and unknowingly sends malicious request to website
Website accepts it and processes it. Thus the attacker is successful in performing the attack.
Damages caused by CSRF?
In Net-banking attacker can forge the request and send it to victim to steal money from Victim’s account
Personal health information can be stolen or modified in a hospital database
Attacker force victim to perform unwanted action which affect their profile
Mitigation Techniques
Can be mitigate by two ways
CSRF token (a cookie which is introduced in each form and validated by web app)
Captcha (implemented to ensure that the request is being performed by a human interaction)
This Express Js tutorial will walk you through what express js is, what we can do with it, features of express js and companies that are hiring express js developers. Express Js is a Node Js framework which helps to write the API’s very efficiently. It’s a awesome framework of node js which is helping Backend development so much and it provides wide set of features to develop both web and mobile applications it is used to build single page, multipage and hybrid web applications.
Web application security is the process of securing confidential data stored online from unauthorized access and modification. This is accomplished by enforcing stringent policy measures.
A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email or IM, or malware attachments or on servers that access the Web.
Cross site calls with javascript - the right way with CORSMichael Neale
Using CORS (cross origin resource sharing) you can easily and securely to cross site scripting in webapps - less servers and more integration from apis right in the browser
This was presented during Web Directions South, 2013, Sydney, Australia.
If you had to rank the best and worst moments of your JavaScript life, you’d probably rank reading “The Good Parts” up towards the top, and deep down at the bottom of the list would be the day that you found out that you couldn’t make cross-domain requests in the browser. This talk covers the hacks, tips, and tricks to leave the Same Origin Policy in the dust. So grab a cookie, pad your JSON, and learn how to communicate properly.
BugRaptors perform Cookie testing to ensure the security of the website and application to be tested. Cookies are small information stored in text file on user’s hard drive by web server. BugRaptors perform cookie manipulation using various techniques.
Presented by Andrej Gasteovski at SkopjeTechMeetup 8.
Building a modern web (or mobile) application requires a lot of tools, frameworks and techniques. Java Hipster a.k.a. JHipster is a free and open-source Yeoman generator that can develop a modern web application using Spring Boot and AngularJS with tons of options in just a few clicks. We will see the full stack that JHipster is using, what can be done, pros and cons and a simple application generated by JHipster.
This talk is about how to secure your front-end + backend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications (where the HTTP session is used), when your front-end application is running on a browser and not securely from the server, there are few things you need to consider. In this session Alvaro will explore standards like OAuth and JWT to achieve a stateless, token-based authentication and authorisation. He will explore the existing impl More specifically, the demonstration will be made using Spring Security REST, a popular Grails plugin written by Álvaro.
Authentication is normally a stateful service. Most of the implementations rely on the HTTP session, thus introducing state as the session is an in-memory data structure in the application server.
In the microservices era, most of the companies are developing such called RESTful services, where one of the principles is to create stateless systems. In such scenario, authentication should be stateless too.
There is a standard specification to secure web application and API's, that is being adopted massively by the industry: OAuth 2. The specification doesn't explicitly cover how to make a stateless implementation. And most of the existing ones depend on some sort of external storage (such as a DB) to store the tokens generated for a later validation.
Fortunately, there is another specification by the IETF called JSON Web Token, that can be combined with OAuth 2 to achieve a stateless authentication system.
In the session, Alvaro will explain the core concepts of OAuth 2, as well as JWT and how can them be used together to achieve the last 2 letters of REST: State Transfer.
Get Hip with JHipster: Spring Boot + AngularJS + Bootstrap - DOSUG February 2016Matt Raible
YouTube of this presentation's JHipster Demo: https://www.youtube.com/watch?v=ZGF4gEM4FuA
Building a modern web (or mobile) application requires a lot of tools, frameworks and techniques. This session shows how JHipster unites popular frameworks like AngularJS, Spring Boot and Bootstrap. Using Yeoman, a scaffolding tool for modern webapps, JHipster will generate a project for you and allow you to use Java 8, SQL or NoSQL databases, Spring profiles, Maven or Gradle, Grunt or Gulp.js, WebSockets and Browsersync. It also supports a number of different authentication mechanisms: classic session-based auth, OAuth 2.0, or JWT authentication.
For cloud deployments, JHipster includes out-of-the-box support for Cloud Foundry and Heroku.
REST API Security: OAuth 2.0, JWTs, and More!Stormpath
Les Hazlewood, Stormpath CTO, already showed you how to build a Beautiful REST+JSON API, but how do you secure your API? At Stormpath, we spent 18 months researching best practices. Join Les as he explains how to secure your REST API, the right way. We'll also host a live Q&A session at the end.
In this presentation, we're discussing whether we need API gateway or not on Micro-Services Architecture. We'll see pros and cons of several ways how clients access to services.
[Updated : 13 Jan 2015] Additional cons of API gateway is added, as commented by Hyunsik Kang(강현식), Coupang.
The presentation tells about performing cross domain ajax request. Subject included principles of preflight requests and limitations of cross origin resource sharing (CORS) policy. You will be able to find implementation examples for frontend (JavaScript, jQuery, AngularJS) and for backend (.Net, Ruby on Rails). Browser compatibility is covered in section ‘Limitation in IE 8,9‘ and there shown possible workarounds. And finally there are couple words about Content Security Policy – the latest approach in Web Application Security.
TEDx Manchester: AI & The Future of WorkVolker Hirsch
TEDx Manchester talk on artificial intelligence (AI) and how the ascent of AI and robotics impacts our future work environments.
The video of the talk is now also available here: https://youtu.be/dRw4d2Si8LA
What Is Cross-Origin Resource Sharing in Web Development.pdfMPrashanth13
Cross-origin resource sharing (CORS) is an important concept in web development that allows resources to be requested from another domain outside the domain from which the resource originated.
This webinar, presented by Security Innovation's own, Senior Security Instructor and Engineer, Kevin Poniatowski, examines HTML5 security in-depth and arms development teams with techniques they can apply immediately to proactively address security in their code.
Same-origin policy is an important security concept of the modern browser languages like JavaScript but becomes an obstacle for developers when building complex client-side apps. Over time there have been lots of ingenious workarounds using JSON-P, IFRAME and proxies. As of January 2013 the well known Cross Origin Resource Sharing (CORS) comes as proposed standard by W3C and has now native support by all major browsers.
Attendees will learn the best web application security practices used by major US government entities. The presentation will cover network configuration, caching, replication, common web application vulnerabilities, and how making these changes will result in better web site performance and user satisfaction. The five most common types of web application attacks will be explained, along with simple ways to prevent them.
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
Browser exploitation| Reporting vulnerability in top browsers and finding CVE.
Session in Null Bangalore Meet 23 November 2019 Null/OWASP/G4H combined meetup
Thanks to respective researchers for their work.
CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
AWS Webcast - Best Practices for Content Delivery using Amazon CloudFrontAmazon Web Services
Amazon CloudFront offers a simple, cost-effective way to improve the performance, reliability and global reach of your entire website for both static content and the dynamic portions of your site that change for each end user. In this webinar, you will learn some best practices for using Amazon CloudFront to architect a highly reliable and high-performing website. You will also learn how you can use Amazon CloudFront to deliver content securely, how you can customize content based on device or geo, and learn how use can use CloudFront tools such as our reports and analytics to help you continuously optimize your content. If you are an AWS customer, you will also learn some best practices on how you can use Amazon CloudFront to improve delivery of static or dynamic content originating from AWS services such as Amazon S3, Elastic Load Balancing (ELB), or Amazon EC2.
Learning Objectives:
• Best practices for delivering your whole website on Amazon CloudFront
• Best practices to deliver content securely via Amazon CloudFront
• Best practices to deliver content from AWS services such as Amazon S3, Amazon EC2 and Elastic Load Balancing using Amazon CloudFront
Who Should Attend:
• All AWS (S3, EC2, or ELB) customers who have some data transfer to internet
• All Amazon CloudFront customers
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
This is a presentation by Dada Robert in a Your Skill Boost masterclass organised by the Excellence Foundation for South Sudan (EFSS) on Saturday, the 25th and Sunday, the 26th of May 2024.
He discussed the concept of quality improvement, emphasizing its applicability to various aspects of life, including personal, project, and program improvements. He defined quality as doing the right thing at the right time in the right way to achieve the best possible results and discussed the concept of the "gap" between what we know and what we do, and how this gap represents the areas we need to improve. He explained the scientific approach to quality improvement, which involves systematic performance analysis, testing and learning, and implementing change ideas. He also highlighted the importance of client focus and a team approach to quality improvement.
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
The Indian economy is classified into different sectors to simplify the analysis and understanding of economic activities. For Class 10, it's essential to grasp the sectors of the Indian economy, understand their characteristics, and recognize their importance. This guide will provide detailed notes on the Sectors of the Indian Economy Class 10, using specific long-tail keywords to enhance comprehension.
For more information, visit-www.vavaclasses.com
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
How to Create Map Views in the Odoo 17 ERPCeline George
The map views are useful for providing a geographical representation of data. They allow users to visualize and analyze the data in a more intuitive manner.
2. whoami
• WebAppSec Consultant, Penetration Tester, Bug Bounty
Hunter for Google, Facebook, Paypal, Mozilla and other
bounty programs
• One of the null Security Community Bangalore Chapter
Moderator
• Work at a Big4 and have conducted several Penetration Tests
all over the world.
• Spoken at several international security conferences
3. Imagine the Internet if
• fabekook.cn was able to read DOM values from facebook.com
from another browser tab
• gmaail.br was able to read your address book from
http://mail.google.com/mail/c/data/contactstore?type=4&ma
x=-1
• boinkofindia.com was able to read your account balance and
obtain a list of all your transactions from your internet
banking account while you are logged in.
6. What is SOP?
• SOP restricts how a document or script loaded
from one origin can interact with a resource
from another origin
• Earliest available implementation – Netscape
Navigator 2.0 (1996)
7. define: origin
URL Outcome Reason
http://store.company.com/dir2/other.html Success ----
http://store.company.com/dir/inner/another.html Success ----
https://store.company.com/secure.html Failure Different protocol
http://store.company.com:81/dir/etc.html Failure Different port
http://news.company.com/dir/other.html Failure Different host
Access made from: http://store.company.com/dir/page.html
8. Changing 'origins'
• Setting document.domain to a suffix of the
current domain.
• Setting document.domain to another domain
altogether isn’t allowed.
10. Cross Origin Network Access
• Origin is permitted to send data to another
origin but not read
• Interactions between origins are placed in three
categories:
– Cross origin writes (redirects, links, form action etc.)
– Cross origin embedding (html tag with src/hrefs)
– Cross origin reads (not allowed without CORS etc.)
11. Cross Origin Embedding
• JavaScript <script src="..."></script>.
• CSS with <link rel="stylesheet" href="...">.
• Images with <img>.
• Media files with <video> and <audio> tags.
• Plug-ins with <object>, <embed> and <applet>.
• Fonts with @font-face.
• Anything with <frame> and <iframe>.
12. Prevent Cross Origin Access
• To prevent Cross origin writes, use a CSRF token
• To prevent Cross origin embedding, ensure
resource is not interpreted as any of the formats
discussed earlier.
• To prevent Cross Origin reads of a resource, ensure
that it is non-embeddable.
• For iframes the X-Frame-Options header can be
used to control access to the page.
13. Cross Origin Resource Sharing
• W3C specification that allows cross domain
communication from the browser
• Works by adding new HTTP headers that
describe the set of origins that are permitted to
read across domains
14. 3 Pointers
• Browsers prevent data from being accessed
cross domain via the Same Origin Policy
• In case a page loads another domain via a
frame, X-Frame-Options can be used to control
access
• CORS is used to relax the Same Origin Policy for
legitimate and trusted requests.
16. Allowing Cross origin resource sharing since March 2004
Riyaz Walikar | @riyazwalikar | www.riyazwalikar.com
17. What is CORS?
• W3C working draft that defines how the browser
and server must communicate when accessing
sources across origins
• Implemented via HTTP headers that servers set
and browsers enforce
• Can be categorized into
– Simple requests
– Requests that need a ‘preflight’
20. Why is CORS needed?
• For legitimate and trusted requests to gain access
to authorized data from other domains
• Think cross application data sharing models
• Allows data to be exchanged with trusted sites
while using a relaxed Same Origin policy mode.
• Application APIs exposed via web services and
trusted domains require CORS to be accessible
over the SOP
22. CORS – Simple Requests
• Preflight is not needed if
– Request is a HEAD/GET/POST via XHR
– No Custom headers
– Body is text/plain
• Server responds with a CORS header
– Browser determines access
– Neither the request, nor response contain cookies
23. CORS Headers – Simple Request
• Origin
– Header set by the client for every CORS request
– Value is the current domain that made the request
• Access-Control-Allow-Origin
– Set by the server and used by the browser to
determine if the response is to be allowed or not.
– Can be set to * to make resources public (bad
practice!)
25. CORS – Requests with Preflight
• Preflight requests are made if
– Request is a method other than HEAD/GET/POST
via XHR (PUT, DELETE etc.)
– Custom headers are present (X-PINGBACK etc.)
– Content-Type other than application/x-www-
form-urlencoded, multipart/form-data, or
text/plain
• A transparent request is made to the server
requesting access information using OPTIONS
26. CORS – Requests with Preflight
• Browser sends
– Origin header
– Access-Control-Request-Method
– Access-Control-Request-Headers – (Optional)
• Server sends set of CORS headers that the
browser uses to determine if the actual
request has to be made or not
27. CORS Headers – Request with Preflight
(Preflight Browser Request)
• Origin
– Header set by the client for every CORS request
– Value is the current domain that made the request
• Access-Control-Request-Method:
– Set by the browser, along with Origin.
– Value is the method that the request wants to use
• Access-Control-Request-Headers (Optional):
– A comma separated list of the custom headers being
used.
28. CORS Headers – Request with Preflight
(Preflight Server Response)
• Access-Control-Allow-Origin
– Same as in Simple requests
• Access-Control-Allow-Methods:
– a comma separated list of allowed methods
• Access-Control-Allow-Headers:
– a comma separated list of headers that the server will
allow.
• Access-Control-Max-Age:
– the amount of time in seconds that this preflight
request should be cached for.
30. CORS (In)security?
• Several security issues arise from the improper
implementation of CORS, most commonly using a
universal allow notation (*) in the server headers
• Clients should not trust the received content
completely and eval or render content without
sanitization which could result in misplaced trust
• The application that allows CORS may become
vulnerable to CSRF attacks
31. CORS (In)security?
• Prolonged caching of Preflight responses could
lead to attacks arising out of abuse of the
Preflight Client Cache
• Access control decisions based on the Origin
header could result in vulnerabilities as this
can be spoofed by an attacker
32. CORS Security - Universal Allow
• Setting the 'Access-Control-Allow-Origin' header to *
• Effectively turns the content into a public resource,
allowing access from any domain
• Scenarios?
– An attacker can steal data from an intranet site that has set
this header to * by enticing a user to visit an attacker
controlled site on the Internet.
– An attacker can perform attacks on other remote apps via
a victim’s browser when the victim navigates to an attacker
controlled site.
34. CORS Security – Misplaced Trust
• Data exchange between two domains is based on trust
• If one of the servers involved in the exchange of data is
compromised then the model of CORS is put at risk
• Scenarios?
– An attacker can compromise site A and host malicious
content knowing site B trusts the data that site A sends to
site B via CORS request resulting in XSS and other attacks.
– An attacker can compromise site B and use the exposed
CORS functionality in site A to attack users in site A.
35. CSRF with CORS
• Server may process client request to change server side
data while verifying that the Origin header was set
• An attacker can use the .withCredentials = “true” property
of XHR to replay any cookies to the application on which
the victim is logged in
• Scenarios?
– An attacker sets the Origin header or uses a trusted site A to
send a non idempotent request to site B
– The victim who is logged into site B when he is viewing the
trusted site A causes site B to create a user account without
his knowledge via a CSRF attack
37. CORS – Caching of Preflight responses
• The Access-Control-Max-Age header is set to a high
value, allowing browsers to cache Preflight
responses
• Caching the preflight response for longer duration
can pose a security risk.
• If the COR access-control policy is changed on the
server the browser would still follow the old policy
available in the Preflight Result Cache
38. CORS – Access Control based on Origin
• The Origin header indicates that the request is from
a particular domain, but does not guarantee it
• Spoofing the Origin header allows access to the page
if access is based on this header
• Scenarios?
– An attacker sets the Origin header to view sensitive
information that is restricted
– Attacker uses cURL to set a custom origin header:
curl --header 'origin:http://someserver.com'
http://myserver.com:90/demo/origin_spoof.php