Don't Cross Me! Same Origin Policy and all the "cross" vulns: XSS, CSRF, and CORS

D935fc668d901fbb803fd5d8d0313c22?s=47 ropnop
February 04, 2020

Don't Cross Me! Same Origin Policy and all the "cross" vulns: XSS, CSRF, and CORS

All too often, even seasoned web security professionals get mixed up by the subtle differences between cross site scripting (XSS), cross site request forgery (CSRF) and cross origin resource sharing (CORS). In this talk, I’ll start at the basics and discuss the browser security model and same origin policy - the security boundary that protects and limits JavaScript’s power within the browser. After covering the basics of origins and JavaScript, I’ll walk through each of the three “cross” attacks and explain in depth what is happening, why they work - and what an attacker can do with them. The talk will feature code samples and discussions of how to mitigate these vulnerabilities by leveraging the SOP. Whether you are a pentester, security engineer, developer or product manager, this talk should help everyone design, implement and test secure web applications.

D935fc668d901fbb803fd5d8d0313c22?s=128

ropnop

February 04, 2020
Tweet