HTML5 has been on the way for a couple of years now. There have been many discussions about its security implications and how they should be handled; however, these discussions usually stop at showing the most hyped and scariest vulnerabilities and their countermeasures. This presentation will continue the discussion on another level. To create state-of-the-art web applications with HTML5, all of its features should be analysed to see the risks they introduce and how they should be used properly.
This presentation will analyse Cross-Origin Resource Sharing (CORS). This HTML5 feature allows websites to load resources from other domains, even from restricted environments, using the authentication tokens saved by the browser. This has interesting effects on various actors on the Internet. It affects clients and servers alike, bringing whole new trust relationships into the game. It also breaks with relevant parts of the same-origin policy, one of the most important security features of web browsers, and all of this happened without most people noticing.
The first part of my analysis will introduce Cross-Origin Resource Sharing: how it works, how JSON-P, its predecessor, was used, and why CORS is interesting from a security perspective. The functional introduction will be followed by a threat analysis showing how CORS affects the traditional usage of XMLHttpRequest (XHR). Because it changes the way websites communicate with each other, it has an effect on pre-CORS websites as well. Most importantly, it introduces a new way to attack web applications and transforms well-known attacks such as Cross-Site Request Forgery and Cross-Site Tracing, giving them whole new possibilities. Examples of these will be presented in live demos.
The presentation will conclude by outlining methods to mitigate the security risks of Cross-Origin Resource Sharing. These will include ways to prepare an existing site to handle CORS properly and to build new web applications that enjoy the features of CORS without risking our users' data.
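As an added illustration of the "handle CORS properly" point (this is example code written for this page, not the speaker's demo), the following server-side policy function decides which Access-Control-* headers to emit. It contrasts the weak pattern, reflecting any Origin together with Allow-Credentials, which is what turns the browser's saved cookies into a cross-site read primitive, with an exact-match allowlist plus preflight validation. The origins, methods and header names in the allowlists are assumed values for a hypothetical site.

```javascript
// Assumed allowlists for a hypothetical site; replace with real values.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);
const ALLOWED_METHODS = new Set(['GET', 'POST', 'PUT', 'DELETE']);
const ALLOWED_HEADERS = new Set(['content-type', 'authorization', 'x-csrf-token']);

// Weak pattern (shown for contrast, do not deploy): mirrors whatever Origin
// arrives and adds Allow-Credentials, so any site can read responses that
// carry the victim's cookies. Exact allowlist + credentials is the fix.
function corsHeadersReflecting(req) {
  const origin = req.headers['origin'];
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Hardened pattern: exact string match (no prefix/suffix/regex matching, so
// "https://app.example.com.evil.example" and "null" are rejected), credentials
// only for allowlisted origins, and preflight requests validated before the
// Allow-Methods/Allow-Headers grant is issued.
function corsHeaders(req) {
  const origin = req.headers['origin'];
  // Returning no CORS headers makes the browser refuse the cross-origin read.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // keep caches from serving one origin's grant to another
  };
  if (req.method === 'OPTIONS') {
    const method = (req.headers['access-control-request-method'] || '').toUpperCase();
    const requested = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.has(method) || !requested.every((h) => ALLOWED_HEADERS.has(h))) {
      return {}; // preflight fails: the actual request is never sent
    }
    headers['Access-Control-Allow-Methods'] = [...ALLOWED_METHODS].join(', ');
    headers['Access-Control-Allow-Headers'] = [...ALLOWED_HEADERS].join(', ');
    headers['Access-Control-Max-Age'] = '600';
  }
  return headers;
}
```

Wire `corsHeaders` into the response path of every handler that serves per-user data; the reflecting variant is there only to show what the allowlist prevents.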