April Meeting: Enabling CORS Communication Securely


Details
Hey everyone,
This month we have Ksenia Dmitrieva-Peguero speaking about CORS security. We hope you can make it out.
Description:
Traditionally, web applications were limited to AJAX communication within the same origin, as mandated by the Same Origin Policy. Later, the emergence of mashup applications and the growth of heavy client-side JavaScript interaction required applications to communicate across origins. There are several ways to work around the Same Origin Policy, such as fragment-identifier messaging or passing messages through window.name, but as with any hack, these methods are not entirely secure. Cross-origin resource sharing (CORS) was introduced to provide a secure, standardized way of performing cross-origin AJAX communication. Firefox has shipped an implementation since version 3.5 (2009), but the technology only gained traction in the last few years.

On the surface, CORS is a straightforward technology with a detailed specification, but there are multiple ways to shoot yourself in the foot when implementing it in an application. Several frameworks offer CORS features that make turning on cross-origin communication easy, but keeping the application secure at the same time is tricky. In this presentation we will look at common mistakes that developers make when designing CORS-enabled applications and discuss the best practices developers should follow to make their applications secure.

Bio:
Ksenia Dmitrieva-Peguero is a Principal Consultant at Synopsys/Cigital with seven years of experience in application security and five years of software development experience. Over the years she has performed numerous penetration tests, code reviews, and architecture analysis engagements for clients in the financial services, entertainment, telecommunications, energy, and enterprise security industries. Her current concentration is on analyzing JavaScript frameworks and HTML5 technologies, researching their security implications, discovering vulnerabilities, and recommending best practices. Ms. Dmitrieva-Peguero has delivered presentations and trainings at conferences around the world, including BSides Security in London, Nullcon in India, AppSec California, RSA Asia Pacific & Japan in Singapore, and AppSec Europe in Italy. Ksenia has also served on the review boards of conferences such as AppSec USA and AppSec EU.
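To give a concrete flavour of the "shoot yourself in the foot" mistakes the description refers to, here is an added example (not code from the talk or the speaker) showing how a credentialed API might decide which CORS headers to return for a given request Origin. The allowlist, the probe origins and the function names are assumed for illustration. The first two functions are the common mistakes (reflecting the request Origin, and validating with a substring match); the third is the exact-match allowlist a reviewer would want to see.

```javascript
// Added example, not code from the talk or the speaker: how a credentialed
// API decides what CORS headers to send for a given request Origin.
// The allowlist and probe origins below are assumed for illustration.

// Hypothetical allowlist of first-party origins (exact scheme://host[:port]).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

const NO_CORS = Object.freeze({});

// MISTAKE 1: reflect whatever Origin the browser sent and allow credentials.
// Any site the victim visits can now read responses that carry their cookies.
// Browsers refuse "*" together with credentials, so reflection is the
// "fix" developers often reach for, and it is strictly worse than "*".
function corsHeadersReflect(origin) {
  if (!origin) return NO_CORS;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// MISTAKE 2: validate with a substring or suffix check. Both
// "https://example.com.attacker.net" and "https://evilexample.com"
// pass an includes()/endsWith() test against "example.com".
function corsHeadersSubstring(origin) {
  if (!origin || !origin.includes("example.com")) return NO_CORS;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// HARDENED: parse the Origin, compare its serialized origin against a closed
// allowlist, never accept "null" (sent by sandboxed iframes, file:// pages
// and some redirected requests), and add Vary: Origin so a shared cache
// cannot serve one origin's Access-Control-Allow-Origin to another.
function corsHeadersAllowlist(origin) {
  if (!origin || origin === "null") return NO_CORS;
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return NO_CORS; // not a syntactically valid origin
  }
  // parsed.origin drops userinfo, path and fragment and lowercases the host,
  // so "https://app.example.com@attacker.net" becomes "https://attacker.net".
  if (!ALLOWED_ORIGINS.has(parsed.origin)) return NO_CORS;
  return {
    "Access-Control-Allow-Origin": parsed.origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Does a given policy grant a cross-origin read to `origin`?
function grantsRead(policyFn, origin) {
  return "Access-Control-Allow-Origin" in policyFn(origin);
}

// Constructed probe origins: the first is legitimate, the rest are
// attacker-controlled or untrustworthy.
const PROBES = [
  "https://app.example.com",
  "https://evil.example.net",
  "https://example.com.attacker.net",
  "https://app.example.com@attacker.net",
  "null",
];

for (const origin of PROBES) {
  console.log(
    origin.padEnd(40),
    "reflect:", grantsRead(corsHeadersReflect, origin),
    "substring:", grantsRead(corsHeadersSubstring, origin),
    "allowlist:", grantsRead(corsHeadersAllowlist, origin),
  );
}
```

Running the block prints one row per probe origin; only the allowlist policy rejects every attacker-controlled probe while still admitting the legitimate one. The exact-match comparison is done on the parsed origin rather than the raw header string so that userinfo tricks and case differences cannot slip past the allowlist, and the Vary: Origin header is part of the secure answer, not an optimisation: without it a CDN or reverse proxy may cache a response that was tailored for one origin and hand it to a different one.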