CSRF in the Modern Age: Sidestepping the CORS Standard

Presented at ToorCon San Diego 18 (2016), Oct. 15, 2016, 1 p.m. (50 minutes)

Any site your browser visits can make cross-site requests to any domain it wants, with relatively few restrictions. Abuse of this functionality is known as Cross-Site Request Forgery (CSRF). CSRF has been around for 15 years, and for most of that time CSRF tokens were the only solution. More recently, a new browser standard was developed to allow “safe” cross-origin requests: HTML5 Cross-Origin Resource Sharing (CORS). In reality, CORS has opened up new attack surface for cross-site requests and made preventing them more complex. This talk will cover the surprising versatility of CSRF as an attack vector, and the numerous ways applications fail to protect themselves. By systematically evaluating browsers’ CORS implementations, the author explored the “dark corners” of CORS, and will discuss how the standard violates users’ expectations - for better and for worse. Finally, framework-level protections against CSRF will be discussed, along with how these protections are often subverted, leading to a better understanding of how to test for and protect against modern CSRF.


  • Tanner Prynn
    Tanner Prynn is a senior security consultant with NCC Group. His focuses are in hardware reverse engineering, application security, and source review.

Similar Presentations: