The Subtleties of Bypassing the Same-Origin Policy and Exploiting Cross-Site Request Forgery

Presented at ToorCon San Diego 18 (2016), Oct. 16, 2016, 2:30 p.m. (20 minutes).

The same-origin policy remains one of the most important security mechanisms of the web, protecting servers from malicious pages interacting with their APIs through cross-site requests. However, the subtle details of the policy can be overlooked, so our talk aims to show how limitations in the application of the same-origin policy can undermine security. We explain in depth how the same-origin policy works and how it can be bypassed to exploit cross-site vulnerabilities, including examples of Java, Flash, Silverlight, and Cross-Origin Resource Sharing (CORS) misconfigurations. As the same-origin policy and cross-site request forgery (CSRF) are inherently connected, we will also show both simple and complex cross-site request forgery attacks and how CSRF functions within the context of the same-origin policy. This will include classic CSRF attacks that work within the confines of the same-origin policy and more complicated attacks that utilize server misconfigurations to bypass the same-origin restrictions altogether.
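To make the two server-side failure modes the abstract refers to concrete, here is an added example (not code from the talk or its presenters): a CORS response policy that reflects any `Origin` while also allowing credentials, beside a hardened allow-list version, plus a constant-time CSRF token check. The origins, the allow-list `TRUSTED_ORIGINS`, and all function names are hypothetical; the check function `cors_policy_is_misconfigured` is the kind of audit a defender would run over an API's responses.

```python
"""Added example, not from the original page: weak vs. hardened CORS header
policy, a defender's misconfiguration check, and a CSRF token comparison.
All names, hosts and the allow-list below are hypothetical."""
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical allow-list a server operator would configure.
TRUSTED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_weak(origin: Optional[str]) -> Dict[str, str]:
    """Weak setting: reflect whatever Origin the request carried AND allow
    credentials. A page on any site can then read authenticated responses,
    which is the same-origin bypass the abstract describes."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_hardened(origin: Optional[str]) -> Dict[str, str]:
    """Corrected setting: only allow-listed origins receive CORS headers.
    Everything else gets none, so the browser enforces the same-origin policy.
    'Vary: Origin' keeps caches from serving one origin's headers to another."""
    if origin in TRUSTED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def cors_policy_is_misconfigured(headers: Dict[str, str]) -> bool:
    """Audit check on a captured response: credentials allowed together with
    an Access-Control-Allow-Origin that is not on the allow-list. A literal
    '*' is flagged too; browsers refuse '*' with credentials, but the pair
    still signals a policy that was never thought through."""
    acao = headers.get("Access-Control-Allow-Origin")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if acao is None:
        return False
    return creds and acao not in TRUSTED_ORIGINS


def issue_csrf_token() -> str:
    """Per-session random token; a cross-site page cannot read it because the
    same-origin policy blocks it from reading this site's responses."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison of the token stored in the session with the
    one submitted in the form/header. A missing token is rejected outright."""
    if not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


if __name__ == "__main__":
    # Constructed probe: a request from an origin that is not on the allow-list.
    probe = "https://attacker.example"
    print("weak policy misconfigured:", cors_policy_is_misconfigured(cors_headers_weak(probe)))
    print("hardened policy misconfigured:", cors_policy_is_misconfigured(cors_headers_hardened(probe)))
    tok = issue_csrf_token()
    print("token round-trip valid:", csrf_token_valid(tok, tok))
```

The audit check is deliberately conservative: it reports reflected or wildcard origins whenever credentials are allowed, which is the combination that turns a CORS header into a same-origin bypass rather than a harmless public-data setting.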


Presenters:

  • David Petty
    I am a current senior at Northwestern University studying Computer Science. I have been working for Independent Security Evaluators in Baltimore, MD since 2014 as a security analyst, and have experience in network penetration, reverse engineering, and digital forensics.
