What gives $7k and 3 CVEs? A web browser, confused about its cross-origin policy

Thursday 14:00-14:45

About AaylaSecura1138

They call her Alex, but she is TheSociallyAwkwardPenguin. She felt awkward writing a bio in third person, so she quoted herself:

“I didn’t do a PhD. I suck at PhDs. I started a PhD… three times. By the time I got to my thesis I was bored. But I love arguing over problems no one will ever care about!

I don’t do bug bounties. I suck at bug bounties. I tried looking for bugs… three times. By the time I chose a program I was bored. But I love breaking web apps!

I don’t do gym. I suck at gymming. I tried gym… three times. By the time I decided on an exercise I was bored. But I love punching people!”

Talk Overview

The Same-Origin Policy (SOP) says web browsers should prevent one site from accessing another site, unless explicitly allowed by the Cross-Origin Resource Sharing (CORS) standard. But do all browsers follow the guidelines? Spoiler alert: no.

Can’t quite wrap your head around CSRF, SOP and CORS? Or maybe you want to get into bug bounties but, like me, just don’t know where to start? Let me tell you about my research, which led me to bugs in Firefox and Chrome’s SOP/CORS implementations worth three CVEs and US$7k.

