Modern web browsers have a fundamental security feature called the Same Origin Policy (SOP) that restricts web pages from accessing resources from a different origin. Despite this protection, there exist several techniques that can bypass the SOP restrictions, enabling attackers to gain access to confidential information or execute unauthorized actions on behalf of the victim. This talk will give a high-level overview of several techniques used for circumventing the SOP security measure. These techniques include cross-site scripting (XSS), misconfigured CORS, misconfigured PostMessage, and other vulnerabilities. Through real-world examples, I will demonstrate how attackers can abuse these techniques to abscond with sensitive information or carry out unauthorized actions on behalf of the user. Furthermore, I will delve into effective strategies for thwarting and lessening the impact of SOP bypass attacks. I will cover topics such as implementing Content Security Policy (CSP), configuring CORS appropriately, and leveraging browser extensions like NoScript. By the end of the talk, participants will have a clearer comprehension of the dangers of SOP bypass and be equipped with actionable measures to reduce these threats.

Speaker's Bio

I am Armaan Pathan, a Senior Security Engineer at Certus Cybersecurity, with 7 years of experience in bug bounty programs across various platforms. I have participated in multiple live hacking events and have been recognized for discovering critical vulnerabilities. I am enthusiastic about hacking and always eager to learn more.