Beyond the Top 10

John & Mary Beth King


  • CVE-2017-5638: March 9th, 2017
  • Equifax Breach: Mid-May, 2017

Application Security Requirements

  • Developer knowledge & ownership
  • Organizations must be Agile
  • Long-term commitment

OWASP Top 10 (v2013)

  • A1 – Injection
  • A2 – Broken Authentication and Session Management
  • A3 – Cross-Site Scripting (XSS)
  • A4 – Insecure Direct Object References
  • A5 – Security Misconfiguration
  • A6 – Sensitive Data Exposure
  • A7 – Missing Function Level Access Control
  • A8 - Cross-Site Request Forgery (CSRF)
  • A9 - Using Components with Known Vulnerabilities
  • A10 – Unvalidated Redirects and Forwards

We'll Cover

  • Session Cookie Flags
  • Third-party Scripts
  • Cross-origin Resource Sharing (CORS)

Demo: Session Cookie Attacks

Session Cookie Flags

  • Secure
  • HttpOnly
  • SameSite*

* Not yet widely supported

Demo: Session Cookie Defense

Third-party Scripts

"The issue involves a third-party vendor that Equifax uses to collect website performance data, and that vendor's code running on an Equifax website was serving malicious content. Since we learned of the issue, the vendor's code was removed from the webpage and we have taken the webpage offline to conduct further analysis."


Demo: Third-party Script Attacks

Third-party Scripts

  • Local copy or proxy
  • Sandbox / iFrame
  • Subresource Integrity (SRI)
  • Content Security Policy (CSP)

Demo: Third-party Script Defense

Cross-origin Resourse Sharing (CORS)

Demo: CORS Attacks


  • Limitations of Access-Control-Allow-Origin
  • Dangers of Access-Control-Allow-Credentials

Demo: CORS Defense

SRI & CSP Guides

★ Awesome Articles ★

GitHub Engineering

★ More Awesome Articles ★

PortSwigger Web Security Blog

Exploiting CORS Misconfigurations for Bitcoins and Bounties
James Kettle

OWASP Resources

Join Us

Get involved in the Rochester OWASP Chapter


John N. King <>
Mary Beth King <>

This presentation made possible by:
Rochester Security Summit
Rochester Chapter of OWASP

Slides made with Reveal.js