CHCon AAYLASECURA1138 – WHAT GIVES $7K AND 3 CVES? A WEB BROWSER, CONFUSED ABOUT ITS CROSS-ORIGIN POLICY, https://2019.chcon.nz/talks/aayla/

The Same-Origin Policy (SOP) says web browsers should prevent one site from accessing another site, unless explicitly allowed by the Cross-Origin Resource Sharing (CORS) standard. But do all browsers follow the guidelines? Spoiler alert: no.

Can’t quite wrap your head around CSRF, SOP and CORS? Or maybe you want to get into bug bounties but, like me, just don’t know where to start? Let me tell you about my research which led me to bugs in Firefox and Chrome’s SOP/CORS implementation worth three CVEs and US$7k.