It is unlikely when a bug affects almost every CDN and it becomes vulnerable, but when this happens the possibilities are endless and potentially disastrous.

Imagine – a Facebook worm giving an attacker full access to your bank account completely unbeknownst to you, until seven Bentleys, plane tickets for a herd of llamas, a mink coat once owned by P. Diddy, and a single monster cable all show up on your next statement. What a nightmare.

But in all seriousness, thousands of websites relying on the most popular CDNs are at risk. While some application requirements may need a security bypass in order to work, these intentional bypasses can become a valuable link in an exploit chain. Our research has unveiled a collection of general attack patterns that can be used against the infrastructure that supports high availability websites.

This is a story of exploit development with fascinating consequences.

Security Analyst Matthew Bryant and Security Associate Mike Brooks are presenting at Black Hat USA 2015: Bypass Surgery Abusing Content Delivery Networks with Server-Side-Request Forgery (SSRF), Flash, and DNS