It is rare for a single bug to leave almost every CDN vulnerable, but when it happens the possibilities are endless and potentially disastrous.
Imagine – a Facebook worm giving an attacker full access to your bank account completely unbeknownst to you, until seven Bentleys, plane tickets for a herd of llamas, a mink coat once owned by P. Diddy, and a single monster cable all show up on your next statement. What a nightmare.
But in all seriousness, thousands of websites relying on the most popular CDNs are at risk. While some applications may require a security bypass in order to work, these intentional bypasses can become a valuable link in an exploit chain. Our research has unveiled a collection of general attack patterns that can be used against the infrastructure that supports high-availability websites.
This is a story of exploit development with fascinating consequences.
Security Analyst Matthew Bryant and Security Associate Mike Brooks are set to speak at DerbyCon 5.0 “Unity” – “Bypass Surgery: Abusing Content Delivery Networks With Server-Side-Request Forgery (SSRF), Flash, and DNS”