[Blackhat Talk] Bypass Surgery Abusing Content Delivery Networks With Server-Side Request Forgery (SSRF), Flash, and DNS

For archival purposes I’m posting this talk that me and Mike Brooks (a.k.a. Rook) did at Blackhat USA 2015. While we danced around the vendor in the talk description, we can now disclose that that vendor was indeed Akamai – see their blog post about the issue here. Luckily Akamai was super helpful throughout the whole process (which is more than can be said for many vendors!). If any of you find any other vulnerabilities in Akamai, hit them up at [email protected] This vulnerability chain allowed us to achieve a full Same Origin Policy bypass on many of the internet’s most popular sites (Facebook, Verizon, Microsoft, etc).

“It is unlikely when a bug affects almost every CDN and it becomes vulnerable, but when this happens the possibilities are endless and potentially disastrous.

Imagine – a Facebook worm giving an attacker full access to your bank account completely unbeknownst to you, until seven Bentleys, plane tickets for a herd of llamas, a mink coat once owned by P. Diddy, and a single monster cable all show up on your next statement. What a nightmare.

But in all seriousness, thousands of websites relying on the most popular CDNs are at risk. While some application requirements may need a security bypass in order to work, these intentional bypasses can become a valuable link in an exploit chain. Our research has unveiled a collection of general attack patterns that can be used against the infrastructure that supports high availability websites.

This is a story of exploit development with fascinating consequences.”

Click here for the talk slides.

Matthew Bryant (mandatory)

Matthew Bryant (mandatory)
Security researcher who needs to sleep more. Opinions expressed are solely my own and do not express the views or opinions of my employer.