Bypass Surgery Abusing Content Delivery Networks with Server-Side-Request Forgery (SSRF) Flash and DNS

Black Hat USA 2015

Presented by: Michael Brooks, Matthew Bryant
Date: Thursday August 06, 2015
Time: 09:45 - 10:35
Location: South Seas GH

It is unlikely when a bug affects almost every CDN and it becomes vulnerable, but when this happens the possibilities are endless and potentially disastrous.

Imagine - a Facebook worm giving an attacker full access to your bank account completely unbeknownst to you, until seven Bentleys, plane tickets for a herd of llamas, a mink coat once owned by P. Diddy, and a single monster cable all show up on your next statement. What a nightmare.But in all seriousness, thousands of websites relying on the most popular CDNs are at risk. While some application requirements may need a security bypass in order to work, these intentional bypasses can become a valuable link in an exploit chain. Our research has unveiled a collection of general attack patterns that can be used against the infrastructure that supports high availability websites.This is a story of exploit development with fascinating consequences.

Michael Brooks

Mike Brooks (CISSP) is a Security Associate at Bishop Fox (formerly Stach & Liu), a security consulting firm providing IT security services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on software testing, application security assessments, source code review, blackbox penetration testing, and cryptography. Mike is an avid security researcher and contributes frequently to online vulnerability databases and security knowledge centers. He has researched and identified security vulnerabilities in dozens of software applications, including some severe enough to be assigned severity metrics from the Department of Homeland Security. The highest of these severity metrics rates in the top 500 most dangerous software flaws ever discovered. Mike is credited with the discovery of over 50 vulnerabilities with CVE entries, and was previously ranked in the top 10 of the Google AppSec Bug Bounty Program.

Matthew Bryant

As a Security Analyst at Bishop Fox, Matt Bryant focuses on web-based and mobile application penetration testing. Prior to joining Bishop Fox, Matt served as a web developer at Underground Computers. He has been quoted in publications, such as Ars Technica, and has presented at GrrCON.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats