Explore the vulnerabilities and attack patterns affecting Content Delivery Networks (CDNs) in this Black Hat conference talk. Delve into the potential consequences of exploiting CDN weaknesses, including unauthorized access to sensitive information and financial accounts. Learn about the research uncovering general attack patterns against high-availability website infrastructure. Discover techniques such as SRV record enumeration, internal network assessment, and SSRF tools. Examine the differences between JavaScript and Flash in terms of security, and understand the implications of crossdomain.xml files. Investigate methods for bypassing HTTP Content Security Policy and potential remediation strategies. Gain insights into future security research directions in this critical area of web infrastructure.
Bypass Surgery - Abusing Content Delivery Networks
Overview
Syllabus
Intro
Matthew Bryant (mandatory)
Content Delivery Networks
What happened?
A Divided Penetration Testing Scope
SRV Record Enumeration
subbrute - Internal Network Assessment
NOERROR?
Server Trust
Search for Cross Domain Proxy
SSRF tools
Access to the Web Server's localhost
Access to Internal Network Hardware
SSRF Questions
What's an origin?
Differences between JavaScript and Flash
Example Crossdomain.xml File
The Check
FlowPlayer Bypass #1 - The Bypass
Full Exploit Flow
Bypassing HTTP Content Security Policy
Remediation
Future Security Research
Taught by
Black Hat
