Introduction
Content Distribution Networks (CDNs), such as CloudFront and CloudFlare, are often used to improve the performance and security of public-facing websites. Standard features of CDNs like these include IP firewalling, client authentication, and WAF filtering. These controls present obstacles for an attacker when trying to exploit web application vulnerabilities that may exist in the underlying application.
Restricting the ability for attackers to bypass the CDN and access the origin server is critical to the effective implementation of the security controls CDNs offer. Despite this, preventing unauthorized access to the origin is a detail often missed during implementation of the infrastructure.
Other blog posts have covered the security risks of directly accessible origin servers at length. We won’t be covering this specific misconfiguration in this post. Instead, We will focus on a similar attack which is often the result of attempting to fix this vulnerability by IP allow listing the CDN’s IP range. This IP range is shared across all customers, so IP allow listing is insufficient to restrict access to the origin to traffic traversing the intended CDN distribution.
This post was created with our nice and easy submission form. Create your post!
GIPHY App Key not set. Please check settings