Exploiting CDN Integrations: A WAF Bypass Threatening Global Web Applications

In a recently disclosed analysis, Zafran’s research team has unveiled a pervasive misconfiguration vulnerability affecting some of the world’s largest web application firewall (WAF) vendors, including Akamai, Cloudflare, Fastly, and Imperva. These vendors collectively protect 90% of global web applications, making the findings both alarming and impactful.

The misconfiguration arises from a fundamental architectural weakness in how these WAF vendors integrate with content delivery network (CDN) services. By exploiting this flaw, threat actors can bypass WAF protections, directly targeting backend servers and exposing them to distributed denial-of-service (DDoS) attacks or vulnerabilities within the web applications themselves.

As Zafran’s report states, “The misconfiguration stems from an architectural weakness of WAF providers that also act as CDN (content delivery network) providers. In the architecture of such CDN/WAF services, protected web applications are instructed to validate Internet traffic routed to them originated by the CDN/WAF provider. Failure to do so may lead to the discovered bypass.”

Zafran’s team conducted an extensive study involving 700,000 domains associated with Fortune 1000 companies. Their research revealed:

  • 36,000 backend servers were directly accessible on the internet due to this misconfiguration.
  • These servers spanned 8,000 domains, affecting nearly 40% of Fortune 100 companies and 20% of the Fortune 1000.
  • Industries most affected include financial services, which represent over a third of impacted companies.

A particularly striking observation is that companies utilizing Akamai services appeared more vulnerable, with Akamai representing 59% of affected companies despite only covering 42% of Fortune 1000 domains.

The bypass exploit takes advantage of misconfigured origin server settings. Typical CDN setups rely on DNS records to route traffic to CDN proxy servers. However, if an attacker identifies the backend origin server’s IP address, they can sidestep the CDN entirely. The issue is exacerbated by poor implementation of security best practices, such as mutual TLS (mTLS) and IP filtering.

Zafran’s report highlights that “only about 13% of these origin servers implement Authenticated Origin Pulls,” underscoring the widespread neglect of robust security configurations.

To validate their findings, Zafran’s team simulated DDoS attacks on exposed origin servers. Their analysis demonstrated measurable service disruptions, even when requests were routed through the CDN, confirming the bypass’s effectiveness.

The report warns, “A well-organized attacker can also create a botnet, harvesting the bandwidth, the geo-location, and the CPUs of tens of thousands of machines, to carry out simple but much more powerful DDoS attacks even against the largest web-applications setups available – where a CDN is bypassed.”

To address these vulnerabilities, Zafran recommends the following best practices:

  1. IP Filtering: Limit incoming traffic to origin servers from known CDN IP ranges.
  2. Custom HTTP Headers: Use pre-shared secrets to validate requests between CDNs and origin servers.
  3. Mutual TLS Authentication: Ensure that origin servers validate client certificates issued by CDN providers.
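
As an added illustration (not code from Zafran's report or from any vendor), the first two recommendations can be enforced together at the origin as sketched below. The CIDR ranges, the `X-Origin-Auth` header name and the secret are constructed placeholders; mutual TLS is enforced in the TLS layer and is not shown.

```python
import hmac
import ipaddress

# Constructed placeholder ranges (documentation address space). In production,
# load the CDN provider's published egress ranges and refresh them regularly.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:100::/48")]
# Hypothetical header name and secret; store the real secret in a vault and rotate it.
AUTH_HEADER = "x-origin-auth"
SHARED_SECRET = b"constructed-example-secret"


def peer_in_cdn_ranges(peer_ip: str) -> bool:
    """True if the TCP peer address falls inside a configured CDN range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) as seen on dual-stack listeners.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in CDN_RANGES)


def accept_request(peer_ip: str, headers: dict) -> tuple:
    """Decide at the origin whether a request arrived through the CDN/WAF.

    peer_ip must be the socket peer address, never X-Forwarded-For: a client
    that connects to the origin directly controls that header.
    """
    if not peer_in_cdn_ranges(peer_ip):
        return 403, "peer not in CDN ranges"
    # CDN ranges are shared by all of the provider's customers, so the
    # pre-shared secret is checked as well, in constant time.
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = lowered.get(AUTH_HEADER, "").encode()
    if not hmac.compare_digest(supplied, SHARED_SECRET):
        return 403, "missing or wrong origin secret"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests: (socket peer, request headers).
    samples = [
        ("203.0.113.10", {"X-Origin-Auth": "constructed-example-secret"}),
        ("198.51.100.7", {"X-Forwarded-For": "203.0.113.10"}),
        ("203.0.113.10", {}),
    ]
    for peer, hdrs in samples:
        print(peer, accept_request(peer, hdrs))
```

Where possible, apply the same range restriction at the network firewall or security group as well, so that traffic from outside the CDN ranges never reaches the origin's listener.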

While these measures are well-documented, their implementation remains inconsistent. Zafran emphasizes, “Misconfigurations of security tools can have an extremely serious effect, as enterprises walk around with a false sense of security.”
