Exposing Sensitive Data: A Journey into CDN Path Traversal Vulnerabilities

1. Introduction

In the digital landscape, the security of web applications is of paramount importance, especially when they handle sensitive data. Many websites rely on Content Delivery Networks (CDNs) like Amazon S3 to store and distribute content efficiently. However, improper configuration or validation can lead to serious vulnerabilities. In this post, I will share how I discovered a path traversal vulnerability on the website that exposed sensitive internal files stored on their CDN.

2. What is a CDN?

A Content Delivery Network (CDN) is a geographically distributed network of servers designed to deliver content to users more efficiently. CDNs are used to improve website performance, availability, and security by caching content closer to the user’s location, thus reducing load times and latency. Typical content stored on CDNs includes static assets like images, videos, CSS, JavaScript files, and other types of media.

2.1 Why CDNs Are Used

1. Performance Enhancement: CDNs cache content closer to the user’s location, reducing the distance data needs to travel and thereby speeding up load times.
2. Scalability: By distributing the load across multiple servers, CDNs help websites handle large amounts of traffic without overloading a single server, ensuring continuous availability.
3. Security: CDNs offer additional security layers, including protection against DDoS attacks and the ability to secure connections, which help safeguard web applications from potential threats.
4. Cost Efficiency: Offloading traffic to CDN servers can significantly reduce bandwidth costs and alleviate the load on the primary servers, making operations more cost-effective.

2.2 How CDNs Can Become Vulnerable

While CDNs provide numerous benefits, they can become vulnerable if not configured correctly:

1. Path Traversal Vulnerabilities: Attackers can exploit poorly sanitized URLs to navigate through directories and access files that should remain private.
2. Improper Access Controls: Without adequate restrictions or authentication, CDN content may become accessible to unauthorized users.
3. Misconfigured Permissions: Overly permissive settings on files stored in the CDN can expose sensitive data to the public, accessible to anyone with the correct URL.
4. Exposure of Directory Listings: If the CDN is configured to expose directory listings, attackers can browse through available files and identify potentially sensitive content.

3. How I Discovered the Vulnerability

During a routine assessment, I noticed that various resources, such as images, were hosted on their CDN.

Here’s a step-by-step breakdown of how I identified the vulnerability:

3.1 Initial Observation

While exploring the application, I noticed the website was built with a significant number of images and other static resources. Curious about how these assets were being managed and served, I decided to delve into the source code to understand their storage and delivery mechanism.

3.2 Source Code Analysis

By examining the source code, I observed that the images and other resources were being served from a CDN, with URLs structured in a specific way. These URLs appeared as follows:

https://cdn.xxxxxx.com/cover/organization/ORG20230388182306657Of8IXXQA/facilities/FC202303881823oN2QFC202303881823oN2Q/RUHubP22-desktop_icon.jpg

This structure indicated a hierarchical organization of files, which piqued my interest to see if it could be manipulated to access other files on the CDN.

3.3 Path Traversal Attempt

To explore further, I began experimenting with the URL paths by removing segments to see if any additional content could be revealed. This is a common technique used to check for directory listings or other files that might not be intended for public access.

• Removing the File Name: I started by removing the file name RUHubP22-desktop_icon.jpg:

https://cdn.xxxxxx.com/cover/organization/ORG20230388182306657Of8IXXQA/facilities/FC202303881823oN2QFC202303881823oN2Q/

This resulted in an error message stating, “No such data and The specified key does not exist.”

• Continuing Up the Path: I continued to remove segments of the path one by one:

https://cdn.xxxxxx.com/cover/organization/ORG20230388182306657Of8IXXQA/facilities/

• Each time, I encountered the same error until I finally reached:

https://cdn.xxxxxx.com/

• At this point, I discovered a directory listing of files stored on the CDN.

3.4 Accessing Sensitive Files

At first, I thought I could only see basic details like the path, last modified time, and size of the files, which seemed to have limited impact. However, as I scrolled down the list, I noticed several PDF files that appeared to be related to payment invoices. Intrigued, I copied one of the paths and pasted it into the URL to see if I could access the actual content of the PDF.

To my surprise, the PDF loaded successfully, revealing sensitive information including purchase amounts, bank details, and other financial data. This demonstrated that the vulnerability had a significant impact, as it exposed critical financial documents that should have been kept private.

4. The Impact

The implications of this vulnerability are significant. By exploiting the path traversal issue.

• Exposure of Sensitive Data: Confidential files like invoices and financial details were accessible, leading to potential breaches of privacy and security.
• Privacy Violations: Personal and financial information could be exposed, risking non-compliance with data protection laws like GDPR and CCPA.
• Financial Loss and Damage to Reputation: Access to sensitive documents can result in financial fraud and harm the organization’s reputation, leading to loss of customer trust.
• Risk of Further Attacks: Exposed data can be used to conduct targeted attacks such as phishing or social engineering, increasing the overall security risk.
• Competitive Disadvantage: Confidential business information can be exploited by competitors, undermining the company’s competitive position.

5. Conclusion

This vulnerability highlights the critical need for robust security measures when configuring CDNs and cloud storage. Organizations should enforce strict access controls, validate URL paths to prevent traversal, and regularly audit their storage configurations. Properly securing these elements can prevent unauthorized access to sensitive data and protect both the organization and its users.

6. References

• Amazon S3 Documentation: Amazon S3 Security Best Practices
• OWASP Path Traversal Guide: OWASP Path Traversal
• Content Delivery Network Security: CDN Security Practices

About the Author

Sulman Farooq S is a passionate cybersecurity enthusiast with over three years of experience in penetration testing. He specializes in network, web application, mobile application, and API penetration testing. Follow me on Medium for more insights into cybersecurity and vulnerability assessments.

Stay vigilant and keep your applications secure! Happy (ethical) hacking! 😊😊😊