By now we’re all aware of the breach at Capital One, which affected nearly 106 million U.S. and Canadian residents, due to an attacker bypassing a web application firewall (WAF) Capital One was using as part of its operations in the cloud. In a nutshell, the attacker was able to trick the WAF into sharing credentials with access to Capital One’s AWS operations, thus leading to the data breach. The WAF possessed excessive permissions – enough to view and copy information behind it in AWS S3 buckets.
Specifically, consensus has emerged that this is a Server-Side Request Forgery (SSRF) attack. Our aim here is not to conduct an attack post-mortem but rather think about how to best move forward. For a thorough, digestible review of the attack, please read Brian Krebs' excellent write up.Read more »