Zafran Uncovers Widespread WAF Vulnerability at Fortune 1000 Companies

Researchers from Zafran have identified a critical misconfiguration in Web Application Firewalls (WAF) from major providers, including those from Akamai, Cloudflare, and Imperva. The vulnerability impacts more than 140,000 domains belonging to some of the world's largest companies, such as JPMorganChase, Visa, and Intel.

The findings in the report expose weaknesses in security controls that leave web applications vulnerable to severe cyberattacks, including Distributed Denial-of-Service (DDoS) and data breaches.

Zafran researchers pinpointed a systemic flaw in how WAFs, often used as both security tools and Content Delivery Networks (CDNs), are configured. The misconfiguration stems from a lack of proper validation between backend web applications (origin servers) and the CDN layer. As a result:

• Attackers can bypass WAF protections, accessing backend servers directly.
• Threat actors can exploit these gaps to launch DDoS attacks, steal sensitive data, and even compromise entire systems.

Among 8,000 domains mapped to 36,000 backend servers, the misconfiguration impacts 40% of Fortune 1000 companies' critical infrastructure, highlighting a widespread security blind spot.

JPMorganChase's primary website (chase.com) was identified as vulnerable, but the company quickly addressed the issue following Zafran's disclosure.

For Berkshire Hathaway Subsidiary, researchers demonstrated the vulnerability by executing a 20-second DoS attack on a domain owned by BHHC, proving the ease with which attackers could exploit this flaw.

Other high-risk industries, such as financial services and healthcare, remain highly exposed, with the cost of DDoS attacks for financial organizations estimated at $1.8 million per incident.

The root of the issue lies in how CDN/WAF providers handle traffic routing and validation:

• Origin servers fail to restrict access to traffic originating only from approved CDNs, making them directly accessible over the internet.
• This architectural flaw allows attackers to easily map backend IP addresses and exploit them, often bypassing security layers entirely.

This vulnerability mirrors past high-profile breaches, such as the Capital One incident, and aligns with tactics used by advanced persistent threat (APT) groups like APT41.

Zafran recommends several measures to address this critical WAF misconfiguration, including:

• IP Whitelisting: Restrict access to origin servers to only the IP addresses of trusted CDN providers.
• Custom HTTP Headers with Shared Secrets: Use pre-shared secrets to validate requests from the CDN to the origin server.
• Mutual TLS (mTLS): Implement client-side certificates for stronger authentication between the CDN and the origin server. While mTLS offers the most secure option, it requires custom tooling and is not yet supported by all load balancers.

Organizations using WAF/CDN solutions must urgently evaluate their configurations to ensure backend servers are not exposed. Zafran has also integrated these findings into its Threat Exposure Management platform, enabling customers to assess and prioritize remediation efforts.

For cybersecurity professionals, the research serves as a reminder of the importance of securing public-facing web applications. As businesses continue to rely heavily on the internet for operations, ensuring the integrity of WAF protections is critical to mitigating potentially catastrophic attacks.

WAFs are critical to protecting web applications, but their effectiveness relies on proper configuration. Without robust safeguards, even the best security solutions can leave organizations "walking naked and exposed."

Zafran has also offered a technical blog offering a deeper dive on the technical challenges of uncovering the findings.

A few snippets from the technical blog:

• The misconfiguration can allow threat actors to bypass WAF protections and directly target web applications and load balancers over the Internet. By doing so, attackers may perform DDoS attacks on exposed web applications, or alternatively exploit vulnerabilities in the apps themselves that would have otherwise been identified or blocked by the WAF. The misconfiguration stems from an architectural weakness of WAF providers that also act as CDN providers. In the architecture of such CDN/WAF services, protected web applications are instructed to validate Internet traffic routed to them originated by the CDN/WAF provider. Failure to do so may lead to the discovered bypass.
  

• As we'd like to discover all CDN-related domains that belong to Fortune 1000 companies, with a huge list of domains in hand we now need to check each of them and classify whether the domain points to a CDN server, and to which one. We identified a few techniques to identify and classify domains that point to CDN servers:

  • Resolve the domain (via DNS), and check whether the ASN of the IP (the name of the IP range) is owned by a CDN provider (not all of the CDN's ASNs are owned by the CDN providers, but many are).
  • Use the results from a DNS resolution of the domain in additional ways; for instance, it's possible to look at substrings of the domains in the CNAME chains (like *.akamaiedge.net from the dig example in the section below, given for images.jpmorganchase.com).
  • Send an HTTP request to the suspected CDN server, and fingerprint its response.

• After mapping, verifying, and cleaning the data, we were able to find interesting results about the vulnerability of Fortune 1000 companies to the WAF bypass misconfiguration.

  Out of Fortune 1000, we have mapped domains of 670 companies. For these companies 2367 exposed Origin Servers were identified. Among them, 2028 domains belonging to 135 different Fortune 1000 companies are assessed with high confidence to have at least one impacted domain/server.



  It is worth noting that the WAF bypass bug seems to be especially a concern for very large companies placed at the top of the Fortune 1000 list. For example, the first 100 companies of the list represent 35% of the potentially impacted ones. Likewise, companies with over $50 billion annual revenue are over-represented among the affected organizations.

• Summary: This research uncovered the wide spread of misconfigured security tools, that are considered the best type of protection for web-applications—CDN-based WAFs.

  While this research included some novel techniques for identifying Origin Servers, and mapping them to CDN-protected domains, the weakness of CDN-based WAFs is actually well known in the industry for almost 10 years. An article by Imperva from 2015 (!!!) details methods of protecting Imperva customers from this type of bypass.

  Nevertheless, it seems the architectural weakness of CDN/WAFs have created a long-lasting misconfiguration issue that doesn't seem to be going away anytime soon.


  ‍Misconfigurations of security tools can have an extremely serious effect, as enterprises walk around with a false sense of security, while gaping holes might be lurking in their "defense-in-depth" strategy. Further analysis of similar systemic issues are required to strengthen the walls.