Blog | G5 Cyber Security

Capital One’s Breach May Be a Server Side Request Forgery

Capital One’s massive data breach is under intense scrutiny and is causing fear among other companies. An intruder may have leveraged a server-side request forgery (SSRF), a type of web application vulnerability that security blogger Brian Krebs wrote about on Friday. The criminal complaint against Paige A. Thompson, the accused intruder, alleges she bypassed a misconfigured Capital One firewall and obtained administrative credentials for an account described as *****-WAF-ROLE. That account had enough privileges to view and copy data behind the firewall.

Source: https://www.cuinfosecurity.com/capital-ones-breach-may-be-server-side-request-forgery-a-12871
