Akamai ARL security issue

Basically, an attacker can perform a phishing web page or even reflected XSS with this attack.

If you want to try it:

  1. Blog: Hacking naked Akamai ARL at scale :: War + Code - hacking, software security, devops/devsecops, automation
  2. Tool: GitHub - war-and-code/akamai-arl-hack: Script to test open Akamai ARL vulnerability.

Is it impacting all the sites hosted in Akamai, or is it specific to V1/V2 ARLs?


Not all websites in Akamai are vulnerable. Only some old Akamai servers.

Sites that look like this are vulnerable:

Error in dev tools looks like this:


So what would be the best remediation we can suggest for this?


Quoting the Akamai Community link:

As noted in prior communications, the use of V1/V2 ARLs is a security risk since it can be exploited by attacks such as cross-site scripting. In 2016, Akamai disabled the use of V1 ARLs with certain exceptions (see V1 ARL + Metadata Behavior Change - Starting Feb 12, 2016). We are currently planning to start blocking all existing use of V1 ARLs starting Aug 10, 2021.

So basically after August 10 this issue won’t be valid. Thanks @Edi26 for asking this. We love your engagement in this community.