CDN-WORKER-COMPROMISEInitial Access

Cloudflare Worker / Edge Function Compromise

Compromised account or leaked Cloudflare API token deploys an attacker Worker — sees every customer request, can rewrite responses on the fly.

§ Where this technique fits

CDN-WORKER-COMPROMISE is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

Cloudflare account compromise → Worker rewrite → mass cred theft
Phish a Cloudflare account belonging to a popular site operator. Deploy a Worker that injects JS into every response — captures form posts (logins, payments) for the duration the operator doesn't notice.
step 2 / 6

§ What commonly comes next

01
Stored XSS
W-XSS-STORED · Impact
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

Cloudflare account compromise → Worker rewrite → mass cred theft

§ What commonly comes next