How I was Able To bypass CloudFlare WAF

CharuDutt
3 min read · Aug 1, 2020


Hey guys, I was doing a penetration test for a private company. I prefer manual pentesting over tools. At the time, the company was using the Cloudflare WAF. As a penetration tester, you feel like your inputs are not working and you haven’t found a single bug: your inputs are being blocked by the WAF.

WHAT EXACTLY IS CLOUDFLARE, AND HOW CAN YOU DETECT WHETHER A WEB APPLICATION USES IT?

Cloudflare is a CDN service that improves user experience through web page speed and application performance. Cloudflare is an all-in-one package: analytics, DDoS prevention, CDN, DNS, security firewall, optimizer, etc. In short, Cloudflare makes the web application faster and protects it from attackers.

Image captions: “Detected CDN Cloudflare”; “Simple Cloudflare explanation”.

However, as infrastructure and DNS records grow and configurations are modified, keeping the origin hidden becomes harder.

BEHIND THE SCENES OF CLOUDFLARE

When a company uses Cloudflare, it hides the original server. So the malicious payloads or files an attacker tries to execute against the main app go through Cloudflare, and as a result they get blocked. Even if you try with the IP address, it will show you “Direct Access is not allowed”.

Ping targetwebsite.com and it will give you an IP address for the website (the Cloudflare edge, not the origin). Now try to access the website directly using this IP, and you will get the following error:

HOW TO BYPASS CLOUDFLARE?

What happens if you can reach the origin server directly, without going through Cloudflare’s protection? Then the app has no protection from Cloudflare’s firewall, and we can test for vulnerabilities like XSS and SQLi.
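The point of the paragraph above is that the origin stays protected only while every request passes through the edge; a check that answers “Direct Access is not allowed” to direct hits has to live on the origin itself. The following is an added example, not code from the post, of that gate in Python: the origin admits a request only when the TCP peer falls inside the edge’s address ranges, and only then believes the client-address header the proxy adds. The address ranges and sample addresses are constructed placeholders (a real origin loads the provider’s published edge ranges and refreshes them); the header name CF-Connecting-IP is the one Cloudflare uses for the real client address.

```python
"""Origin-side gate for a CDN-fronted application (added example)."""
import ipaddress

# Constructed placeholder edge ranges. A real origin loads the provider's
# published list and refreshes it on a schedule; nothing here is a real range.
TRUSTED_EDGE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def from_edge(peer_ip, ranges=TRUSTED_EDGE_RANGES):
    """True if the TCP peer that connected to us sits in one of the edge ranges."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr.version == r.version and addr in r for r in ranges)


def gate(peer_ip, headers, ranges=TRUSTED_EDGE_RANGES):
    """Decide whether the origin serves a request.

    Returns (status, client_ip). A peer outside the edge ranges is a direct
    hit that skipped the WAF, so it gets 403 regardless of what headers it
    sends: the client-address header is only believed once the peer has been
    verified, because anyone talking to the origin directly could forge it.
    """
    if not from_edge(peer_ip, ranges):
        return 403, None
    client = headers.get("CF-Connecting-IP")
    try:
        return 200, str(ipaddress.ip_address(client))
    except (TypeError, ValueError):
        # Edge peer but no usable client header: refuse rather than guess.
        return 400, None


if __name__ == "__main__":
    # Constructed requests: one through the edge, one straight at the origin
    # with a forged header, one from the edge with the header missing.
    samples = [
        ("203.0.113.7", {"CF-Connecting-IP": "198.51.100.200"}),
        ("198.51.100.200", {"CF-Connecting-IP": "203.0.113.7"}),
        ("2001:db8:1::9", {}),
    ]
    for peer, hdrs in samples:
        print(peer, "->", gate(peer, hdrs))
```

An address allowlist is a floor, not a ceiling: where the provider offers origin authentication with client certificates (Cloudflare calls it Authenticated Origin Pulls), a request that arrives without the edge’s certificate is rejected even if the allowlist has gone stale.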

“Remember: recon is the key”

There are many ways to bypass Cloudflare; you can just Google them.
Here I am going to share how I was able to bypass it!!

Let’s Begin,

First I used all the tools available on the Internet:

  1. CloudFlare
  2. CloudUnflair
  3. CloudBypass
  4. CloudFlareBypass

“But Nothing Worked!!”

Completely frustrated. Nothing was working. Fucked up!!

Then I thought: why not check the MX record!!

https://mxtoolbox.com/

What is an MX record?

A mail exchanger (MX) record specifies the mail server responsible for accepting email messages on behalf of a domain name.

BOOM ORIGIN IP Disclosed
“I WAS LIKE”

Then I started running my payloads, and the server was completely naked. No WAF.

Why was MxToolbox showing the real IP of the server?

— Vulnerability found: misconfigured SPF records… An SPF record lists the addresses allowed to send mail for the domain; if that list includes the web server itself, the origin address sits in a public DNS record.
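The finding above (public mail records pointing at the web server’s own address) is something the domain owner can check for straight from the zone’s own records, with no scanning at all. The following is an added example in Python, not the post’s code or any of the tools it names: it expands a domain’s SPF record (ip4/ip6, a, mx and include mechanisms) and resolves its MX hosts, then reports every published record that covers an address you know to be your origin. The two zones and every name and address in them are constructed placeholders, and lookups run against an in-memory dictionary so the script works offline; replacing lookup() with real DNS queries is the one change a live audit would need.

```python
"""Audit public mail records (SPF, MX) for addresses that expose the web origin.

Added example; all zones, names and addresses are constructed placeholders.
"""
import ipaddress

# A zone where the web origin also sends and receives mail: its real address
# appears in the SPF record and behind the MX host. (Constructed sample.)
LEAKY_ZONE = {
    "example.com": {
        "A": ["203.0.113.10"],                 # proxied name: resolves to the CDN edge
        "MX": ["10 mail.example.com."],
        "TXT": ["v=spf1 ip4:198.51.100.25 a mx include:_spf.mailvendor.example -all"],
    },
    "mail.example.com": {"A": ["198.51.100.25"]},   # same box as the web origin
    "_spf.mailvendor.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
}

# The same domain after moving mail to a dedicated host and dropping the
# origin's address from SPF. (Constructed sample.)
HARDENED_ZONE = {
    "example.com": {
        "A": ["203.0.113.10"],
        "MX": ["10 mail.example.com."],
        "TXT": ["v=spf1 mx include:_spf.mailvendor.example -all"],
    },
    "mail.example.com": {"A": ["198.51.100.80"]},
    "_spf.mailvendor.example": {"TXT": ["v=spf1 ip4:192.0.2.0/24 -all"]},
}

ORIGIN_IPS = ["198.51.100.25"]   # the address that must never be published


def lookup(zone, name, rtype):
    """Stand-in for a DNS query; a live audit would replace this one function."""
    return zone.get(name.rstrip("."), {}).get(rtype, [])


def spf_terms(zone, domain, depth=0):
    """Yield (network, source) for every address the SPF record of `domain` authorises."""
    if depth > 10:          # RFC 7208 limits lookups; this also stops include loops
        return
    for txt in lookup(zone, domain, "TXT"):
        tokens = txt.split()
        if not tokens or tokens[0] != "v=spf1":
            continue
        for term in tokens[1:]:
            mech, _, arg = term.lstrip("+-~?").partition(":")
            if mech in ("ip4", "ip6"):
                yield ipaddress.ip_network(arg, strict=False), f"spf:{mech}@{domain}"
            elif mech == "a":
                for ip in lookup(zone, arg or domain, "A"):
                    yield ipaddress.ip_network(ip), f"spf:a@{domain}"
            elif mech == "mx":
                for mx in lookup(zone, arg or domain, "MX"):
                    for ip in lookup(zone, mx.split()[-1], "A"):
                        yield ipaddress.ip_network(ip), f"spf:mx@{domain}"
            elif mech == "include":
                yield from spf_terms(zone, arg, depth + 1)


def origin_leaks(zone, domain, origin_ips=ORIGIN_IPS):
    """Return {network: [sources]} for every published record that covers an origin address."""
    origins = [ipaddress.ip_address(ip) for ip in origin_ips]
    found = {}
    for net, src in spf_terms(zone, domain):
        found.setdefault(net, set()).add(src)
    for mx in lookup(zone, domain, "MX"):
        host = mx.split()[-1].rstrip(".")
        for ip in lookup(zone, host, "A"):
            found.setdefault(ipaddress.ip_network(ip), set()).add(f"mx:{host}")
    return {
        str(net): sorted(srcs)
        for net, srcs in found.items()
        if any(o.version == net.version and o in net for o in origins)
    }


if __name__ == "__main__":
    for label, zone in (("leaky", LEAKY_ZONE), ("hardened", HARDENED_ZONE)):
        print(label, origin_leaks(zone, "example.com"))
```

The “a” mechanism also picks up the proxied name’s address, which is the edge and is fine to publish; the audit only reports networks that contain an origin address. The fix is either moving mail to a host that is not the web origin (the hardened zone) or, where that is not possible, treating the address as public and locking the origin down to edge traffic.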

XSS payload to bypass Cloudflare:

for(t?c.outerHTmL=o:i=o='';i++<1024;o+=`<code onclick=this.innerHTmL='${M(i)?'*':n||'·'}'>#</code>${i%64?'':'<p>'}`)for(n=j=0;j<9;n+=M(i-65+j%3+(j++/3|0)*64))M=i=>i>64&i<960&i%64>1&C(i*i)>.7

javascript:{alert '0' }

This is how I bypassed the Cloudflare WAF!! And the pentesting journey continued, to find more vulnerabilities on the server…

Happy Hacking

CONCLUSION:

  • Cloudflare is a great cloud security tool, offering WAF/DDoS protection by hosting your DNS and hiding the true IP of your domains
  • Cloudflare requires proper configuration and maintenance to be at its most effective
  • Server IPs may still be exposed if a domain was moved to Cloudflare from a “direct IP” DNS provider
  • Subdomains that are not proxied through Cloudflare often expose DNS records that enable bypass attacks.

There are probably many other ways to perform this bypass, and now that you get the idea, feel free to send me your tips in the comments or via Twitter. I will be more than happy to add them to my blog.

Thank You


Written by CharuDutt

Independent Bug Bounty Hunter,👩‍💻@Cyber-Security Engineer 👾@Ethical Hacker
