Bypassing Cloudflare WAF to get more vulnerabilities


Bypassing Cloudflare WAF to get more vulnerabilities

Hey guys,

If you have been doing penetration testing or bug bounties for some time now, then you must have come across applications which uses Cloudflare as their Content Delivery Network(CDN). As a new bug bounty hunter or penetration tester, you must be feeling kind of frustrated when any XSS Payload you provide leads to a security page or you get blocked by Cloudflare’s Web Application Firewall in place there.

What exactly is Cloudflare and how can you detect which web application uses it?

CloudFlare is a useful tool to enhance site performance, accelerate the access speed and improve the visitors’ experience. It is a CDN, DNS, Security(Web Firewall), Optimer, Analytics etc. all in one package. In a simple way, you can say that Cloudflare makes the application loading time faster and saves it from attacks such as SQLi and XSS to save your users from being hacked. If you are unsure about how to check if a web application is using Cloudflare, you can simply use an extension such as Wappaylzer which shows the different technologies, Frameworks, CDN’s the application is using. You can download it from here if you don’t have this or any other extension like it.  Its usage is pretty simple. This is how it will look like when you browse an application which uses Cloudflare as CDN.

This is how it will look when you see the Extension for a particular app using Cloudflare. There are other ways too and we will get to that eventually. Now if you try to use your normal XSS payload, you are either going to get the Captcha Security Box every time or on doing it constantly you will be blocked from further interaction with the app on that IP. Not only this, scanning and spam messages or emails will also lead to problematic issues for as a penetration tester.

What’s actually happening behind the scenes?

When a company uses Cloudflare, what happens is that Cloudflare sits in between you and the web application original server. So any malicious payloads or files which you try to execute on the main app goes through Cloudflare and as a result it blocks you. Not only this, even if you get the IP address and try to access the app using this IP, it will show that “Direct Access is not allowed”. Below is the image of a target which uses Cloudflare. Use the below command to get the IP being used

ping target.com

This is where Cloudflare is hosting your application. Any time you insert your payload, it goes here. Now just try to directly access the app using this IP and you will get the following error:

So is there any way out of it?

Yes, of course, there is. Think of what will happen if you could just access the Origin Server directly without going through Cloudflare’s protection? Then the app will have no protection via Cloudflare’s firewall and we can now test for various vulnerabilities like XSS and SQLI.

Let’s see some of the tools and methods which can help us to access the Origin Server directly.

1.Crimeflare:

You can access the application here. This applications work is solely based to determine the Directly Accessible server for that application i.e the origin server. They have maintained a database and a zip file containing the name of all the services which use Cloudflare and who is sitting behind this Cloudflare’s service. You will be able to see a search box at the bottom of the page. Once you enter the website’s name and Crimeflare comes up with a Direct Connection IP, then you can be almost sure that it’s the Origin Server. We are using “almost” here because many times the results produced are that of the target’s subdomain instead of the main domain, so you have to further verify from the other methods we are going to talk about. On the other hand, if you didn’t get any information on the Origin Server from here move to the other methods.

A sample demonstration for Bugcrowd.com which uses Cloudflare and how you can get the Origin Server.

2.Censys:

The website itself says that it’s a tool to find and analyze every reachable server on the internet. This tool comes in very handy during the Recon process of a penetration test or Bug Bounties as we can get different types of information from here about the target. But this is also helpful in this case where we have to find the Origin Server for an application using Cloudflare.

If you just enter the target’s name in the search box, it will come up with the IP’s of that target and mostly the origin server is in those. Let’s say for example Bugcrowd here.

https://censys.io/ipv4?q=bugcrowd.com

This is what the URL looks like and it’s giving a lot of results because the application might be using multiple hosts so you need to work a little harder.

3.Security Trails:

It is actually a repository of historical DNS data and you can get the origin server’s IP by looking at this data. Just like before, enter the application name in the search box and it will give you a whole lot of information. On the left side, you will find 4 rows. Go to Historical Data in there and see the ‘A’ field which will reveal all the IP’s related to the target.

4.Netcraft:

This website contains the history of hosting records for different websites. It can also be used if the other previous methods are not working. There is an extension for Netcraft which you can install to keep a look at the target’s different info which you can get from here.

What to do after we got the Origin Server?

Now there are 3 things which you can do now.

  1. Directly access the app through the real IP.
  2. Add the entry in the /etc/hosts file. In Windows, you can access this file from c:\windows\system32\drivers\etc\ hosts. Add the entry in it. In Linux, you can just do cd /etc to go to the /etc directory and then do nano hosts or vi hosts, whichever you like and add the entry like this.

    The OriginServer one was our new entry. You can use the same format on both Linux and Windows. Now when you do this, if you now try to go to the target application, it won’t go through the Cloudflare’s servers and directly access the application.

  3. Instead of option 2, you can also choose to override the DNS resolver for this project if you are using Burpsuite while Testing. It will do the same thing but it’s probably better because you just want to do it for this pentesting project and not for every time.To do this, go to the Project Options -> Hostname Resolution. Add the entry there. Just see the below screenshot in which I have added the Hostname and the IP address and this will override our computer’s DNS resolution which always takes us to the Cloudflare’s server.

When to think of bypass?

These methods are not 100% full proof and there are many more methods to bypass Cloudflare’s protection. dig and ping are especially useful in this cases. But when should you start looking for a bypass. Don’t just start looking for a bypass just after seeing that the application is using a Cloudflare’s CDN. First know, if the firewall is blocking your payloads. Cloudflare won’t possibly block you for every testing. Like it won’t if you check for Access Control and IDOR’s. It is up to the applications internal code how it handles that. Cloudflare will mostly block you for XSS, SQli injections, DoS, and DDoS attacks primarily, spamming etc. And many times even if you find the real IP and you go there it may behave in a weird manner or they may have taken extra measures in advance, so don’t lose hope. But from the next time you find an application using Cloudflare, you can definitely follow the methods mentioned in the post and you can also find some other ways if you search the internet. Try this and let us know your success stories.

HAPPY HACKING until then. !!!

Blogger
I am the one who publishes all the blogs for ENCIPHERS :-)