Monday, October 10, 2016

[RESEARCH] Cloudflare Can Be Bypassed

About two years ago, the CEO of Cloudflare (a cloud-based Content Delivery Network, CDN) visited Hong Kong to promote its services after an unofficial referendum site (hosted by an anti-government party), which was protected by Cloudflare, came under a DDoS attack with about 400GB of traffic. Since that day, Cloudflare has been well known to all anti-government parties in Hong Kong, and most of their websites are now protected by it.

This cloud-based CDN service provides DDoS protection, and the real IP addresses of the websites are hidden on purpose. Cloudflare has free and paid plans. The paid plan is equipped with a Web Application Firewall (WAF). However, this plan is not cheap, so some of the anti-government websites are not on it.

When you google the keyword "cloudflare bypass", it returns a lot of pages that describe how to find the real IP address of websites protected by Cloudflare. However, most websites are configured not to present their content properly when browsed by IP address. Therefore, finding the real IP address of the website is not a way to bypass Cloudflare unless you want to attack the web server instead of the web application. Meanwhile, finding the real IP address of the web servers is not easy, as it has been hidden properly recently.

To pentest those sites, you cannot use web vulnerability scanners that lack a WAF evasion feature, as they will be blocked. WAF evasion features for scanners are not common in the market, so you need to pentest those sites manually. Once you find something interesting and suspect it is vulnerable to SQL injection, you need to confirm it with an SQLi takeover tool, such as SQLMap. Whether you are pentesting manually or with SQLMap, you need WAF evasion skills to complete the work.

Meanwhile, WordPress is very popular in Hong Kong too. If the target is a WordPress site, make sure you do not use WPScan to scan it, as your IP address will be banned for sure. Once your IP address is banned, you have no way to do the pentesting.

I conducted research on bypassing Cloudflare with SQLMap, and it was successful with a WAF evasion technique. Whether it is the free or the paid plan, Cloudflare can be bypassed for sure. I am not working for Cloudflare and I do not want to get any bounty. Therefore, I am not going to share my detailed research here, as it will alert Cloudflare to improve their WAF when it is disclosed. I am sure that some other researchers out there have already bypassed Cloudflare too. Meanwhile, other OWASP Top 10 items and other cloud-based WAFs were not tested in this research.



That's all! See you.