Hey guys, I was doing Penetration testing for the private company. I am used to of manual testing instead of tools. At that time, the company had used Cloudflare WAF. As a penetration tester, you fill like your inputs are not working and you haven’t found a single bug. Your inputs are going to block by WAF.
WHAT EXACTLY IS CLOUDFLARE AND HOW CAN YOU DETECT WHICH WEB APPLICATION USES IT?
Cloudflare is a CDN service that helps to improve user experience in form of web page speed and performance of web application. Cloudflare is all in one package such as Analysis, CDN, DNS, Security firewall, Optimizer, etc. In short, You can say Cloudflare gets a faster result and secure the web application from the attackers.
BEHIND THE SCENSE OF CLOUDFLARE
When a company uses the Cloudflare, It hides the original server. So, an attacker tries malicious payloads or files which you try to execute on the main app goes through Cloudflare and as a result, it blocks in the result. Even if you try with an IP address, It will show you “Direct Access is not allowed“.
Ping targetwebsite.com It will give you IP address of website. Now just try to directly access the app using this IP and you will get the following error:
HOW TO BYPASS CLOUDFLARE? what will happen if you could just access the Origin Server directly without going through Cloudflare’s protection? Then the app will have no protection via Cloudflare’s firewall and we can now test for various vulnerabilities like XSS and SQLI.
1.SECURITY TRAILS It is a repository of DNS data. It may you get the result from the data. enter the application name in the search box and it will give you a whole lot of information. On the left side, you will find 4 rows. Go to Historical Data in there and see the ‘A’ field which will reveal all the IP’s related to the target. You can visit Security Trails
2.NETCRAFT Netcraft extension which you can install to keep a look at the target’s different info which you can get from here. It is similar to Security Trails.
3.CRIMEFLARE You can access the application here. Crimeflare has maintained a database and a zip file containing the name of all the services which use Cloudflare and who is sitting behind this Cloudflare’s service. You will be able to see a search box at the bottom of the page.
As an example, Bugcrowd.com which uses Cloudflare and how you can get the Origin Server.