Cloudflare origin server

What is Cloudflare? In short: Content Delivery Network (CDN), Web Application Firewall (WAF) and cherry/icing on the cake, 1 year go Cloudflare released a fast DNS resolver. With 4 pricings and more than 16M Internet properties, Cloudflare is now one of the most popular firewall used for web applications. Working as a reverse proxy the WAF does not only offer a protection against DDOS but can also trigger an alert/error when he detects an attack. But what if you can bypass all these protections in a second making the defense useless?

Note that what is following is probably relevant for any kind of Web Application Firewall.


Regarding the most popular attacks against web applications, Cloudflare offers a protection from SQLi, XSS and CSRF. Unfortunately the WAF is not available for free account (for payed account it has to be manually enabled) and the customization of the rules is only available for Business and Entreprise account. This means that even if your target is using Cloudflare to spread the content, it’s not necessarily protected against such vulnerabilities by their web application firewall. Plus, while the WAF is pretty good to block basic payloads, many bypass already exist and new ones pop out every days. At the exact moment I am writing this article:

cloudflare lastday

As a hacker bug bounty hunter it’s obvious that it could be very interesting to get ride of the firewall. For that, you basically have 3 options:

  • Customize your payloads in order to bypass the rules in place. It can be interesting to improve your skills about firewall bypass but it can be a tedious and very long task, which is not something you can’t afford when you’re a bug hunter, time is prime! You better try crazy payloads listed in PayloadsAllTheThings or search on Twitter.
  • Alter the requests in a proper way to disrupt the server. Same as first option, it can be time consuming, requires patience and good fuzzing skills. Soroush Dalili wrote a nice presentation which could help to create such requests by Using HTTP Standard and Web Servers’ Behaviour.
  • Get around Cloudflare by finding the origin IP of the web server. Probably the easiest option, no technical skills required, it’s also part of the recon process so no time wasted. As soon as you get it you don’t have to worry anymore about the WAF or the DDOS protection (rate limit).

In this in this article, I’m going to focus on the last option and how to achieve it based on tips grabbed here and there.

Reminder: Cloudflare is only a tool that has to be setted by humans, usually developers or system administrators. Cloudflare is not responsible of the misconfiguration that could lead to successful attacks performed using the methods described below.

Recon, recon, recon

The idea is to start your normal recon process and grab as much IP adresses as you can (host, nslookup, whois, ranges…), then check which of those servers have a web server enabled (netcat, nmap, masscan). Once you have a list of web server IP, the next step is to check if the protected domain is configured on one of them as a virtual host. If not, you’ll get the default server page or the default website configured, if yes then you found the entry point! Using Burp:

Subdomain I’m looking for, wrong IP address:
cloudflare burp suite wrong ip

Wrong subdomain, good IP address:
cloudflare burp suite wrong subdomain

Subdomain I’m looking for, good IP address, perfect!
cloudflare burp good

Some tools that could help you in this task:


If your target has a SSL certificate (and it should!), it’s registered in Censys database (I strongly recommend to subscribe). Choose “Certificates” in the select input, provide the domain of your target, hit <enter>.

You should see a list of certificates that fit to your target:
cloudflare censys results

Click on every result to display the details and, in the “Explore” menu at the very right, choose “IPv4 Hosts”:
cloudflare censys certificate details

You should be able to see the IP addresses of the servers that use the certificate:
cloudflare censys certificate ipv4

From here, grab all IP you can and, back to the previous chapter, try to access your target through all of them.

Mail headers

Subscribe the newsletter, create an account, use the function “forgotten password”, order something, in a nutshell do whatever you can to get an email from the website you’re testing (note that Burp Collaborator can be used). Once you get an email, check the source, specially the headers. Record all IPs you can find there as well as subdomains that could possibly belong to a hosting service. And again, try to access your target through all of them.

The value of header Return-Path worked pretty well for me:
cloudflare mail headers

Test using Curl:
cloudflare curl test

Another trick is to send a mail from your own mailbox to a random (non existing) email address If the delivery fails, you should receive back a notification. Thanks to @_3P1C.

XML-RPC Pingback

Very famous in Wordpress, the XML-RPC (Remote Procedure Call) is a tool that allows an administrator to manage his blog remotely using XML requests. A pingback is the response of a ping. A ping is performed when a site A links a site B, then the site B notifies the site A that he is aware of the mention, this is the pingback.

You can easily check if it’s enable by calling, you should get the following: XML-RPC server accepts POST requests only.

According to WordPress XML-RPC Pingback API, the functions takes 2 parameters sourceUri and targetUri. Here is how it looks like in Burp Suite:

cloudflare xmlrpc

Thanks to @Rivitheadz.

Previous findings

What you need is that the web server of your target performs a request to your server/collaborator. Using another type of issue could also be a good idea: SSRF, XXE, XSS (triggered server side) or whatever you already found, inject a payload that contains your IP address and check the logs. If you got any hit then check the virtual host again.


Below some tools that are supposed to do the job for you:

cloudflare cloudip censys certificates (key required)
HatCloud: crimeflare,
CrimeFlare: crimeflare,
bypass-firewalls-by-DNS-history: securitytrails, crimeflare

cloudflare cloudfail

CloudFail: dnsdumpster, crimeflare, subdomain brute force
CloudFlair: censys key required
CloudIP: nslookup some subdomains (ftp, cpanel, mail, direct, direct-connect, webmail, portal)

Note that none of those methods are 100% reliable. All targets are different, what will work for one would not work for another. Try them all.

DNS resources



As we often say in the security industry: a chain is as strong as its weakest link. No matter how much time you spent to configure Cloudflare, if it can be bypassed and if your webapp can be directly reached through the server IP then all protections offered by Clouflare are also bypassed and so totally useless, you’re not protected anymore.

There is probably many other ways to perform this task. Now you get the idea, feel free to send me your tips or describe them to the Twitter feed listed below, I will be more than happy to add them here.

I personally never reported such things but according to Soroush Dalili, being able to get around Cloudflare is something considered as a security misconfiguration so it deserves an alert. Bounty plzzzzzzzzzzzzzzzzzzzz!

Swag Store

In the bug bounty industry, companies/programs reward hackers with bounties for their contribution, most of the time money and swag from ...… Continue reading

« Swag Store

Published on July 10, 2019

The Hunter Games »

Published on March 24, 2019