What is Cloudflare? In short: a Content Delivery Network (CDN), a Web Application Firewall (WAF) and, as the icing on the cake, a fast public DNS resolver released a year ago. With four pricing tiers and more than 16M Internet properties, Cloudflare is now one of the most popular firewalls put in front of web applications. Working as a reverse proxy, the WAF not only offers protection against DDoS but can also trigger an alert or an error page when it detects an attack. But what if you could bypass all these protections in a second, making the defense useless?
While writing this article, I wrote a Python script to automate some tests.
usage: cloudflare-origin-ip.py [-h] [-u URL] [-s SOURCE]

optional arguments:
  -h, --help            show this help message and exit
  -u URL, --url URL     url to test
  -s SOURCE, --source SOURCE
                        data sources separated by comma, can be: censys,crtsh,local file

Examples:
  cloudflare-origin-ip.py -u https://xxx.xxxxxxxxxxxx.xxx
  cloudflare-origin-ip.py -u https://xxx.xxxxxxxxxxxx.xxx -s censys,crtsh (default)
  cloudflare-origin-ip.py -u https://xxx.xxxxxxxxxxxx.xxx -s /home/local/ips.txt
  cloudflare-origin-ip.py -u https://xxx.xxxxxxxxxxxx.xxx -s censys,crtsh,/home/local/ips.txt,/home/local/subdomains.txt

Note that this is an automated tool; a manual check is still required.
Basically, the script compares some data (HTML, headers, Content-Type...) of the host you provide, fetched normally through Cloudflare, with the HTTP response obtained from each IP of a list, connecting to that IP directly but sending the host you provide in the Host header. An IP that answers with the same content as the Cloudflare-fronted site is a strong candidate for the origin server.
IP sources can be: Censys, crt.sh or local files containing IPs and/or subdomains.
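The comparison described above, as an added example written for this page (it is not the article's cloudflare-origin-ip.py, and the function names, weights and 0.8 threshold are my own choices): each candidate IP is contacted directly with the real hostname in SNI and in the Host header, and its response is scored against the reference response obtained through Cloudflare. Candidates that still carry Cloudflare headers (cf-ray, server: cloudflare) are dropped, since they are an edge, not the origin. The sample responses at the bottom are constructed so the ranking runs offline; scan() is the live variant.

```python
"""Added example: rank candidate origin IPs by how closely their direct HTTP
response matches the Cloudflare-fronted site. Not the article's script."""
import difflib
import http.client
import socket
import ssl
from dataclasses import dataclass

# Headers Cloudflare adds in front of an origin. Their presence on a candidate
# means the candidate is still Cloudflare, not the origin we are looking for.
CF_MARKERS = ("cf-ray", "cf-cache-status")


@dataclass
class Resp:
    status: int
    headers: dict   # header names lower-cased
    body: str


def looks_like_cloudflare(resp):
    return any(m in resp.headers for m in CF_MARKERS) \
        or resp.headers.get("server", "").lower() == "cloudflare"


def fetch(ip, host, path="/", https=True, timeout=5):
    """GET `path` from `ip` while presenting `host` in SNI and the Host header.
    Certificate checks are disabled on purpose: an origin often serves a
    certificate for another name, and we only want to compare content."""
    sock = socket.create_connection((ip, 443 if https else 80), timeout=timeout)
    if https:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    conn = http.client.HTTPConnection(host, timeout=timeout)
    conn.sock = sock   # reuse our socket instead of letting it connect to `host`
    conn.request("GET", path, headers={"Host": host, "User-Agent": "Mozilla/5.0"})
    r = conn.getresponse()
    body = r.read().decode("utf-8", "replace")
    return Resp(r.status, {k.lower(): v for k, v in r.getheaders()}, body)


def content_type(resp):
    return resp.headers.get("content-type", "").split(";")[0].strip().lower()


def similarity(reference, candidate):
    """Score 0..1: body diff ratio weighs 0.6, same status 0.2, same Content-Type 0.2."""
    score = 0.2 if candidate.status == reference.status else 0.0
    if content_type(reference) and content_type(reference) == content_type(candidate):
        score += 0.2
    score += 0.6 * difflib.SequenceMatcher(None, reference.body, candidate.body).ratio()
    return round(score, 3)


def rank_candidates(reference, candidates, threshold=0.8):
    """candidates: {ip: Resp or None}. Returns [(ip, score)] of plausible origins,
    best first. Unreachable IPs and IPs that still answer as Cloudflare are dropped."""
    hits = []
    for ip, resp in candidates.items():
        if resp is None or looks_like_cloudflare(resp):
            continue
        s = similarity(reference, resp)
        if s >= threshold:
            hits.append((ip, s))
    return sorted(hits, key=lambda t: t[1], reverse=True)


def scan(host, ips, path="/"):
    """Live version: the reference goes through Cloudflare (normal DNS), candidates direct."""
    def safe(ip):
        try:
            return fetch(ip, host, path)
        except (OSError, http.client.HTTPException):
            return None
    reference = fetch(socket.gethostbyname(host), host, path)
    return rank_candidates(reference, {ip: safe(ip) for ip in ips})


def sample_data():
    """Constructed, offline sample: a Cloudflare-fronted reference and four candidates."""
    page = "<html><title>Acme</title><body>Welcome to Acme</body></html>"
    reference = Resp(200, {"content-type": "text/html; charset=utf-8",
                           "server": "cloudflare", "cf-ray": "0000000000000000-CDG"}, page)
    candidates = {
        # same page served by nginx with no Cloudflare headers: the origin
        "203.0.113.10": Resp(200, {"content-type": "text/html; charset=utf-8",
                                   "server": "nginx"}, page),
        # identical content but still carrying cf-ray: another Cloudflare edge, skip it
        "203.0.113.20": Resp(200, {"content-type": "text/html; charset=utf-8",
                                   "server": "cloudflare", "cf-ray": "1111111111111111-CDG"}, page),
        # unrelated host that happens to accept the Host header
        "203.0.113.30": Resp(404, {"content-type": "text/plain"}, "Not Found"),
        # connection refused / timeout
        "203.0.113.40": None,
    }
    return reference, candidates


if __name__ == "__main__":
    ref, cands = sample_data()
    for ip, score in rank_candidates(ref, cands):
        print(f"{ip}\t{score}")
```

Two caveats for real use: a candidate that is inside Cloudflare's published address ranges (https://www.cloudflare.com/ips/) can never be the origin even if the headers were stripped, so filter the list against those ranges before scanning; and a high score only says the IP serves the same content, which is also true of a staging box or a second CDN, so the manual check the article asks for still applies.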