Cloudflare origin server
What is Cloudflare? In short: a Content Delivery Network (CDN), a Web Application Firewall (WAF) and, as the icing on the cake, a fast DNS resolver that Cloudflare released 1 year ago. With 4 pricing plans and more than 16M Internet properties, Cloudflare is now one of the most popular firewalls used for web applications. Working as a reverse proxy, the WAF not only offers protection against DDoS but can also trigger an alert/error when it detects an attack. But what if you could bypass all these protections in a second, making the defense useless?
>>> Read more on Detectify <<<
At the same time as I was writing this article, I wrote a Python script to automate some tests.
    usage: cloudflare-origin-ip.py [-h] [-u URL] [-s SOURCE]

    optional arguments:
      -h, --help            show this help message and exit
      -u URL, --url URL     url to test
      -s SOURCE, --source SOURCE
                            datas sources separated by coma, can be:
                            censys,crtsh,local file

    Examples:
      cloudflare-origin-ip.py -u https://xxx.xxxxxxxxxxxx.xxx
      cloudflare-origin-ip.py -u https://xxx.xxxxxxxxxxxx.xxx -s censys,crtsh (default)
      cloudflare-origin-ip.py -u https://xxx.xxxxxxxxxxxx.xxx -s /home/local/ips.txt
      cloudflare-origin-ip.py -u https://xxx.xxxxxxxxxxxx.xxx -s censys,crtsh,/home/local/ips.txt,/home/local/subdomains.txt
Note that this is an automated tool; a manual check is still required.
Basically, the script compares some data (HTML, headers, Content-Type…) from the host you provide with the HTTP responses from a list of IPs, requested with the host you provide as the Host header.
IP sources can be: Censys, crt.sh or local files containing IPs and/or subdomains.
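Seen from the origin's side, the requests described above name the protected host in the Host header but arrive from an address outside Cloudflare's ranges. The following is an added example, not part of the original post or of the script: it flags such requests in an origin access log. The log format, the host name and the sample lines are constructed for illustration, and the network list is only a sample of Cloudflare's published IPv4 ranges.

```python
import ipaddress

# Sample of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4).
# Assumption: real use loads the full, current list instead of this subset.
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "162.158.0.0/15", "104.16.0.0/13", "172.64.0.0/13",
)]

PROTECTED_HOST = "www.example.com"  # hypothetical site fronted by Cloudflare

# Constructed origin access-log lines, format: client_ip host "request" status
SAMPLE_LOG = """\
162.158.90.12 www.example.com "GET / HTTP/1.1" 200
203.0.113.45 www.example.com "GET / HTTP/1.1" 200
104.16.3.7 www.example.com "GET /login HTTP/1.1" 200
198.51.100.9 198.51.100.200 "GET / HTTP/1.1" 404
203.0.113.45 www.example.com "GET /robots.txt HTTP/1.1" 200
not a log line
"""


def via_cloudflare(ip):
    """True if the client address belongs to one of the Cloudflare networks."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    return any(addr in net for net in CLOUDFLARE_NETS)


def direct_origin_hits(log_text, host=PROTECTED_HOST):
    """Map client IP -> requests that named the protected host without
    passing through a Cloudflare edge address."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        client, req_host, rest = parts
        try:
            if via_cloudflare(client):
                continue  # normal proxied traffic
        except ValueError:
            continue  # unparseable client field, skip the line
        if req_host.lower() != host.lower():
            continue  # background scan of the bare IP, not a host match
        request = rest.split('"')[1] if '"' in rest else rest
        hits.setdefault(client, []).append(request)
    return hits
```

Any hit means the origin answers for the protected host to non-Cloudflare clients; restricting inbound HTTP(S) at the origin firewall to Cloudflare's ranges closes that path.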