For Cloudflare customers, having Cloudflare is like paying for peace of mind: your system will have 99% protection against external threats. But why shouldn’t we try to bypass Cloudflare, even if there is only that minuscule 1% chance?
So, without further ado, we purchased the Cloudflare Pro Plan and began this journey as a team, because teamwork makes the dream work!
In any penetration testing engagement, our hearts sink when we are greeted with this, and we question our existence!

In the initial assessment stage, we separated what was more likely to work from what was nearly impossible, and decided to zoom in on file upload bypass.
Here, we are going to share 3 bypass tricks that we have discovered recently.
Before that, let’s see how Cloudflare reacted to the request below. As expected, any sign of shell code is blocked!

Trick #1 — Magic of Semicolon
Let’s try putting a semicolon at the end of the multipart boundary=????????????????; and submit the request. Bingo! This was not detected by Cloudflare; the file was uploaded and the entire content was preserved.

2. The following screenshot is not necessary, but we show it anyways.

Trick #2 — Magic of Transfer-Encoding
If you think transfer-encoding is used only in HTTP smuggling, think again!

Trick #3 — Magic of Prepended Large String
Generate 10,000 “A” characters and prepend them to the shell payload.

If you doubt whether the payload is still interpreted properly, doubt no more! The payload still executes after the output of the As.

How to Fix
To help mitigate this kind of bypass technique, one can contact Cloudflare for recommendations.
A single defense is definitely inadequate; companies must also make sure the application itself is secured.
So, it is extremely important to detect and correct application vulnerabilities through:
- Vulnerability Assessment
- Penetration Testing
- Code Review
- SOC as a Service
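
As an added illustration of securing the application itself (not code from the original post or from Cloudflare), the sketch below shows upload checks an application can run on its own, so that a non-canonical boundary header or padding in front of the content is rejected regardless of what the WAF decided. The image-only policy, the marker list and the names `check_upload` and `stored_name` are assumptions made for this example.

```python
import re
import secrets
from pathlib import PurePosixPath

# Assumed policy for this sketch: the endpoint only accepts PNG and JPEG images.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n",
           ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
# Assumed markers of server-side script content; extend for the stack in use.
# Short markers can match by chance in binary data; re-encoding images is stronger.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<%")
# Canonical form only: one boundary parameter and nothing after it.
STRICT_CT = re.compile(r"multipart/form-data; ?boundary=[0-9A-Za-z'()+_,./:=?-]{1,70}")


def check_upload(content_type, filename, body):
    """Return a list of rejection reasons; an empty list means accept."""
    reasons = []
    if not STRICT_CT.fullmatch(content_type):
        reasons.append("non-canonical Content-Type header")
    ext = PurePosixPath(filename).suffix.lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        reasons.append("extension not on allowlist")
    elif not body.startswith(magic):
        reasons.append("content does not match extension")
    # Scan the whole body, so padding in front of a payload changes nothing.
    lowered = body.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        reasons.append("script marker in content")
    return reasons


def stored_name(filename):
    """Server-chosen name: the client never controls the path on disk."""
    return secrets.token_hex(16) + PurePosixPath(filename).suffix.lower()


# Constructed sample inputs (not taken from the original post).
GOOD_CT = "multipart/form-data; boundary=----FormBoundaryExample123"
PNG = ALLOWED[".png"] + b"\x00" * 32
PADDED = b"A" * 10000 + b"<?php echo 'test'; ?>"

if __name__ == "__main__":
    print(check_upload(GOOD_CT, "logo.png", PNG))
    print(check_upload(GOOD_CT + ";", "logo.png", PNG))
    print(check_upload(GOOD_CT, "notes.php", PADDED))
```

Storing accepted files outside any directory the web server executes from is a separate control that these checks do not replace.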
Conclusion
At Numen Labs, we are given engagement-relevant challenges from time to time to keep pushing our limits. With customers always first in our minds, we also want to ensure we are always prepared to give our customers the best of us.
Numen Cyber Labs is committed to facilitating the safe development of Web 3.0. We are dedicated to the security of the blockchain ecosystem, as well as operating systems and browser/mobile security. We regularly publish analyses on topics such as these, so please stay tuned or visit our blog for more!
This blog was originally published on our Medium Account.