Numen

3 Tricks to Bypass Cloudflare WAF in File Upload

For Cloudflare customers, having Cloudflare is like paying for peace of mind; where your system will have 99% protection against external threats. But why shouldn’t we try to bypass Cloudflare, even against that minuscule 1% chance?

So, without further ado, we purchased the Cloudflare Pro Plan and began this journey as a team, because teamwork makes the dream work!

In any penetration testing engagement, our hearts sink when we are greeted with this and question our existence!

[Screenshot: Cloudflare "Sorry, you have been blocked" page]

In the initial assessment stage, we separated what was plausible from what was nearly impossible, and decided to focus on file upload bypass.

Here, we are going to share 3 bypass tricks that we have discovered recently.

Before that, let’s see how Cloudflare reacted to the request below. As expected, any sign of shell code is blocked.

Figure 1: Cloudflare Blocked the HTTP Request with Malicious Code

Trick #1 — Magic of Semicolon

Let’s try putting a semicolon at the end of the multipart boundary=????????????????; and submit the request. Bingo! This was not detected by Cloudflare: the file was uploaded and the entire content was preserved.

Figure 2: Semicolon Bypassing Cloudflare

The following screenshot is not strictly necessary, but we include it anyway.

[Screenshot: Cloudflare]

Trick #2 — Magic of Transfer-Encoding

If you think transfer-encoding is used only in HTTP smuggling, think again!

Figure 3: Chunked Encoding Payload Bypassing Cloudflare

Trick #3 — Magic of Prepended Large String

Generate 10,000 “A” characters and prepend them to the shell payload.

Figure 4: Prepended Large String Payload Bypassing Cloudflare

If you doubt whether the payload is still interpreted properly, doubt no more! The payload still executes after the output of the As.

How to Fix

To help mitigate this kind of bypass technique, one can contact Cloudflare for recommendations.

A single layer of defense is definitely inadequate; companies must also make sure the application itself is secured.
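As an added example (not code from the original post or from Numen), here is a server-side upload check that stays effective against the three evasions described above: it reads the boundary tolerantly so a trailing semicolon does not break parsing, reassembles a chunked body before inspecting it, and scans every byte of every file part so a large prefix cannot push content past a fixed inspection window. The function names, the PHP-open-tag rule and the sample request are assumptions constructed for this example.

```python
import re

# Constructed detection rule (assumption): flag file parts carrying a PHP open tag.
MARKER = re.compile(rb"<\?php", re.IGNORECASE)

def dechunk(body):
    """Reassemble an HTTP/1.1 chunked body before inspecting it (Trick #2)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # drop chunk extensions
        if size == 0:
            return bytes(out)
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2  # skip chunk data and its trailing CRLF

def boundary_from(content_type):
    """Read the boundary tolerantly so a trailing ';' (Trick #1) is ignored."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no multipart boundary")
    return m.group(1).strip()

def file_parts(body, boundary):
    """Yield the raw bytes of every part that carries a filename."""
    for part in body.split(b"--" + boundary.encode())[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter
        head, _, data = part.partition(b"\r\n\r\n")
        if b"filename=" in head:
            yield data.rstrip(b"\r\n")

def inspect_upload(headers, body):
    """True if any uploaded file matches MARKER; scans every byte of every
    part, so 10,000 bytes of padding (Trick #3) cannot hide the content."""
    if headers.get("Transfer-Encoding", "").lower() == "chunked":
        body = dechunk(body)
    boundary = boundary_from(headers["Content-Type"])
    return any(MARKER.search(d) for d in file_parts(body, boundary))

def sample_request():
    """Constructed sample combining all three evasions; the file content is
    an inert PHP tag used only as a marker for the detector."""
    b = "xyz"
    part = (f'--{b}\r\nContent-Disposition: form-data; name="f"; filename="a.php"\r\n\r\n'.encode()
            + b"A" * 10000 + b"<?php /* marker */ ?>\r\n" + f"--{b}--\r\n".encode())
    chunked = f"{len(part):x}\r\n".encode() + part + b"\r\n0\r\n\r\n"
    return {"Content-Type": f"multipart/form-data; boundary={b};",
            "Transfer-Encoding": "chunked"}, chunked
```

The same pattern applies to any rule set: normalise transport (chunking) and framing (boundary) first, then inspect the full decoded content rather than a leading window of the raw request.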

So, it is extremely important to detect and correct application vulnerabilities through

  • Vulnerability Assessment
  • Penetration Testing
  • Code Review
  • SOC as a Service

Conclusion

At Numen Labs, we are given engagement-relevant challenges from time to time to keep pushing our limits. With customers always first in our mind, we also want to ensure we are always prepared to give our customers the best of us.

Numen Cyber Labs is committed to facilitating the safe development of Web 3.0. We are dedicated to the security of the blockchain ecosystem, as well as operating systems & browser/mobile security. We regularly disseminate analyses on topics such as these, please stay tuned or visit our blog here for more!

This blog was originally published on our Medium Account.
