Zloupotreba Cloudflare Workers kao pass-through proxyja (IP rotation, FireProx-style)

Tip

Učite i vežbajte AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Učite i vežbajte GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Učite i vežbajte Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Podržite HackTricks

Proverite planove pretplate!

Pridružite se 💬 Discord grupi ili telegram grupi ili pratite nas na Twitteru 🐦 @hacktricks_live.

Podelite hakerske trikove slanjem PR-ova na HackTricks i HackTricks Cloud github repozitorijume.

Cloudflare Workers se mogu deploy-ovati kao transparentni HTTP pass-through proxyji gde upstream cilj URL obezbeđuje klijent. Zahtevi izlaze iz Cloudflare-ove mreže, pa cilj vidi Cloudflare IP adrese umesto klijentovih. Ovo odražava dobro poznatu FireProx tehniku na AWS API Gateway, ali koristi Cloudflare Workers.

Ključne mogućnosti

Podrška za sve HTTP metode (GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD)
Cilj se može proslediti putem query parametra (?url=…), header-a (X-Target-URL), ili čak enkodiran u putanji (npr. /https://target)
Zaglavlja i body se prox-yjuju uz filtriranje hop-by-hop/header po potrebi
Odgovori se prosleđuju nazad, zadržavajući status kod i većinu zaglavlja
Opcionalno falsifikovanje X-Forwarded-For (ako Worker postavi vrednost iz header-a koji kontroliše korisnik)
Veoma brzo/lako rotiranje deploy-ovanjem više Worker endpoint-a i raspoređivanjem zahteva

Kako to radi (flow)

Klijent šalje HTTP zahtev ka Worker URL-u (<name>.<account>.workers.dev ili custom domain route).
Worker izvlači cilj iz query parametra (?url=…), X-Target-URL header-a, ili segmenta putanje ako je implementirano.
Worker prosleđuje dolaznu metodu, zaglavlja i body na specificirani upstream URL (uz filtriranje problematičnih zaglavlja).
Upstream odgovor se stream-uje nazad ka klijentu preko Cloudflare-a; origin vidi Cloudflare egress IP adrese.

Primer implementacije Workera

Čita target URL iz query parametra, header-a ili putanje
Kopira bezbedan subset zaglavlja i prosleđuje originalnu metodu/body
Opcionalno postavlja X-Forwarded-For koristeći header koji kontroliše korisnik (X-My-X-Forwarded-For) ili nasumičnu IP adresu
Dodaje permisivan CORS i obrađuje preflight

Primer Workera (JavaScript) za pass-through proxying

```javascript /** * Minimal Worker pass-through proxy * - Target URL from ?url=, X-Target-URL, or /https://... * - Proxies method/headers/body to upstream; relays response */ addEventListener('fetch', event => { event.respondWith(handleRequest(event.request)) })

async function handleRequest(request) { try { const url = new URL(request.url) const targetUrl = getTargetUrl(url, request.headers)

if (!targetUrl) { return errorJSON(‘No target URL specified’, 400, { usage: { query_param: ‘?url=https://example.com’, header: ‘X-Target-URL: https://example.com’, path: ‘/https://example.com’ } }) }

let target try { target = new URL(targetUrl) } catch (e) { return errorJSON(‘Invalid target URL’, 400, { provided: targetUrl }) }

// Forward original query params except control ones const passthru = new URLSearchParams() for (const [k, v] of url.searchParams) { if (![‘url’, ‘_cb’, ‘_t’].includes(k)) passthru.append(k, v) } if (passthru.toString()) target.search = passthru.toString()

// Build proxied request const proxyReq = buildProxyRequest(request, target) const upstream = await fetch(proxyReq)

return buildProxyResponse(upstream, request.method) } catch (error) { return errorJSON(‘Proxy request failed’, 500, { message: error.message, timestamp: new Date().toISOString() }) } }

function getTargetUrl(url, headers) { let t = url.searchParams.get(‘url’) || headers.get(‘X-Target-URL’) if (!t && url.pathname !== ‘/’) { const p = url.pathname.slice(1) if (p.startsWith(‘http’)) t = p } return t }

function buildProxyRequest(request, target) { const h = new Headers() const allow = [ ‘accept’,‘accept-language’,‘accept-encoding’,‘authorization’, ‘cache-control’,‘content-type’,‘origin’,‘referer’,‘user-agent’ ] for (const [k, v] of request.headers) { if (allow.includes(k.toLowerCase())) h.set(k, v) } h.set(‘Host’, target.hostname)

// Optional: spoof X-Forwarded-For if provided const spoof = request.headers.get(‘X-My-X-Forwarded-For’) h.set(‘X-Forwarded-For’, spoof || randomIP())

return new Request(target.toString(), { method: request.method, headers: h, body: [‘GET’,‘HEAD’].includes(request.method) ? null : request.body }) }

function buildProxyResponse(resp, method) { const h = new Headers() for (const [k, v] of resp.headers) { if (![‘content-encoding’,‘content-length’,‘transfer-encoding’].includes(k.toLowerCase())) { h.set(k, v) } } // Permissive CORS for tooling convenience h.set(‘Access-Control-Allow-Origin’, ‘’) h.set(‘Access-Control-Allow-Methods’, ‘GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD’) h.set(‘Access-Control-Allow-Headers’, ‘’)

if (method === ‘OPTIONS’) return new Response(null, { status: 204, headers: h }) return new Response(resp.body, { status: resp.status, statusText: resp.statusText, headers: h }) }

function errorJSON(msg, status=400, extra={}) { return new Response(JSON.stringify({ error: msg, …extra }), { status, headers: { ‘Content-Type’: ‘application/json’ } }) }

function randomIP() { return [1,2,3,4].map(() => Math.floor(Math.random()*255)+1).join(‘.’) }

</details>

### Automatizacija deploy-a i rotacije sa FlareProx

FlareProx je Python alat koji koristi Cloudflare API za postavljanje više Worker endpoint-a i rotiranje između njih. Ovo obezbeđuje FireProx-like IP rotation putem Cloudflare mreže.

Setup
1) Kreirajte Cloudflare API Token koristeći šablon “Edit Cloudflare Workers” i dobijte svoj Account ID iz dashboard-a.
2) Konfigurišite FlareProx:
```bash
git clone https://github.com/MrTurvey/flareprox
cd flareprox
pip install -r requirements.txt

Kreirajte konfiguracioni fajl flareprox.json:

{
"cloudflare": {
"api_token": "your_cloudflare_api_token",
"account_id": "your_cloudflare_account_id"
}
}

Korišćenje CLI

Kreirajte N Worker proxies:

python3 flareprox.py create --count 2

Lista endpoints:

python3 flareprox.py list

Health-test endpointi:

python3 flareprox.py test

Izbriši sve endpoints:

python3 flareprox.py cleanup

Usmeravanje saobraćaja kroz Worker

Oblik query parametara:

curl "https://your-worker.account.workers.dev?url=https://httpbin.org/ip"

Oblik zaglavlja:

curl -H "X-Target-URL: https://httpbin.org/ip" https://your-worker.account.workers.dev

Oblik putanje (ako je implementirano):

curl https://your-worker.account.workers.dev/https://httpbin.org/ip

Primeri metoda:

# GET
curl "https://your-worker.account.workers.dev?url=https://httpbin.org/get"

# POST (form)
curl -X POST -d "username=admin" \
"https://your-worker.account.workers.dev?url=https://httpbin.org/post"

# PUT (JSON)
curl -X PUT -d '{"username":"admin"}' -H "Content-Type: application/json" \
"https://your-worker.account.workers.dev?url=https://httpbin.org/put"

# DELETE
curl -X DELETE \
"https://your-worker.account.workers.dev?url=https://httpbin.org/delete"

X-Forwarded-For kontrola

Ako Worker poštuje X-My-X-Forwarded-For, možete uticati na uzvodnu vrednost X-Forwarded-For:

curl -H "X-My-X-Forwarded-For: 203.0.113.10" \
"https://your-worker.account.workers.dev?url=https://httpbin.org/headers"

Programatska upotreba

Koristite FlareProx biblioteku za kreiranje/izlistavanje/testiranje endpointa i usmeravanje zahteva iz Pythona.

Primer u Pythonu: Pošaljite POST preko nasumičnog Worker endpointa

```python #!/usr/bin/env python3 from flareprox import FlareProx, FlareProxError import json

Initialize

flareprox = FlareProx(config_file=“flareprox.json”) if not flareprox.is_configured: print(“FlareProx not configured. Run: python3 flareprox.py config”) exit(1)

Ensure endpoints exist

endpoints = flareprox.sync_endpoints() if not endpoints: print(“Creating proxy endpoints…”) flareprox.create_proxies(count=2)

Make a POST request through a random endpoint

try: post_data = json.dumps({ “username”: “testuser”, “message”: “Hello from FlareProx!”, “timestamp”: “2025-01-01T12:00:00Z” })

headers = { “Content-Type”: “application/json”, “User-Agent”: “FlareProx-Client/1.0” }

response = flareprox.redirect_request( target_url=“https://httpbin.org/post”, method=“POST”, headers=headers, data=post_data )

if response.status_code == 200: result = response.json() print(“✓ POST successful via FlareProx”) print(f“Origin IP: {result.get(‘origin’, ‘unknown’)}“) print(f“Posted data: {result.get(‘json’, {})}”) else: print(f“Request failed with status: {response.status_code}“)

except FlareProxError as e: print(f“FlareProx error: {e}“) except Exception as e: print(f“Request error: {e}”)

</details>

**Burp/Scanner integracija**
- Usmerite alatke (na primer Burp Suite) na Worker URL.
- Prosledite stvarni upstream koristeći ?url= ili X-Target-URL.
- HTTP semantika (methods/headers/body) se zadržava dok sakrivate svoju izvornu IP adresu iza Cloudflare.

**Operativne napomene i ograničenja**
- Cloudflare Workers Free plan allows roughly 100,000 requests/day per account; use multiple endpoints to distribute traffic if needed.
- Workers run on Cloudflare’s network; many targets will only see Cloudflare IPs/ASN, which can bypass naive IP allow/deny lists or geo heuristics.
- Koristite odgovorno i samo uz odobrenje. Poštujte ToS i robots.txt.

## References
- [FlareProx (Cloudflare Workers pass-through/rotation)](https://github.com/MrTurvey/flareprox)
- [Cloudflare Workers fetch() API](https://developers.cloudflare.com/workers/runtime-apis/fetch/)
- [Cloudflare Workers pricing and free tier](https://developers.cloudflare.com/workers/platform/pricing/)
- [FireProx (AWS API Gateway)](https://github.com/ustayready/fireprox)

> [!TIP]
> Učite i vežbajte AWS Hacking:<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../../../../images/arte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">\
> Učite i vežbajte GCP Hacking: <img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)<img src="../../../../../images/grte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
> Učite i vežbajte Azure Hacking: <img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">[**HackTricks Training Azure Red Team Expert (AzRTE)**](https://training.hacktricks.xyz/courses/azrte)<img src="../../../../../images/azrte.png" alt="" style="width:auto;height:24px;vertical-align:middle;">
>
> <details>
>
> <summary>Podržite HackTricks</summary>
>
> - Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
> - **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
> - **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.
>
> </details>