Abusing Cloudflare Workers as pass-through proxies (IP rotation, FireProx-style)
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Cloudflare Workers can be deployed as transparent HTTP pass-through proxies where the upstream target URL is supplied by the client. Requests leave from Cloudflare's network, so the target sees Cloudflare IPs instead of the client's. This mirrors the well-known FireProx technique on AWS API Gateway, but uses Cloudflare Workers instead.
Key features
- Supports all HTTP methods (GET, POST, PUT, DELETE, PATCH, OPTIONS, HEAD)
- The target can be supplied via a query parameter (?url=...), a header (X-Target-URL), or encoded in the path (e.g. /https://target)
- Headers and body are proxied through, with hop-by-hop/header filtering where needed
- Responses are relayed back, preserving the status code and most headers
- X-Forwarded-For can be spoofed (if the Worker sets it from a user-controlled header)
- Quick/easy IP rotation by deploying several Worker endpoints and spreading requests across them
How it works (flow)
- The client sends an HTTP request to the Worker URL (<name>.<account>.workers.dev or a custom domain).
- The Worker extracts the target from either the query parameter (?url=...), the X-Target-URL header, or the path segment if that form is implemented.
- The Worker forwards the incoming method, headers, and body to the resolved upstream URL (after filtering problematic headers).
- The upstream response is relayed back to the client through Cloudflare; the origin only sees Cloudflare egress IPs.
Worker implementation example
- Resolves the target URL from the query param, header, or path
- Copies a safe subset of headers and forwards the original method/body
- Optionally sets X-Forwarded-For from a user-controlled header (X-My-X-Forwarded-For) or a random IP
- Adds permissive CORS and handles preflight
Example Worker (JavaScript) for pass-through proxying

```javascript
/**
 * Minimal Worker pass-through proxy
 * - Target URL from ?url=, X-Target-URL, or /https://...
 * - Proxies method/headers/body to upstream; relays response
 */
addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  try {
    const url = new URL(request.url)
    const targetUrl = getTargetUrl(url, request.headers)
    if (!targetUrl) {
      return errorJSON('No target URL specified', 400, {
        usage: {
          query_param: '?url=https://example.com',
          header: 'X-Target-URL: https://example.com',
          path: '/https://example.com'
        }
      })
    }
    let target
    try { target = new URL(targetUrl) } catch (e) {
      return errorJSON('Invalid target URL', 400, { provided: targetUrl })
    }
    // Answer CORS preflight locally instead of forwarding OPTIONS upstream
    if (request.method === 'OPTIONS') return buildProxyResponse(null, 'OPTIONS')
    // Forward the Worker URL's own query params (except control ones),
    // appending to any query string the target already carries
    for (const [k, v] of url.searchParams) {
      if (!['url', '_cb', '_t'].includes(k)) target.searchParams.append(k, v)
    }
    // Build proxied request
    const proxyReq = buildProxyRequest(request, target)
    const upstream = await fetch(proxyReq)
    return buildProxyResponse(upstream, request.method)
  } catch (error) {
    return errorJSON('Proxy request failed', 500, {
      message: error.message,
      timestamp: new Date().toISOString()
    })
  }
}

// Target precedence: ?url= > X-Target-URL header > path form (/https://...)
function getTargetUrl(url, headers) {
  let t = url.searchParams.get('url') || headers.get('X-Target-URL')
  if (!t && url.pathname !== '/') {
    const p = url.pathname.slice(1)
    if (p.startsWith('http')) t = p
  }
  return t
}

function buildProxyRequest(request, target) {
  // Allow-list of request headers to forward; everything else (cookies,
  // cf-*, hop-by-hop headers, the client's own X-Forwarded-For) is dropped
  const h = new Headers()
  const allow = [
    'accept','accept-language','accept-encoding','authorization',
    'cache-control','content-type','origin','referer','user-agent'
  ]
  for (const [k, v] of request.headers) {
    if (allow.includes(k.toLowerCase())) h.set(k, v)
  }
  // The runtime derives Host from the target URL for subrequests; this
  // explicit value is kept for clarity only
  h.set('Host', target.hostname)
  // Optional: spoof X-Forwarded-For if the client supplied a value
  const spoof = request.headers.get('X-My-X-Forwarded-For')
  h.set('X-Forwarded-For', spoof || randomIP())
  return new Request(target.toString(), {
    method: request.method,
    headers: h,
    body: ['GET','HEAD'].includes(request.method) ? null : request.body
  })
}

function buildProxyResponse(resp, method) {
  const h = new Headers()
  if (resp) {
    // The runtime has already decoded the upstream body and re-frames it,
    // so the upstream encoding/length headers no longer apply
    for (const [k, v] of resp.headers) {
      if (!['content-encoding','content-length','transfer-encoding'].includes(k.toLowerCase())) {
        h.set(k, v)
      }
    }
  }
  // Permissive CORS for tooling convenience
  h.set('Access-Control-Allow-Origin', '*')
  h.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD')
  h.set('Access-Control-Allow-Headers', '*')
  if (method === 'OPTIONS') return new Response(null, { status: 204, headers: h })
  return new Response(resp.body, { status: resp.status, statusText: resp.statusText, headers: h })
}

function errorJSON(msg, status=400, extra={}) {
  return new Response(JSON.stringify({ error: msg, ...extra }), {
    status, headers: { 'Content-Type': 'application/json' }
  })
}

// Random dotted-quad used for X-Forwarded-For when the client supplies none
function randomIP() { return [1,2,3,4].map(() => Math.floor(Math.random()*255)+1).join('.') }
```
Automating deployment and rotation with FlareProx
FlareProx is a Python tool that uses the Cloudflare API to deploy multiple Worker endpoints and rotate between them. This gives FireProx-like IP rotation from Cloudflare's network.
Setup
- Create a Cloudflare API Token using the "Edit Cloudflare Workers" template and get your Account ID from the dashboard. The token can deploy arbitrary code into your account, so keep flareprox.json out of any repository.
- Configure FlareProx:

```bash
git clone https://github.com/MrTurvey/flareprox
cd flareprox
pip install -r requirements.txt
```

Create a configuration file flareprox.json:

```json
{
  "cloudflare": {
    "api_token": "your_cloudflare_api_token",
    "account_id": "your_cloudflare_account_id"
  }
}
```
CLI usage
- Create N Worker proxies:

```bash
python3 flareprox.py create --count 2
```

- List endpoints:

```bash
python3 flareprox.py list
```

- Health-test endpoints:

```bash
python3 flareprox.py test
```

- Delete all endpoints:

```bash
python3 flareprox.py cleanup
```
Passing traffic through the Worker
- Query parameter form:

```bash
curl "https://your-worker.account.workers.dev?url=https://httpbin.org/ip"
```

- Header form:

```bash
curl -H "X-Target-URL: https://httpbin.org/ip" https://your-worker.account.workers.dev
```

- Path form (if implemented):

```bash
curl https://your-worker.account.workers.dev/https://httpbin.org/ip
```

- Method examples:

```bash
# GET
curl "https://your-worker.account.workers.dev?url=https://httpbin.org/get"
# POST (form)
curl -X POST -d "username=admin" \
  "https://your-worker.account.workers.dev?url=https://httpbin.org/post"
# PUT (JSON)
curl -X PUT -d '{"username":"admin"}' -H "Content-Type: application/json" \
  "https://your-worker.account.workers.dev?url=https://httpbin.org/put"
# DELETE
curl -X DELETE \
  "https://your-worker.account.workers.dev?url=https://httpbin.org/delete"
```

If the target URL carries its own query string, percent-encode it in the ?url= form (for example `curl -G --data-urlencode "url=https://httpbin.org/get?a=1&b=2" https://your-worker.account.workers.dev`); otherwise the `&`-separated parameters are parsed as parameters of the Worker URL rather than of the target.
X-Forwarded-For control
If the Worker honours X-My-X-Forwarded-For, you can influence the upstream X-Forwarded-For value:

```bash
curl -H "X-My-X-Forwarded-For: 203.0.113.10" \
  "https://your-worker.account.workers.dev?url=https://httpbin.org/headers"
```
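The three target forms and the X-My-X-Forwarded-For header above, as client-side helpers. This is an added example, not FlareProx's or the Worker's own code: the Worker hostnames are placeholders, and the Worker is assumed to implement the ?url=, X-Target-URL and path forms and the spoof header as described on this page. `worker_sees()` simulates how the Worker's URL parser splits the ?url= form, which shows why a target with its own query string must be percent-encoded, and `EndpointRotator` round-robins requests across several endpoints.

```python
#!/usr/bin/env python3
"""Client-side helpers for Worker pass-through proxies (added example).

Builds the ?url=, header and path forms, percent-encodes targets that carry
their own query string, and round-robins across several Worker endpoints.
Endpoint names are placeholders (assumed), e.g. as printed by
`python3 flareprox.py list`.
"""
import itertools
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder endpoints, not real deployments
WORKER_ENDPOINTS = [
    "https://proxy-1.example-account.workers.dev",
    "https://proxy-2.example-account.workers.dev",
]


def query_form(worker: str, target: str) -> str:
    """?url= form. urlencode() percent-encodes '?', '&' and '=' inside the
    target so the Worker's URL parser sees a single `url` parameter."""
    return f"{worker}/?{urlencode({'url': target})}"


def header_form(worker: str, target: str, spoof_xff: Optional[str] = None):
    """X-Target-URL form; returns (url, headers). Optionally asks the Worker
    to set upstream X-Forwarded-For from X-My-X-Forwarded-For."""
    headers = {"X-Target-URL": target}
    if spoof_xff:
        headers["X-My-X-Forwarded-For"] = spoof_xff
    return f"{worker}/", headers


def path_form(worker: str, target: str) -> str:
    """/https://... form (only if the Worker implements it)."""
    return f"{worker}/{target}"


def worker_sees(proxied_url: str) -> dict:
    """Simulate the Worker's parsing of the ?url= form: the value of `url`
    and any leftover parameters it would forward as pass-through query."""
    params = parse_qs(urlsplit(proxied_url).query, keep_blank_values=True)
    target = params.pop("url", [None])[0]
    leftover = {k: v[0] for k, v in params.items()}
    return {"target": target, "passthru": leftover}


class EndpointRotator:
    """Round-robin over Worker endpoints so consecutive requests leave from
    different Workers (and, in practice, different Cloudflare egress IPs)."""

    def __init__(self, endpoints):
        if not endpoints:
            raise ValueError("no Worker endpoints configured")
        self._cycle = itertools.cycle(endpoints)

    def next_url(self, target: str) -> str:
        return query_form(next(self._cycle), target)


if __name__ == "__main__":
    target = "https://httpbin.org/get?q=a b&page=2"
    naive = f"{WORKER_ENDPOINTS[0]}/?url={target}"   # unencoded: split at '&'
    good = query_form(WORKER_ENDPOINTS[0], target)    # encoded: target intact
    print("naive ->", worker_sees(naive))
    print("good  ->", worker_sees(good))
    rot = EndpointRotator(WORKER_ENDPOINTS)
    for _ in range(3):
        print(rot.next_url("https://httpbin.org/ip"))
```

With the unencoded form the Worker receives `url=https://httpbin.org/get?q=a b` and a separate `page=2` parameter; with the encoded form it receives the whole target. Send the built URLs/headers with any HTTP client (requests, curl); nothing here performs network I/O.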
Programmatic usage
Use the FlareProx library to create/list/test endpoints and relay requests from Python.
Python example: send a POST through a random Worker endpoint

```python
#!/usr/bin/env python3
import json
import sys

from flareprox import FlareProx, FlareProxError

# Initialize from the config file created during setup
flareprox = FlareProx(config_file="flareprox.json")
if not flareprox.is_configured:
    print("FlareProx not configured. Run: python3 flareprox.py config")
    sys.exit(1)

# Ensure endpoints exist (deploy two Workers if none are registered)
endpoints = flareprox.sync_endpoints()
if not endpoints:
    print("Creating proxy endpoints...")
    flareprox.create_proxies(count=2)

# Make a POST request through a random endpoint
try:
    post_data = json.dumps({
        "username": "testuser",
        "message": "Hello from FlareProx!",
        "timestamp": "2025-01-01T12:00:00Z"
    })
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "FlareProx-Client/1.0"
    }
    response = flareprox.redirect_request(
        target_url="https://httpbin.org/post",
        method="POST",
        headers=headers,
        data=post_data
    )
    if response.status_code == 200:
        result = response.json()
        print("✓ POST successful via FlareProx")
        # httpbin echoes the source it saw: a Cloudflare egress IP, not yours
        print(f"Origin IP: {result.get('origin', 'unknown')}")
        print(f"Posted data: {result.get('json', {})}")
    else:
        print(f"Request failed with status: {response.status_code}")
except FlareProxError as e:
    print(f"FlareProx error: {e}")
except Exception as e:
    print(f"Request error: {e}")
```
Burp/Scanner integration
- Point tools (e.g. Burp Suite) at the Worker URL.
- Supply the real upstream via ?url= or X-Target-URL.
- HTTP semantics (methods/headers/body) are preserved while your source IP is hidden behind Cloudflare.
Operational notes and limits
- The Cloudflare Workers Free plan allows about 100,000 requests per day per account. The quota is account-wide, so extra Worker endpoints in the same account rotate egress IPs but do not add capacity; spread traffic across endpoints (and, if needed, accounts) accordingly.
- Workers run on Cloudflare's network; most targets will only see Cloudflare IPs/ASN, which can defeat simple IP allow/deny lists or geo heuristics. Conversely, a target that knows the published Cloudflare ranges and does not trust X-Forwarded-For from arbitrary peers can spot and discount this traffic.
- Use responsibly and only with authorization. Respect the ToS and robots.txt.
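The defender-side check implied by the notes above, as an added example (not from FlareProx or this page's Worker): derive the real client address by trusting X-Forwarded-For hops only when they were added by proxies you operate, and flag requests that arrive from CDN egress ranges with a client-supplied X-Forwarded-For. The log lines are constructed, the trusted-proxy range is assumed, and the CDN range is a documentation-range stand-in for the provider's published egress lists (Cloudflare publishes ips-v4/ips-v6); substitute your own.

```python
#!/usr/bin/env python3
"""Defender-side handling of relayed traffic (added example).

Only trust X-Forwarded-For hops added by proxies you operate, and flag
requests that arrive from CDN egress ranges carrying a client-supplied
X-Forwarded-For (a Worker such as the one on this page sets it from
X-My-X-Forwarded-For or a random value).
"""
import ipaddress
import re

# Assumed: your own load balancers / reverse proxies, the only hops whose
# X-Forwarded-For additions are trustworthy
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
# Stand-in for the CDN provider's published egress ranges (e.g. Cloudflare's
# ips-v4/ips-v6 lists); 198.51.100.0/24 is a documentation range, not real data
CDN_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]

# Combined-log-like lines with the X-Forwarded-For value appended as xff="..."
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ xff="(?P<xff>[^"]*)"'
)

# Constructed sample log: two relayed requests from different CDN egress IPs
# spoofing the same XFF, one legitimate request via an internal LB, one direct
SAMPLE_LOG = """\
198.51.100.23 - - [01/Jan/2025:12:00:00 +0000] "GET /admin HTTP/1.1" 403 12 xff="203.0.113.10"
198.51.100.77 - - [01/Jan/2025:12:00:01 +0000] "GET /admin HTTP/1.1" 403 12 xff="203.0.113.10"
10.0.0.5 - - [01/Jan/2025:12:00:02 +0000] "GET /login HTTP/1.1" 200 512 xff="203.0.113.10, 192.0.2.44, 10.0.0.6"
192.0.2.9 - - [01/Jan/2025:12:00:03 +0000] "GET / HTTP/1.1" 200 1024 xff=""
"""


def in_any(ip, nets) -> bool:
    return any(ip in net for net in nets)


def client_ip(peer: str, xff: str) -> str:
    """Resolve the real client address.

    If the TCP peer is not one of our proxies, X-Forwarded-For is just a
    string the peer chose, so it is ignored. Otherwise walk the chain from
    the right, skipping our own hops; the first address we did not add is
    the client. Anything further left was supplied upstream and is ignored.
    """
    peer_ip = ipaddress.ip_address(peer)
    if not in_any(peer_ip, TRUSTED_PROXIES):
        return str(peer_ip)
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: stop walking rather than trust it
        if not in_any(hop_ip, TRUSTED_PROXIES):
            return str(hop_ip)
    return str(peer_ip)


def analyse(lines):
    """Parse log lines and attach the effective client IP plus flags."""
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        peer, xff = m["peer"], m["xff"]
        peer_ip = ipaddress.ip_address(peer)
        flags = []
        if in_any(peer_ip, CDN_EGRESS):
            flags.append("cdn_egress")      # left a CDN/Worker node, not a client
        if xff and not in_any(peer_ip, TRUSTED_PROXIES):
            flags.append("untrusted_xff")   # XFF chosen by an untrusted peer
        rows.append({"peer": peer, "path": m["path"], "status": m["status"],
                     "xff": xff, "client": client_ip(peer, xff), "flags": flags})
    return rows


if __name__ == "__main__":
    for row in analyse(SAMPLE_LOG.splitlines()):
        print(row)
```

The `cdn_egress` flag only means something for an origin that is not itself fronted by that CDN; if it is, legitimate traffic also arrives from those ranges and the useful signal is the `untrusted_xff` one plus the CDN's own client-IP header, which a Worker cannot forge for your zone.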
References
- FlareProx (Cloudflare Workers pass-through/rotation)
- Cloudflare Workers fetch() API
- Cloudflare Workers pricing and free tier
- FireProx (AWS API Gateway)