Cloudflare Security


In a Cloudflare account there are some general settings and services that can be configured. In this page we are going to analyse the security-related settings of each section:

Websites

Review each with:

Cloudflare Domains

Domain Registration

  • In Transfer Domains make sure that it isn't possible to transfer any domain.

Review each with:

Cloudflare Domains

Analytics

I couldn't find anything to check for a config security review.

Pages

On each Cloudflare Page:

  • Check for sensitive information in the Build log.
  • Check for sensitive information in the Github repository assigned to the pages.
  • Check for potential compromise of the Github repo via workflow command injection or pull_request_target vulnerabilities. More info in the Github Security page.
  • Check for vulnerable functions in the /functions directory (if any), check the redirects in the _redirects file (if any) and misconfigured headers in the _headers file (if any).
  • Check for vulnerabilities in the web page via blackbox or whitebox testing, if you can access the code.
  • In the details of each page, /<page_id>/pages/view/blocklist/settings/functions, check for sensitive information in the Environment variables.
  • In the details page also check the build command and root directory for potential injections that could compromise the page.
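As an added example (not code from the original page), a small reviewer for the `_redirects` and `_headers` files of a Pages project: it flags redirects to hosts outside an assumed trusted set, status-200 rewrites that keep a legacy path reachable, and CORS headers that need review. The file contents and the `TRUSTED_HOSTS` set are constructed for the demonstration.

```javascript
// Added example, not from the original page: review the `_redirects` and `_headers`
// files of a Cloudflare Pages project. Sample contents below are constructed.
const SAMPLE_REDIRECTS = `
/old-blog/* /blog/:splat 301
/login https://auth.example.com/login 302
/admin-legacy /admin 200
/go https://evil.example.org/phish 302
`;
const SAMPLE_HEADERS = `
/*
  X-Frame-Options: DENY
/api/*
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Credentials: true
`;
// Hosts this site is expected to redirect to (an assumption for the example).
const TRUSTED_HOSTS = new Set(["auth.example.com"]);
function auditRedirects(text, trustedHosts = TRUSTED_HOSTS) {
  const findings = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const [from, to, status = "301"] = line.split(/\s+/);
    // A 200 status is a rewrite/proxy, so the source path stays reachable.
    if (status === "200") findings.push(`${from}: rewrite (200) exposes ${to}`);
    if (/^https?:\/\//i.test(to)) {
      const host = new URL(to).hostname;
      if (!trustedHosts.has(host)) findings.push(`${from}: redirects off-site to ${host}`);
    }
  }
  return findings;
}
function auditHeaders(text) {
  const findings = [];
  let path = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    if (!/^\s/.test(raw)) { path = line; continue; } // unindented line starts a path block
    const idx = line.indexOf(":");
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (name === "access-control-allow-origin" && value === "*")
      findings.push(`${path}: CORS open to any origin`);
    if (name === "access-control-allow-credentials" && value === "true")
      findings.push(`${path}: credentialed CORS, verify the allowed origin is strict`);
  }
  return findings;
}
```

Run `auditRedirects(SAMPLE_REDIRECTS)` and `auditHeaders(SAMPLE_HEADERS)` against the real files pulled from the repository to get the list of items worth a closer look.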

Workers

On each Cloudflare Worker check:

  • The triggers: what makes the worker start? Can a user send data that will be used by the worker?
  • In Settings, check for Variables containing sensitive information
  • Check the code of the worker and search for vulnerabilities (especially in the places where the user can control the input)
  • Check for SSRFs returning the indicated page that you can control
  • Check for XSSs executing JS inside an svg image
  • It's possible that the worker interacts with other internal services. For example, a worker might interact with an R2 bucket storing information obtained from the input. In that case, you need to check what capabilities the worker has over the R2 bucket and how it could be abused from user input.
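To make the SSRF point above concrete, here is an added example (not code from the original page) of a Worker that fetches a URL taken from the request: first the pattern a reviewer should flag, then a hardened version with a scheme check and a host allowlist. `ALLOWED_HOSTS`, the hostnames and the injectable `fetcher` parameter are assumptions made so the logic can be exercised without network access.

```javascript
// Added example, not from the original page: a Worker proxying to a user-supplied
// URL, in its SSRF-prone form and a hardened form. `fetcher` is injected for testing.
const ALLOWED_HOSTS = new Set(["assets.example.com"]); // assumed allowlist

// Vulnerable: whatever host the caller names gets fetched from the Worker's
// network position, including internal or other-service endpoints.
function vulnerableProxy(request, fetcher = fetch) {
  const target = new URL(request.url).searchParams.get("url");
  if (!target) return new Response("missing url", { status: 400 });
  return fetcher(target);
}

// Returns a URL object only for https targets on an allowlisted host without
// embedded credentials; null otherwise.
function validateTarget(raw, allowed = ALLOWED_HOSTS) {
  let u;
  try { u = new URL(raw); } catch { return null; }
  if (u.protocol !== "https:" || u.username || u.password) return null;
  if (!allowed.has(u.hostname)) return null;
  return u;
}

// Hardened: validate before fetching and do not follow redirects, so an
// allowlisted host cannot bounce the fetch somewhere else.
function hardenedProxy(request, fetcher = fetch) {
  const raw = new URL(request.url).searchParams.get("url");
  const target = validateTarget(raw);
  if (!target) return new Response("target not allowed", { status: 400 });
  return fetcher(target.toString(), { redirect: "manual" });
}

// In a real Worker this object would be the module's default export.
const worker = { fetch: (request) => hardenedProxy(request) };
```

Both handlers return either a `Response` or the promise from `fetcher`, which is what the Workers runtime expects from a fetch handler.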

Warning: note that by default a Worker is given a URL such as <worker-name>.<account>.workers.dev. The user can set it to a subdomain, but you can always access it with that original URL if you know it.

For a practical abuse of Workers as pass-through proxies (IP rotation, FireProx-style), check:

Cloudflare Workers Pass Through Proxy Ip Rotation

R2

On each R2 bucket check:

  • Configure the CORS Policy.

Stream

TODO

Images

TODO

Security Center

  • If possible, run a Security Insights scan and an Infrastructure scan, as they will reveal interesting information security-wise.
  • Just check this information for security misconfigurations and interesting info.

Turnstile

TODO

Zero Trust

Cloudflare Zero Trust Network

Bulk Redirects

Note: Unlike Dynamic Redirects, Bulk Redirects are essentially static — they do not support any string replacement operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior.

  • Check that the expressions and requirements of the redirects make sense.
  • Also check for sensitive hidden endpoints that may contain interesting information.

Notifications

  • Check the notifications. These notifications are recommended for security:
      • Usage Based Billing
      • HTTP DDoS Attack Alert
      • Layer 3/4 DDoS Attack Alert
      • Advanced HTTP DDoS Attack Alert
      • Advanced Layer 3/4 DDoS Attack Alert
      • Flow-based Monitoring: Volumetric Attack
      • Route Leak Detection Alert
      • Access mTLS Certificate Expiration Alert
      • SSL for SaaS Custom Hostnames Alert
      • Universal SSL Alert
      • Script Monitor New Code Change Detection Alert
      • Script Monitor New Domain Alert
      • Script Monitor New Malicious Domain Alert
      • Script Monitor New Malicious Script Alert
      • Script Monitor New Malicious URL Alert
      • Script Monitor New Scripts Alert
      • Script Monitor New Script Exceeds Max URL Length Alert
      • Advanced Security Events Alert
      • Security Events Alert
  • Check all the destinations, as there could be sensitive info (basic http auth) in the webhook URLs. Also make sure the webhook URLs use HTTPS.
  • As an additional check, you could try to impersonate a Cloudflare notification to a third party; maybe you can somehow inject something dangerous.

Manage Account

  • It's possible to see the last 4 digits of the credit card, the expiration date and the billing address in Billing -> Payment info.
  • It's possible to see the plan type used in the account in Billing -> Subscriptions.
  • In Members it's possible to see all the members of the account and their roles. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. But if the plan is Enterprise, more roles can be used to follow the principle of least privilege.
  • Therefore, whenever possible it's recommended to use the Enterprise plan.
  • In Members it's possible to check which members have 2FA enabled. Every user should have 2FA enabled.

Note: fortunately the Administrator role doesn't give permissions to manage memberships (it cannot escalate privileges or invite new members).

DDoS Investigation

Check this part.
