Cloudflare WAF bypass exploits revealed

Cloudflare's Web Application Firewall (WAF), which is touted as protecting some 25 million sites, remains vulnerable to rule bypasses, researchers have noted this week.

Websites protected with Cloudflare WAF intelligence typically block attackers who attempt to exploit vulnerabilities, such as SQL Injection, Cross-Site Scripting (XSS), and DoS, via common tactics and payloads.

For example, a crafted HTTP request carrying an XSS or SQLi exploit payload, made to a Cloudflare-protected website, would be automatically blocked by Cloudflare before it even reaches the website’s backend.

Slight modifications of generic exploit payloads, however, bypass Cloudflare’s filters and reach the protected website, as reported by security researchers and bug bounty hunters.

XSS filter bypass known since 2019, remains unpatched

This week, infosec researcher and bug bounty hunter Jackson Henry, aka CVE-JACKSON-1337, shared how he crafted an SVG HTML tag, normally meant to render scalable vector graphics onto webpages, to trigger a Cross-Site Scripting (XSS) proof-of-concept exploit on a Cloudflare-protected website.

While the payload shown in the researcher’s tweet is functionally equivalent to the simpler <svg onload=alert("1")>, adding a few encoded characters and leading zeros makes the payload evasive enough that it flies right past Cloudflare’s WAF protections.

The researcher noted that this particular XSS bypass technique has been publicly known since at least Jun 4, 2019, when security researcher Bohdan Korzhynskyi disclosed it.

In September 2020, Korzhynskyi reported that Cloudflare had recently downgraded certain rules, because of which his year-old XSS protection bypass technique was working again.
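Why encoded characters and leading zeros defeat a pattern match, and how decoding before matching closes the gap, shown as an added example that is not Cloudflare's code or the researchers'. The signature, function names and sample inputs are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Illustrative signature (an assumption, not a Cloudflare rule): an inline
# event-handler attribute whose value starts a function call, e.g. onload=alert(
HANDLER_CALL = re.compile(r"""\bon\w+\s*=\s*["']?\s*[\w.$]+\s*\(""", re.IGNORECASE)

MAX_ROUNDS = 5  # bound the loop so deeply nested encodings cannot stall inspection


def canonicalize(value: str) -> str:
    """Undo URL and HTML-entity encoding until the value stops changing."""
    for _ in range(MAX_ROUNDS):
        # html.unescape follows HTML5 parsing, so zero-padded numeric
        # references such as &#0000040; decode to the same character as &#40;
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def inspect(value: str) -> tuple[bool, bool]:
    """Return (signature hit on raw input, signature hit on canonical form)."""
    raw_hit = HANDLER_CALL.search(value) is not None
    canonical_hit = HANDLER_CALL.search(canonicalize(value)) is not None
    return raw_hit, canonical_hit


# Constructed sample inputs; the first is the simple payload quoted in the article.
SAMPLES = {
    "plain": '<svg onload=alert("1")>',
    "entity-encoded": '<svg onload=alert&#0000040;"1"&#41;>',
    "benign": "q=svg+icons&page=2",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        raw_hit, canonical_hit = inspect(value)
        print(f"{name:15} raw={raw_hit!s:5} canonical={canonical_hit}")
```

Matching on the canonical form widens what the rule sees, so it should be tuned against benign traffic to keep false positives in check.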

WAF bypasses available for other vulnerabilities too

Although the researchers have demonstrated how to bypass XSS protections offered by Cloudflare, it is worth noting that a simple Google search may reveal similar tactics that can be used to deliver payloads for different vulnerabilities.

Vulnerabilities like SQL Injections (SQLi), Remote Code Execution (RCE), or untrusted deserialization, if exploited, can have far more damaging consequences for websites than an XSS might.

It must be noted that protections offered by a WAF are supplementary to protections built into a website’s backend. Therefore, just because an XSS payload can “pass through” the WAF to the website’s backend, for example, does not guarantee a successful attack.

Should the website’s backend code have adequate protections against XSS, SQL Injections, and other common vulnerabilities, the attacker would not be able to succeed.

Protections offered by Cloudflare WAF and similar products are meant to be used as an additional layer of perimeter security and should not be blindly relied upon.

When asked for comment, Henry told Security Report, “Companies should not solely rely on WAFs to do the job. Industry standard protections against XSS and SQL injection should be implemented in conjunction with the chosen WAF.”

At the same time, making a WAF so restrictive that it blocks even slightly suspicious HTTP requests may lead to false positives and impact business operations.

Cloudflare to block the payload in next iteration of its WAF engine

Security Report reached out to Cloudflare for comment. A Cloudflare spokesperson told us:

“We value bypass notifications as they help us improve our WAF offering via our Managed Rulesets*. While bypasses do not signify a vulnerable application, being aware of these helps us block more attack vectors.”

“When we were notified of this specific XSS vector, we immediately set about fixing the bypass and provided custom rules to all customers that were concerned while we worked to close it for everyone by default.” 

“To address this specific XSS vector, and add other improvements, we have been working on our next major iteration of the Firewall engine that better handles encodings. For instance, I can confirm that the payload you asked about gets blocked in the new engine:”

“The new engine is currently being tested by a group of our customers, and we expect major rollout to start early this year,” a Cloudflare spokesperson told Security Report.

*In addition to managed rulesets, the Cloudflare WAF provides the ability for customers to write and deploy custom rules to block any application specific bypasses that may not be blocked by our rulesets.

Update 5-Jan-2021: Added Cloudflare’s response.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).
