Breaching WAF

this is kind of related to this thread.

  • say i have a name-based site mysite.example.
  • origin server’s ip is x.x.x.x and it blocks all connections except for Cloudflare ip ranges.
  • site is fronted by free Cloudflare (orange cloud).
  • end-to-end tls.
  • one waf rule to block access from ipv4 y.y.y.y.
  • no tunnel, no authenticated origin pull.

is there a way for someone to circumvent this?

as in, allow y.y.y.y to access the content on mysite.example.

one thought was setting up a site badguy.example on Cloudflare with a dns record x.x.x.x and orange cloud.

then somehow fool Cloudflare to access mysite.example from y.y.y.y via badguy.example using forged headers, etc.

have tried this in several ways using curl and similar tools but in each case Cloudflare returns errors, which is good.

so again, is there a way to breach this setup, even without authenticated origin pull?

It’s possible that an Enterprise customer could use Resolve Override in a Page Rule to reach your origin but I’m pretty sure they’d still use their original Host header - so if you’re only serving your website to Host: mysite.example then I don’t think even that would work.

This would reach your site but with Host: badguy.example - so you could just not serve your site to that hostname.

This is where customer-certificate Authenticated Origin Pull works - you provide the certificate to Cloudflare and they will use that whenever fetching your site. No-one else will have the certificate you made (ideally).


correct. as can prob tell, i’m paranoid but not yet enough to want to deal with client certs, specially if my server doesn’t support them and then i’ll be forced to proxypass via apache or nginx to get that capability.

Resolve Override does something different. Host Header Override is the enterprise Page Rule feature that can do damage here. But the same options are available elsewhere, such as in a Cloudflare Load Balancer.

1 Like

interesting point about host header overrides.

but can this be considered a mitigating factor?

The FQDN in the Host header must be a subdomain of a zone associated with the account, which is applicable for partial zones and secondary zones.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.