Recently Cloudflare has enabled Wildcard Proxy for all accounts, even free plan. This change was unannounced and as of this time it’s undocumented.
I would like clarification about this change and more details as to why Cloudflare has made the decision to make Wildcard Proxy available to all when previously it was a reserved feature for Enterprise accounts ONLY.
A few months ago I posted on this forum a hack about how anyone could enable Wildcard Proxy on free plans which my post was subsequently deleted. I am wondering if the decision by Cloudflare to make Wildcard Proxy free for all is in relation to the bug I found in which Cloudflare may have thought it to be easier to make this feature free rather than fixing the bug itself?
At the time of discovering the bug where you can enable Wildcard Proxy on free accounts, I did report it on Hacker1 however my report has gone un-responded to in over a month, and after asking if their decision to make Wildcard Proxy free for all was anything related my bug report, that also has gone un-responded to, so I’m asking here publicly.
I’d also like to know if the Worker vulnerability using Wildcard Proxy has also been fixed? Details in the Hacker1 bug report.
Hi, it was me who responded to that and I did follow up on it and it was investigated. It was found not to be a bug and was intended behaviour.
I do not believe these two are related.
I’m not sure exactly what this is in relation to, there was no vulnerability found with the information you provided in the previous thread and we have no access to your HackerOne reports.
At the time I also assumed it was intended behaviour. It wasn’t until after I wrote that post that I became more involved in this community and found so many posts where people are asking for Wildcard Proxy on free plans that I realised maybe it was a bug.
I thought that if it was “intended behaviour” then why nobody gave the details how to enable Wildcard Proxy any of the many times the question was asked on this community forum? Thats when I read more into it and found the official Cloudflare documentation says Wildcard Proxy is for Enterprise plans only and I subsequently asked for my post to be deleted as to not inadvertently tell people how to enable it for free.
Nevertheless, now its available free for all, I just wonder whats behind Cloudflare’s reasoning to make Wildcard Proxy available to all free accounts and I wonder why they haven’t announced it or updated their documentation.
Of course, I wouldn’t detail any exploit publicly. When I wrote the original post about enabling Wildcard Proxy for free, I thought it was intended behaviour so I didn’t look for any possibility of exploits; it wasn’t until after the post was deleted that I started probing for exploits using the Wildcard Proxy.
One thing is that you can break out of the requests chain for requests made by Workers so that your sub-requests go back through the front-door of Cloudflare. This can be used maliciously but also for more innocent things getting some of the Cloudflare SSL for SaaS feature for free where you’d usually be stopped by the CNAME Cross-User Ban policy.
It was not intentional that free plans can directly enable the proxy on a wildcard, however when the wildcard pointed cross-zone that was the expected behaviour to see the wildcard as if it was proxied. This is for a variety of reasons but it was passed to engineering and they confirmed there was no bug there. I personally had no idea this was possible until I looked into your post and followed up on it.
I don’t know why the decision was made, but it is only very recent and the documentation updates are in progress.
Was this reported in detail on HackerOne? I know they monitor that closely and it’s the best way to bring this to their attention.
Not a bug. This change is entirely intentional. All plans can now create proxied wildcard DNS records. There is a blog coming soon to go into more detail on the change.
The tl;dr is - we want everyone to have it. Its a widely requested change, and it helps a number of other use cases like Workers and tunnels.
Ok so they should announce this change soon and update the documentation. I’m very happy to hear this feature is here to stay. I was worried that reporting it would mean that I couldn’t use Wildcard Proxy on non-enterprise anymore.
I would have thought Cloudflare to be a bit more organised with their documentation. I don’t refer to their documentation much but the few times I do its pretty out-of-date or inaccurate, especially when referring to newer things like Workers; here for example I helped someone with some undocumented Worker stuff that he had asked in multiple threads for days (How do you use the API to bind an instance of a KV Namespace to access its data in a Worker?).
I hope Cloudflare can hire somebody to do better at their documentation, it’s pretty poor at the moment IMHO.
Yes I mentioned worker-to-worker execution briefly in the report but 2 months later and absolutely no response. As with any exploit it takes time to realise all the possibilities and use cases. They haven’t responded to me so I haven’t provided anymore details either.
Cloudflare have relatively recently updated all their documentation and changed the structure of that team. It’s more integrated with the product teams which does mean it mostly keeps up with the releases.
It’s a huge thing to keep documented and they’re doing a pretty good job, in my opinion. There is always room for improvement but the team is very responsive.
I’m not sure how this works on their side but if you think this is a genuine bug that warrants more attention then you may want to file it alone with more detail, away from the general wildcard proxy issue.
Good advise, it probably hasn’t got any real attention because its convoluted mainly about the Wildcard Proxy for free thing with you have confirmed is intentional but undocumented.
It would have been nice for them to just say so and then I could have raised the new discoveries as a seperate concern.
I work with people on the PCX team (The people who review, maintain and improve the docs daily) constantly. They’re some absolutely amazing people and are always working to improve the documentation. Trust me, they have plenty of great people doing that work. For the product I work on and the adjacent products (including Workers) are very well documented, much better than a few years ago.
You can always make an issue on the repo too if you want more content or think something needs an update: Issues · cloudflare/cloudflare-docs · GitHub
This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.