I have tested posting JSON data following these instructions: https://developers.cloudflare.com/waf/managed-rules/check-for-exposed-credentials/test-configuration/, but the request is not blocked, and no header is set.
Just to test that this managed rule is active, I tried enabling and disabling "Blocks requests containing 'Exposed-Credential-Check'" (rule: ef21b0a932ae422790f9249d213b85e6). This particular rule works fine (when enabled, it blocks requests containing Exposed-Credential-Check, and when disabled, it lets them through). So I can conclude that the managed rule is active.
However, requests using any known leaked password, or the suggested test values, are not blocked and do not get the Exposed-Credential-Check header added.
A similar question was asked here: https://community.cloudflare.com/t/cloudflare-exposed-credentials-not-working/599644, but there was no answer.
I have tried deleting and redeploying the managed rule, and it still does not work.
Checking your dashboard and going through your many domains, I assume you're referring to ge(...).id. In Firewall Events I can see requests being blocked by the Cloudflare Exposed Credentials Check Ruleset:
The ones that don't work are all the credential checks; they do not block or add Exposed-Credential-Check. For example, rule 7d576b8b22fd4303949fc789d4b53bb2 ("Checks credentials sent as JSON with 'username' and 'password' keys"). The other rules don't work either (JSON with 'email' and 'password' / rule: 7d576b8b22fd4303949fc789d4b53bb2).
You can test this just by sending any JSON data with curl, with the username CF_EXPOSED_USERNAME and the password CF_EXPOSED_PASSWORD, to the site, and it will not be blocked.
I have found the cause. I copied the request from the browser developer console ("Copy as cURL"), and it turns out the website used an old version of Axios (v0.19.0); in this version it has:
The presence of ;charset=utf-8 causes the request not to be processed by the WAF. If I remove the ;charset=utf-8 part, then the combination CF_EXPOSED_USERNAME/CF_EXPOSED_PASSWORD is blocked.
So this can be used as a WAF bypass, but since this is not in Cloudflare's bug bounty scope, I guess it's OK to just write it here.
In my opinion this is not good; it is too easy to bypass the check. But at least now we have a workaround: ensure there is no ";charset=utf-8" in our requests, and check this on the backend.
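As an added example (this is not code from the thread, from Cloudflare, or from the poster's site), here is one way to implement the backend half of that workaround in a Node/Express-style application: reject JSON login requests whose Content-Type is anything other than a bare `application/json`, so a client that sends `application/json;charset=utf-8` (or any other parameter) cannot reach the login handler without first being seen by the WAF rule. The request/response shape (`req.path`, `req.method`, `req.headers`, `res.status().json()`) and the `/api/login` path are assumptions for the illustration.

```javascript
// Added example: backend guard that refuses JSON credential posts whose
// Content-Type carries parameters such as ";charset=utf-8". Assumes an
// Express-style req/res and a hypothetical login path.
const LOGIN_PATHS = new Set(['/api/login']); // assumption: the credential endpoint(s)

// Split a Content-Type header into its media type and a map of parameters.
// "application/json; charset=utf-8" -> { type: "application/json", parameters: { charset: "utf-8" } }
function parseContentType(value) {
  if (typeof value !== 'string') return null;
  const [type, ...params] = value.split(';').map((s) => s.trim());
  const parameters = {};
  for (const p of params) {
    const eq = p.indexOf('=');
    if (eq === -1) continue; // ignore malformed "key" without "=value"
    const name = p.slice(0, eq).trim().toLowerCase();
    const raw = p.slice(eq + 1).trim();
    parameters[name] = raw.replace(/^"(.*)"$/, '$1'); // strip optional quotes
  }
  return { type: type.toLowerCase(), parameters };
}

// Returns null when the header is an acceptable bare application/json,
// otherwise a short reason string describing why it was rejected.
// RFC 8259 defines no charset parameter for application/json, so any
// parameter at all is treated as suspicious here.
function jsonLoginContentTypeProblem(contentType) {
  const parsed = parseContentType(contentType);
  if (!parsed) return 'missing Content-Type';
  if (parsed.type !== 'application/json') {
    return `unexpected media type "${parsed.type}"`;
  }
  if (Object.keys(parsed.parameters).length > 0) {
    return 'Content-Type must be exactly application/json (no charset or other parameters)';
  }
  return null;
}

// Express-style middleware: apply the check only to POSTs on login paths.
function enforceBareJsonOnLogin(req, res, next) {
  if (req.method !== 'POST' || !LOGIN_PATHS.has(req.path)) return next();
  const problem = jsonLoginContentTypeProblem(req.headers['content-type']);
  if (problem !== null) {
    res.status(415).json({ error: problem });
    return;
  }
  return next();
}

module.exports = { parseContentType, jsonLoginContentTypeProblem, enforceBareJsonOnLogin };
```

Mount `enforceBareJsonOnLogin` before the body parser on the login route. Pairing this with an explicit `Content-Type: application/json` on the client (rather than relying on the default an old Axios sets) keeps legitimate logins working while making the parameterised form a hard failure instead of a silent WAF miss.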
"Checks credentials sent as JSON with 'username' and 'password' keys": is there a curl query that can test that specific policy? I tried it on my test domain as shown below, but it wasn't detected by the policy.