Cloudflare Exposed Credentials Check not working

I have tested posting JSON data using this instruction:
https://developers.cloudflare.com/waf/managed-rules/check-for-exposed-credentials/test-configuration/, but it is not blocked, and no header was set.

I tried

Just to test that this managed rule is active, I tried enabling and disabling the rule "Blocks requests containing 'Exposed-Credential-Check'" (rule: ef21b0a932ae422790f9249d213b85e6). This particular rule works fine (when enabled, it blocks requests with Exposed-Credential-Check, and when disabled, it lets them through). So I can conclude that the managed rule is activated.

However, using any known leaked password or the suggested test values is not blocked, and does not add the Exposed-Credential-Check header.

A similar question was asked here: https://community.cloudflare.com/t/cloudflare-exposed-credentials-not-working/599644, but there was no answer.

I have tried deleting and redeploying the managed rule, and it still does not work.

Hi there,

Checking your dashboard and going through your many domains, I assume you’re referring to ge(...).id. In firewall events I can see requests being blocked by Cloudflare Exposed Credentials Check Ruleset:

Please filter for the timeframe on the screen and, for the ruleset ID, use c2e184081120413c86c3ab7e14069605, and you’ll be able to see it.

If you need to test it in real-time, leave the same ruleset ID and change the date to the previous 30 minutes:

Take care.

The ones that don’t work are all the credential check rules; they do not block or add Exposed-Credential-Check, for example rule 7d576b8b22fd4303949fc789d4b53bb2 (Checks credentials sent as JSON with ‘username’ and ‘password’ keys). The other rules also don’t work (JSON with ‘email’ and ‘password’ / rule: 7d576b8b22fd4303949fc789d4b53bb2).

You can test this just by sending any JSON data with curl with username CF_EXPOSED_USERNAME and password CF_EXPOSED_PASSWORD to the site, and it will not be blocked.

I have found the cause. I copied the request from the browser developer console (“Copy as curl”); it turns out the website used an old version of Axios (v0.19.0), which has:

 setContentTypeIfUnset(headers, 'application/json;charset=utf-8');

The presence of ;charset=utf-8 causes it not to be processed by the WAF. If I remove the ;charset=utf8 part, then the combination of CF_EXPOSED_USERNAME/CF_EXPOSED_PASSWORD is blocked.

So this can be used as a WAF bypass, but since this is not in Cloudflare’s bug bounty scope, I guess it’s ok to just write it here.

In my opinion, this is not good; it is too easy to bypass the check. But at least now we have a workaround: ensure there is no “;charset=utf8” in our requests, and check this on the backend.
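The backend check described above, as an added example (not code from the original post, from Axios or from Cloudflare): a small Node.js helper that accepts credential-bearing requests only when the Content-Type is exactly application/json, so a charset parameter cannot leave a login request in a form the WAF does not inspect. The (req, res, next) middleware shape is the Express/Connect convention and is assumed; the sample header values are constructed.

```javascript
// Added example (not from the original post): reject any Content-Type that is
// not the bare media type the WAF credential check inspects.

// Parse a Content-Type value into a lower-cased media type and its parameters
// (optional whitespace around ';' and quoted values are tolerated).
function parseContentType(value) {
  if (typeof value !== 'string' || value.trim() === '') {
    return { mediaType: '', params: {} };
  }
  const [type, ...rest] = value.split(';');
  const params = {};
  for (const part of rest) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    let val = part.slice(eq + 1).trim();
    if (val.startsWith('"') && val.endsWith('"')) val = val.slice(1, -1);
    params[name] = val;
  }
  return { mediaType: type.trim().toLowerCase(), params };
}

// Only "application/json" with no parameters is accepted; "charset", or any
// other parameter, is refused so the request cannot skip the WAF check.
function checkLoginContentType(headerValue) {
  const { mediaType, params } = parseContentType(headerValue);
  if (mediaType !== 'application/json') {
    return { ok: false, reason: `unexpected media type "${mediaType}"` };
  }
  const extra = Object.keys(params);
  if (extra.length > 0) {
    return { ok: false, reason: `Content-Type parameters not allowed: ${extra.join(', ')}` };
  }
  return { ok: true, reason: '' };
}

// Express/Connect-style middleware for the login route (shape assumed).
// 415 tells the client to resend with a plain application/json Content-Type.
function requireStrictJson(req, res, next) {
  const result = checkLoginContentType(req.headers['content-type']);
  if (!result.ok) {
    res.statusCode = 415;
    res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify({ error: result.reason }));
    return;
  }
  next();
}

// Constructed sample values: the Axios v0.19.0 default from the thread and the fixed form.
const SAMPLES = { axiosDefault: 'application/json;charset=utf-8', fixed: 'application/json' };
```

On the client side the matching fix is the one the post describes: send the login request with a plain application/json Content-Type, or upgrade the Axios version that sets the charset parameter by default.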

Hello,

I too am having a similar problem to yours.

For “Checks credentials sent as JSON with ‘username’ and ‘password’ keys”, is there a curl query that can test that detailed policy? I tried it on my test domain as shown below, but it wasn’t detected by the policy.

curl -X POST 'https://www.test.com' -H "Content-Type: application/json" -d '{email: "[email protected]", password: "CF_EXPOSED_PASSW", autoLogin: "N"}'

If there is anything I should consider, please share.