On my settings, Tor visitors are submitted to a captcha challenge, whatever the request.
Some of them solve the challenge.
Does this create a WAF whitelist for them?
If you click on the relevant Firewall event log, it should list the Action Taken
to indicate if the request bypassed, solved or did not solve the challenge.
Action Taken = Managed Challenge
means not solved, as the FirewallMatchesActions field
at https://developers.cloudflare.com/logs/reference/log-fields/zone/http_requests lists the following options:
- unknown
- allow
- block
- challenge
- jschallenge
- log
- connectionClose
- challengeSolved
- challengeFailed
- challengeBypassed
- jschallengeSolved
- jschallengeFailed
- jschallengeBypassed
- bypass
- managedChallenge
- managedChallengeSkipped
- managedChallengeNonInteractiveSolved
- managedChallengeInteractiveSolved
- managedChallengeBypassed
So if that log4j scan request did solve a Managed Challenge, the Action Taken
would be listed as either managedChallengeNonInteractiveSolved
or managedChallengeInteractiveSolved
instead of managedChallenge.
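As an added illustration (not code from the thread or from Cloudflare), the snippet below groups the FirewallMatchesActions values listed above into outcomes and triages constructed sample records in the shape of the http_requests dataset: it tallies outcomes per client IP and lists the requests that got past a challenge and were still served, which are the ones to check against the WAF rules they matched. The grouping of action names, the sample records, the rule id "badscore-rule" and the paths are this example's own assumptions; only PHP100012 comes from the thread.

```python
import json
from collections import Counter

# Values of FirewallMatchesActions grouped by the outcome their name implies.
# The grouping is this example's reading of the field reference, not Cloudflare's.
SOLVED = {"challengeSolved", "jschallengeSolved",
          "managedChallengeNonInteractiveSolved",
          "managedChallengeInteractiveSolved"}
FAILED = {"challengeFailed", "jschallengeFailed"}
BYPASSED = {"challengeBypassed", "jschallengeBypassed",
            "managedChallengeBypassed", "managedChallengeSkipped", "bypass"}
ISSUED = {"challenge", "jschallenge", "managedChallenge"}
TERMINAL = {"block", "connectionClose"}

# Constructed sample records in the shape of the http_requests dataset (not real logs).
# Rule ids and paths are placeholders; only PHP100012 is taken from the thread.
SAMPLE_LOGS = """
{"ClientIP":"198.51.100.7","ClientRequestPath":"/scanned-path","EdgeResponseStatus":403,"FirewallMatchesActions":["managedChallenge","block"],"FirewallMatchesRuleIDs":["badscore-rule","PHP100012"]}
{"ClientIP":"198.51.100.7","ClientRequestPath":"/","EdgeResponseStatus":200,"FirewallMatchesActions":["managedChallengeInteractiveSolved"],"FirewallMatchesRuleIDs":["badscore-rule"]}
{"ClientIP":"203.0.113.9","ClientRequestPath":"/login","EdgeResponseStatus":403,"FirewallMatchesActions":["managedChallenge"],"FirewallMatchesRuleIDs":["badscore-rule"]}
{"ClientIP":"203.0.113.9","ClientRequestPath":"/login","EdgeResponseStatus":200,"FirewallMatchesActions":["managedChallengeBypassed"],"FirewallMatchesRuleIDs":["badscore-rule"]}
"""

def parse_logs(text):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def challenge_outcome(actions):
    """Collapse a request's FirewallMatchesActions list into a single outcome."""
    acts = set(actions)
    if acts & TERMINAL:
        return "blocked"   # a block rule also matched, whatever the challenge did
    if acts & SOLVED:
        return "solved"
    if acts & FAILED:
        return "failed"
    if acts & BYPASSED:
        return "bypassed"
    if acts & ISSUED:
        return "issued"    # challenge served; no solve recorded on this request
    return "none"

def outcomes_by_ip(records):
    """Tally challenge outcomes per client address."""
    tally = {}
    for rec in records:
        outcome = challenge_outcome(rec["FirewallMatchesActions"])
        tally.setdefault(rec["ClientIP"], Counter())[outcome] += 1
    return tally

def passed_to_origin(records):
    """Requests that got past a challenge (solved or bypassed) and were served
    (status below 400): review these against the WAF rules they matched."""
    return [rec for rec in records
            if challenge_outcome(rec["FirewallMatchesActions"]) in ("solved", "bypassed")
            and rec["EdgeResponseStatus"] < 400]

if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for ip, counts in outcomes_by_ip(recs).items():
        print(ip, dict(counts))
    for rec in passed_to_origin(recs):
        print("review:", rec["ClientIP"], rec["ClientRequestPath"], rec["FirewallMatchesRuleIDs"])
```

In the sample, the request that matched both the challenge rule and PHP100012 is reported as blocked regardless of the challenge, which is the behaviour the thread is asking about.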
I don’t have access to the logs, still not “enterprise”.
Maybe my example is not relevant / explicit.
My question is:
If I have a rule which requires a “Challenge” for Tor users, for example,
can they bypass a “block” rule by solving the challenge?
Look at this:
The Tor user hits the “Security level” / badscore rule which prompts the challenge.
But the “Path” hits CVE-2017-9841, which should be blocked by PHP100012.
Did the Tor user manage to try to exploit the CVE?
The screenshot says Action Taken = Managed Challenge,
so that means the request didn’t pass the challenge, from what I understand, so the request would get 403 permission denied.
OK, according to https://support.cloudflare.com/hc/en-us/articles/200170136-Understanding-Cloudflare-Captchas-and-Challenge-Passage:
The Challenge Passage does not apply to challenges issued by the Web Application Firewall (WAF).
And “Managed Challenge” does not mean “Solved Challenge”, so this looks safe.
Thank you for your help.