Mangled/Different POST data sent after Managed Challenge

Hello Cloudflare Community, I’m faced with a problem that, quite frankly, has me stumped.

Recently, users of our site have started complaining that editing certain large posts (which involves submitting an HTML form) on our website leads to a challenge page, followed by our website rejecting the edit. Looking at Security Events, I figured out that the managed challenges are triggered by WAF Managed Rule (specifically “OWASP SQL Injection Attack”), though in this case they are false positives. So far so good.

What has me baffled is what happens to the requests themselves. After the challenge completes, the browser sends another request to the same endpoint (triggered by the CF Managed Challenge page), with identical HTTP headers besides the Referrer header (which is expected and not a problem for us). However, the post data (~85kb) from the first request is gone, and replaced with some other post data (~36kb) that appears to be random base64-encoded binary blobs. So, our website rejects the request because required POST data is missing.

I’ve been going through all the docs, trying to find something documenting how we should handle challenge responses on our side in this situation, but I can find nothing that applies (and it rather looks like, besides the Referrer header, everything else is supposed to be perfectly transparent).

Do you have any ideas what could be happening here?

3 Likes

Same for me, tried with Intruder.io and Hostedscan.com vulnerability scanners, all show a Critical SQL Injection vulnerability.
