Websites abuse cloudflare's static format file extensions

This recommendation is for Cloudflare developers.

To abuse Cloudflare’s management of storing static format file extensions, websites put different formatted data in a jpg file, for example the file extension is jpg but the file format can actually be a 1mb mpg.

Cloudflare should also check the integrity of the file content.

I don’t think that’s going to matter much. Cloudflare already caches extensions associated with some pretty large files:
https://developers.cloudflare.com/cache/about/default-cache-behavior/#default-cached-file-extensions

Cloudflare does not validate the file format and content, and this is logically wrong.

I gave an example over mpg here and you are evaluating that there is no problem in the way it works here,
mpg format is already one of the extensions to be cached.

because you have no idea how the vulnerability is currently used and can be exploited, and this is not a problem for your knowledge.

You mentioned storing based on static file extensions. You mean cache? This is also done in Polish, where a cached image has a .jpg extension, but Cloudflare can deliver a webp for that .jpg file if the browser accepts it.

So, is this an issue with taking up cache space (storage), or is your concern that it may be a security vulnerability?

1 Like

Have a look at Cache Deception Armor and how to enable it.

1 Like

For example, somebody changes video.mp4 to asset.css and has their video players “download” the fake CSS and reproduce the video. I suspect that the analytics will just show a bunch of CSS traffic and not video and thus making it harder for the abuse team to spot the issue.

Because there is no point in doing so, you could spoof the extension (easy to detect) or have a legitimate png file and hide the video information within it; this is called steganography and is impossible to detect accurately. It’s a cat and mouse game that Cloudflare can’t win because there are just so many ways to hide the content you are delivering to your visitors.
If somebody is using a noticeable amount of bandwidth, they will be reached out sooner or later, whether the content i’s HTML or not.

I don’t think they’re going to care what actual the content is. Massive bandwidth usage is going to get their attention for a ToS violation, no matter the content. Though massive CSS files might get their attention faster. :wink:

1 Like

I agree; it’s likely that some people are abusing it and getting away with it but then… if nobody is noticing, the odds are that they aren’t as big to make it worthwhile noticing their project.

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.