3 tricks to bypass Cloudflare WAF in file upload

Numen Cyber Labs
Jul 1, 2022

For Cloudflare customers, having Cloudflare is like paying for peace-of-mind insurance that your system gets 99% protection against external threats. Even with only a 1% chance of success, why not give it a try?

So, without further ado, we purchased the Cloudflare Pro Plan and began this journey as a team, because teamwork makes the dream work!

In any penetration testing engagement, our hearts sink when we are greeted with this block page, and we question our existence!

In the initial assessment stage, we separated what is feasible from what is nearly impossible, and decided to zoom in on file upload bypasses.

Here, we are going to share 3 bypass tricks that we discovered recently.

Before that, let’s see how Cloudflare reacted to the request below. As expected, any sign of shell code is blocked!

Figure 1: Cloudflare Blocked the HTTP Request with Malicious Code

Trick #1 — Magic of Semicolon

1. Let’s try putting a semicolon at the end of the multipart boundary (boundary=????????????????;) and submit the request. Bingo! This was not detected by Cloudflare; the file was uploaded and the entire content was preserved.

Figure 2: Semicolon Bypassing Cloudflare

2. The following screenshot is not necessary, but we show it anyway.

Trick #2 — Magic of Transfer-Encoding

1. If you think Transfer-Encoding is used only in HTTP request smuggling, think again!

Figure 3: Chunked Encoding Payload Bypassing Cloudflare

Trick #3 — Magic of Prepended Large String

1. Generate 10,000 “A”s and prepend them to the shell payload.

Figure 4: Prepended Large String Payload Bypassing Cloudflare

2. If you doubt whether the payload can still be interpreted properly, doubt no more! The payload still executes after the run of As has been output.

How to Fix?

To help mitigate this kind of bypass technique, one can contact Cloudflare for recommendations.

A single layer of defense is definitely inadequate; companies must also make sure the application itself is secured.

So, it is extremely important to detect and correct application vulnerabilities through:

  • Vulnerability Assessment
  • Penetration Testing
  • Code Review
  • SOC as a Service
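As an added illustration of the application-side checks recommended above (this is not code from the post, from Numen, or from Cloudflare), here is a small server-side upload inspector that normalizes a request before scanning it, so that none of the three quirks described earlier keeps content away from the rule: it parses the boundary parameter while tolerating a trailing semicolon, decodes a chunked body, and scans every part in full rather than only a leading window. The PHP-tag signature, the host name and the sample request are constructed placeholders.

```python
import re

# Constructed signature (a PHP open tag inside a file that claims to be an image); a real rule set is far larger.
SIGNATURES = [re.compile(rb"<\?php", re.I)]

def boundary_from_content_type(value: bytes):
    # Parse the boundary parameter, tolerating quotes and a trailing ';' (Trick #1).
    for param in value.split(b";"):
        key, _, val = param.strip().partition(b"=")
        if key.strip().lower() == b"boundary" and val:
            return val.strip().strip(b'"')
    return None

def dechunk(body: bytes) -> bytes:
    # Decode Transfer-Encoding: chunked so rules see the reassembled bytes (Trick #2); malformed input raises ValueError.
    out, pos = b"", 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return out
        out += body[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2  # skip the chunk data and its trailing CRLF

def inspect_upload(raw: bytes):
    # Return findings for a raw multipart upload request; every part is scanned in full.
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(b":") for line in head.split(b"\r\n")[1:])}
    if b"chunked" in headers.get(b"transfer-encoding", b"").lower():
        body = dechunk(body)
    boundary = boundary_from_content_type(headers.get(b"content-type", b""))
    if boundary is None:
        return ["unparseable multipart boundary: reject rather than pass through unscanned"]
    findings = []
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):  # closing delimiter
            break
        phead, _, pbody = part.partition(b"\r\n\r\n")
        m = re.search(rb'filename="([^"]*)"', phead)
        fname = m.group(1).decode(errors="replace") if m else "?"
        # Scan the whole part, not a leading window, so padding (Trick #3) cannot hide content.
        findings += [f"{fname}: matched {s.pattern.decode()}" for s in SIGNATURES if s.search(pbody)]
    return findings
# Constructed sample combining all three quirks: ';' after the boundary, chunked body, 10,000 'A's of padding.
PART = (b'--B\r\nContent-Disposition: form-data; name="f"; filename="x.jpg"\r\n'
        b"Content-Type: image/jpeg\r\n\r\n" + b"A" * 10000 + b"<?php echo 1; ?>\r\n--B--\r\n")
SAMPLE = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\nTransfer-Encoding: chunked\r\n"
          b"Content-Type: multipart/form-data; boundary=B;\r\n\r\n%x\r\n%s\r\n0\r\n\r\n" % (len(PART), PART))
```

Calling inspect_upload(SAMPLE) reports the flagged part by its filename; a plain image upload with no signature match returns an empty list.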

Conclusion

At Numen Labs, we are given engagement-relevant challenges from time to time to keep pushing our limits. With customers always first in our minds, we also want to ensure we are always prepared to give our customers the best of us.


Numen Cyber Technology is a cybersecurity vendor and solution provider based in Singapore. We dedicate ourselves to Web3 security and threat detection & response.