3 tricks to bypass Cloudflare WAF in file upload
For Cloudflare customers, having Cloudflare is like paying for peace-of-mind insurance that your system will get 99% protection against external threats. Even with only a 1% chance of success, why not try?
So, without further ado, we purchased the Cloudflare Pro Plan and began this journey as a team, because teamwork makes the dream work!
In any penetration testing engagement, our hearts sink when we are greeted with this and question our existence!
In the initial assessment stage, we sorted what was more plausible from what was nearly impossible, and decided to zoom in on file upload bypass.
Here, we are going to share three bypass tricks that we discovered recently.
Before that, let’s see how Cloudflare reacted to the request below. As expected, any sign of shell code is blocked!
Trick #1 — Magic of Semicolon
1. Let’s try putting a semicolon at the end of the multipart boundary parameter (boundary=????????????????;) and submit the request. Bingo! This was not detected by Cloudflare: the file was uploaded and its entire content was preserved.
2. The following screenshot is not necessary, but we show it anyway.
Trick #2 — Magic of Transfer-Encoding
1. If you think Transfer-Encoding is used only in HTTP request smuggling, think again!
Trick #3 — Magic of Prepended Large String
1. Generate 10,000 “A” characters and prepend them to the shell payload.
2. If you doubt whether the payload can still be interpreted properly, doubt no more! The payload still executes after the run of As is output.
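Taken together, the three tricks point at three preprocessing mistakes an inspection layer can make: a strict boundary parser that treats a trailing ';' as part of the value, scanning a chunked body without de-chunking it first, and scanning only the first bytes of each part. The Python below is an added example, not code from the original post or from Cloudflare: a small request inspector that normalises all three before scanning. The sample requests, the boundary value XYZ123, the host name and the '<?php' marker are constructed for the example.

```python
"""Added example: normalise a multipart upload before inspecting it.

Three things an inspector must get right (one per trick in the post):
  1. parse the boundary parameter tolerantly (a trailing ';' is not part of it),
  2. de-chunk a Transfer-Encoding: chunked body before scanning,
  3. scan the whole file part, not only its first bytes.
Sample requests, the boundary XYZ123 and the script markers are constructed.
"""
import re
from typing import Dict, List, Tuple

SCRIPT_MARKERS = [b"<?php", b"<%"]  # inspection signatures used by this example


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP request into request line, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a chunked body; chunk extensions (';...') are ignored."""
    out, pos = bytearray(), 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";", 1)[0].strip(), 16)
        pos = line_end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # skip chunk data plus its trailing CRLF


def extract_boundary(content_type: str) -> str:
    """Tolerant boundary extraction: the value stops at ';' or whitespace."""
    m = re.search(r'boundary=("?)([^";\s]+)\1', content_type)
    if not m:
        raise ValueError("no multipart boundary in Content-Type")
    return m.group(2)


def file_parts(body: bytes, boundary: str) -> List[bytes]:
    """Return the data of every part, in order."""
    parts = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        _, _, data = chunk.partition(b"\r\n\r\n")
        parts.append(data.rstrip(b"\r\n"))
    return parts


def inspect_upload(raw: bytes) -> List[str]:
    """Findings for one raw upload request, after normalisation."""
    findings = []
    _, headers, body = parse_request(raw)
    ct = headers.get("content-type", "")
    if re.search(r"boundary=[^;]*;\s*$", ct):
        findings.append("boundary parameter has a trailing semicolon")
    if "chunked" in headers.get("transfer-encoding", "").lower():
        findings.append("chunked body: de-chunked before scanning")
        body = dechunk(body)
    for i, data in enumerate(file_parts(body, extract_boundary(ct))):
        for marker in SCRIPT_MARKERS:  # whole part: padding cannot hide a marker
            idx = data.find(marker)
            if idx != -1:
                findings.append(f"part {i}: {marker.decode()} at offset {idx}")
    return findings


def build_sample(boundary_param: str, file_bytes: bytes, chunked: bool = False) -> bytes:
    """Construct a test upload request (constructed sample, not captured traffic)."""
    body = (b"--XYZ123\r\n"
            b'Content-Disposition: form-data; name="f"; filename="pic.png"\r\n'
            b"Content-Type: image/png\r\n\r\n" + file_bytes + b"\r\n--XYZ123--\r\n")
    headers = [b"POST /upload HTTP/1.1", b"Host: app.example",
               b"Content-Type: multipart/form-data; " + boundary_param.encode()]
    if chunked:
        headers.append(b"Transfer-Encoding: chunked")
        body = b"%x\r\n" % len(body) + body + b"\r\n0\r\n\r\n"
    else:
        headers.append(b"Content-Length: %d" % len(body))
    return b"\r\n".join(headers) + b"\r\n\r\n" + body
```

Running `inspect_upload(build_sample("boundary=XYZ123", b"A" * 10000 + b"<?php ..."))` reports the marker at offset 10000, which is the check a scanner limited to the first few kilobytes of a part would miss; the chunked and trailing-semicolon samples report the normalisation step that was applied together with the marker. The point for a defender is that inspection happens on the decoded, fully parsed upload, not on the raw transport bytes.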
How to Fix?
To help mitigate this kind of bypass technique, one can contact Cloudflare for recommendations.
A single layer of defense is definitely inadequate; companies must also make sure the application itself is secured.
So, it is extremely important to detect and correct application vulnerabilities through:
- Vulnerability Assessment
- Penetration Testing
- Code Review
- SOC as a Service
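What "the application itself is secured" means for an upload endpoint is that the application decides what it accepts on its own, so that whether the WAF saw the payload no longer matters. The Python below is an added example of that application-side check, not code from the original post or from Cloudflare. The policy it assumes is constructed for the example: images only, validated by magic bytes rather than by scanning for bad strings, stored under a server-chosen random name in a directory outside the web root.

```python
"""Added example: application-side upload validation that does not rely on a WAF.

Policy assumed for the example: only images are accepted, the file is
validated by its magic bytes rather than by scanning for bad strings, and it
is stored under a server-chosen random name in a directory outside the web
root. A padded or oddly transported payload is then rejected for what it
is not (an image) rather than detected for what it is.
"""
import os
import secrets
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

MAX_BYTES = 5 * 1024 * 1024  # constructed size limit

# extension -> (expected Content-Type, magic-byte prefix); constructed policy
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"),
}


@dataclass
class Decision:
    accepted: bool
    reason: str
    stored_as: Optional[str] = None  # server-chosen file name, never the client's


def validate_upload(filename: str, declared_type: str, data: bytes) -> Decision:
    """Decide whether an upload is accepted; the client name only supplies the extension."""
    if len(data) > MAX_BYTES:
        return Decision(False, "file exceeds size limit")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return Decision(False, f"extension {ext!r} is not on the allowlist")
    mime, magic = ALLOWED[ext]
    if declared_type.split(";", 1)[0].strip().lower() != mime:
        return Decision(False, "declared Content-Type does not match the extension")
    if not data.startswith(magic):
        # e.g. script text, with or without a long padding prefix, is not a PNG
        return Decision(False, f"content does not start with the {ext} signature")
    return Decision(True, "accepted", stored_as=f"{secrets.token_hex(16)}.{ext}")


def store(decision: Decision, data: bytes, upload_dir: Path) -> Path:
    """Write an accepted file with a fixed non-executable mode; never overwrite."""
    if not decision.accepted or decision.stored_as is None:
        raise ValueError("refusing to store a rejected upload")
    target = upload_dir / decision.stored_as
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target
```

The magic-byte check validates the container, not harmlessness: a file that begins with a valid image signature and carries script text later in the body would still pass. The decisive control is therefore the storage step: the file lands outside the web root under a name the client never chose, and is served back through a download handler with a fixed Content-Type, so nothing the web server could execute is ever written where it would be executed.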
Conclusion
At Numen Labs, we are given engagement-relevant challenges from time to time to keep pushing our limits. With customers always first in our minds, we also want to ensure we are always prepared to give them the best of us.