Cloudflare Zero Trust Network

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Useful to get to know the environment

In Policies it's possible to generate policies to restrict by DNS, network or HTTP request who can access applications.

If used, policies could be created to restrict the access to malicious sites.
This is only relevant if a gateway is being used, if not, there is no reason to create defensive policies.

Check who can access to the application in the Policies and check that only the users that need access to the application can access.

To allow access Access Groups are going to be used (and additional rules can be set also)

Check the available identity providers and make sure they aren't too open

In Settings:

Check CORS isn't enabled (if it's enabled, check it's secure and it isn't allowing everything)
Cookies should have Strict Same-Site attribute, HTTP Only and binding cookie should be enabled if the application is HTTP.
Consider enabling also Browser rendering for better protection. More info about remote browser isolation here.

Check that the access groups generated are correctly restricted to the users they should allow.

It's specially important to check that the default access group isn't very open (it's not allowing too many people) as by default anyone in that group is going to be able to access applications.

Note that it's possible to give access to EVERYONE and other very open policies that aren't recommended unless 100% necessary.

Check that all service tokens expires in 1 year or less

You could search for unexpected actions from users

Check the plan type

It's possible to see the credits card owner name, last 4 digits, expiration date and address

It's recommended to add a User Seat Expiration to remove users that doesn't really use this service

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Last updated 4 months ago

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Useful to get to know the environment

In Policies it's possible to generate policies to restrict by DNS, network or HTTP request who can access applications.

If used, policies could be created to restrict the access to malicious sites.
This is only relevant if a gateway is being used, if not, there is no reason to create defensive policies.

Check who can access to the application in the Policies and check that only the users that need access to the application can access.

To allow access Access Groups are going to be used (and additional rules can be set also)

Check the available identity providers and make sure they aren't too open

In Settings:

Check CORS isn't enabled (if it's enabled, check it's secure and it isn't allowing everything)
Cookies should have Strict Same-Site attribute, HTTP Only and binding cookie should be enabled if the application is HTTP.
Consider enabling also Browser rendering for better protection. More info about remote browser isolation here.

Check that the access groups generated are correctly restricted to the users they should allow.

Note that it's possible to give access to EVERYONE and other very open policies that aren't recommended unless 100% necessary.

Check that all service tokens expires in 1 year or less

You could search for unexpected actions from users

Check the plan type

It's possible to see the credits card owner name, last 4 digits, expiration date and address

It's recommended to add a User Seat Expiration to remove users that doesn't really use this service

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Cloudflare Zero Trust Network

Analytics

Gateway

Access

Applications

Access Groups

Service Auth

Tunnels

My Team

Logs

Settings

Analytics

Gateway

Access

Applications

Access Groups

Service Auth

Tunnels

My Team

Logs

Settings