Cloudflare Security
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
In a Cloudflare account there are some general settings and services that can be configured. In this page we are going to analyze the security related settings of each section:
Review each with:
Cloudflare DomainsReview each with:
Cloudflare DomainsI couldn't find anything to check for a config security review.
On each Cloudflare's page:
On each Cloudflare's worker check:
Note that by default a Worker is given a URL such as <worker-name>.<account>.workers.dev
. The user can set it to a subdomain but you can always access it with that original URL if you know it.
On each R2 bucket check:
TODO
TODO
TODO
Unlike Dynamic Redirects, Bulk Redirects are essentially static — they do not support any string replacement operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior.
Check that the expressions and requirements for redirects make sense.
Check also for sensitive hidden endpoints that you contain interesting info.
Check the notifications. These notifications are recommended for security:
Usage Based Billing
HTTP DDoS Attack Alert
Layer 3/4 DDoS Attack Alert
Advanced HTTP DDoS Attack Alert
Advanced Layer 3/4 DDoS Attack Alert
Flow-based Monitoring: Volumetric Attack
Route Leak Detection Alert
Access mTLS Certificate Expiration Alert
SSL for SaaS Custom Hostnames Alert
Universal SSL Alert
Script Monitor New Code Change Detection Alert
Script Monitor New Domain Alert
Script Monitor New Malicious Domain Alert
Script Monitor New Malicious Script Alert
Script Monitor New Malicious URL Alert
Script Monitor New Scripts Alert
Script Monitor New Script Exceeds Max URL Length Alert
Advanced Security Events Alert
Security Events Alert
Check all the destinations, as there could be sensitive info (basic http auth) in webhook urls. Make also sure webhook urls use HTTPS
As extra check, you could try to impersonate a cloudflare notification to a third party, maybe you can somehow inject something dangerous
It's possible to see the last 4 digits of the credit card, expiration time and billing address in Billing
-> Payment info
.
It's possible to see the plan type used in the account in Billing
-> Subscriptions
.
In Members
it's possible to see all the members of the account and their role. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. But if the used plan is Enterprise, more roles can be used to follow the least privilege principle.
Therefore, whenever possible is recommended to use the Enterprise plan.
In Members it's possible to check which members has 2FA enabled. Every user should have it enabled.
Note that fortunately the role Administrator
doesn't give permissions to manage memberships (cannot escalate privs or invite new members)
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)