Cloudflare WAF Bypass Via Padding Technique Discovered

Researchers have discovered another vulnerability leading to a Cloudflare bypass via padding. Exploiting this vulnerability could threaten the security of web applications using Cloudflare WAF.

Cloudflare WAF Bypass Via Padding

Security researchers from the cybersecurity firm Swascan have found a way to bypass Cloudflare Web Application Firewall (WAF).

Web Application Firewall is a critical security measure protecting web apps from most common cyber threats. Cloudflare WAF is one of the most popular WAF used globally.

However, researchers found the possibility to bypass Cloudflare WAF by applying the padding technique. As stated in their post,

Examining Cloudflare we discovered that, in its default configuration, adding about 128 KB of padding before any multipart/form-data POST request will cause the WAF to truncate it to that maximum size, skipping the exceeding part and sending it to the target application.

This eventually allowed an adversary to malicious payloads to bypass WAF and exploit other app vulnerabilities.

The researchers discovered this flaw during penetration testing, where they could achieve remote code execution access on target systems. Under the default configuration, Cloudflare WAF allowed HTTP malicious requests and file uploads with padding.

They have shared the proof-of-concept of the vulnerability in their post.

Possible Mitigations

Upon discovering the vulnerability, the researchers reached out to Cloudflare to report the matter. In response, Cloudflare Product Manager, Michael Tremante, advised applying rule 100048 that prevents padding attacks. As per Tremante’s statement to Swascan,

This bypass can be mitigated by turning on rule 100048. This rule now protects against padding type attacks but it is not deployed by default as it causes a large number of false positives in customer environments. It is, however, important that customers tune their WAF. We are also working on a better longer term solution.

While talking to LHN, Pierguido Iezzi, Co-founder and CyberSecurity Director at Swascan, commented about this problem,

It’s crucial for any organization or government agency which currently uses a Cloudflare WAF to enable the rules as rules we described. This remediation activity could make the difference between having a secure perimeter or having to deal with a Cyber Security Incident. Our activity and the subsequent disclosure only reinforces the importance of Preventive Cyber Security. Only through regular Vulnerability Assessment and Penetration Testing activity – carried out following the reference methodologies such as OWASP, Penetration Testing Execution Standard and OSSTMM – it’s possible to comprehensively protect your ICT Infrastructure and Data while maintaining a satisfactory level of Business Continuity.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients