Cloudflare Bypass

How to bypass Cloudflare.

Context

You may be in a situation where you come across a web resource protected by Cloudflare and you need to bypass it. Cloudflare is configured by handing it control of the DNS records for a web resource, so that any traffic destined for the resource is routed through Cloudflare before it reaches the destination servers. This is what enables the Cloudflare Web Application Firewall.

How to Bypass Cloudflare

As Cloudflare protects the web resource by fronting it with its own content delivery network, the only method to bypass Cloudflare is to find the web resource's real IP address. Once the real IP address is known, it is possible to access the web server directly and avoid Cloudflare altogether.

The following ways may lead to finding the real IP address:

Browsing the configured DNS records

Just because Cloudflare takes control of the DNS records does not mean that a web resource has been configured correctly or has even been enabled. Using a website such as mxtoolbox, which presents a web resource's DNS records, can allow you to view any IP addresses that may be set and could be non-Cloudflare. Special attention should be paid to records such as MX (mail), as these are often forgotten about or not enabled with Cloudflare and so present a real IP address.

Using a historical IP Address checker

Websites exist that track historical web data. As part of this data, they may keep logs of previous IP addresses used by a web resource before Cloudflare was introduced. Once the real IP address is known, Cloudflare is bypassed. The following websites track historical IP addresses:

Subdomain Bruteforce

Looking for subdomains may lead to finding unprotected web resources. For example, if the protected website you are viewing is https://example.com, it may be that https://development.example.com is not protected by Cloudflare but still uses the same server, and therefore the same IP address.

There are a variety of tools that can help look for subdomains; we recommend bbot:

bbot -t evilcorp.com -f subdomain-enum | tee output.txt
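An added example, not from the original page, of the defender-side version of the two checks above (DNS records and subdomains): it audits a zone's A and MX records, following MX targets to their addresses, and reports every address that does not belong to Cloudflare, which is exactly the exposure an attacker would look for. The zone data is constructed and uses RFC 5737 documentation addresses; the Cloudflare ranges are the published IPv4 list as known at the time of writing and should be refreshed from https://www.cloudflare.com/ips-v4 before a real audit.

```python
import ipaddress
from collections import defaultdict

# Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4) as known
# at the time of writing. The list changes; a real audit should fetch the live copy.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare(ip: str) -> bool:
    """True when the address sits inside one of the known Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

# Constructed zone data standing in for the output of a DNS lookup tool.
# Each entry is (owner name, record type, target). MX targets are hostnames,
# so the audit has to follow them to their A records. 203.0.113.0/24 is a
# documentation range and stands in for the origin server here.
SAMPLE_ZONE = [
    ("example.com",             "A",  "104.16.1.1"),
    ("www.example.com",         "A",  "104.16.1.1"),
    ("example.com",             "MX", "mail.example.com"),
    ("mail.example.com",        "A",  "203.0.113.10"),   # mail host on the origin box
    ("development.example.com", "A",  "203.0.113.10"),   # forgotten subdomain, same box
    ("ftp.example.com",         "A",  "203.0.113.10"),
]

def audit_zone(records):
    """Return {ip: [labels]} for every address reachable outside Cloudflare."""
    a_records = defaultdict(set)
    for name, rtype, target in records:
        if rtype == "A":
            a_records[name].add(target)

    exposed = defaultdict(list)
    for name, rtype, target in records:
        if rtype == "A":
            addrs, label = {target}, name
        elif rtype == "MX":
            # An MX record leaks the origin only through the address its target resolves to.
            addrs, label = a_records.get(target, set()), f"{name} (MX -> {target})"
        else:
            continue
        for ip in addrs:
            if not is_cloudflare(ip):
                exposed[ip].append(label)
    return dict(exposed)

if __name__ == "__main__":
    for ip, labels in audit_zone(SAMPLE_ZONE).items():
        print(f"{ip} is reachable outside Cloudflare via: {', '.join(labels)}")
```

Run against a real zone, the records list would come from a resolver rather than the constructed table, and any address the audit reports should either be moved behind the proxy or firewalled so that it only accepts traffic from Cloudflare's ranges.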

Using Web Functionality

Using the protected web application to send data back to yourself is a strong method to find its real IP address. If you can have the web application send you a password reset email or a "thanks for contacting us" message from the contact form, you have a chance to look at the received email headers and view a potentially unprotected IP address. Any area of a web application that can call out to you in some way, such as a server whose connections you can monitor, is a potential bypass.
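As an added example (not code from the original page), the check a defender would run on a message their own application sent: walk the Received headers of a transactional e-mail and flag every hop address that is not one of the relays the mail is expected to pass through. The message, the relay range and the hostnames are constructed assumptions using RFC 5737 documentation addresses.

```python
import ipaddress
import re
from email import message_from_string

# Constructed password-reset message as it might arrive at a test mailbox.
# Received headers are prepended by each hop, so the newest hop comes first.
SAMPLE_EMAIL = """\
Received: from mx.mailprovider.example (mx.mailprovider.example [192.0.2.25])
\tby inbound.tester.example with ESMTPS id abc123;
\tThu, 1 Jan 2026 10:00:00 +0000
Received: from web01.internal (unknown [203.0.113.10])
\tby mx.mailprovider.example (Postfix) with ESMTP id def456;
\tThu, 1 Jan 2026 09:59:58 +0000
From: noreply@example.com
To: user@tester.example
Subject: Password reset

Click the link to reset your password.
"""

# Addresses the mail is expected to come from: the mail provider's outbound relays.
# Anything else in the chain is a host the application exposed by sending mail itself.
EXPECTED_RELAYS = [ipaddress.ip_network("192.0.2.0/24")]

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(raw: str):
    """IPv4 addresses from the Received headers, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for header in msg.get_all("Received", []):
        hops.extend(IP_IN_BRACKETS.findall(header))
    return list(reversed(hops))

def unexpected_hops(raw: str):
    """Hop addresses outside EXPECTED_RELAYS: candidates for an exposed origin host."""
    return [ip for ip in received_hops(raw)
            if not any(ipaddress.ip_address(ip) in net for net in EXPECTED_RELAYS)]

if __name__ == "__main__":
    for ip in unexpected_hops(SAMPLE_EMAIL):
        print(f"unexpected hop {ip}: this host is visible to anyone who receives the mail")
```

The fix on the application side is to hand outbound mail to a relay rather than sending it from the web server, so the first Received header names the relay and not the origin.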

Cloudflare Scanner

An easy way to conduct most of the above is to use a tool that automates it:

python3 cloakquest3r.py <URL>
