Cloudflare whitelists its own bots and fetchers in its WAF so that they bypass captchas, which lets its internal tools pass captcha challenges without being blocked. This practice raises security concerns, as it may provide unauthorized access to protected resources. Security teams should review their own whitelisting policies to prevent similar bypass vulnerabilities.
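As an added illustration of the whitelisting concern (example code, not Cloudflare's own logic or anything from the tweet), the rule evaluator below contrasts a captcha exemption keyed on the User-Agent string alone with one that also requires the request's source address to lie inside the operator's verified ranges; the fetcher name and network are placeholders constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholders for this example, not Cloudflare's real fetcher
# User-Agent or IP ranges. 203.0.113.0/24 is a reserved documentation net.
TRUSTED_FETCHER_UA = "ExampleFetcher/1.0"
TRUSTED_FETCHER_NETS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Request:
    src_ip: str
    user_agent: str
    solved_captcha: bool = False


def ua_only_allowlist(req: Request) -> bool:
    """Weak rule: any request that merely claims the trusted User-Agent
    is exempted from the captcha, whatever network it comes from."""
    if TRUSTED_FETCHER_UA in req.user_agent:
        return True
    return req.solved_captcha


def verified_allowlist(req: Request) -> bool:
    """Hardened rule: the exemption applies only when the trusted User-Agent
    arrives from the operator's published ranges; everyone else must solve it."""
    ip = ipaddress.ip_address(req.src_ip)
    from_trusted_net = any(ip in net for net in TRUSTED_FETCHER_NETS)
    if TRUSTED_FETCHER_UA in req.user_agent and from_trusted_net:
        return True
    return req.solved_captcha


def audit(rule, requests) -> list:
    """Source IPs that the rule admitted without a solved captcha while
    sitting outside the trusted ranges: each is a policy bypass to fix."""
    bypasses = []
    for req in requests:
        ip = ipaddress.ip_address(req.src_ip)
        outside = not any(ip in net for net in TRUSTED_FETCHER_NETS)
        if outside and not req.solved_captcha and rule(req):
            bypasses.append(req.src_ip)
    return bypasses


# Constructed sample traffic: a genuine fetcher, an impersonator, and two users.
SAMPLE_REQUESTS = [
    Request("203.0.113.10", TRUSTED_FETCHER_UA),
    Request("198.51.100.7", TRUSTED_FETCHER_UA),
    Request("192.0.2.5", "Mozilla/5.0", solved_captcha=True),
    Request("192.0.2.6", "Mozilla/5.0"),
]
```

The hardened rule is only as good as the range list it consults, so an allowlist review should also cover how those ranges are sourced and kept current.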
Original tweet: https://twitter.com/mainbadguy/status/1895786352157032939