This writeup summarises two findings about Cloudflare's WAF and origin-server protection. The first is a bypass of WAF rules that allow access only from Cloudflare IP addresses. Normally a site behind Cloudflare accepts only traffic arriving from Cloudflare's IP ranges, so that the origin server cannot be reached directly. The bypass shows how an attacker might circumvent that restriction by sending requests that appear to come from Cloudflare's IPs, evading the WAF's protection. The second finding is a method for identifying the real origin server behind Cloudflare by analysing specific cookie names. When a site uses Cloudflare as a proxy, the origin's true address is hidden; locating it lets an attacker target the server directly and ignore Cloudflare's protections. Both techniques show how Cloudflare's controls, the WAF and IP-based filtering, can be weakened, and underline the need for additional security controls and careful configuration on sites that rely on Cloudflare.
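To make the first finding concrete from the defender's side, here is an added illustration (not code from either writeup) of why an origin rule that only checks the source IP against Cloudflare's ranges is weak on its own: a request that reaches the origin through the CDN from any source passes the IP test, so the origin should also require something only the legitimate edge configuration can present. The IP ranges, the header name and the secret are constructed placeholders, not Cloudflare's published values.

```python
import hmac
import ipaddress

# Constructed placeholder ranges standing in for Cloudflare's published IP lists
# (assumption for this example; a real deployment loads the current list from Cloudflare).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Hypothetical shared secret that the edge is configured to attach to every origin pull.
ORIGIN_SECRET = b"example-origin-secret"
SECRET_HEADER = "x-origin-secret"  # hypothetical header name, lower-cased keys assumed


def is_cloudflare_ip(src_ip: str) -> bool:
    """The IP-only rule the writeup targets: true for anything arriving from a CDN range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def has_valid_origin_secret(headers: dict) -> bool:
    """Additional control: the edge must present a secret a third party cannot know."""
    presented = headers.get(SECRET_HEADER, "").encode()
    return hmac.compare_digest(presented, ORIGIN_SECRET)


def origin_accepts(src_ip: str, headers: dict) -> bool:
    """Hardened rule: source range AND the per-zone secret, never the IP alone."""
    return is_cloudflare_ip(src_ip) and has_valid_origin_secret(headers)


# Constructed sample requests: (label, source IP, request headers)
SAMPLES = [
    ("legitimate edge pull", "198.51.100.7", {SECRET_HEADER: "example-origin-secret"}),
    ("relayed via CDN, no secret", "198.51.100.9", {}),
    ("direct hit on origin", "192.0.2.55", {}),
]

if __name__ == "__main__":
    for label, ip, hdrs in SAMPLES:
        print(f"{label:28s} ip-only={is_cloudflare_ip(ip)!s:5s} hardened={origin_accepts(ip, hdrs)}")
```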
I wrote two writeups about cloudflare:
The first one about bypassing WAF rules if it only allows cloudflare ips only https://t.co/xtEKIJj6zB
The second one about finding the origin server behind cloudflare using cookies name https://t.co/NXsqg7HB0I
— 0vulns (@0vulns) September 2, 2025