This tweet describes an interesting bypass technique involving Server-Side Request Forgery (SSRF) vulnerabilities. An SSRF vulnerability that allows proxying requests to arbitrary URLs can be used to send malicious requests that bypass Cloudflare's Web Application Firewall (WAF). However, even though these requests evade detection by the Cloudflare WAF, they still trigger rules in Wordfence, a popular WordPress security plugin. Specifically, requests targeting WordPress management URLs such as /wp-login.php and /wp-admin/ bypass Cloudflare's protection but are intercepted by Wordfence. In other words, with SSRF as the vector an attacker can bypass one layer of security (the Cloudflare WAF) while still triggering the rules of a second layer (Wordfence), which opens up the potential for more sophisticated attack chains. In summary, the technique illustrates the complexity of securing web applications and highlights the importance of multiple layers of defense, including WAFs and CMS-specific security plugins like Wordfence.
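As an added example (not from the tweet, Cloudflare or Wordfence), an origin-side second-layer check in the spirit of the defense-in-depth point above: it scans access-log lines for requests to the management URLs named above that did not arrive through the edge WAF. It assumes that an SSRF-proxied request shows up at the origin as a direct request, uses a constructed placeholder IP range in place of Cloudflare's published edge list, and assumes a custom log format that appends the value of the CF-Connecting-IP header.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed placeholder for the edge proxy's address ranges; in production
# this would be Cloudflare's published IP list (assumption, not from the page).
EDGE_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
               ipaddress.ip_network("2001:db8::/32")]

# WordPress management URLs named in the summary above.
MANAGEMENT_PATHS = ("/wp-login.php", "/wp-admin/")

# Assumed origin log format: combined-log prefix plus the quoted value of the
# CF-Connecting-IP header ("-" when the header was absent).
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'"(?P<cf_ip>[^"]*)"$'
)

# Constructed sample lines: two came through the edge, two hit the origin directly.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 200 "198.51.100.7"',
    '192.0.2.44 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 "-"',
    '10.0.0.5 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-admin/?page=x HTTP/1.1" 302 "-"',
    '203.0.113.11 - - [10/Oct/2023:13:55:42 +0000] "GET /index.php HTTP/1.1" 200 "198.51.100.8"',
]


def came_via_edge(peer_ip, cf_ip):
    """True when the TCP peer is an edge address AND the edge header is present."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # malformed address: never treat it as trusted
    return cf_ip != "-" and any(peer in net for net in EDGE_RANGES)


def flag_direct_management_requests(log_lines):
    """Return (peer_ip, path) for management-URL requests that did not come
    through the edge WAF; this is what a second-layer check must catch."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than guess
        path = urlsplit(m["path"]).path  # drop the query string before matching
        if path.startswith(MANAGEMENT_PATHS) and not came_via_edge(m["peer"], m["cf_ip"]):
            findings.append((m["peer"], path))
    return findings
```

Running `flag_direct_management_requests(SAMPLE_LOG)` returns the two direct management-URL requests, which is exactly the traffic that the first layer never saw and the second layer has to catch.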
Check out the original tweet here: https://twitter.com/evilsocket/status/2046206400519401582