This tweet reveals a fascinating insight into bypassing Web Application Firewalls (WAFs), specifically Cloudflare's WAF. The user mentions attempting to access three different directories, all blocked by Cloudflare. However, the author discovered that sending data through email is the best way to bypass the protections enforced by the WAF.
Cloudflare is a popular security and performance service offering robust WAF solutions that block various types of malicious traffic. The tweet implies that while traditional web requests (such as accessing directories) are blocked, email-based transmissions can circumvent the WAF inspection layers.
This bypass method is universal in the sense that it is not targeting a specific vulnerability type like XSS or SQLi but rather exploits the vector of email as an alternative channel that is not filtered or blocked by the Cloudflare WAF. This technique could be important for security researchers and penetration testers to consider, as it highlights a potential blind spot in WAF defenses where communication channels other than HTTP/HTTPS are not monitored or inspected.
Overall, the post emphasizes that sometimes the best bypass techniques involve thinking outside the standard web request context and exploring alternate data transmission methods such as email, which could evade WAFs like Cloudflare's.
For more details, check out the original tweet here: https://twitter.com/polsia/status/2048145197390090354