Cloudflare’s Authenticated Origin Pulls option

During our regular penetration testing, we occasionally encounter a client who is both using Cloudflare and seems to have configured it correctly (though, as you might imagine, this doesn’t happen often). While most people realize that you can still exploit a client behind Cloudflare and its WAF, it certainly makes the job harder.

The “hardened” configuration we’re most likely to see combines an origin that is firewalled to accept only Cloudflare IP addresses, preventing any direct access (HTTP or otherwise), with Authenticated Origin Pulls. Either of these options alone is enough to severely frustrate our ability to test efficiently or, in many cases, to exploit the target at all.
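The configuration described above, written out as an nginx server block. This is an added example, not configuration from the original post or from Cloudflare; the hostname, certificate paths and the allowed IP prefix are placeholders (Cloudflare publishes its current edge IP ranges and the origin-pull CA certificate that `ssl_client_certificate` must point at). The second, catch-all server block goes slightly beyond the text as a defence-in-depth measure: it refuses TLS connections for any hostname other than the one the site owns.

```nginx
# Added example (not from the original post): the "hardened" origin setup,
# i.e. Cloudflare-only IP allowlisting plus Authenticated Origin Pulls.
server {
    listen 443 ssl;
    server_name www.example.com;            # assumption: the protected hostname

    ssl_certificate     /etc/ssl/origin/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/origin/privkey.pem;

    # Authenticated Origin Pulls: require a client certificate chaining to the
    # Cloudflare origin-pull CA. Without this, anyone who reaches the origin
    # directly is served exactly as if the request had come through Cloudflare.
    ssl_client_certificate /etc/ssl/cloudflare/origin-pull-ca.pem;  # placeholder path
    ssl_verify_client on;

    # Network-layer restriction: only Cloudflare edge ranges may connect.
    # Replace the placeholder prefix with Cloudflare's published IP list.
    allow 198.51.100.0/24;   # placeholder (RFC 5737 documentation range), not a real Cloudflare range
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumption: the application listens here
    }
}

# Catch-all for any other hostname presented over TLS: drop the connection.
# A request that carries a valid origin-pull certificate but a Host header
# the site does not own should not be routed to the application.
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/ssl/origin/fullchain.pem;
    ssl_certificate_key /etc/ssl/origin/privkey.pem;
    ssl_client_certificate /etc/ssl/cloudflare/origin-pull-ca.pem;
    ssl_verify_client on;

    return 444;   # nginx-specific: close the connection without a response
}
```

Validate with `nginx -t` before reloading, then confirm from an unlisted address that the origin refuses the TCP connection, and from a listed address that a TLS handshake without a client certificate is rejected rather than served.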

What’s much less likely is that the client has managed to hide their Origin IP addresses appropriately. There are automated tools to check for this failing (a favorite of mine is to just do a password reset email and check the headers), and in the case of penetration testing, you’re able to just ask the client for the IP addresses in use.

However, most people aren’t aware that simply by having the Origin IP address exposed, even behind a well-configured firewall and Authenticated Origin Pulls, an attacker can trivially bypass the WAF, caching, and other related functionality that Cloudflare provides.