Translated ['src/README.md', 'src/banners/hacktricks-training.md', 'src/

This commit is contained in:
Translator
2024-12-31 20:26:13 +00:00
parent 44da2ea78f
commit 6f74ac1a76
245 changed files with 9102 additions and 11816 deletions


@@ -2,13 +2,13 @@
{{#include ../../banners/hacktricks-training.md}}
In a Cloudflare account there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
Katika akaunti ya Cloudflare kuna **mipangilio na huduma za jumla** ambazo zinaweza kuanzishwa. Katika ukurasa huu tutachambua **mipangilio inayohusiana na usalama ya kila sehemu:**
<figure><img src="../../images/image (117).png" alt=""><figcaption></figcaption></figure>
## Websites
Review each with:
Kagua kila moja na:
{{#ref}}
cloudflare-domains.md
@@ -16,9 +16,9 @@ cloudflare-domains.md
### Domain Registration
- [ ] In **`Transfer Domains`** check that it's not possible to transfer any domain.
- [ ] Katika **`Transfer Domains`** hakikisha kuwa haiwezekani kuhamasisha domain yoyote.
Review each with:
Kagua kila moja na:
{{#ref}}
cloudflare-domains.md
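Review bot: the translated Domain Registration item mistranslates "transfer": "haiwezekani kuhamasisha domain yoyote" uses kuhamasisha (to mobilize/encourage) where kuhamisha (to move/transfer) is meant, so the checklist item no longer says that domain transfer should be impossible. Suggest "hakikisha kuwa haiwezekani kuhamisha domain yoyote".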
@@ -26,39 +26,39 @@ cloudflare-domains.md
## Analytics
_I couldn't find anything to check for a config security review._
_Sikuweza kupata chochote cha kukagua kwa ajili ya ukaguzi wa usalama wa mipangilio._
## Pages
On each Cloudflare's page:
Katika kila ukurasa wa Cloudflare:
- [ ] Check for **sensitive information** in the **`Build log`**.
- [ ] Check for **sensitive information** in the **Github repository** assigned to the pages.
- [ ] Check for potential github repo compromise via **workflow command injection** or `pull_request_target` compromise. More info in the [**Github Security page**](../github-security/).
- [ ] Check for **vulnerable functions** in the `/fuctions` directory (if any), check the **redirects** in the `_redirects` file (if any) and **misconfigured headers** in the `_headers` file (if any).
- [ ] Check for **vulnerabilities** in the **web page** via **blackbox** or **whitebox** if you can **access the code**
- [ ] In the details of each page `/<page_id>/pages/view/blocklist/settings/functions`. Check for **sensitive information** in the **`Environment variables`**.
- [ ] In the details page check also the **build command** and **root directory** for **potential injections** to compromise the page.
- [ ] Kagua kwa **taarifa nyeti** katika **`Build log`**.
- [ ] Kagua kwa **taarifa nyeti** katika **Github repository** iliyotengwa kwa ajili ya kurasa.
- [ ] Kagua kwa uwezekano wa kuathiriwa kwa github repo kupitia **workflow command injection** au kuathiriwa kwa `pull_request_target`. Maelezo zaidi katika [**Github Security page**](../github-security/).
- [ ] Kagua kwa **kazi zenye udhaifu** katika saraka ya `/fuctions` (ikiwa ipo), kagua **redirects** katika faili ya `_redirects` (ikiwa ipo) na **vichwa vilivyopangwa vibaya** katika faili ya `_headers` (ikiwa ipo).
- [ ] Kagua kwa **udhaifu** katika **ukurasa wa wavuti** kupitia **blackbox** au **whitebox** ikiwa unaweza **kufikia msimbo**
- [ ] Katika maelezo ya kila ukurasa `/<page_id>/pages/view/blocklist/settings/functions`. Kagua kwa **taarifa nyeti** katika **`Environment variables`**.
- [ ] Katika ukurasa wa maelezo kagua pia **amri ya kujenga** na **saraka ya mzizi** kwa ajili ya **uwezekano wa kuingilia** ili kuathiri ukurasa.
## **Workers**
On each Cloudflare's worker check:
Katika kila mfanyakazi wa Cloudflare kagua:
- [ ] The triggers: What makes the worker trigger? Can a **user send data** that will be **used** by the worker?
- [ ] In the **`Settings`**, check for **`Variables`** containing **sensitive information**
- [ ] Check the **code of the worker** and search for **vulnerabilities** (specially in places where the user can manage the input)
- Check for SSRFs returning the indicated page that you can control
- Check XSSs executing JS inside a svg image
- It is possible that the worker interacts with other internal services. For example, a worker may interact with a R2 bucket storing information in it obtained from the input. In that case, it would be necessary to check what capabilities does the worker have over the R2 bucket and how could it be abused from the user input.
- [ ] Vichocheo: Nini kinachofanya mfanyakazi kuanzishwa? Je, **mtumiaji anaweza kutuma data** ambayo itatumika na mfanyakazi?
- [ ] Katika **`Settings`**, kagua kwa **`Variables`** zinazokuwa na **taarifa nyeti**
- [ ] Kagua **msimbo wa mfanyakazi** na tafuta kwa **udhaifu** (hasa katika maeneo ambapo mtumiaji anaweza kudhibiti ingizo)
- Kagua kwa SSRFs zinazorejesha ukurasa ulioonyeshwa ambao unaweza kudhibiti
- Kagua XSSs zinazotekeleza JS ndani ya picha ya svg
- Inawezekana kwamba mfanyakazi anashirikiana na huduma nyingine za ndani. Kwa mfano, mfanyakazi anaweza kuingiliana na R2 bucket inayohifadhi taarifa ndani yake iliyopatikana kutoka kwa ingizo. Katika kesi hiyo, itahitajika kukagua ni uwezo gani mfanyakazi ana juu ya R2 bucket na jinsi gani inaweza kutumika vibaya kutokana na ingizo la mtumiaji.
> [!WARNING]
> Note that by default a **Worker is given a URL** such as `<worker-name>.<account>.workers.dev`. The user can set it to a **subdomain** but you can always access it with that **original URL** if you know it.
> Kumbuka kwamba kwa kawaida **Mfanyakazi anapewa URL** kama `<worker-name>.<account>.workers.dev`. Mtumiaji anaweza kuipanga kuwa **subdomain** lakini unaweza kila wakati kuipata kwa hiyo **URL ya asili** ikiwa unajua.
## R2
On each R2 bucket check:
Katika kila R2 bucket kagua:
- [ ] Configure **CORS Policy**.
- [ ] Panga **CORS Policy**.
## Stream
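Review bot: the Pages item carries the `/fuctions` path typo over from the English line into the translation ("katika saraka ya `/fuctions`"); Cloudflare Pages Functions live in a `functions` directory, so both lines should read `/functions`. In the Workers section, "mfanyakazi" (employee) is used for Worker, while "R2 bucket" and "Cloudflare" are left as product names; keep "Worker" untranslated for consistency, e.g. "Katika kila Worker wa Cloudflare kagua:".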
@@ -70,8 +70,8 @@ TODO
## Security Center
- [ ] If possible, run a **`Security Insights`** **scan** and an **`Infrastructure`** **scan**, as they will **highlight** interesting information **security** wise.
- [ ] Just **check this information** for security misconfigurations and interesting info
- [ ] Ikiwezekana,endesha **`Security Insights`** **scan** na **`Infrastructure`** **scan**, kwani zitatoa **maelezo** ya kuvutia kuhusu **usalama**.
- [ ] Kagua tu **taarifa hii** kwa ajili ya mipangilio mibaya ya usalama na taarifa za kuvutia
## Turnstile
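Review bot: missing space after the comma in "Ikiwezekana,endesha"; should be "Ikiwezekana, endesha".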
@@ -86,53 +86,49 @@ cloudflare-zero-trust-network.md
## Bulk Redirects
> [!NOTE]
> Unlike [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) are essentially static — they do **not support any string replacement** operations or regular expressions. However, you can configure URL redirect parameters that affect their URL matching behavior and their runtime behavior.
> Tofauti na [Dynamic Redirects](https://developers.cloudflare.com/rules/url-forwarding/dynamic-redirects/), [**Bulk Redirects**](https://developers.cloudflare.com/rules/url-forwarding/bulk-redirects/) kimsingi ni za kudumu — hazisaidii **operesheni za kubadilisha nyuzi** au matumizi ya kawaida. Hata hivyo, unaweza kupanga vigezo vya URL redirect vinavyoathiri tabia yao ya ulinganifu wa URL na tabia yao ya wakati wa kutekeleza.
- [ ] Check that the **expressions** and **requirements** for redirects **make sense**.
- [ ] Check also for **sensitive hidden endpoints** that you contain interesting info.
- [ ] Kagua kwamba **expressions** na **requirements** za redirects **zina maana**.
- [ ] Kagua pia kwa **mipangilio ya siri iliyofichwa** ambayo ina taarifa za kuvutia.
## Notifications
- [ ] Check the **notifications.** These notifications are recommended for security:
- `Usage Based Billing`
- `HTTP DDoS Attack Alert`
- `Layer 3/4 DDoS Attack Alert`
- `Advanced HTTP DDoS Attack Alert`
- `Advanced Layer 3/4 DDoS Attack Alert`
- `Flow-based Monitoring: Volumetric Attack`
- `Route Leak Detection Alert`
- `Access mTLS Certificate Expiration Alert`
- `SSL for SaaS Custom Hostnames Alert`
- `Universal SSL Alert`
- `Script Monitor New Code Change Detection Alert`
- `Script Monitor New Domain Alert`
- `Script Monitor New Malicious Domain Alert`
- `Script Monitor New Malicious Script Alert`
- `Script Monitor New Malicious URL Alert`
- `Script Monitor New Scripts Alert`
- `Script Monitor New Script Exceeds Max URL Length Alert`
- `Advanced Security Events Alert`
- `Security Events Alert`
- [ ] Check all the **destinations**, as there could be **sensitive info** (basic http auth) in webhook urls. Make also sure webhook urls use **HTTPS**
- [ ] As extra check, you could try to **impersonate a cloudflare notification** to a third party, maybe you can somehow **inject something dangerous**
- [ ] Kagua **notifications.** Taarifa hizi zinapendekezwa kwa usalama:
- `Usage Based Billing`
- `HTTP DDoS Attack Alert`
- `Layer 3/4 DDoS Attack Alert`
- `Advanced HTTP DDoS Attack Alert`
- `Advanced Layer 3/4 DDoS Attack Alert`
- `Flow-based Monitoring: Volumetric Attack`
- `Route Leak Detection Alert`
- `Access mTLS Certificate Expiration Alert`
- `SSL for SaaS Custom Hostnames Alert`
- `Universal SSL Alert`
- `Script Monitor New Code Change Detection Alert`
- `Script Monitor New Domain Alert`
- `Script Monitor New Malicious Domain Alert`
- `Script Monitor New Malicious Script Alert`
- `Script Monitor New Malicious URL Alert`
- `Script Monitor New Scripts Alert`
- `Script Monitor New Script Exceeds Max URL Length Alert`
- `Advanced Security Events Alert`
- `Security Events Alert`
- [ ] Kagua zote **destinations**, kwani kunaweza kuwa na **taarifa nyeti** (basic http auth) katika urls za webhook. Hakikisha pia urls za webhook zinatumia **HTTPS**
- [ ] Kama ukaguzi wa ziada, unaweza kujaribu **kujifanya kuwa notification ya cloudflare** kwa upande wa tatu, labda unaweza kwa namna fulani **kuingiza kitu hatari**
## Manage Account
- [ ] It's possible to see the **last 4 digits of the credit card**, **expiration** time and **billing address** in **`Billing` -> `Payment info`**.
- [ ] It's possible to see the **plan type** used in the account in **`Billing` -> `Subscriptions`**.
- [ ] In **`Members`** it's possible to see all the members of the account and their **role**. Note that if the plan type isn't Enterprise, only 2 roles exist: Administrator and Super Administrator. But if the used **plan is Enterprise**, [**more roles**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) can be used to follow the least privilege principle.
- Therefore, whenever possible is **recommended** to use the **Enterprise plan**.
- [ ] In Members it's possible to check which **members** has **2FA enabled**. **Every** user should have it enabled.
- [ ] Inawezekana kuona **nambari 4 za mwisho za kadi ya mkopo**, **muda wa kumalizika** na **anwani ya bili** katika **`Billing` -> `Payment info`**.
- [ ] Inawezekana kuona **aina ya mpango** inayotumika katika akaunti katika **`Billing` -> `Subscriptions`**.
- [ ] Katika **`Members`** inawezekana kuona wanachama wote wa akaunti na **nafasi** zao. Kumbuka kwamba ikiwa aina ya mpango si Enterprise, kuna nafasi 2 tu: Msimamizi na Msimamizi Mkuu. Lakini ikiwa **mpango unaotumika ni Enterprise**, [**nafasi zaidi**](https://developers.cloudflare.com/fundamentals/account-and-billing/account-setup/account-roles/) zinaweza kutumika kufuata kanuni ya chini ya kibali.
- Kwa hivyo, kila wakati inapowezekana ni **pendekezo** kutumia **mpango wa Enterprise**.
- [ ] Katika Wanachama inawezekana kukagua ni **wanachama** gani wana **2FA imewezeshwa**. **Kila** mtumiaji anapaswa kuwa nayo imewezeshwa.
> [!NOTE]
> Note that fortunately the role **`Administrator`** doesn't give permissions to manage memberships (**cannot escalate privs or invite** new members)
> Kumbuka kwamba kwa bahati nzuri nafasi **`Administrator`** haina ruhusa za kusimamia uanachama (**haiwezi kuongeza ruhusa au kuwaleta** wanachama wapya)
## DDoS Investigation
[Check this part](cloudflare-domains.md#cloudflare-ddos-protection).
[Angalia sehemu hii](cloudflare-domains.md#cloudflare-ddos-protection).
{{#include ../../banners/hacktricks-training.md}}
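Review bot: the Bulk Redirects item changes meaning in translation: "sensitive hidden endpoints" became "mipangilio ya siri iliyofichwa" (hidden secret settings); "endpoints" should be kept as the technical term, e.g. "endpoints nyeti zilizofichwa". In the note above it, "regular expressions" was rendered as "matumizi ya kawaida" (regular usage); leave "regular expressions" untranslated. In Manage Account, the role names were translated ("Msimamizi na Msimamizi Mkuu") while the later note keeps `Administrator` verbatim; use the Cloudflare role names Administrator and Super Administrator in both places so readers can match them in the dashboard.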