gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-01-03 08:17:32 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
08bb01e0931ee6dadfca3ef36f12859f1ea15430
hacktricks-cloud/pentesting-ci-cd/cloudflare-security/cloudflare-domains.md
Carlos Polop 5ef56bb6b3 Recreating repository history for branch master
2024-12-12 19:35:48 +01:00

160 lines
7.4 KiB
Markdown
Raw Blame History

# Cloudflare Domains
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
In each TLD configured in Cloudflare there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**
<figure><img src="../../.gitbook/assets/image (101).png" alt=""><figcaption></figcaption></figure>
### Overview
* [ ] Get a feeling of **how much** are the services of the account **used**
* [ ] Find also the **zone ID** and the **account ID**
### Analytics
* [ ] In **`Security`** check if there is any **Rate limiting**
### DNS
* [ ] Check **interesting** (sensitive?) data in DNS **records**
* [ ] Check for **subdomains** that could contain **sensitive info** just based on the **name** (like admin173865324.domin.com)
* [ ] Check for web pages that **aren't** **proxied**
* [ ] Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address
* [ ] Check that **DNSSEC** is **enabled**
* [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs**
* This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings
* [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing)
### **Email**
TODO
### Spectrum
TODO
### SSL/TLS
#### **Overview**
* [ ] The **SSL/TLS encryption** should be **Full** or **Full (Strict)**. Any other will send **clear-text traffic** at some point.
* [ ] The **SSL/TLS Recommender** should be enabled
#### Edge Certificates
* [ ] **Always Use HTTPS** should be **enabled**
* [ ] **HTTP Strict Transport Security (HSTS)** should be **enabled**
* [ ] **Minimum TLS Version should be 1.2**
* [ ] **TLS 1.3 should be enabled**
* [ ] **Automatic HTTPS Rewrites** should be **enabled**
* [ ] **Certificate Transparency Monitoring** should be **enabled**
### **Security**
* [ ] In the **`WAF`** section it's interesting to check that **Firewall** and **rate limiting rules are used** to prevent abuses.
* The **`Bypass`** action will **disable Cloudflare security** features for a request. It shouldn't be used.
* [ ] In the **`Page Shield`** section it's recommended to check that it's **enabled** if any page is used
* [ ] In the **`API Shield`** section it's recommended to check that it's **enabled** if any API is exposed in Cloudflare
* [ ] In the **`DDoS`** section it's recommended to enable the **DDoS protections**
* [ ] In the **`Settings`** section:
* [ ] Check that the **`Security Level`** is **medium** or greater
* [ ] Check that the **`Challenge Passage`** is 1 hour at max
* [ ] Check that the **`Browser Integrity Check`** is **enabled**
* [ ] Check that the **`Privacy Pass Support`** is **enabled**
#### **CloudFlare DDoS Protection**
* If you can, enable **Bot Fight Mode** or **Super Bot Fight Mode**. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access.
* In **WAF**: You can create **rate limits by URL path** or to **verified bots** (Rate limiting rules), or to **block access** based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie.
* If the attack is from a **verified bot**, at least **add a rate limit** to bots.
* If the attack is to a **specific path**, as prevention mechanism, add a **rate limit** in this path.
* You can also **whitelist** IP addresses, IP ranges, countries or ASNs from the **Tools** in WAF.
* Check if **Managed rules** could also help to prevent vulnerability exploitations.
* In the **Tools** section you can **block or give a challenge to specific IPs** and **user agents.**
* In DDoS you could **override some rules to make them more restrictive**.
* **Settings**: Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**.
* In Cloudflare Domains -> Analytics -> Security -> Check if **rate limit** is enabled
* In Cloudflare Domains -> Security -> Events -> Check for **detected malicious Events**
### Access
{% content-ref url="cloudflare-zero-trust-network.md" %}
[cloudflare-zero-trust-network.md](cloudflare-zero-trust-network.md)
{% endcontent-ref %}
### Speed
_I couldn't find any option related to security_
### Caching
* [ ] In the **`Configuration`** section consider enabling the **CSAM Scanning Tool**
### **Workers Routes**
_You should have already checked_ [_cloudflare workers_](./#workers)
### Rules
TODO
### Network
* [ ] If **`HTTP/2`** is **enabled**, **`HTTP/2 to Origin`** should be **enabled**
* [ ] **`HTTP/3 (with QUIC)`** should be **enabled**
* [ ] If the **privacy** of your **users** is important, make sure **`Onion Routing`** is **enabled**
### **Traffic**
TODO
### Custom Pages
* [ ] It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode)
### Apps
TODO
### Scrape Shield
* [ ] Check **Email Address Obfuscation** is **enabled**
* [ ] Check **Server-side Excludes** is **enabled**
### **Zaraz**
TODO
### **Web3**
TODO
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
Reference in New Issue View Git Blame Copy Permalink