Will Cloudflare interfere with the scanner?
Cloudflare includes a Web Application Firewall (WAF) which attempts to block requests that appear to have attack payloads within them. As with all WAF's, they don't offer complete protection and can be bypassed.
When scanning against a web application that is protected by Cloudflare the results could give you a false sense of security as there may be more underlying security issues that AppCheck wasn't able to detect at scan time due to the interference caused by Cloudflare.
Why should I worry about the undetected security issues if Cloudflare is protecting me from attackers exploiting them?
Cloudflare as previously mentioned can be bypassed like other WAFs as detailed by OWASP Here.
If AppCheck was unable to detect a security issue on scans due to Cloudflare it doesn't mean a malicious user couldn't bypass the WAF at a later stage and exploit the vulnerabilities present on the system.
This false sense of security is similar to being careless about what you download because you have an Anti-Virus present, where the Anti-Virus should be a last resort rather than being the brunt of your security.
How can I stop Cloudflare from interfering with my scan results?
The best course of action is to target your scan directly at the host without Cloudflare sitting in front of it, this will ensure that there is no interference with our checks and will give you the most reliable results possible.
If that isn't an option, the second-best thing to do would be to add us to Cloudflare's Exceptions as detailed here: https://support.cloudflare.com/hc/en-us/articles/217074967-Configuring-IP-Access-Rules
You can also find our updated IP Ranges here: https://appcheck.zendesk.com/hc/en-us/articles/115002550565-What-is-your-IP-range-so-I-can-whitelist-the-scanner-
However, in some cases, Cloudflare will still intervene and interfere with requests it deems dangerous so scanning against the origin host is always better.
Comments
0 comments
Article is closed for comments.