scaredos / cfresearch

A repository containing research regarding various Anti-DDoS systems. (CloudFlare)

cloudflare cfbypass layer7 cloudflarebypass cloudflare-js-challenge cloudflare-request captcha-challenges

cfresearch's Introduction

cfresearch

This repository contains my research on Cloudflare's Anti-DDoS, JS Challenge, Captcha Challenges, and Cloudflare WAF.

This was built for educational purposes such as learning how Cloudflare works, how to bypass Cloudflare challenges, and how to prevent attacks that are bypassing Cloudflare.

Location to Cloudflare Scripts - Credits to devgianlu

Other relevant Cloudflare projects [CloudProxy] [cfbypass]

Challenge information

  • Headers should be set accordingly, including referer and origin
  • Headless browsers should be modified to become "undetectable"

Managed Challenge

  • Base URL: /cdn-cgi/challenge-platform/h/b OR /cdn-cgi/challenge-platform/h/g
  • The first request is GET to BASEURL/orchestrate/chl_page/v1?ray=${rayid}
    • This replies with JavaScript that generates the challenge ID and makes the second request (to solve the challenge)
  • The second request is POST to BASEURL/flow/ov1/${unknown_here}:${unix_epoch}:${unknown_here}/${ray-id}/${cf-challenge-id} with the POST data of v_${rayid}: encoded information for the challenge and header cf-challenge.
    • The request replies with header Cf-Chl-Gen.
  • The third request is GET to https://challenges.cloudflare.com/{BASEURL}/turnstile/if/ov2/av0/unknown/0/unknown/unknown/theme(dark)/normal
    • For Turnstile captcha challenge
  • The fourth request is POST to 2nd URL
    • This replies with Cf-Chl-Gen header
  • The fifth and sixth requests are POST to:
    • 5th: https://challenges.cloudflare.com/{BASEURL}/flow/ov1/${unknown_here}:${unix_epoch}:${unknown_here}/${ray-id}/${cf-challenge-id} with the POST data of v_${rayid}: encoded information for the challenge and header Cf-Challenge.
    • 6th: https://DOMAIN/{BASEURL}/flow/ov1/${unknown_here}:${unix_epoch}:${unknown_here}/${ray-id}/${cf-challenge-id} with the POST data of v_${rayid}: encoded information for the challenge and header Cf-Challenge.
    • These both include the referer header of the turnstile URL
  • The final request is POST to target url with POST DATA:
    • md: Analytic data
    • sh: Challenge processing
    • aw: Challenge processing
    • cf_ch_cp_return: unknown|{"managed_clearance":"ni"}
    • After sending the final request, you are given a new cf_clearance cookie.

Please be aware there is an unknown timeout (60+ seconds) for turnstile captcha in which clearance is automatically granted!!

Random Directory Attack

  • Cloudflare cannot do much against this, but you can create a regexp that matches all URIs on your website, and create a firewall rule to match them.
    • (Example: (http.request.full_uri matches "(\/)([a-z]){0,12}\w|(-)([a-z]){0,12}\w(\/)|([a-z]){0,12}\w"))
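
The same allowlist idea applied to access logs, as an added example that is not part of the original repository: known routes are compiled into one pattern that must match the whole path, and clients whose traffic is mostly distinct unknown paths are flagged. The route table, thresholds and sample traffic are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Hypothetical route table for the protected site (assumption, not from the page).
ROUTES = [
    r"/",
    r"/login",
    r"/blog/[a-z0-9-]{1,64}",
    r"/static/[\w-]+(?:/[\w-]+)*\.[a-z0-9]{1,5}",
    r"/cdn-cgi/.*",  # Cloudflare's own challenge endpoints live under this prefix
]
# One alternation; fullmatch() requires every character of the path to fit,
# so a pattern cannot match merely because one fragment of the URI looks valid.
ALLOWED = re.compile("|".join(f"(?:{r})" for r in ROUTES))


def is_known_path(path: str) -> bool:
    """True when the request path (query string removed) is a real route."""
    return ALLOWED.fullmatch(path.split("?", 1)[0]) is not None


def flag_random_path_clients(requests, min_requests=5, min_unknown_ratio=0.8):
    """Return clients whose requests are mostly distinct, unknown paths."""
    total = defaultdict(int)
    unknown = defaultdict(set)
    for client, path in requests:
        total[client] += 1
        if not is_known_path(path):
            unknown[client].add(path)
    return sorted(
        client for client, count in total.items()
        if count >= min_requests
        and len(unknown[client]) / count >= min_unknown_ratio
    )


# Constructed sample traffic: (client address, request path).
SAMPLE = [("198.51.100.7", p) for p in
          ["/qzkfa", "/mwoeh/", "/x-tbnq", "/plrua", "/aa-bb/cc", "/login"]]
SAMPLE += [("203.0.113.9", p) for p in
           ["/", "/login", "/blog/hello-world", "/static/app.js", "/typo", "/blog/x"]]

if __name__ == "__main__":
    print(flag_random_path_clients(SAMPLE))
```

A client that mistypes one URL stays under the ratio, while one that requests a different nonexistent path each time crosses it.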

Mitigating attacks

  • Cloudflare mitigates attacks at the edge, often utilizing Turnstile (CAPTCHA-free challenge)

  • Attacks are mitigated at the edge (automatically) when:

    • Request matches (D)DoS WAF rule (Managed, SSL/TLS, Layer 4 rules)
    • Request matches user-defined rule (Firewall rule, IP/User-Agent Access rule)
    • Request matches ratelimit rule
  • Attacks can be detected in the client-space then mitigated at the edge:

    • Bot fight mode (Bot detection/if enabled)
    • Page shield (if enabled)
    • Managed challenge/JS Challenge/Legacy captcha
  • If attacks are not being mitigated by Cloudflare, consider the following:

    • Implement rate-limiting where necessary (server-side processing: POST, PUT, DELETE requests)
      • Rate-limiting on login handlers is vital (or other methods to protect against spam)
    • Return managed-challenges to ASNs registered as hosting.
    • Implement caching when possible (static pages)
      • Try Cloudflare's Railgun
        • Railgun caches the parts of dynamic pages that are unchanged (for example, the HTML of a user dashboard, where only the user's personal details such as the username change)
    • Contact Cloudflare
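
An origin-side version of two items from the list above, as an added example that is not code from the original repository: a sliding-window limit on POST, PUT and DELETE requests with a tighter budget for the login handler, and a challenge decision for clients from hosting ASNs. The limits, the `/login` path and the `hosting_asn` flag (supplied by the operator's own ASN classification) are assumptions.

```python
import time
from collections import defaultdict, deque

UNSAFE_METHODS = {"POST", "PUT", "DELETE"}   # requests that cause server-side processing
# (max requests, window in seconds); illustrative values, tune per site.
LIMITS = {"login": (5, 60.0), "default": (30, 60.0)}


class OriginGuard:
    """Sliding-window limiter for state-changing requests, per client."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.hits = defaultdict(deque)       # (client, bucket) -> timestamps

    def decide(self, client, method, path, hosting_asn=False):
        if hosting_asn:
            return "challenge"               # hosting ASN: challenge before anything else
        if method.upper() not in UNSAFE_METHODS:
            return "allow"                   # reads are left to caching
        bucket = "login" if path.rstrip("/") == "/login" else "default"
        limit, window = LIMITS[bucket]
        now = self.clock()
        seen = self.hits[(client, bucket)]
        while seen and now - seen[0] >= window:
            seen.popleft()                   # drop hits that left the window
        if len(seen) >= limit:
            return "limit"                   # caller answers HTTP 429
        seen.append(now)
        return "allow"


def replay(events):
    """Run (t, client, method, path, hosting_asn) events; return the decisions."""
    now = [0.0]
    guard = OriginGuard(clock=lambda: now[0])
    decisions = []
    for t, client, method, path, hosting in events:
        now[0] = t
        decisions.append(guard.decide(client, method, path, hosting))
    return decisions


# Constructed events: one client posts to /login every 5 s, a second client
# logs in once, a third arrives from an ASN the operator tagged as hosting.
SAMPLE_EVENTS = [(i * 5.0, "198.51.100.7", "POST", "/login", False) for i in range(8)]
SAMPLE_EVENTS += [(41.0, "203.0.113.9", "POST", "/login", False),
                  (42.0, "192.0.2.50", "GET", "/", True)]
```

Rejected requests are not recorded in the window, so a client that keeps hammering the handler is readmitted once its earlier accepted hits age out.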


cfresearch's Issues

How did you study/debug their scripts?

Hi, this is more of a technical question.
I'm looking at a JS script from /cdn-cgi/challenge-platform/h/g/orchestrate/jsch/v1, there are some parts like the following:

var t, q, u, v, w, x, y;
for (t = b('0x18'), q = s['dZiYC'](String, q)[b('0x136')](/[\t\n\f\r ]+/g, ''), q += '==' [b('0x16e')](2 - s[b('0x16b')](q[b('0xd3')], 3)), v = '', y = 0; y < q[b('0xd3')]; u = s[b('0x84')](s[b('0x80')](t[b('0x9f')](q[b('0xf6')](y++)), 18), t[b('0x9f')](q[b('0xf6')](y++)) << 12) | (w = t[b('0x9f')](q[b('0xf6')](y++))) << 6 | (x = t['indexOf'](q[b('0xf6')](y++))), v += w === 64 ? String[b('0x5b')](s[b('0x31')](u, 16) & 255) : s[b('0x48')](x, 64) ? String[b('0x5b')](s[b('0x16b')](s[b('0x119')](u, 16), 255), s[b('0x118')](u, 8) & 255) : String[b('0x5b')](u >> 16 & 255, s[b('0x71')](u, 8) & 255, u & 255));
return v

That's only a small piece. I think they're using the "pre-rotated list and translation function" (the b(...) calls) method that a popular JS obfuscator uses.

How do you usually debug obfuscated JS scripts like that? Once the challenge is solved, it immediately POSTs and redirects the page, so I don't have time to pause the debugger in my Firefox and step in the code.
Can you give me any tips on how you usually study these systems? (like the tools you use, your process etc.)
Thank you for your time.

Captcha handling

More insight into how the captcha parameters are generated would be helpful.
For example, how the captcha_vc and captcha_answer fields are produced carrying the hCaptcha response instead of the old h/g-captcha-response fields.
Any idea how one would go about examining this?

Wrong captcha answer

A few weeks ago, Cloudflare was using the raw hCaptcha response to solve the captcha challenge.
(Like F0_ey0~~~~~~~)

But now, Cloudflare is using some strange value as the captcha answer. It doesn't seem to be like the original hCaptcha answer.
And they stopped using h-captcha-response; they are using captcha_verify, captcha_vc.

What is the value inside captcha_verify and captcha_vc?
Where do they come from?

Sorry for the bad grammar...

A little help with information

Hello sir @scaredos, recently I used cloudscraper (a Node.js lib with some changes to bypass hCaptcha, but for 4 days it has stopped working).
I don't know what changes he made. I use 2captcha, and the cloudscraper lib seems to send data to hCaptcha, but I think the hcaptcha-response is invalid.
andress134/cloudscraper@29db1eb here are my changes; I manually added the rayId, sitekey and the response,
and until 4 days ago it worked. Now it doesn't seem to work, meaning it gets all the data, but they seem invalid.
If possible, can you look at my changes and help me with some information about what is wrong?

CF deep search!

I am unsure if this is the appropriate place to ask my question, but I am seeking assistance. There are specific IP addresses that belong to a particular company (most of them are CF partners), and when attempting to open them, a Cloudflare error message is displayed. I am interested in determining if it is possible to find the IP addresses that are behind Cloudflare, even if the company is not using Cloudflare's IP ranges. I have attempted to use peers, but some companies have a significant number of IP addresses, making it challenging to identify the IP addresses behind Cloudflare. For instance, the IP address 70.34.214.96 belongs to The Constant Company, but upon opening it, a Cloudflare error message is displayed.
My country blocked all of the Cloudflare IPs and I can't use Cloudflare directly, but I can use these kinds of IP addresses as a middle man that kind of somehow uses Cloudflare. I asked around and I think they are some Cloudflare private IPs that Cloudflare uses for their partners! I made a script to search some networks that have Cloudflare as peers in them, but it's taking years to find anything because of the very large amount of IP addresses in the networks.
Please let me know if you can provide any insight or assistance, that would help me a lot, thanks.

captcha bypass

Hello sir @scaredos, do you have experience with scraping, captcha?
I'm looking to buy a DDoS L7 captcha bypass script, based on some public lib like 2captcha, anticaptcha, privacypass.
I will pay for it. Let me know if you can do it; if yes, give me your Telegram or Discord.
Thanks
