Listen to this Post
Introduction:
Cloudflare provides robust protection for millions of websites, including DDoS mitigation, WAF filtering, and essential IP masking services. However, organizations often overlook the security of their subdomains, leaving development servers, admin panels, and staging environments directly exposed. Automated tools like CloudRip can rapidly uncover these misconfigurations by scanning subdomains and filtering out Cloudflare IP ranges, exposing the true origin servers to potential attackers.
Learning Objectives:
- Understand how CDN bypass tools leverage subdomain enumeration to discover real origin IP addresses
- Learn to identify and mitigate common Cloudflare misconfigurations that expose backend infrastructure
- Master manual Linux command-line techniques to verify Cloudflare protection and uncover exposed subdomains
1. CloudRip Installation and Basic Subdomain Bypass Methodology
CloudRip is a specialized reconnaissance tool that automates the discovery of real origin IP addresses hiding behind Cloudflare by systematically scanning subdomains and eliminating Cloudflare-owned IP ranges. This approach targets a critical oversight in CDN deployment: while the primary domain may be properly secured behind Cloudflare, associated subdomains often remain directly exposed.
Step-by-step installation and usage guide:
Initial Setup:
Clone the repository git clone https://github.com/moscovium-mc/CloudRip cd CloudRip Create and activate virtual environment python3 -m venv venv Linux/macOS activation source venv/bin/activate Windows activation venv\Scripts\activate Install Python dependencies pip install -r requirements.txt
Requirements: Python 3.8 or higher.
Basic Scan Execution:
Perform a standard subdomain scan against a target python3 cloudrip.py example.com
The tool automatically resolves IPv4 and IPv6 records, fetches current Cloudflare IP ranges from the Cloudflare API, and filters out any resolved IPs belonging to Cloudflare infrastructure. Only real origin server addresses are displayed in the results.
Advanced Configuration:
Custom wordlist scan with JSON output python3 cloudrip.py example.com -w my_custom_wordlist.txt -t 20 -o report.json -f json
– `-w` – Specify custom wordlist file (can be used multiple times)
– `-t` – Number of concurrent threads (default: 10)
– `-o` – Save results to output file
– `-f` – Output format (normal, json, yaml, csv)
– `-v` – Verbose mode showing all attempts
– `-q` – Quiet mode showing only discovered IPs
Verification of Cloudflare Protection:
Manual DNS verification using dig dig example.com Check name servers to confirm Cloudflare involvement whois example.com | grep -i "name server" Alternative using nslookup (Windows) nslookup example.com
Before launching CloudRip, confirm the target domain is actually protected by Cloudflare by examining its NS records and A-record responses.
2. Alternative OSINT Techniques for Origin IP Discovery
Beyond automated subdomain scanning, security researchers can leverage passive reconnaissance techniques that avoid sending any traffic directly to the target.
Certificate Transparency Logs & Censys Queries:
Certificate transparency logs often reveal origin IP addresses through historical SSL certificate associations.
Censys Search Query:
ssl.cert.subject.cn:"target.com"
This query returns all IPv4 hosts presenting an SSL certificate associated with the target domain name. Origin servers frequently become exposed through this method.
Shodan Search Commands:
Search for hosts with specific SSL certificate shodan search ssl.cert.subject.cn:"target.com" Filter by HTTP title shodan search http.title:"Target Website " Hostname-based search shodan search hostname:"target.com"
Historical DNS Data Mining:
Services like DNSDumpster, SecurityTrails, and AlienVault OTX maintain historical DNS records that may predate Cloudflare deployment.
Passive DNS Enumeration:
Using dnsrecon for DNS record harvesting dnsrecon -d target.com -t axfr,zonewalk,bing,goog,crt Subdomain enumeration with Sublist3r sublist3r -d target.com -o subdomains.txt Advanced enumeration with Amass amass enum -d target.com -o amass_output.txt
Reverse DNS Lookups:
Perform reverse DNS on discovered IPs for ip in $(cat discovered_ips.txt); do dig -x $ip +short done
Reverse DNS can reveal naming conventions that map directly back to the target organization.
3. Advanced Tool Ecosystem: CloudReaper, CloudFail, and CF-Hero
The subdomain bypass methodology has been expanded across multiple specialized tools, each offering unique capabilities for origin IP discovery.
CloudReaper – Multi-technique OSINT Platform:
CloudReaper combines DNS brute force, HTTP/S verification with host header injection, reverse DNS lookups, and optional stealth mode to evade detection.
Installation and Usage:
git clone https://github.com/ShadowByteOS/CloudReaper.git cd CloudReaper pip install -r requirements.txt Basic execution python CloudReaper.py -d target.com Stealth mode with randomized user-agents and delays python CloudReaper.py -d target.com --stealth JSON output for integration python CloudReaper.py -d target.com --json -o scan_report
Key features include HTTP/S verification with proper host headers, simulating legitimate browser behavior to retrieve accurate responses, and optional integration with SecurityTrails and Shodan APIs for enriched data.
CloudFail – Passive Reconnaissance Specialist:
CloudFail operates entirely through passive data sources without sending any traffic to the target, making it ideal for covert red team operations.
Setup:
git clone https://github.com/anmolksachan/CloudFail cd CloudFail python3 -m venv venv source venv/bin/activate pip install -r requirements.txt
CloudFail queries certificate transparency logs (crt.sh, CertSpotter), passive DNS databases (HackerTarget, AlienVault OTX, ViewDNS.info), and optional paid APIs including Censys and Shodan for enhanced discovery. The tool includes built-in Tor SOCKS5 proxy support for additional anonymity.
CF-Hero – Go-based Multi-source Intelligence:
CF-Hero is a comprehensive reconnaissance tool written in Go that performs multi-source intelligence gathering through DNS analysis, historical infrastructure correlation, and fingerprinting techniques.
Installation:
Requires Go 1.18 or higher go install github.com/musana/CF-Hero@latest Or build from source git clone https://github.com/musana/CF-Hero cd CF-Hero go build
CF-Hero leverages JA3 fingerprinting, custom header analysis, and response validation to identify origin servers that may not appear through conventional DNS enumeration alone.
4. Defensive Hardening: Preventing Origin IP Exposure
Understanding offensive techniques is essential for implementing effective defensive controls. Organizations must adopt multiple layers of protection beyond basic Cloudflare configuration.
Firewall Configuration for Origin Servers:
The most critical defensive measure is restricting origin server access to only Cloudflare IP ranges.
Linux iptables Rules:
Create dedicated chain for Cloudflare rules iptables -1 CLOUDFLARE Allow Cloudflare IPv4 ranges (obtain current list) for ip in $(curl -s https://www.cloudflare.com/ips-v4); do iptables -A CLOUDFLARE -s $ip -p tcp -m multiport --dports 80,443 -j ACCEPT done Apply chain to INPUT iptables -A INPUT -p tcp -m multiport --dports 80,443 -j CLOUDFLARE Block all other traffic on web ports iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP Save rules (Debian/Ubuntu) iptables-save > /etc/iptables/rules.v4
Windows Firewall Configuration via PowerShell:
Run as Administrator
$cfRanges = Invoke-WebRequest -Uri "https://www.cloudflare.com/ips-v4"
$cfRanges = $cfRanges.Content -split "`n"
Create rule for each Cloudflare IP range
foreach ($range in $cfRanges) {
New-1etFirewallRule -DisplayName "Cloudflare Allow $range" `
-Direction Inbound -Protocol TCP `
-RemoteAddress $range `
-LocalPort 80,443 `
-Action Allow
}
Block all other IPs on web ports
New-1etFirewallRule -DisplayName "Block All Others Port 80/443" `
-Direction Inbound -Protocol TCP `
-LocalPort 80,443 `
-Action Block
Authenticated Origin Pulls:
Cloudflare’s Authenticated Origin Pulls feature ensures that only Cloudflare can connect to the origin server, preventing direct IP access even if the IP is discovered.
Nginx Configuration:
/etc/nginx/sites-available/default
ssl_client_certificate /etc/nginx/ssl/cloudflare.crt;
ssl_verify_client on;
server {
listen 443 ssl;
... SSL configuration ...
Require valid Cloudflare client certificate
if ($ssl_client_verify != SUCCESS) {
return 403;
}
}
Apache Configuration:
Enable client certificate verification SSLCACertificateFile /etc/apache2/ssl/cloudflare.crt SSLVerifyClient require SSLVerifyDepth 1
Regular Security Audits:
Implement quarterly automated scans using tools like CloudRip, CloudReaper, or custom scripts to detect unintended subdomain exposure before attackers do.
Automated Audit Script:
!/bin/bash Automated Cloudflare exposure scanner DOMAIN="example.com" TIMESTAMP=$(date +%Y%m%d_%H%M%S) Run CloudRip python3 /opt/CloudRip/cloudrip.py $DOMAIN -t 10 -o "audit_$TIMESTAMP.txt" Check Censys for certificates curl -X POST https://search.censys.io/api/v2/certificates/search \ -H "Accept: application/json" \ -d "q=parsed.subject_dn:\"$DOMAIN\"" \ -o "censys_certs_$TIMESTAMP.json" Verify all discovered IPs are behind Cloudflare grep -v "Cloudflare" audit_$TIMESTAMP.txt | while read ip; do echo "[!] ALERT: Direct origin IP exposed: $ip" done
5. Recent Cloudflare WAF Zero-Day Analysis
In late 2025, security researchers uncovered a critical zero-day vulnerability in Cloudflare’s Web Application Firewall that allowed attackers to bypass all access restrictions and directly connect to backend origin servers, highlighting the importance of layered security even behind CDN protection.
Vulnerability Overview:
The flaw resided in Cloudflare’s ACME (Automatic Certificate Management Environment) HTTP-01 challenge path, specifically /.well-known/acme-challenge/{token}. Cloudflare’s infrastructure treated requests sent to this path differently from normal traffic, bypassing WAF rule execution entirely to facilitate automated SSL certificate validation.
Attack Vector and Exploitation Details:
When a request contained a token that did not match an active Cloudflare-managed certificate order, the system routed the request to the customer origin server without any WAF processing. Attackers could exploit this by:
- Path traversal attacks against Spring/Tomcat applications: `/.well-known/acme-challenge/..;/actuator/env` accessed environment variables, API keys, and cloud credentials
- Local File Inclusion (LFI) against PHP applications reading sensitive files like `/etc/hosts`
– Next.js information leakage exposing server-side rendering data not intended for public visibility
Proof of Concept:
GET /.well-known/acme-challenge/malicious-token/..;/actuator/env HTTP/1.1 Host: vulnerable-target.com User-Agent: Mozilla/5.0
In all cases, account-level WAF rules and custom security headers were completely ignored, confirming that the entire WAF logic was bypassed.
Detection and Mitigation:
Cloudflare fixed this vulnerability on October 27, 2025, by modifying WAF evaluation to apply standard rules to all `.well-known/acme-challenge/` paths. Organizations should verify their Cloudflare configuration and ensure no custom exceptions remain that could bypass WAF protections.
Verification Command:
Test if ACME path is still exposed curl -k -I https://target.com/.well-known/acme-challenge/test Expected response from fixed implementation: HTTP/2 403 Forbidden (or standard block page)
The incident underscores that CDN protection is not absolute; human error, misconfiguration, and platform-level vulnerabilities can all expose origin infrastructure.
What Undercode Say:
- Origin exposure is the single most critical weakness in CDN-protected applications. Organizations invest heavily in perimeter security while overlooking subdomain misconfigurations and outdated DNS records that can completely negate Cloudflare’s protection. Regular automated scanning should be mandatory.
-
Passive reconnaissance techniques are increasingly sophisticated and accessible. Tools like CloudRip, CloudFail, and CloudReaper democratize advanced OSINT capabilities, making it essential for defenders to understand exactly how attackers think. The playing field has been leveled, and defenders must adopt continuous monitoring to stay ahead.
The ACME zero-day vulnerability serves as a powerful reminder: CDNs are not magic shields. Attackers continuously probe for exceptions, bypasses, and misconfigurations at scale. Defensive strategies must assume that origin IPs will eventually be discovered and implement compensating controls such as authenticated origin pulls, restrict ingress to Cloudflare IP ranges only, and conduct regular penetration testing that includes CDN bypass scenarios. Security is not a product—it is a continuous process of assessment, remediation, and adaptation.
Prediction:
- -1 Cloudflare bypass tools will continue to evolve with AI-assisted subdomain discovery and automated certificate transparency log analysis, making origin IP discovery faster and more accurate. Security teams can no longer rely on obscurity alone; zero-trust origin protection strategies will become mandatory.
- -1 The rise of automated attack frameworks will incorporate CDN bypass techniques as standard modules, reducing the skill barrier for opportunistic attackers and increasing the frequency of origin server compromises due to misconfigured subdomains.
- +1 Security awareness and automated scanning tools will become more accessible to defenders, enabling smaller organizations to audit their own Cloudflare configurations. This democratization of security tooling may reduce the average exposure window for misconfigured deployments.
- -1 Cloudflare and other CDN providers will face increasing regulatory pressure and liability concerns as high-profile origin exposures lead to data breaches. Stricter default security postures may be forced upon all customers regardless of configuration choices.
- -1 Zero-day WAF bypass vulnerabilities like the ACME flaw will continue to be discovered, and the window between discovery and exploitation is shrinking. Organizations must implement defense-in-depth strategies rather than treating CDN as an impenetrable perimeter.
- +1 The security community’s collective research into CDN bypass techniques paradoxically improves platform security by forcing providers to address architectural weaknesses and implement more robust validation logic.
▶️ Related Video (72% Match):
🎯Let’s Practice For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
IT/Security Reporter URL:
Reported By: Omar Aljabr – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
