
Comment by marginalia_nu

2 days ago

Yeah, even beyond common decency, there are pretty strong incentives to fix it, as it's a fantastic way of having your bot's fingerprint end up on Cloudflare's shitlist.

Kinda disappointed by Cloudflare - it feels like they only have quite basic logic. Why would anomaly detection not capture these large payloads?

There was a zip-bomb-like attack a year ago where you could send one gigabyte of the letter "A", compressed with brotli into a very small file size, via Cloudflare to backend servers, basically something like the old HTTP Transfer-Encoding (which has been discontinued).

Attacker --1kb--> Cloudflare --1GB--> backend server

Obviously the servers that received the extracted HTTP request from the Cloudflare web proxies were getting killed, but Cloudflare didn't even accept it as a valid security problem.

AFAIK there was no magic AI security monitoring anomaly detection thing which blocked anything. Sometimes I'd love to see the old web application firewall warnings for single and double quotes just to see if the thing is still there. But maybe it's a misconfiguration on the side of the Cloudflare user, because I can remember they at least had a WAF product in the past.

  • > But maybe it's a misconfiguration on the side of the Cloudflare user, because I can remember they at least had a WAF product in the past

    They still have a WAF product, though I don't think anything in the standard managed ruleset will fire just on quotes; the SQLi and XSS checks are a bit more sophisticated than that.

    From personal experience, they will fire a lot if someone uses a WAF-protected CMS to write a post about SQL.