I was checking out 0day.today's website, curious to know more about this popular and rather infamous platform. It's a place where you can find exploits ranging from 0days in software to security vulnerabilities in live websites like Twitter and Facebook, to name a few. The service is popular with scammers and cybercriminals since they can acquire exploits in exchange for cryptocurrency, which anonymizes the trade.
What makes it different from other 0day acquisition platforms (like Zerodium and ZDI) is that it has a totally different business model: anyone who pays gets the exploit. You don't need to be a large organisation or enter into some sort of contract with the platform to buy one. There are a lot of vulnerabilities with exploits on offer, covering a wide range of services, from web applications to almost anything.
There are people offering business logic bugs and exploits to hijack high-value target accounts on Twitter. It could be something as simple as a vulnerability in a third-party service, like the API vulnerability Baptiste Robert found in a WordPress social plugin, which enabled you to tweet from the linked account and completely compromise Twitter accounts with a huge follower count.
Such exploits take a different path to hijack the victim's account on a live web app, and may require some knowledge about the victim as well. So the 0day.today market offers not only 0days in software to almost anyone, but also vulnerabilities and exploits against popular live websites. It is worth noting that acquiring exploits against live websites may be illegal where you live; I don't condone using this platform for illegal activities.
How I Discovered The Vulnerability
The place looked shady in the first place, which just made me keen to explore its many moving parts. It also operates a hidden service on Tor, which is a mirror of the clearnet version. It's also worth noting that they were using Cloudflare to protect their server against DoS and DDoS attacks. But how effective was it?
Perhaps they wanted to preserve the anonymity of their origin server, but did that work?
It barely took me a few minutes to figure out their origin server IP address (22.214.171.124), and it still works as of writing this article. The server is located in France. For those who are still wondering: it's easy to figure out a website's IP address even though it is behind Cloudflare.
This can be done easily by collecting historical information about the domain from services like DNSTrails. But the point is that one must configure the server to block direct access through the origin IP. If that is done, Cloudflare protection can be fully effective.
I won't write about the discovery of this vulnerability, since Paul, a fellow researcher, has covered in depth the process of finding origin IPs of services behind Cloudflare in his article: https://www.secjuice.com/finding-real-ips-of-origin-servers-behind-cloudflare-or-tor/
Impact Of This IP Disclosure On 0day.today
Leakage of the real, or origin, IP of a service makes Cloudflare protection and DDoS mitigation ineffective as a whole. Not only does it neutralize Cloudflare's DDoS protection but also its WAF, which protects the server from various sorts of attacks like SQL injection and XXE, enforces rate limiting on endpoints, and also filters client-side attacks like XSS and so on.
The overall impact on the site's security can be classified as:
- Client side WAF Bypass: XSS, etc.
- Server side WAF Bypass: XXE, SQLi, etc.
Thus, it dramatically increases the potential attack surface of the web app if you rely solely on Cloudflare as a firewall, because the Cloudflare WAF is useless if an attacker can reach the website or web service via the origin IP.
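The fix mentioned earlier (block direct access through the origin IP) and the WAF-bypass impact just described can both be handled on the origin itself. The following is an added example, not code from the original post or from 0day.today: it renders an nginx allowlist restricted to Cloudflare's published edge ranges and flags access-log entries that reached the origin without passing through Cloudflare. The range list is a snapshot of https://www.cloudflare.com/ips-v4 and the log lines are constructed.

```python
# Added example (not from the original post): enforce and detect the mitigation
# "only accept traffic that arrives via Cloudflare's edge" on the origin server.
# Cloudflare publishes its IPv4 ranges at https://www.cloudflare.com/ips-v4 ;
# the list below is a snapshot and must be refreshed from that URL when deployed.
import ipaddress
import re

CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_V4]

def is_cloudflare(ip: str) -> bool:
    """True if the connecting address belongs to one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NETS)

def nginx_allowlist() -> str:
    """nginx snippet for the origin vhost: allow the edge, deny everyone else.
    Placed in the server {} block, a direct hit on the origin IP gets a 403."""
    lines = [f"allow {cidr};" for cidr in CLOUDFLARE_V4]
    lines.append("deny all;")
    return "\n".join(lines)

# Combined-format access log line; only the client IP and request path are used.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (\S+) [^"]*"')

def direct_hits(log_lines):
    """Return (ip, path) for requests that reached the origin without passing
    through Cloudflare, i.e. requests the WAF and DDoS layer never saw."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and not is_cloudflare(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample log: one request via the edge, one straight at the origin.
SAMPLE_LOG = [
    '104.16.1.2 - - [10/Oct/2019:13:55:36 +0000] "GET /exploits HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2019:13:55:40 +0000] "GET / HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    print(nginx_allowlist())
    for ip, path in direct_hits(SAMPLE_LOG):
        print(f"direct origin access from {ip}: {path}")
```

Because every Cloudflare customer shares the same edge ranges, an IP allowlist alone still lets traffic proxied through someone else's Cloudflare zone reach the origin; Cloudflare's Authenticated Origin Pulls (client-certificate TLS between edge and origin) closes that gap.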
I reported it to the 0day.today admin, but he decided not to fix it. Thus, almost a year after reporting this vulnerability in their service, I decided to disclose it publicly for the common good of one and all :)
Peace. For further comments and questions, feel free to hit me up on Twitter: http://twitter.com/payloadartist.