利用 Cloudflare Workers 繞過 Cloudflare 自家的阻擋機制
source link: https://blog.gslin.org/archives/2021/04/05/10108/%e5%88%a9%e7%94%a8-cloudflare-workers-%e7%b9%9e%e9%81%8e-cloudflare-%e8%87%aa%e5%ae%b6%e7%9a%84%e9%98%bb%e6%93%8b%e6%a9%9f%e5%88%b6/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
利用 Cloudflare Workers 繞過 Cloudflare 自家的阻擋機制
在 Hacker News 首頁上看到「How to bypass Cloudflare bot protection (jychp.medium.com)」這則,裡面的文章是「How to bypass CloudFlare bot protection ?」這篇,利用 Cloudflare Workers 繞過 Cloudflare 自家的 CAPTCHA 機制。
這個漏洞有先被送給 Cloudflare,但被認為不是問題,所以作者就決定公開:
Several months ago I submitted what appeared to be a security flaw to CloudFalre’s bugbounty program. According to them, this is not a problem, it’s up to you to make up your own mind.
技術上就是透過 Cloudflare Workers 當作 proxy server,只是看起來 Cloudflare 對自家 IP 有特別處理,在設定妥當後,用 Cloudflare Workers 的 IP address 去連 Cloudflare 的站台,幾乎不會觸發 Cloudflare 的阻擋機制。
不過 free tier 還是有限制,主要就是數量:
The first 100,000 requests each day are free and paid plans start at just $5/10 million requests, making Workers as much as ten-times less expensive than other serverless platforms.
作者也有提到這點:
So let’s enjoy the 100 000 request/day for your free Cloudflare account and go scrape the world !
但這是個有趣的方法,加上信用卡盜刷之類的方式,這整包看起來就很有威力...
Related
Cloudflare Worker 進入 Open Beta 讓大家玩了...
去年 Cloudflare 宣佈了 Cloudflare Worker,讓使用者可以在 Edge 端跑 JavaScript (參考「Cloudflare 也能在各端點跑 JavaScript 了」),也就是可以在 Cloudflare 節點上面對 HTTP request 與 HTTP response 做更多事情,類似於 AWS 的 Lambda@Edge。 不過去年公佈的當時需要申請才有機會用,算是 Private Beta。現在則是開放讓大家玩 (Open Beta) 讓大家幫忙測試了:「Cloudflare Workers is now on Open Beta」。 文件在「Cloudflare Workers Docs」這邊可以取得,就如同去年 Cloudflare 所提到的,程式的撰寫上是透過 Service Worker 的界面,這樣就不用再學一套: Cloudflare Workers are modeled on the Service…
February 2, 2018In "CDN"
拿 Cloudflare Workers 跑 Geolocation API
在 Hacker News Daily 上看到拿 Cloudflare Workers 跑 Geolocation API:「How to make simple Geolocation service」。 作者想要做一個很簡單的 Geolocation API,一開始的想法是在 AWS Lambda 上用 MaxMind 的資料,但 latency 偏高: However, I quickly realized that the response time isn't what I've expected - on average the response took somewhere between from 200ms to 500ms. So…
July 26, 2020In "CDN"
Cloudflare 與 ISP 合作推出 ODoH 加強隱私,然後 Google 想要看 HTTPS 流量
Cloudflare 推出了 ODoH (目前是 IETF 的 draft:「Oblivious DNS Over HTTPS」):「Improving DNS Privacy with Oblivious DoH in 1.1.1.1」,在 Hacker News 上面也有討論:「 Improving DNS Privacy with Oblivious DoH (cloudflare.com)」 基本上就是 DNS over HTTPS 在上面架一層 Proxy,但這層 Proxy 不能是 Cloudflare 自己: 這樣一來 Cloudflare 知道 IP address 的機會就會比較小,藉以達到要求,先前要達到這樣的效果必須透過 ISP 提供的 HTTP/HTTPS Proxy (像是已經淘汰的 proxy.hinet.net:「HiNet 宣佈年底關閉…
December 9, 2020In "Cloud"
Author Gea-Suan LinPosted on April 5, 2021Categories CDN, Cloud, Computer, Murmuring, Network, Security, Service, WWWTags bot, bug, bypass, captcha, cloudflare, proection, proxy, security, server, workers Leave a Reply Cancel reply
Your email address will not be published. Required fields are marked *
Comment
Name *
Email *
Website
Notify me of follow-up comments by email.
Notify me of new posts by email.
Post navigation
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK