This extension provides the following features:
2 |If you are experiencing any issue at all, please file an issue on the GitHub project page or contact me personally via LinkedIn.
9 | -------------------------------------------------------------------------------- /.idea/modules/flarequench_test.iml: -------------------------------------------------------------------------------- 1 | 2 |
4 | 
5 |
6 | A Burp Suite plugin that adds additional checks to the passive scanner to reveal the origin IP(s) of Cloudflare-protected web applications.
7 |
8 | ## Installation
9 |
10 | ### Compilation
11 |
12 | 1. Install and configure [Gradle](https://gradle.org/).
13 |
14 | 2. Download this repository.
15 |
16 | ```bash
17 | git clone https://github.com/aress31/flarequench
18 | cd .\flarequench\
19 | ```
20 |
21 | 3. Create the standalone `jar`:
22 |
23 | ```bash
24 | gradle build shadowJar
25 | ```
26 |
27 | ### Loading the Extension Into the `Burp Suite`
28 |
29 | In `Burp Suite`, under the `Extender/Options` tab, click on the `Add` button and load the `fatJar` located in the `.\build\libs` folder.
30 |
31 | ## Roadmap
32 |
33 | - [ ] Improve the reliablity.
34 | - [x] Optimise the source code.
35 |
36 | ## Sponsor 💖
37 |
38 | If you want to support this project and appreciate the time invested in developping, maintening and extending it; consider donating toward my next cup of coffee. ☕
39 |
40 | It is easy, all you got to do is press the `Sponsor` button at the top of this page or alternatively [click this link](https://github.com/sponsors/aress31). 💸
41 |
42 | ## Reporting Issues
43 |
44 | Found a bug? I would love to squash it! 🐛
45 |
46 | Please report all issues on the GitHub [issues tracker](https://github.com/aress31/flarequench/issues).
47 |
48 | ## Contributing
49 |
50 | You would like to contribute to better this project? 🤩
51 |
52 | Please submit all `PRs` on the GitHub [pull requests tracker](https://github.com/aress31/flarequench/pulls).
53 |
54 | ## License
55 |
56 | See [LICENSE](LICENSE).
57 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Created by https://www.gitignore.io/api/java,gradle,intellij
2 | # Edit at https://www.gitignore.io/?templates=java,gradle,intellij
3 |
4 | ### Intellij ###
5 | # Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and WebStorm
6 | # Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
7 |
8 | # User-specific stuff
9 | .idea/**/workspace.xml
10 | .idea/**/tasks.xml
11 | .idea/**/usage.statistics.xml
12 | .idea/**/dictionaries
13 | .idea/**/shelf
14 |
15 | # Generated files
16 | .idea/**/contentModel.xml
17 |
18 | # Sensitive or high-churn files
19 | .idea/**/dataSources/
20 | .idea/**/dataSources.ids
21 | .idea/**/dataSources.local.xml
22 | .idea/**/sqlDataSources.xml
23 | .idea/**/dynamic.xml
24 | .idea/**/uiDesigner.xml
25 | .idea/**/dbnavigator.xml
26 |
27 | # Gradle
28 | .idea/**/gradle.xml
29 | .idea/**/libraries
30 |
31 | # Gradle and Maven with auto-import
32 | # When using Gradle or Maven with auto-import, you should exclude module files,
33 | # since they will be recreated, and may cause churn. Uncomment if using
34 | # auto-import.
35 | # .idea/modules.xml
36 | # .idea/*.iml
37 | # .idea/modules
38 | # *.iml
39 | # *.ipr
40 |
41 | # CMake
42 | cmake-build-*/
43 |
44 | # Mongo Explorer plugin
45 | .idea/**/mongoSettings.xml
46 |
47 | # File-based project format
48 | *.iws
49 |
50 | # IntelliJ
51 | out/
52 |
53 | # mpeltonen/sbt-idea plugin
54 | .idea_modules/
55 |
56 | # JIRA plugin
57 | atlassian-ide-plugin.xml
58 |
59 | # Cursive Clojure plugin
60 | .idea/replstate.xml
61 |
62 | # Crashlytics plugin (for Android Studio and IntelliJ)
63 | com_crashlytics_export_strings.xml
64 | crashlytics.properties
65 | crashlytics-build.properties
66 | fabric.properties
67 |
68 | # Editor-based Rest Client
69 | .idea/httpRequests
70 |
71 | # Android studio 3.1+ serialized cache file
72 | .idea/caches/build_file_checksums.ser
73 |
74 | ### Intellij Patch ###
75 | # Comment Reason: https://github.com/joeblau/gitignore.io/issues/186#issuecomment-215987721
76 |
77 | # *.iml
78 | # modules.xml
79 | # .idea/misc.xml
80 | # *.ipr
81 |
82 | # Sonarlint plugin
83 | .idea/**/sonarlint/
84 |
85 | # SonarQube Plugin
86 | .idea/**/sonarIssues.xml
87 |
88 | # Markdown Navigator plugin
89 | .idea/**/markdown-navigator.xml
90 | .idea/**/markdown-navigator/
91 |
92 | ### Java ###
93 | # Compiled class file
94 | *.class
95 |
96 | # Log file
97 | *.log
98 |
99 | # BlueJ files
100 | *.ctxt
101 |
102 | # Mobile Tools for Java (J2ME)
103 | .mtj.tmp/
104 |
105 | # Package Files #
106 | *.jar
107 | *.war
108 | *.nar
109 | *.ear
110 | *.zip
111 | *.tar.gz
112 | *.rar
113 |
114 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
115 | hs_err_pid*
116 |
117 | ### Gradle ###
118 | .gradle
119 | build/
120 |
121 | # Ignore Gradle GUI config
122 | gradle-app.setting
123 |
124 | # Avoid ignoring Gradle wrapper jar file (.jar files are usually ignored)
125 | !gradle-wrapper.jar
126 |
127 | # Cache of project
128 | .gradletasknamecache
129 |
130 | # # Work around https://youtrack.jetbrains.com/issue/IDEA-116898
131 | # gradle/wrapper/gradle-wrapper.properties
132 |
133 | ### Gradle Patch ###
134 | **/build/
135 |
136 | # End of https://www.gitignore.io/api/java,gradle,intellij
--------------------------------------------------------------------------------
/src/main/java/burp/ScannerCheck.java:
--------------------------------------------------------------------------------
1 | /*
2 | # Copyright (C) 2019 Alexandre Teyar
3 |
4 | # Licensed under the Apache License, Version 2.0 (the "License");
5 | # you may not use this file except in compliance with the License.
6 | # You may obtain a copy of the License at
7 |
8 | # http://www.apache.org/licenses/LICENSE-2.0
9 |
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | */
16 |
17 | package burp;
18 |
19 | import java.net.MalformedURLException;
20 | import java.net.URL;
21 | import java.util.ArrayList;
22 | import java.util.List;
23 |
24 | public class ScannerCheck implements IScannerCheck {
25 |
26 | private IBurpExtenderCallbacks burpExtenderCallbacks;
27 |
28 | private ListCloudflare is a web infrastructure and website security company, providing content " 71 | + "delivery network services, DDoS mitigation, Internet security, and distributed " 72 | + "domain name server services. Cloudflare's services sit between a website's visitor " 73 | + "and the Cloudflare customer's hosting provider, acting as a reverse proxy for " 74 | + "websites.
" 75 | + "" 76 | + "It was possible to obtain the application's origin IP(s) which represent the" 77 | + "server(s) sitting behind Cloudflare. With this information an attacker could" 78 | + "directly target the application server(s), effectively bypassing the layer of " 79 | + "protection offered by Cloudflare. To exploit this, an attacker would need to " 80 | + "redirect their network traffic to the discovered origin IP(s) and manipulate the " 81 | + "\"Host\" header of their HTTP(S) requests to the relevant hostname in order to " 82 | + "ensure that the application's origin server is still able to route the traffic " 83 | + "to the correct virtual host. This destination IP and host header manipulation " 84 | + "can be achieved automatically using the Target Redirector Burp extension " 85 | + "available in the Burp App Store.
" 86 | + "" 87 | + "When using this approach, keep in mind that behind Cloudflare, the naked " 88 | + "application might be hosted from a different TCP port than that which Cloudflare " 89 | + "presented it on. A port scan of the origin IP and a process of elimination can " 90 | + "help to identify the correct port. The Target Redirector extension can also " 91 | + "automatically change the port, as well as switch between HTTP and HTTPS " 92 | + "necessary.
"; 93 | } 94 | 95 | @Override 96 | public String getRemediationBackground() { 97 | return "It is strongly advised to set firewall rules on the application server(s) so that " 98 | + "only web requests from Cloudflare and IP addresses that the application may require " 99 | + "access to are authorised. This will prevent attackers from performing Denial of Service " 100 | + "(DoS) attacks or any other type of attacks that Cloudflare could hinder or prevent " 101 | + "altogether.
"; 102 | } 103 | 104 | @Override 105 | public String getIssueDetail() { 106 | return 107 | "The application is protected by Cloudflare. However, it appears that CrimeFlare was " 108 | + "able to determine the application server(s) origin IP address(es). This means that " 109 | + "bypassing Cloudflare using the application's origin IP(s) and HTTP \"Host\" header " 110 | + "should be possible. This can be achieved automatically using the Target Redirector " 111 | + "Burp extension available in the Burp App store.
" 112 | + "" 113 | + "Please visit " 114 | + "CrimeFlare to manually investigate and validate this issue.
"; 115 | } 116 | 117 | @Override 118 | public String getRemediationDetail() { 119 | return "Consider protecting the application server(s) with firewall rules which whitelist " 120 | + "Cloudflare's network and prevent access from any other IP ranges.
"; 121 | } 122 | 123 | @Override 124 | public IHttpRequestResponse[] getHttpMessages() { 125 | return new IHttpRequestResponse[0]; 126 | } 127 | 128 | @Override 129 | public IHttpService getHttpService() { 130 | return this.httpRequestResponse.getHttpService(); 131 | } 132 | } 133 | -------------------------------------------------------------------------------- /.idea/uiDesigner.xml: -------------------------------------------------------------------------------- 1 | 2 |