Cloudflare IUAM: Critical Bypass Vulnerability Report

Andrew Campi
August 23rd, 2024

Executive Summary

Introduction
This report details a critical vulnerability discovered in Cloudflare's "I'm Under Attack Mode" (IUAM) protection. My research has uncovered a method that consistently bypasses IUAM, allowing automated access to protected resources as if the IUAM protection was not present.

Vulnerability Overview

• Severity: Critical
• Affected Component: I'm Under Attack Mode (IUAM)
• Success Rate: Near 100% consistency in bypassing the protection
• Potential Impact: Nullification of IUAM's effectiveness against automated threats

Key Findings

• Complete Protection Bypass: This method enables automated tools to access IUAM-protected sites without triggering the intended security measures.
• High Consistency: The multi-part bypass technique works reliably, with a success rate near 100%.
• Sophisticated Evasion: The bypass method employs a combination of advanced techniques to circumvent Cloudflare's detection mechanisms:
• Rotating Residential Proxies:
  • Utilizes a diverse pool of residential IP addresses to mimic legitimate user traffic.
  • Constantly rotates proxies to avoid detection and IP-based blocking.
• Browser Emulation via Selenium-Driverless:
  • Employs the Selenium-driverless library to control a real Chrome browser instance.
  • Bypasses common WebDriver detection methods used by anti-bot systems.
• Avoidance of Headless Mode:
  • Runs the browser in full GUI mode to present a complete browser environment.
  • Passes sophisticated checks for screen properties, rendering capabilities, and other browser characteristics.
• Custom Dummy Browser Extensions:
  • Generates and implements random browser extensions for each session.
  • Alters the browser fingerprint to make each automated session appear unique.
• Random URL as Referrer:
  • Injects custom JavaScript to set a random referrer URL.
  • Simulates natural browsing patterns, making automated access appear as legitimate traffic from various sources.
• "Hit It With a Hammer" Challenge Bypass:
  • Forcibly removes Cloudflare's challenge elements from the page.
  • Exploits the challenge refresh mechanism to gain access without solving the challenge.
• Minimal Resource Requirements: The bypass can be executed with relatively modest computing resources, potentially enabling large-scale automated access.

Immediate Concerns
This vulnerability fundamentally undermines the protective capabilities of IUAM, potentially exposing Cloudflare customers to:

• Undetected web scraping activities
• Automated exploitation of web application vulnerabilities
• Large-scale credential stuffing or brute force attempts
• Bypass of rate limiting and anti-DDoS measures

Cloudflare's Critical Security Features

Cloudflare has established itself as a leader in web security, with a particular focus on protecting against Distributed Denial of Service (DDoS) attacks and unwanted web scraping. These security features are a primary reason for Cloudflare's widespread adoption among websites of all sizes.

DDoS Protection
Cloudflare's DDoS protection is one of its most critical and widely-used security features:
1. Massive Network Capacity

• Global Anycast Network: Cloudflare's vast network spans over 200 cities, allowing it to absorb and diffuse large-scale DDoS attacks effectively.
• Traffic Distribution: Automatically spreads attack traffic across its global network, preventing any single point of failure.

2. Multi-Layer Protection

• Layer 3 & 4 Protection: Mitigates network-layer attacks, including SYN floods, UDP floods, and DNS amplification attacks.
• Layer 7 Protection: Defends against application-layer attacks, such as HTTP floods, slow reads, and other sophisticated request-based attacks.

3. Intelligent Threat Detection

• Machine Learning Algorithms: Continuously analyzes traffic patterns to identify and mitigate emerging threats in real-time.
• Behavioral Analysis: Distinguishes between legitimate users and malicious bots based on behavior patterns.

4. Unmetered Mitigation

• Always-On Protection: Provides constant protection without charging extra for attack volume or duration.
• No Performance Impact: Maintains website performance even during large-scale attacks.

Anti-Scraping and Bot Protection
Cloudflare offers robust features to prevent unauthorized web scraping and bot activities:
1. Bot Fight Mode

• Automated Challenge Generation: Presents CAPTCHAs or JavaScript challenges to suspected bots.
• Progressive Difficulty: Increases challenge complexity for persistent or sophisticated bots.

2. Rate Limiting

• Customizable Rules: Allows setting specific thresholds for request rates from individual IP addresses.
• Flexible Response Options: Offers various actions for rate limit violations, including blocking, CAPTCHAs, or custom error pages.

3. User Agent Blocking

• Granular Control: Enables blocking or challenging requests based on specific user agent strings.
• Regular Expression Support: Allows for complex matching patterns to identify and block sophisticated scraping tools.

4. IP Reputation Database

• Known Threat Intelligence: Maintains a constantly updated database of IP addresses associated with malicious activities.
• Proactive Blocking: Automatically blocks or challenges requests from IPs with poor reputations.

5. JavaScript Detection

• Browser Integrity Check: Verifies if the client can execute JavaScript, a common method to distinguish between real users and basic bots.
• Dynamic Challenges: Generates unique JavaScript challenges to prevent bypass through pre-computed responses.

6. "I'm Under Attack" Mode (IUAM)

• Challenge Page: Presents a brief delay and challenge to all visitors when activated.
• Effectively Stops Bots: Highly effective at preventing automated access during periods of suspected attack.

7. API Shield

• Schema Validation: Ensures incoming API requests conform to predefined schemas, preventing malformed requests often used in scraping attempts.
• Mutual TLS: Provides an additional layer of authentication for API clients, making unauthorized scraping significantly more difficult.

The Importance and Usage of Cloudflare's “I'm Under Attack Mode” (IUAM)

Cloudflare's "I'm Under Attack" Mode (IUAM) is a critical security feature designed to provide an additional layer of protection during intense periods of suspected automated attacks. Its significance in web security cannot be overstated, particularly for sites facing persistent threats from bots, scrapers, and DDoS attacks.

Core Functionality of IUAM
1. Challenge Page

• Temporary Barrier: When activated, IUAM presents all visitors with an intermediate page before allowing access to the protected website.
• Short Delay: Implements a brief waiting period (typically 5 seconds) coupled with a JavaScript challenge.
• Browser Verification: Ensures that the client can execute JavaScript and behaves like a genuine web browser.

2. Advanced Bot Detection

• Behavioral Analysis: Analyzes visitor behavior patterns to distinguish between human users and automated scripts.
• Fingerprinting Techniques: Utilizes various browser and device characteristics to identify potential threats.
• Machine Learning Integration: Employs AI algorithms to adapt to evolving bot behaviors and attack patterns.

3. Adaptive Challenge Difficulty

• Progressive Complexity: Increases the difficulty of challenges for clients exhibiting suspicious behavior.
• Dynamic Challenge Generation: Creates unique challenges for each session to prevent replay attacks.

Importance in Web Security
1. Last Line of Defense

• Emergency Response: Acts as a critical measure when standard protections are overwhelmed or bypassed.
• Rapid Deployment: Can be activated instantly, providing immediate protection against sudden surges in malicious traffic.

2. Minimal Impact on Legitimate Users

• Brief Interruption: Designed to minimally inconvenience real users while significantly impeding automated threats.
• Transparent Protection: Most legitimate users experience only a short delay, often unaware of the robust security check occurring.

3. Effective Against Various Threats

• DDoS Mitigation: Helps absorb and filter out traffic from DDoS attacks by adding an additional verification layer.
• Anti-Scraping Measure: Presents a formidable obstacle to most scraping tools and bots.
• Brute Force Prevention: Effectively slows down automated attempts at credential stuffing or password guessing.

4. Protects Origin Servers

• Traffic Filtering: Significantly reduces the volume of malicious requests reaching the origin server.
• Resource Conservation: Helps maintain server performance and availability during attack periods.

Usage Scenarios
1. During Active Attacks

• DDoS Incidents: Often activated when a site is experiencing a Distributed Denial of Service attack.
• Scraping Campaigns: Employed when unusual patterns of data harvesting are detected.

2. Preventive Measures

• High-Risk Periods: Activated during anticipated times of increased threat, such as major sales events or after public controversies.
• Sensitive Content Protection: Used to safeguard access to particularly valuable or sensitive areas of a website.

3. Customized Deployment

• Selective Activation: Can be applied to specific URLs or sections of a website requiring extra protection.
• Geolocation-Based: May be triggered for traffic originating from specific geographic regions associated with higher threat levels.

Technical Deep Dive and Vulnerability Details

Introduction
The vulnerability discovered in Cloudflare's "I'm Under Attack" Mode (IUAM) represents a significant breach in what is widely regarded as one of the most robust anti-bot and anti-scraping systems available today. This bypass is not the result of a single flaw or oversight, but rather a sophisticated combination of multiple techniques that, when employed together, create a consistently successful method for circumventing IUAM protections.
The effectiveness of this bypass method lies in its multifaceted approach, addressing various aspects of IUAM's detection mechanisms simultaneously. By leveraging a synergistic set of techniques, this method exploits gaps in IUAM's defense layers, effectively rendering the protection mechanism ineffective against a well-implemented attack.

Key aspects of this bypass include:

• Holistic Approach: Rather than targeting a single vulnerability, this method combines multiple strategies to create a comprehensive bypass solution.
• Consistency in Results: The bypass technique demonstrates a very high success rate, consistently allowing unauthorized automated access to protected resources.
• Scalability: The method can be implemented at scale, potentially allowing for large-scale automated access to IUAM-protected websites.
• Adaptability: The techniques used are flexible enough to potentially adapt to minor changes in IUAM's protection mechanisms, suggesting a robust and resilient bypass method.
• Resource Efficiency: Despite its sophistication, the bypass method is relatively efficient in terms of computational resources required, making it feasible for widespread use.

The implications of this vulnerability are very significant. IUAM is often employed as a last line of defense against determined attackers, particularly during high-stress scenarios such as active DDoS attacks or aggressive scraping attempts. A reliable method to bypass IUAM essentially nullifies this critical layer of protection, potentially exposing Cloudflare's clients to the very threats they rely on IUAM to mitigate.

In the following sections, I will detail the technical details of each component, hereon referred to as “techniques”, of this comprehensive bypass method. The following will explore how these techniques work individually and, more importantly, how their combination creates a synergistic effect that successfully circumvents IUAM's multi-layered defenses. This analysis will cover the underlying principles, implementation details, and the rationale behind each aspect of the bypass method.

Understanding the intricacies of this vulnerability is crucial not only for addressing the immediate security concern but also for insights into potential improvements in anti-bot technologies. The sophistication of this multi-part bypass method highlights the ongoing challenges in the field of web security and the constant evolution required to stay ahead of potential threats.

Technique #1: Rotating Residential Proxies

Overview
The use of rotating residential proxies is a critical component of this multi-part bypass method. This technique is particularly effective due to its ability to mimic legitimate user traffic, making it difficult for Cloudflare's security systems to distinguish between authentic users and automated requests.

Why It's Effective

• IP Diversity: Residential proxies provide access to a wide range of IP addresses associated with real Internet Service Providers (ISPs). This diversity makes it challenging for Cloudflare to identify and block traffic based on IP reputation alone.
• Geographical Distribution: Residential proxies are typically spread across various geographical locations. This distribution helps in bypassing any geolocation-based filtering that Cloudflare might employ.
• Legitimate IP Reputation: Unlike data center IPs, which are often flagged as potential sources of automated traffic, residential IPs generally have a better reputation. They are less likely to be pre-emptively blocked or subjected to stringent challenges.
• Dynamic Nature: The rotating aspect of these proxies means that each request can potentially come from a different IP address. This rotation makes it difficult for Cloudflare to detect patterns typically associated with automated access from a single source.
• Believable User Behavior: When combined with appropriate request timing and browsing patterns, requests through residential proxies can closely mimic the behavior of real users accessing the site from home networks.
• Bypass Rate Limiting: Cloudflare's rate limiting is often based on the IP address specifically. Rotating proxies effectively distribute requests across multiple IPs, potentially bypassing these limits.
• Evasion of IP-Based Challenges: Cloudflare increases the challenge difficulty for IPs exhibiting suspicious behavior. Rotating the residential proxies reduces the likelihood of any single IP accumulating enough 'suspicion' to trigger enhanced challenges.

Implementation Code

from fp.fp import FreeProxy def random_proxy(from_list=False): if from_list: good_proxies \= read_json("good_proxies.json")["proxies"] if len(good_proxies) > 0: return random.choice(good_proxies) try: return FreeProxy(rand=True, country_id=['CA'], https=True, timeout=4).get() # Default search except: sleep(5) try: return FreeProxy(rand=True, country_id=['US', 'CA'], https=True, timeout=6).get() # Expand search except: sleep(4) return FreeProxy(rand=True, timeout=10).get() # At this point, any proxy will do

Code Breakdown

• Proxy Source Flexibility: The function first checks if it should use a predefined list of "good" proxies, allowing for the use of known reliable proxies. If not using the predefined list, it attempts to fetch a random proxy using the FreeProxy library.
• Geographical Targeting: The initial attempt focuses on Canadian (CA) proxies, which may have a good reputation and lower likelihood of being blocked. If that fails, it expands to include US proxies, increasing the pool while still maintaining a North American focus.
• Fallback Mechanism: If both targeted attempts fail, it resorts to fetching any available proxy globally.
• Error Handling and Retries: The code includes waiting (i.e. sleep) intervals between attempts, reducing the likelihood of triggering rate limits on the proxy service. Multiple try-except blocks ensure that the function almost always returns a proxy, enhancing reliability.
• HTTPS and Timeout Configuration: The code specifically requests HTTPS proxies, which is crucial for accessing most modern websites, especially those protected by Cloudflare. Timeout values are set and increased in subsequent attempts, balancing between speed and the likelihood of finding a working proxy.

Technique #2: Usage of The Selenium-Driverless Library

Overview
This technique involves using a heavily modified version of Selenium that interacts directly with the Chrome DevTools Protocol, allowing for browser automation that closely mimics human-like behavior and bypasses common bot detection mechanisms.

Why It's Effective

• Evasion of WebDriver Detection: Traditional Selenium uses WebDriver, which leaves detectable traces. Selenium-driverless operates without WebDriver, making it much harder for anti-bot systems to detect automation. Cloudflare's IUAM often checks for the presence of WebDriver to identify automated browsers. Selenium-driverless bypasses this check effectively.
• Authentic Browser Fingerprint: By controlling a fully installed Chrome instance, Selenium-driverless presents a genuine browser fingerprint, complete with all the expected properties and behaviors of a real Chrome browser. This authentic fingerprint is crucial in bypassing Cloudflare's sophisticated browser integrity checks.
• JavaScript Execution: Selenium-driverless fully supports JavaScript execution, allowing it to interact with and pass Cloudflare's JavaScript-based challenges seamlessly. It can handle dynamic content and complex AJAX requests, which are often used in IUAM's verification process.
• Mimicking Human-like Interactions: The library allows for the implementation of realistic mouse movements, typing patterns, and navigation behaviors that closely resemble human actions. These human-like interactions are critical in bypassing behavioral analysis algorithms employed by Cloudflare.
• Header and Cookie Management: Selenium-driverless provides fine-grained control over HTTP headers and cookies, allowing for the maintenance of consistent session data. This control is essential for navigating through Cloudflare's multi-step verification process without triggering suspicion.
• Stealth Capabilities: The library can be configured to mask common automation indicators, such as user agent strings, screen dimensions, and other browser characteristics. This stealth approach helps in evading Cloudflare's fingerprinting techniques that look for more obvious signs of automation.
• Performance Advantages: Selenium-driverless often performs faster than traditional Selenium, allowing for more efficient large-scale operations against Cloudflare-protected sites. The improved performance helps in maintaining a natural browsing speed, further enhancing the appearance of legitimate traffic.

Technique #3: Strictly Avoiding "Headless" Mode

Overview
Headless browsers, which operate without a graphical user interface, are commonly used in web scraping and automation tasks due to their lower resource requirements. However, in the context of bypassing sophisticated anti-bot systems like Cloudflare's IUAM, using a full browser instance with a complete graphical rendering pipeline is essential.

This technique involves running the browser in its standard mode, complete with full rendering capabilities, just as it would appear on a user's screen. By doing so, the automated browsing session presents itself as indistinguishable from a genuine user interaction from Cloudflare's perspective.

Why It's Effective

• Evasion of Headless Detection: Cloudflare, like many advanced anti-bot systems, has specific checks to detect headless browser usage. By avoiding headless mode, this bypass technique circumvents these detection mechanisms entirely. Many of the more obvious signs of headless browsers, such as missing or default values for certain browser properties, are avoided when using a full browser instance.
• Complete Browser Fingerprint: A full browser instance provides a complete and authentic browser fingerprint, including properties related to screen resolution, color depth, and graphics capabilities. This comprehensive fingerprint is crucial in passing Cloudflare's browser environment checks.
• Realistic Rendering Behavior: Non-headless browsers fully execute CSS and render the page, which can be detected by sophisticated fingerprinting techniques. Some anti-bot systems use techniques like invisible elements or CSS-based traps to detect if a page is being fully rendered. A complete browser passes these tests naturally.
• JavaScript Execution Environment: Full browsers provide a complete JavaScript execution environment, including access to all standard Web APIs. This ensures that any JavaScript-based challenges or checks by Cloudflare are executed in an environment indistinguishable from a real user's browser..
• Support for Advanced Web Features: Features like WebGL, which are sometimes used in advanced fingerprinting techniques, are fully supported in non-headless modes. Cloudflare may use checks for these advanced features to distinguish between real and automated browsers.
• Realistic Resource Loading: Full browsers load all resources, including images, stylesheets, and scripts, in a manner consistent with real user behavior. This complete resource loading process can be crucial in passing certain types of behavioral analysis employed by anti-bot systems.
• Compatibility with Browser Extensions: Standard browser modes allow for the use of extensions, which can be an important part of creating a realistic and diverse browser profile. The presence and behavior of certain extensions can contribute to the overall appearance of a legitimate user session.

Technique #4: Crafting and Employing Custom Dummy Browser Extensions

Overview
The core idea of this novel technique is to manipulate the browser's fingerprint by introducing unique, dynamically generated extensions. This approach exploits the fact that Cloudflare's fingerprinting algorithm appears to consider installed browser extensions when generating a browser fingerprint.

By creating a dummy extension with a randomly generated name and description for each session, this technique aims to present a unique browser profile to Cloudflare's detection systems, making each automated session appear as a distinct, legitimate user.

Why It's Effective

• Unique Fingerprint Generation: Each randomly generated extension creates a unique aspect of the browser's fingerprint, making it more challenging for Cloudflare to correlate multiple requests coming from the same automated source.
• Mimicking Diverse User Behavior: Real users often have various extensions installed. By generating random extensions, this technique simulates the diversity seen in genuine user browsers.
• Evasion of Pattern Recognition: The randomness in extension names and descriptions helps avoid any pattern that Cloudflare might use to identify automated or repetitive browsing behavior.
• Exploitation of Fingerprinting Limitations: This technique takes advantage of the fact that fingerprinting algorithms often treat the presence and details of extensions as a signal of browser uniqueness.
• Dynamic Session Characteristics: By changing the extension for each session, it creates a dynamic browsing environment that appears to be a new, unique user each time, even if other factors remain constant.
• Minimal Performance Impact: These dummy extensions have no actual functionality, ensuring that they don't interfere with the browsing process or add unnecessary overhead.
• Customizable Complexity: The technique allows for adjusting the complexity of the generated extensions, potentially creating more sophisticated dummy extensions if needed to bypass more advanced detection methods.

Implementation Code

import os import json import random import names def generate_random_extension(): try: # Define the extension directory extension_dir \= "resources/dummy_extension" # Create the directory if it doesn't exist if not os.path.exists(extension_dir): os.makedirs(extension_dir) # Generate random name for the extension extension_name \= " ".join([names.get_first_name(), names.get_first_name(), names.get_last_name()]) # Generate random description with 5-10 names description \= " ".join([names.get_full_name() for _ in range(random.randint(5, 10))]) # Create manifest.json content manifest_content \= { "manifest_version": 3, "name": extension_name, "version": "1.0", "description": description, "background": { "service_worker": "background.js" }, "permissions": [] } # Write manifest.json manifest_path \= os.path.join(extension_dir, "manifest.json") with open(manifest_path, 'w') as manifest_file: json.dump(manifest_content, manifest_file, indent=4) # Create an empty background.js file background_js_path \= os.path.join(extension_dir, "background.js") with open(background_js_path, 'w') as background_js_file: background_js_file.write("// Empty background script\n") return True except Exception as e: print(f"Error: {e}") return False

Code Breakdown

• Import Statements: The code uses standard Python libraries (os, json, random) and a third-party library (names) for generating random names.
• Function Definition: generate_random_extension() is the main function that creates the dummy extension.
• Extension Directory Setup: Defines a directory path for the extension and creates it if it doesn't exist.
• Random Name Generation: Uses the names library to generate a random three-part name for the extension.
• Random Description Generation: Creates a description by combining 5-10 random full names.
• Manifest Creation: Constructs a dictionary representing the manifest.json file required for browser extensions. It uses Manifest V3, the latest standard for browser extensions. It includes basic required fields: name, version, description. Additionally, it specifies an empty background script, giving the appearance of functionality without actual operations.
• File Writing: Writes the generated manifest content to a manifest.json file in the extension directory. It creates an empty background.js file, further simulating a real extension.
• Error Handling: Wraps the entire process in a try-except block to handle any potential errors during extension creation.
• Return Value: Returns True if the extension is successfully created, False otherwise.

Technique #5: Hit It With a Hammer

Overview
The "Hit It With a Hammer" technique is another novel approach to bypassing Cloudflare's "I'm Under Attack" Mode (IUAM) challenge, particularly when faced with the "I'm not a robot" button. This method exploits a vulnerability in how Cloudflare handles the challenge when certain elements are removed from the page. Instead of solving the challenge conventionally, this technique forcibly removes the challenge element, causing Cloudflare to repeatedly refresh the challenge until it eventually allows access as if the challenge was legitimately solved.

Why It's Effective

• Bypasses Interaction Requirement: Eliminates the need to interact with the "I'm not a robot" button, which is typically difficult for automated systems to click due to its placement in a closed shadow DOM.
• Exploits Challenge Refresh Mechanism: Forces Cloudflare's system to continuously refresh the challenge, seemingly confusing the protection mechanism.
• High Success Rate: Works 99% of the time within two cycles, making it a reliable bypass method.
• Adaptability: Includes a fallback mechanism (rotating proxies and extensions) for the very rare cases when the initial attempt fails.
• Simplicity in Execution: Relies on basic DOM manipulation, which is easier to implement than complex challenge-solving algorithms.
• Avoids Pattern Recognition: The forceful removal of elements is suspected to be harder for Cloudflare to detect as a pattern compared to consistent, predictable challenge-solving behavior.
• Scalability: Can be easily integrated into larger automated systems due to its programmatic nature.

Implementation Code

import asyncio from selenium_driverless import webdriver import json import random import re import time from time import sleep import base64 async def cloudflare_bypass(driver, current_url): try: print("Starting Cloudflare bypass...") initial_page_source \= await driver.page_source if "you have been blocked" in initial_page_source: print("Blacklisted by cloudflare. Try a different proxy.") return None if ("erify you are human" in initial_page_source) or ("erifying you are human" in initial_page_source): print("Cloudflare page detected.") attempts \= 0 while attempts \< 2: print("Attempting to remove Turnstile wrapper element...") remove_script \= """ var element \= document.getElementById('turnstile-wrapper'); if (element) { element.parentNode.removeChild(element); console.log('Turnstile wrapper element removed'); return true; } else { console.log('Turnstile wrapper element not found'); return false; } """ result \= await driver.execute_script(remove_script) if result: print("Turnstile wrapper element successfully removed.") else: print("Failed to remove the element. Trying a different way...") remove_script \= """ var elements \= document.getElementsByClassName('spacer'); if (elements.length > 0) { elements[0].parentNode.removeChild(elements[0]); console.log('Turnstile wrapper element removed'); return true; } else { console.log('Turnstile wrapper element not found'); return false; } """ result \= await driver.execute_script(remove_script) if result: print("Turnstile wrapper element successfully removed.") else: print("Failed to remove Turnstile wrapper element. Element might not exist or have a different ID.") # Wait a bit for any potential page updates await asyncio.sleep(8) # Check if the challenge is completed new_page_source \= await driver.page_source if "erify you are human" not in new_page_source and "erifying you are human" not in new_page_source: print("Cloudflare challenge appears to be bypassed successfully.") return driver else: print("Cloudflare challenge may still be active. Trying again") attempts += 1 print("Cloud not bypass. Returning driver as None.") return None else: print("No Cloudflare page detected. Moving on.") return driver except Exception as e: print(f"Error bypassing Cloudflare: {e}") return driver

Code Breakdown

• Initial Check: The function first checks if the page source contains indicators of being blocked or facing a Cloudflare challenge.
• Challenge Detection: Looks for phrases like "verify you are human" or "verifying you are human" to identify the Cloudflare challenge page, but without the starting “v” character, to remain case insensitive.
• Element Removal Attempt: The code attempts to remove the Turnstile wrapper element (Cloudflare's challenge container) using JavaScript. It first tries to find an element with the ID 'turnstile-wrapper'. If that fails, it attempts to remove an element with the class 'spacer'.
• Multiple Attempts: The removal process is attempted up to two times.
• Waiting Period: After each removal attempt, the code waits for 8 seconds, specifically in the code await asyncio.sleep(8), to allow for any page updates or refreshes.
• Success Check: After waiting, it checks if the challenge phrases are no longer present in the page source. If the phrases are gone, it considers the bypass successful and returns the driver.
• Fallback and Reporting: If the bypass fails after two attempts, it returns None, indicating failure. Various print statements throughout the function provide debugging information about the process.
• Error Handling: The entire process is wrapped in a try-except block to catch and report any unexpected errors.

Technique #6: Using a Random URL as a Referrer

Overview
This technique involves manipulating the HTTP referrer header to make the traffic appear more legitimate to Cloudflare's "I'm Under Attack" Mode (IUAM) protection. The method works by first navigating to a neutral site (like http://example.com), then using injected JavaScript to redirect to the target site while setting a random URL as the referrer. This approach aims to mimic the behavior of a user naturally navigating from one site to another, rather than directly accessing the protected site.

Why It's Effective

• Mimics Natural Browsing Behavior: By simulating a user coming from another site, it appears more like natural web browsing behavior rather than a direct bot attack.
• Diversifies Traffic Patterns: Random referrers make it harder for Cloudflare to identify patterns typically associated with automated access.
• Bypasses Direct Access Flags: Some protection systems flag direct access to protected pages as suspicious. A referrer suggests the user found the link elsewhere.
• Complicates Traffic Analysis: Varied referrers make it more challenging for security systems to correlate multiple requests as coming from the same source.
• Emulates Search Engine Traffic: Random referrers can make the traffic appear similar to users coming from search engine results, which is typically considered legitimate.
• Adds Realism to Automated Requests: In combination with other techniques, this adds another layer of 'realism' to the automated requests, making them harder to distinguish from genuine user traffic.

Implementation Code

from selenium_driverless import webdriver import asyncio import os from time import sleep async def access_site_via_bypass(url): # Get a random proxy this_proxy \= random_proxy() print("Using proxy:", this_proxy) options \= webdriver.ChromeOptions() options.add_argument('--proxy-server=%s' % this_proxy) generate_random_extension() options.add_argument(f"--load-extension={os.path.abspath('resources/dummy_extension')}") # Allow all third-party cookies options.add_argument("--disable-features=SameSiteByDefaultCookies") options.add_argument("--disable-features=CookiesWithoutSameSiteMustBeSecure") async with webdriver.Chrome(options=options) as driver: try: await driver.get("https://example.com", wait_load=True) page_source \= await driver.page_source sleep(3) if "Example" not in page_source: return "Try a different proxy" # Use JavaScript to change the referrer and navigate to the final URL script \= f""" Object.defineProperty(document, 'referrer', {{get: () \=> '{random_url()}'}}); window.location.href \= "{url}"; """ await driver.execute_script(script) await asyncio.sleep(6) # Handle Cloudflare challenge driver \= await cloudflare_bypass(driver, url) if driver is None: return "Try a different proxy" page_source \= await driver.page_source if "been blocked" in page_source: return "Try a different proxy" # Access the site directly from here except Exception as e: print(f"An error occurred: {e}") return "An error occurred"

Code Breakdown

• Initial Navigation: The code await driver.get("https://example.com", wait_load=True) navigates to a neutral site (example.com) first. This step is crucial as it sets up a realistic browsing scenario.
• Verifying Successful Load: Checks if "Example" is in the page source to ensure the initial page loaded correctly. If not, it suggests trying a different proxy, which is part of the broader evasion strategy.
• Referrer Manipulation and Redirection: A JavaScript snippet is prepared to modify the document's referrer and redirect to the target URL. The Object.defineProperty(document, 'referrer', {{get: () \=> '{random_url()}'}}); line overwrites the default referrer property of the document with a getter that returns a random URL. The window.location.href \= "{url}"; line performs the actual redirection to the target URL.
• Executing the Script: The line await driver.execute_script(script) executes the prepared JavaScript in the context of the current page.
• Handling Post-Redirect: The line await asyncio.sleep(6) waits for 6 seconds, allowing time for the redirection and any initial Cloudflare checks to occur, and the line driver \= await cloudflare_bypass(driver, url) uses the “Hit It With a Hammer” technique that was previously detailed in this report.
• Final Check: Verifies that the page hasn't been blocked by Cloudflare after the redirection and bypass attempt.

Conclusion

The six-part technique approach detailed in this report represents a sophisticated and alarmingly effective method for bypassing Cloudflare's "I'm Under Attack" Mode (IUAM) protection. By combining multiple strategies, this approach creates a synergistic effect that renders Cloudflare's advanced security measures largely ineffective.

Synergy of Techniques

• Rotating Residential Proxies: Provides a constantly changing, geographically diverse set of IP addresses that appear as legitimate user traffic.
• Selenium-Driverless Library: Emulates real browser behavior, bypassing common automation detection methods.
• Avoiding Headless Mode: Presents a full browser environment, complete with all the characteristics Cloudflare checks for in identifying real users.
• Custom Dummy Browser Extensions: Alters the browser fingerprint dynamically, making each session appear unique.
• "Hit It With a Hammer": Provides a last-resort method to bypass challenges when other techniques fail to prevent detection.
• Random URL as Referrer: Simulates natural browsing patterns, making automated access appear as legitimate traffic from various sources.

When combined, these techniques create a formidable, very successful bypass method:

• The use of residential proxies with random referrers makes the traffic appear to come from diverse, legitimate sources.
• The Selenium-driverless library in non-headless mode presents a convincing browser environment that can handle complex JavaScript and render pages fully.
• Custom extensions further differentiate each session, while the "Hit It With a Hammer" technique provides a fallback for dealing with direct challenges.

This layered approach addresses multiple aspects of Cloudflare's detection mechanisms simultaneously, making it extremely difficult for the protection system to identify the traffic as automated.

Impact on Cloudflare's Protection Efficacy
The discovery and implementation of this bypass method have severe implications for the efficacy of Cloudflare's IUAM protection:

• Undermined Core Security Feature: IUAM is often the last line of defense against automated attacks. Its bypass fundamentally compromises Cloudflare's security offering.
• Scalable Threat: The method's high success rate (reported 99% effectiveness) and its ability to be automated at scale present a significant threat to websites relying on Cloudflare for protection.
• Broad Applicability: The techniques used are not specific to any particular website, potentially affecting a wide range of Cloudflare-protected sites.
• Challenge to Bot Detection Paradigms: This bypass demonstrates the limitations of current bot detection methods, calling for a reevaluation of anti-automation strategies.
• Potential for Abuse: In the wrong hands, this method could be used for large-scale scraping, DDoS attacks, or other malicious activities that Cloudflare is designed to prevent.
• Erosion of Trust: The existence of such a reliable bypass could erode trust in Cloudflare's services, potentially impacting their market position and the security posture of their clients.