<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	 xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" >

<channel>
	<title>Kaushal Bhavsar</title>
	<atom:link href="https://kaushalbhavsar.com/updates/feed/" rel="self" type="application/rss+xml" />
	<link>https://kaushalbhavsar.com</link>
	<description>Diary of a Tech Geek</description>
	<lastBuildDate>Tue, 04 Jul 2023 07:04:33 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.7.2</generator>
	<itunes:subtitle>Kaushal Bhavsar</itunes:subtitle>
	<itunes:summary>Diary of a Tech Geek</itunes:summary>
	<itunes:explicit>clean</itunes:explicit>
	<item>
		<title>Preventing Direct IP Access in CloudFlare</title>
		<link>https://kaushalbhavsar.com/updates/preventing-direct-ip-access-in-cloudflare/</link>
					<comments>https://kaushalbhavsar.com/updates/preventing-direct-ip-access-in-cloudflare/#respond</comments>
		
		<dc:creator><![CDATA[Kaushal Bhavsar]]></dc:creator>
		<pubDate>Tue, 04 Jul 2023 07:04:28 +0000</pubDate>
				<category><![CDATA[Updates]]></category>
		<guid isPermaLink="false">https://kaushalbhavsar.com/?p=2906</guid>

					<description><![CDATA[Recently, I was going through my LinkedIn feed and I found a post by Jake M. In the post, the author suggests a way to bypass Cloudflare&#8217;s protection and directly access the origin server. They propose using the &#8216;Forgot Password&#8217; feature of a web app to find the server&#8217;s IP address. If that fails, they [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p>Recently, I was going through my LinkedIn feed and I found <a href="https://www.linkedin.com/feed/update/urn:li:activity:7080187072707207170/" target="_blank" rel="noopener">a post by Jake M</a>. </p>



<p>In the post, the author suggests a way to bypass Cloudflare&#8217;s protection and directly access the origin server. They propose using the &#8216;Forgot Password&#8217; feature of a web app to find the server&#8217;s IP address. If that fails, they recommend sending an email to a non-existent address to receive a bounce notification carrying the server&#8217;s IP. Either way, the origin server&#8217;s IP is exposed, and Cloudflare&#8217;s security measures can be bypassed unless additional restrictions are in place. </p>



<p>Here&#8217;s how both scenarios can be visualized:</p>



<figure class="wp-block-image aligncenter size-full"><img fetchpriority="high" decoding="async" width="352" height="359" src="https://kaushalbhavsar.com/wp-content/uploads/2023/07/image.png" alt="" class="wp-image-2907" srcset="https://kaushalbhavsar.com/wp-content/uploads/2023/07/image.png 352w, https://kaushalbhavsar.com/wp-content/uploads/2023/07/image-294x300.png 294w" sizes="(max-width: 352px) 100vw, 352px" /><figcaption class="wp-element-caption">Scenario 1 &#8211; Using &#8216;Forgot Password&#8217; to expose Origin Server IP</figcaption></figure>



<figure class="wp-block-image aligncenter size-full"><img decoding="async" width="622" height="153" src="https://kaushalbhavsar.com/wp-content/uploads/2023/07/image-1.png" alt="" class="wp-image-2908" srcset="https://kaushalbhavsar.com/wp-content/uploads/2023/07/image-1.png 622w, https://kaushalbhavsar.com/wp-content/uploads/2023/07/image-1-300x74.png 300w" sizes="(max-width: 622px) 100vw, 622px" /><figcaption class="wp-element-caption">Scenario 2 &#8211; Using &#8216;Bounce Email&#8217; to expose Origin Server IP</figcaption></figure>



<p>The author&#8217;s post highlights a configuration weakness that is easy to overlook: if the origin server&#8217;s IP is exposed, there is no point in having Cloudflare, because requests can simply go to the origin directly. The same issue applies to any cloud firewall or CDN that works in proxy mode. </p>






<h2 class="wp-block-heading">Suggested Workaround</h2>



<p>As suggested in the comments, the most popular workaround is to use a third-party email server. That way, even when the mail server&#8217;s IP address is exposed, the origin server&#8217;s IP stays hidden behind the proxy. </p>



<p>However, what if someone wants to run the mail server on the same host as the web application? Is there no way out? </p>



<h2 class="wp-block-heading">Actual Workaround &#8211; Bypass Prevention</h2>



<p>Let&#8217;s look at the situation from a different perspective. </p>



<p>Our origin server&#8217;s IP is exposed via a mail server. We may circumvent this particular issue by moving the mail server out of our hosting infrastructure. </p>



<p>But there may be more than one way to expose the origin server&#8217;s IP, and we may not have discovered all of them while attackers have. So it&#8217;s best to assume that the IP will be exposed anyway and work on a strategy that makes the exposure harmless. Let&#8217;s call this approach &#8216;Bypass Prevention&#8217;. </p>



<p>Bypass Prevention is very simple: we disable direct IP access to the web application hosted on the server. To do that, we restrict access to Cloudflare&#8217;s IP ranges, so only requests that have passed through Cloudflare&#8217;s proxy reach the application. </p>



<p>For that, we need the current list of Cloudflare IP ranges. <a href="https://www.cloudflare.com/en-in/ips/" target="_blank" rel="noopener">Visit the Cloudflare IP Lists page</a> or use their API to obtain the latest list. </p>



<p>Once we have the list, we can implement Bypass Prevention in the site&#8217;s .htaccess file. </p>



<p>To configure IP restrictions in the .htaccess file, follow these steps:</p>



<ol class="wp-block-list">
<li>Create or edit your .htaccess file in the root directory of your website.</li>



<li>Add the following lines to the file:</li>
</ol>



<pre class="wp-block-code"><code># Block direct access to all files except from Cloudflare IPs
# Order/Deny/Allow are Apache 2.2 directives; on Apache 2.4 they need mod_access_compat
&lt;Files *>
    Order Deny,Allow
    Deny from all
    # Whitelist Cloudflare IP ranges (the two below are examples only)
    Allow from 103.21.244.0/22
    Allow from 103.22.200.0/22
    # Add the remaining Cloudflare IPv4 and IPv6 ranges here
&lt;/Files>
</code></pre>



<ol class="wp-block-list" start="3">
<li>Replace the example IP ranges (<code>103.21.244.0/22</code> and <code>103.22.200.0/22</code>) with the full set of Cloudflare IP ranges you obtained from the sources mentioned earlier.</li>



<li>Save the .htaccess file.</li>
</ol>



<p>These rules deny access to every file on the site for requests from IP addresses outside the listed Cloudflare ranges; only requests that arrive through Cloudflare&#8217;s proxy are allowed. Because Cloudflare updates its published ranges from time to time, the allow list has to be refreshed from the same source whenever that list changes, otherwise legitimate traffic from a new Cloudflare range will be denied along with direct access.</p>



]]></content:encoded>
					
					<wfw:commentRss>https://kaushalbhavsar.com/updates/preventing-direct-ip-access-in-cloudflare/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>23/06/2023 &#8211; BUGSKAN Chronicles Part 1</title>
		<link>https://kaushalbhavsar.com/updates/23-06-2023-bugskan-chronicles-part-1/</link>
					<comments>https://kaushalbhavsar.com/updates/23-06-2023-bugskan-chronicles-part-1/#respond</comments>
		
		<dc:creator><![CDATA[Kaushal Bhavsar]]></dc:creator>
		<pubDate>Fri, 23 Jun 2023 05:14:36 +0000</pubDate>
				<category><![CDATA[Updates]]></category>
		<guid isPermaLink="false">https://kaushalbhavsar.com/?p=2894</guid>

					<description><![CDATA[Starting a startup is every geek&#8217;s dream. Admit it, we all want a &#8220;company&#8221; of our own. It&#8217;s like a brand we build for ourselves, just like every fashion designer dreams of their private label or every waiter dreams of his own restaurant. Dreaming isn&#8217;t bad &#8211; unless we have a dream, there&#8217;s no worth [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p>Starting a startup is every geek&#8217;s dream. Admit it, we all want a &#8220;company&#8221; of our own. It&#8217;s like a brand we build for ourselves, just like every fashion designer dreams of their private label or every waiter dreams of his own restaurant. </p>



<p>Dreaming isn&#8217;t bad &#8211; unless we have a dream, life isn&#8217;t worth living. But dreams have to be backed up with execution, and when we go to execute, we find out how naive that dream is. </p>



<h2 class="wp-block-heading">The decision to shift to cybersecurity</h2>



<p>Before BUGSKAN I was running a software development company with a small team of 5. However, I was always interested in security. In fact, I started my career by &#8220;cleaning&#8221; viruses from computers while I was still at college. I also used to manage servers on AWS and Azure for our customers, and I knew security was going to be the big thing in the next decade or so. Later, I moved to software development. </p>



<p>Running a software company was difficult then (and it is even more difficult at this moment, but more on this later), and honestly, I was getting bored. I wanted a new career. So, I created a poll titled &#8220;What do you think I am good at?&#8221; and messaged the link to about 20 people who knew me for the last 5-10 years. The most popular options were &#8220;Security&#8221; and &#8220;Teaching&#8221;. Since my financial calculation for running a training center did not turn out so well, I decided to go with Security &#8211; it was my passion and I was also pursuing my PhD in this area. </p>






<h2 class="wp-block-heading">I had previous experience</h2>



<p>In 2015, when I was going through this process, I was actually working at a Deep-Tech startup as a CTO and the pay was good. But the CEO/Founder was a brute. He was a bachelor and used to eat-sleep-whatever in the office. I was &#8220;just married&#8221; and I needed family time. Plus, we had creative differences. At one point, in an investor meeting, the investor asked when they would see ROI or even any revenue. We were building something related to storage performance optimization and the code was supposed to be done in native C/C++, but I had no clue how to get it working (in fact it still isn&#8217;t working), so I suggested that while we figure out our main product, we could start selling &#8220;optimized VPS&#8221; and get revenues coming. <br>The investor was okay with it but the CEO was not. And that created a gap between him and me. I rarely received any credit for the suggestions I made, even if they were actually implemented. One day the CEO asked me for a 1-1 and said I was too slow for the company. At that point, I knew I had to quit. </p>



<p>During this short stint, I learned about product planning, management, investor relations, and many other concepts which I may have never learned in my software development consultancy. </p>



<h2 class="wp-block-heading">The return to consulting</h2>



<p>Just when I had left the previous company, one of my friends, who was now the CTO of a US-based product company, had a security incident. I reached out to him and offered him some help, and did a basic security audit for free. The next thing I remember is signing an NDA and a contract with the company for a security audit. I was ready to roll! I loved talking to their developers since I was one of them, and my knowledge of security made me a great combo. At that time, I was also watching Mr. Robot. The company in Mr. Robot was &#8220;All Safe Systems&#8221; and I was really inspired by the operations of the company.</p>



<p>I took that as an inspiration and, borrowing branding concepts from my customer, I registered &#8220;bugskan.com&#8221;. </p>



<p>Soon, I started taking &#8220;Dev Sec&#8221; sessions (DevSecOps was still not a thing yet) and enjoyed the attention I received. But there was a problem &#8211; the US office of my first client stopped renewing my contract. I got to know that &#8220;periodic audits are expensive&#8221;. The fact was, they were rapidly growing and the list of endpoints was growing, so they needed a &#8220;fixed-price annual contract&#8221;. </p>



<p>I looked at the problem &#8211; the entire security audit industry worked in &#8220;man-hour&#8221; pricing which was retrospectively priced to suit the customer budget. This made security audits for small companies unaffordable. </p>



<p>I decided to put an end to this &#8211; a Security-as-a-service platform with fixed monthly cost per application. That&#8217;s what BUGSKAN was going to be!</p>



<h2 class="wp-block-heading">The launch</h2>



<p>We created the first version and launched it online. Our platform allowed website owners to scan their web applications for security vulnerabilities. The basic free report checked for OWASP Top 10 vulnerabilities and a deep scan required paid service. At that time, I was competing with Tinfoil Security, Detectify, and so on.</p>



<div class="wp-block-uagb-image uagb-block-d767dbcf wp-block-uagb-image--layout-default wp-block-uagb-image--effect-static wp-block-uagb-image--align-none"><figure class="wp-block-uagb-image__figure"><img loading="lazy" decoding="async" srcset="https://kaushalbhavsar.com/wp-content/uploads/2023/06/748_10153981229051894_5284482055903158815_n.jpg " sizes="auto, (max-width: 480px) 150px" src="https://kaushalbhavsar.com/wp-content/uploads/2023/06/748_10153981229051894_5284482055903158815_n.jpg" alt="" class="uag-image-2899" width="960" height="718" title="" loading="lazy"/></figure></div>



<p>The project was selected as a case study for using open-source technologies on Azure and I was invited to showcase the same at Microsoft Openness Days, Hyderabad. I got feedback from senior tech architects and developers who were also facing similar problems in their daily routines. I was excited &#8211; finally, I had the product market fit, I thought. </p>



<div class="wp-block-uagb-image uagb-block-5d8db70f wp-block-uagb-image--layout-default wp-block-uagb-image--effect-static wp-block-uagb-image--align-none"><figure class="wp-block-uagb-image__figure"><img loading="lazy" decoding="async" srcset="https://kaushalbhavsar.com/wp-content/uploads/2022/12/10399568_10153980841801894_1659058591376713968_n.jpeg " sizes="auto, (max-width: 480px) 150px" src="https://kaushalbhavsar.com/wp-content/uploads/2022/12/10399568_10153980841801894_1659058591376713968_n.jpeg" alt="" class="uag-image-2523" width="960" height="718" title="" loading="lazy"/><figcaption class="uagb-image-caption">Me with new friends at Hyderabad</figcaption></figure></div>



<p>At one point, we had about 30 daily free scans. Despite that, we were not seeing any takers for the paid product, and the company was surviving on my consulting revenue only. </p>



<h2 class="wp-block-heading">The Pivot</h2>



<p class="has-text-align-left">I was frantically looking for insights, and for a platform that does not have much user interaction, that meant I needed to reach out to my users personally instead of running an analytics script. One of the users was Mahendra Sharma, CTO of Matrubharti &#8211; India&#8217;s largest ebook platform. After training their development team I was sitting with Mahendra Sharma and he told me the golden words: </p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p>You send us a report but our developers will never fix each bug. I want something automatic that I can control </p>
</blockquote>



<p>This got my head spinning and I went to the whiteboard AGAIN. This was December 2016, almost a year after I started BUGSKAN. If we are doing something and not getting results, we are doing something wrong, I thought. I remembered my research on ModSecurity in 2011 while I was teaching &#8211; ModSecurity has something called &#8220;Virtual Patching&#8221; that allows a quick fix for a vulnerability. <br>The VP is not a solution, it is just a bandage to stop infection while the wound is healing, but it happens at the click of a button, so this seemed a perfect addition to our arsenal. </p>



<p>So we registered the bugshield.io domain and started working on a WAF-as-a-service platform with vulnerability scanning and automatic virtual patching. This meant more time in research and development. This also meant less time for consulting. </p>



<p>In all, this pivot turned out to be really expensive&#8230; but how? I will share in the next part. Thanks for reading!</p>
]]></content:encoded>
					
					<wfw:commentRss>https://kaushalbhavsar.com/updates/23-06-2023-bugskan-chronicles-part-1/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>19/06/2013 &#8211; My Return to the Blogosphere</title>
		<link>https://kaushalbhavsar.com/updates/turning-a-new-page-my-return-to-the-blogosphere/</link>
					<comments>https://kaushalbhavsar.com/updates/turning-a-new-page-my-return-to-the-blogosphere/#respond</comments>
		
		<dc:creator><![CDATA[Kaushal Bhavsar]]></dc:creator>
		<pubDate>Mon, 19 Jun 2023 11:21:51 +0000</pubDate>
				<category><![CDATA[Updates]]></category>
		<guid isPermaLink="false">https://kaushalbhavsar.com/?p=2884</guid>

					<description><![CDATA[Hi, reader&#8230; You may be knowing from the past or maybe you just landed here from a search engine. Either way, I feel excited to share my journey with you. My name is Kaushal Bhavsar &#8211; I am a Ph.D. in Computer Science with a specialization in security. Like most geeks, I am passionate about [&#8230;]]]></description>
										<content:encoded><![CDATA[
<p>Hi, reader&#8230;</p>



<p>You may know me from the past, or maybe you just landed here from a search engine. Either way, I feel excited to share my journey with you. </p>



<p>My name is Kaushal Bhavsar &#8211; I am a Ph.D. in Computer Science with a specialization in security. Like most geeks, I am passionate about new technology and like sharing what I learn. </p>



<p>A decade ago, blogging was my passion. I used to blog about anything and everything I experienced in life. But I forgot blogging &#8211; why? </p>






<h3 class="wp-block-heading">Fast forward &gt;&gt; Present day </h3>



<p>While I am thinking about why my blog looks empty, I am reminded of the key events of the past ten years that got me into this situation:</p>



<ol class="wp-block-list">
<li><strong>I got married</strong> &#8211; Now before you frown upon me like, &#8220;How dare you use your life partner as an excuse for something you were too lazy to do!&#8221;, let me tell you &#8211; my partner gives me sufficient time to use the computer. She knows that it&#8217;s my &#8220;second wife&#8221; and she has well accepted the fact that sometimes, tech can get too much on my head and I forget everything else around me. The problem is me &#8211; I became introverted and secretive. I probably didn&#8217;t want to share too much of my life, and my content creation dwindled from that point. I guess this was a behavioural change as I began a new phase in life. Even today, I would not want to share &#8220;everything&#8221; that happens around me, but at least I can share a good part of what is helpful to my readers!</li>



<li><strong>We got a child</strong> &#8211; So this is where I was busy most of the time. We (obviously, me and my wife) were done changing his diapers a long time ago, but still, the child was our focus, and in fact we even lost focus on ourselves (and that&#8217;s how we realized that we look horrible now &#8211; but that&#8217;s for another post). Our every day was centered around the child &#8211; partly because it was exciting to recollect how we might have grown up some 25-30 years ago. </li>



<li><strong>I was working on a startup</strong> &#8211; It was called BUGSKAN (more about what went wrong with it, later). We made tools and tech to automate security operations for developers. This was while we were raising a 2-year-old child. So practically, I had two children &#8211; one was genetic and another was ideological. And then, at one point I had a team of 10 people including interns while I was running a one-man show both at home and work. Believe me, it is much tougher than it sounds. </li>



<li><strong>My mother expired</strong> &#8211; This was a year before COVID-19 started. I was off for a client meeting and she just collapsed while reaching a hospital. This was just a day after I fired my entire team, so it was extremely difficult to handle two major setbacks in life. I was really shocked (all of us were) and we took about two years to come to terms with it.</li>



<li><strong>We were infected by COVID-19</strong> &#8211; For those of you who have been infected, you know what this feels like. Living for 14 days in the same house and being unable to talk to our child (we used to do video calls to the &#8220;ground floor&#8221;) gave me a faint picture of what an unhealthy life would look like. The experience was life-changing, on a negative note. </li>



<li><strong>I finally finished my Ph.D. Thesis</strong> &#8211; Well, this deserves a separate blog post altogether so I am not going to write anything here. But I realized there&#8217;s something called &#8220;Post Ph.D. Depression&#8221; which you don&#8217;t know until you get out of it.</li>
</ol>



<h2 class="wp-block-heading">What now? </h2>



<p>Well, now that I have given an update on what I have been up to for the last few years, I am going to restart blogging. In my journey till now, I have developed my interest in the wide spectrum of machine learning and the use of AI in cybersecurity, along with scientific research. I will be blogging on cybersecurity, startups, machine learning, and wellness based on what I have learned so far.</p>



<p>Until the next post, this is Kaushal Bhavsar signing off 🙂</p>
]]></content:encoded>
					
					<wfw:commentRss>https://kaushalbhavsar.com/updates/turning-a-new-page-my-return-to-the-blogosphere/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
