From 9c396f3e499487cf56ddec4de52de23c5e4f9e86 Mon Sep 17 00:00:00 2001 
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Mon, 23 Sep 2024 18:09:46 +0100 Subject: [PATCH] [WAF] Detections section (#17027) --------- Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> --- public/_redirects | 10 +- src/content/changelogs/waf-general.yaml | 4 +- .../architectures/security.mdx | 173 +++++++++--------- .../managed-transforms/configure.mdx | 5 + .../transform/managed-transforms/index.mdx | 13 +- .../managed-transforms/reference.mdx | 19 ++ .../rules-language/fields/dynamic-fields.mdx | 62 ++++++- .../content-types/concept.mdx | 5 +- .../docs/waf/analytics/security-analytics.mdx | 6 +- .../waf/{about/index.mdx => concepts.mdx} | 27 +-- src/content/docs/waf/custom-rules/index.mdx | 15 +- .../attack-score.mdx} | 12 +- src/content/docs/waf/detections/index.mdx | 41 +++++ .../leaked-credentials/api-calls.mdx | 123 +++++++++++++ .../leaked-credentials/examples.mdx | 59 ++++++ .../leaked-credentials/get-started.mdx | 171 +++++++++++++++++ .../detections/leaked-credentials/index.mdx | 97 ++++++++++ src/content/docs/waf/detections/link-bots.mdx | 7 + .../malicious-uploads}/api-calls.mdx | 0 .../malicious-uploads}/example-rules.mdx | 23 ++- .../malicious-uploads}/get-started.mdx | 6 +- .../malicious-uploads}/index.mdx | 15 +- src/content/docs/waf/get-started.mdx | 10 +- src/content/docs/waf/index.mdx | 4 +- .../configure-api.mdx | 5 +- .../how-checks-work.mdx | 13 +- .../check-for-exposed-credentials/index.mdx | 43 ++--- .../monitor-events.mdx | 10 +- .../test-configuration.mdx | 5 +- .../reference/exposed-credentials-check.mdx | 10 +- src/content/glossary/waf.yaml | 4 +- .../fundamentals/cloudflare-security.mdx | 3 +- .../product-limitations.mdx | 95 +++++----- ...leaked-credentials-recommend-detection.mdx | 7 + .../partials/waf/waf-managed-rules-intro.mdx | 9 +- src/content/plans/index.json | 58 +++++- src/content/products/exposed-credentials.yaml | 8 - src/content/products/leaked-credentials.yaml 
| 8 + 38 files changed, 903 insertions(+), 282 deletions(-) rename src/content/docs/waf/{about/index.mdx => concepts.mdx} (53%) rename src/content/docs/waf/{about/waf-attack-score.mdx => detections/attack-score.mdx} (83%) create mode 100644 src/content/docs/waf/detections/index.mdx create mode 100644 src/content/docs/waf/detections/leaked-credentials/api-calls.mdx create mode 100644 src/content/docs/waf/detections/leaked-credentials/examples.mdx create mode 100644 src/content/docs/waf/detections/leaked-credentials/get-started.mdx create mode 100644 src/content/docs/waf/detections/leaked-credentials/index.mdx create mode 100644 src/content/docs/waf/detections/link-bots.mdx rename src/content/docs/waf/{about/content-scanning => detections/malicious-uploads}/api-calls.mdx (100%) rename src/content/docs/waf/{about/content-scanning => detections/malicious-uploads}/example-rules.mdx (77%) rename src/content/docs/waf/{about/content-scanning => detections/malicious-uploads}/get-started.mdx (93%) rename src/content/docs/waf/{about/content-scanning => detections/malicious-uploads}/index.mdx (92%) create mode 100644 src/content/partials/waf/leaked-credentials-recommend-detection.mdx delete mode 100644 src/content/products/exposed-credentials.yaml create mode 100644 src/content/products/leaked-credentials.yaml
diff --git a/public/_redirects b/public/_redirects
index 70589baf477297..e5247341cf5cea 100644
--- a/public/_redirects
+++ b/public/_redirects
@@ -1180,8 +1180,14 @@ /turnstile/concepts/widget-types/ /turnstile/concepts/widget/ 301
# waf
-/waf/about/file-scanning/ /waf/about/content-scanning/ 301
-/waf/about/waf-ml/ /waf/about/waf-attack-score/ 301
+/waf/about/ /waf/concepts/ 301
+/waf/about/content-scanning/ /waf/detections/malicious-uploads/ 301
+/waf/about/content-scanning/get-started/ /waf/detections/malicious-uploads/get-started/ 301
+/waf/about/content-scanning/example-rules/ /waf/detections/malicious-uploads/example-rules/ 301
+/waf/about/content-scanning/api-calls/ /waf/detections/malicious-uploads/api-calls/ 301
+/waf/about/file-scanning/ /waf/detections/malicious-uploads/ 301
+/waf/about/waf-attack-score/ /waf/detections/attack-score/ 301
+/waf/about/waf-ml/ /waf/detections/attack-score/ 301
/waf/alerts/ /waf/reference/alerts/ 301
/waf/custom-rules/custom-firewall/ /waf/custom-rules/ 301
/waf/custom-rules/custom-firewall/create-api/ /waf/custom-rules/create-api/ 301
diff --git a/src/content/changelogs/waf-general.yaml b/src/content/changelogs/waf-general.yaml
index f5d23b15b84818..d4bc9afba385e9 100644
--- a/src/content/changelogs/waf-general.yaml
+++ b/src/content/changelogs/waf-general.yaml
@@ -10,8 +10,8 @@ entries: - publish_date: "2024-08-29" title: Fixed occasional attack score mismatches description: |- - Fixed an issue causing score mismatches between the global [WAF attack score](/waf/about/waf-attack-score/) and subscores. In certain cases, subscores were higher (not an attack) than expected while the global attack score was lower than expected (attack), leading to false positives. + Fixed an issue causing score mismatches between the global [WAF attack score](/waf/detections/attack-score/) and subscores. In certain cases, subscores were higher (not an attack) than expected while the global attack score was lower than expected (attack), leading to false positives. - publish_date: "2024-05-23" title: Improved detection capabilities description: |- - [WAF attack score](/waf/about/waf-attack-score/) now automatically detects and decodes Base64 and JavaScript (Unicode escape sequences) in HTTP requests. This update is available for all customers with access to WAF attack score (Business customers with access to a single field and Enterprise customers). + [WAF attack score](/waf/detections/attack-score/) now automatically detects and decodes Base64 and JavaScript (Unicode escape sequences) in HTTP requests. This update is available for all customers with access to WAF attack score (Business customers with access to a single field and Enterprise customers).
diff --git a/src/content/docs/reference-architecture/architectures/security.mdx b/src/content/docs/reference-architecture/architectures/security.mdx
index c2d016513c7b44..a875521e1f89a4 100644
--- a/src/content/docs/reference-architecture/architectures/security.mdx
+++ b/src/content/docs/reference-architecture/architectures/security.mdx
@@ -13,10 +13,9 @@ description: This document provides insight into how this network and platform are architected from a security perspective, how they are operated, and what services are available for businesses to address their own security challenges. - ---
-import { Render } from "~/components"
+import { Render } from "~/components";
## Introduction
@@ -26,8 +25,8 @@ However, as Internet bandwidth increased and more people needed to do work outsi
Since 2010, Cloudflare has been building a unique, large-scale network on which we run a set of security services that allow organizations to build improved connectivity and better protect their public and private networks, applications, users, and data. This document provides insight into how this network and platform are architected from a security perspective, how they are operated, and what services are available for businesses to address their own security challenges. The document comprises two main sections:
-* How Cloudflare builds and operates its secure global network.
-* How to protect your business infrastructure and assets using Cloudflare services built on the network.
+- How Cloudflare builds and operates its secure global network.
+- How to protect your business infrastructure and assets using Cloudflare services built on the network.
### Who is this document for and what will you learn?
@@ -37,7 +36,7 @@ To build a stronger baseline understanding of Cloudflare, we recommend the follo
-* [How Cloudflare strengthens security everywhere you do business](https://cf-assets.www.cloudflare.com/slt3lc6tev37/is7XGR7xZ8CqW0l9EyHZR/1b4311823f602f72036385a66fb96e8c/Everywhere_Security-Cloudflare-strengthens-security-everywhere-you_do-business.pdf) (10 minutes)
+- [How Cloudflare strengthens security everywhere you do business](https://cf-assets.www.cloudflare.com/slt3lc6tev37/is7XGR7xZ8CqW0l9EyHZR/1b4311823f602f72036385a66fb96e8c/Everywhere_Security-Cloudflare-strengthens-security-everywhere-you_do-business.pdf) (10 minutes)
## Secure global network
@@ -63,14 +62,14 @@ Every level of the network conforms to strict hardened security controls. Proces Cloudflare designs and owns all the servers in our network. There are two main types. -* **Private core servers**: The control plane where all customer configuration, logging, and other data lives. -* **Public edge servers**: Where Internet and privately tunneled traffic terminates to the Cloudflare network, to be inspected and then routed to its destination. +- **Private core servers**: The control plane where all customer configuration, logging, and other data lives. +- **Public edge servers**: Where Internet and privately tunneled traffic terminates to the Cloudflare network, to be inspected and then routed to its destination. Server hardware is designed by Cloudflare and built by industry-respected manufacturers that complete a comprehensive supply chain and security review. Every server runs an identical software stack, allowing for consistent hardware design. The operating system on edge servers is also a single design and built from a highly modified Linux distribution, tailored for the scale and speed of our platform. Cloudflare is a significant contributor to the Linux kernel, and we regularly share information on how we secure our [servers and services](https://blog.cloudflare.com/the-linux-kernel-key-retention-service-and-why-you-should-use-it-in-your-next-application), helping the Linux community and the rest of the Internet benefit from our [engineering](https://blog.cloudflare.com/linux-kernel-hardening). #### Services -Every server runs all Cloudflare products and services that customers use to secure their networks and applications. Later in this document we provide an overview of these services, but for the moment it's important to provide insight into the development of the software. From the initial design of every product, the engineering team works hand in hand with security, compliance, and risk teams to review all aspects of the service. 
These teams can be viewed as part of the engineering and product teams, not an external group. They are essential to the development of everything we do at Cloudflare and we have some of the most respected professionals in the industry. Code is reviewed by security teams at every stage of development, and we implement many automated systems to analyze software looking for vulnerabilities. Threat modeling and penetration testing frameworks such as [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/), [STRIDE](https://en.wikipedia.org/wiki/STRIDE_\(security\)), and [DREAD](https://en.wikipedia.org/wiki/DREAD_\(risk_assessment_model\)) are used during design, development, and the release process. +Every server runs all Cloudflare products and services that customers use to secure their networks and applications. Later in this document we provide an overview of these services, but for the moment it's important to provide insight into the development of the software. From the initial design of every product, the engineering team works hand in hand with security, compliance, and risk teams to review all aspects of the service. These teams can be viewed as part of the engineering and product teams, not an external group. They are essential to the development of everything we do at Cloudflare and we have some of the most respected professionals in the industry. Code is reviewed by security teams at every stage of development, and we implement many automated systems to analyze software looking for vulnerabilities. Threat modeling and penetration testing frameworks such as [OWASP](https://owasp.org/www-project-web-security-testing-guide/latest/3-The_OWASP_Testing_Framework/), [STRIDE](), and [DREAD]() are used during design, development, and the release process. Many of our products run on our [serverless runtime](/workers/) environment, which leverages the very latest techniques in service isolation. 
We anticipated this secure runtime environment could be very valuable to our customers, so we productized it, allowing them to [build](/workers/reference/how-workers-works/) and [run](https://blog.cloudflare.com/cloud-computing-without-containers) their own applications on our network. More about that at the very end of this document. @@ -84,11 +83,11 @@ Not only must the design of the network be secure, but so should how we run and Customers send sensitive information to our products and services. The mission for the Cloudflare compliance team is to ensure the underlying infrastructure that supports these services meets [industry compliance standards](https://www.cloudflare.com/trust-hub/compliance-resources/) such as FedRAMP, SOC II, ISO, PCI certifications, C5, privacy, and regulatory frameworks. The compliance team works with all engineering organizations to help integrate these requirements as part of the way we work. From a compliance perspective, our areas of focus include: -* Privacy and security of customer data -* Maintaining compliance validations -* Helping customers with their own compliance -* Monitoring the changes to the regulatory landscape -* Providing feedback to regulatory bodies on upcoming changes +- Privacy and security of customer data +- Maintaining compliance validations +- Helping customers with their own compliance +- Monitoring the changes to the regulatory landscape +- Providing feedback to regulatory bodies on upcoming changes We also run a [bug bounty program](https://hackerone.com/cloudflare), giving incentives for the community to find and report vulnerabilities to us for financial reward. 
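Review bot: On the new side of the "Services" paragraph the STRIDE and DREAD references have empty link targets, `[STRIDE]()` and `[DREAD]()`, while the removed line pointed at `https://en.wikipedia.org/wiki/STRIDE_\(security\)` and `https://en.wikipedia.org/wiki/DREAD_\(risk_assessment_model\)`; the rest of the line is a pure reflow, so the two URLs appear to have been dropped by the formatting pass. If the formatter wrapped these parenthesised URLs in angle brackets and the rendering of this page stripped them, this is only a display artifact; otherwise the targets should be restored, for example as `[STRIDE](<https://en.wikipedia.org/wiki/STRIDE_(security)>)` and `[DREAD](<https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)>)`. The paragraph is a single line, so the fix is confined to this hunk.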
@@ -144,12 +143,12 @@ The reason the Cloudflare network exists is to provide services to customers to In general, what customers need to effectively combat and protect against the growing breadth and complexity of threats is a unified security solution that provides visibility, analytics, detection, and mitigation in an operationally consistent and efficient manner. Cloudflare addresses these needs in several ways: -* Operational consistency: Cloudflare has a single dashboard/UI for all administrative tasks. -* Operational simplicity: Cloudflare is well-known for minimizing operational complexity with well-designed user interfaces that minimize manual configurations and UI workflows. Additionally, cross-product integrations allow for automating configurations and policies. -* Continuous innovation: Cloudflare continues to innovate across its broad security portfolio with unique differentiating capabilities such as its CAPTCHA replacement product, Turnstile, and the industry-first API Sequence Mitigation capability. -* Workload location agnostic: Cloudflare was built first and foremost around performance and security services. As such, it was built from the ground up to be workload location agnostic with multi-cloud inherently being a top use case. Customers can deploy workloads in multiple clouds and/or on-prem and get the same operational consistency. -* Performance and scale: All Cloudflare services run on every server in every data center on the same global cloud, allowing for maximum performance in terms of global reachability and latency and ability to scale out, leveraging the full capacity of Cloudflare’s global infrastructure. -* API first: Cloudflare is API first. All configurations and capabilities available from the UI/dashboard are also available from the API. Cloudflare can easily be configured with Terraform to support automation for customer workflows/processes. 
+- Operational consistency: Cloudflare has a single dashboard/UI for all administrative tasks. +- Operational simplicity: Cloudflare is well-known for minimizing operational complexity with well-designed user interfaces that minimize manual configurations and UI workflows. Additionally, cross-product integrations allow for automating configurations and policies. +- Continuous innovation: Cloudflare continues to innovate across its broad security portfolio with unique differentiating capabilities such as its CAPTCHA replacement product, Turnstile, and the industry-first API Sequence Mitigation capability. +- Workload location agnostic: Cloudflare was built first and foremost around performance and security services. As such, it was built from the ground up to be workload location agnostic with multi-cloud inherently being a top use case. Customers can deploy workloads in multiple clouds and/or on-prem and get the same operational consistency. +- Performance and scale: All Cloudflare services run on every server in every data center on the same global cloud, allowing for maximum performance in terms of global reachability and latency and ability to scale out, leveraging the full capacity of Cloudflare’s global infrastructure. +- API first: Cloudflare is API first. All configurations and capabilities available from the UI/dashboard are also available from the API. Cloudflare can easily be configured with Terraform to support automation for customer workflows/processes. Cloudflare’s security services that protect networks, applications, devices, users, and data can be grouped into the following categories. 
@@ -161,8 +160,8 @@ Note this list is focused on security and doesn't include products such as our c There are two main types of resources our customers are trying to secure: -* **Public resources** are defined as any content, asset, or infrastructure that has an interface available and accessible to the general Internet, such as brand websites, ecommerce sites, and APIs. They can also be defined by the fact they are accessible by anonymous users or people who register themselves to gain access, such as social media websites, video streaming services, and banking services. -* **Private resources** are defined as content, assets, or infrastructure with the intended set of users constrained to a single company, organization, or set of customers. These services typically require accounts and credentials to gain access. Examples of such resources are the company HR system, source code repositories, and a point of sale (POS) system residing on a retail branch network. These resources are typically accessible only by employees, partners, and other trusted, known identities. +- **Public resources** are defined as any content, asset, or infrastructure that has an interface available and accessible to the general Internet, such as brand websites, ecommerce sites, and APIs. They can also be defined by the fact they are accessible by anonymous users or people who register themselves to gain access, such as social media websites, video streaming services, and banking services. +- **Private resources** are defined as content, assets, or infrastructure with the intended set of users constrained to a single company, organization, or set of customers. These services typically require accounts and credentials to gain access. Examples of such resources are the company HR system, source code repositories, and a point of sale (POS) system residing on a retail branch network. These resources are typically accessible only by employees, partners, and other trusted, known identities. 
Public and private resources can also include both infrastructure-level components like servers and consumed resources like websites and API endpoints. Communication over networks and the Internet happens in different stages and levels as shown in the open systems interconnection (OSI) model diagram below. 
@@ -170,12 +169,12 @@ Public and private resources can also include both infrastructure-level componen Cloudflare can protect at multiple layers of the OSI model, and in this document we are primarily concerned with protecting resources at layers 3, 4, and 7. -* Layer 3, referred to as the “network layer,” is responsible for facilitating data transfer between two different networks. The network layer breaks up segments from the transport layer into smaller units, called packets, on the sender’s device and reassembles these packets on the receiving device. The network layer is where routing takes place — finding the best physical path for the data to reach its destination. -* Layer 4, referred to as the “transport layer,” is responsible for end-to-end communication between the two devices. This includes taking data from the session layer and breaking it up into chunks called “segments” before sending it to layer 3. +- Layer 3, referred to as the “network layer,” is responsible for facilitating data transfer between two different networks. The network layer breaks up segments from the transport layer into smaller units, called packets, on the sender’s device and reassembles these packets on the receiving device. The network layer is where routing takes place — finding the best physical path for the data to reach its destination. +- Layer 4, referred to as the “transport layer,” is responsible for end-to-end communication between the two devices. This includes taking data from the session layer and breaking it up into chunks called “segments” before sending it to layer 3. Cloudflare security products that can be used for L3 and L4 security include Cloudflare’s network services offerings, including [Magic Transit](/magic-transit/), [Magic Firewall](/magic-firewall/), [Magic WAN](/magic-wan/), [Magic Network Monitoring](/magic-network-monitoring/), and [Spectrum](/spectrum/). 
-* Layer 7, referred to as the “application layer,” is the top layer of the data processing that occurs just below the surface or behind the scenes of the software applications that users interact with. HTTP and API requests/responses are layer 7 events. +- Layer 7, referred to as the “application layer,” is the top layer of the data processing that occurs just below the surface or behind the scenes of the software applications that users interact with. HTTP and API requests/responses are layer 7 events. Cloudflare has a suite of application security products that includes [Web Application Firewall](/waf/) (WAF), [Rate Limiting](/waf/rate-limiting-rules/), [L7 DDoS](/ddos-protection/managed-rulesets/http/), [API Gateway](/api-shield/api-gateway/), [Bot Management](/bots/), and [Page Shield](/page-shield/). 
@@ -195,12 +194,12 @@ The diagram below shows a typical request for a public asset going through the C The diagram highlights the following: -* The [world's fastest DNS service](https://www.dnsperf.com/) provides fast resolution of public hostnames -* Ensure data compliance by [choosing geographic locations](https://www.cloudflare.com/data-localization/) for the inspection and storage of data -* Spectrum extends Cloudflare security capabilities to all UDP/TCP applications -* Security services inspect a request in one pass -* Application performance services also act on the request in the same pass -* [Smart routing](/argo-smart-routing/) finds the lowest latency path between Cloudflare and the public destination +- The [world's fastest DNS service](https://www.dnsperf.com/) provides fast resolution of public hostnames +- Ensure data compliance by [choosing geographic locations](https://www.cloudflare.com/data-localization/) for the inspection and storage of data +- Spectrum extends Cloudflare security capabilities to all UDP/TCP applications +- Security services inspect a request in one pass +- Application performance services also act on the request in the same pass +- [Smart routing](/argo-smart-routing/) finds the lowest latency path between Cloudflare and the public destination #### Common attacks and protection 
@@ -222,14 +221,14 @@ A zero-day exploit (also called a zero-day threat) is an attack that takes advan Web Application Firewall (WAF) [Managed Rules](/waf/managed-rules/) allow you to deploy pre-configured managed rulesets that provide immediate protection against the following: -* Zero-day vulnerabilities -* Top 10 attack techniques -* Use of stolen/exposed credentials -* Extraction of sensitive data +- Zero-day vulnerabilities +- Top 10 attack techniques +- Use of stolen/exposed credentials +- Extraction of sensitive data WAF checks incoming web requests and filters undesired traffic based on sets of rules (rulesets) deployed at the edge. These managed rulesets are maintained and regularly updated by Cloudflare. From the extensive threat intelligence obtained from across our global network, Cloudflare is able to quickly detect and classify threats. As new attacks/threats are identified, Cloudflare will automatically push WAF rules to customers to ensure they are protected against the latest zero-day attacks. -Additionally, Cloudflare provides for [WAF Attack Score](/waf/about/waf-attack-score/), which complements Cloudflare managed rules by detecting attack variations. These variations are typically achieved by malicious actors via fuzzing techniques that are trying to identify ways to bypass existing security policies. WAF classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Rules can then be written which use these scores to determine what traffic is permitted to the application. +Additionally, Cloudflare provides for [WAF Attack Score](/waf/detections/attack-score/), which complements Cloudflare managed rules by detecting attack variations. These variations are typically achieved by malicious actors via fuzzing techniques that are trying to identify ways to bypass existing security policies. 
WAF classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Rules can then be written which use these scores to determine what traffic is permitted to the application. ![Machine learning maintains lists of managed rules to determine if the request should be let through the WAF or not.](~/assets/images/reference-architecture/security/security-ref-arch-6.svg) @@ -253,10 +252,10 @@ Page Shield uses threat-feed detections of malicious JavaScript domains and URLs Page Shield [Content Security policies](/page-shield/policies/) can be created and applied to add an additional level of security that helps detect and mitigate certain types of attacks, including: -* Content/code injection -* Cross-site scripting (XSS) -* Embedding malicious resources -* Malicious iframes (clickjacking) +- Content/code injection +- Cross-site scripting (XSS) +- Embedding malicious resources +- Malicious iframes (clickjacking) Products: [Page Shield](/page-shield/) @@ -332,7 +331,7 @@ Malware can refer to viruses, worms, trojans, ransomware, spyware, adware, and o When Uploaded Content Scanning is enabled, content scanning attempts to detect items such as uploaded files, and scans them for malicious signatures like malware. The scan results, along with additional metadata, are exposed as fields available in WAF custom rules, allowing customers to implement fine-grained mitigation rules. -Products: [WAF - Uploaded Content Scanning](/waf/about/content-scanning/) +Products: [WAF - Uploaded Content Scanning](/waf/detections/malicious-uploads/) #### Cloudflare application security products 
@@ -350,10 +349,10 @@ Using Cloudflare [WAF](/waf/), customers can deploy custom rules based on very g [WAF Managed Rules](/waf/managed-rules/) allow customers to deploy pre-configured managed rulesets that provide immediate protection against: -* Zero-day vulnerabilities -* Top 10 attack techniques -* Use of stolen/exposed credentials -* Extraction of sensitive data +- Zero-day vulnerabilities +- Top 10 attack techniques +- Use of stolen/exposed credentials +- Extraction of sensitive data ##### Rate limiting @@ -395,9 +394,9 @@ Additionally, Cloudflare can take the action of challenging clients if it suspec Depending on the characteristics of a request, Cloudflare will choose an appropriate type of challenge, which may include but is not limited to: -* A non-interactive challenge page (similar to the current JS Challenge). -* A custom interactive challenge (such as clicking a button). -* Private Access Tokens (using recent Apple operating systems). +- A non-interactive challenge page (similar to the current JS Challenge). +- A custom interactive challenge (such as clicking a button). +- Private Access Tokens (using recent Apple operating systems). With [Turnstile](/turnstile/), Cloudflare has completely moved away from CAPTCHA. Turnstile is Cloudflare’s smart CAPTCHA alternative. It can be embedded into any website without sending traffic through Cloudflare and works without showing visitors a CAPTCHA. Turnstile allows you to run challenges anywhere on your site in a less intrusive way and uses APIs to communicate with Cloudflare’s Managed Challenge platform. 
@@ -427,10 +426,10 @@ Customers can also enable [mutual Transport Layer Security (mTLS)](/ssl/client-c Key capabilities offered: -* Inventory and review IT infrastructure assets like domains, ASNs, and IPs. -* Manage an always up-to-date list of misconfigurations and risks in Cloudflare IT assets. -* Query threat data gathered from the Cloudflare network to investigate and respond to security risks. -* Gain full control over who sends email on your organization's behalf with DMARC Management. +- Inventory and review IT infrastructure assets like domains, ASNs, and IPs. +- Manage an always up-to-date list of misconfigurations and risks in Cloudflare IT assets. +- Query threat data gathered from the Cloudflare network to investigate and respond to security risks. +- Gain full control over who sends email on your organization's behalf with DMARC Management. ##### Cloudflare for SaaS 
@@ -470,9 +469,9 @@ Private resources typically contain highly sensitive, company confidential infor The following are typical attributes of private resources: -* Users have been pre-authorized and provisioned. They can't just sign up. They need to be given specific access to the resource either directly or via access control mechanisms such as certificates, group membership, or role assignment. -* Network access to a self-hosted resource is typically over-managed, private network routes and not accessible via the general Internet. -* Private resources that live in data centers (physical or virtual) and are connected to networks that are hosted and managed by the business, which are either on-premises or virtual private networks running in public cloud infrastructure. +- Users have been pre-authorized and provisioned. They can't just sign up. They need to be given specific access to the resource either directly or via access control mechanisms such as certificates, group membership, or role assignment. +- Network access to a self-hosted resource is typically over-managed, private network routes and not accessible via the general Internet. +- Private resources that live in data centers (physical or virtual) and are connected to networks that are hosted and managed by the business, which are either on-premises or virtual private networks running in public cloud infrastructure. As mentioned, traditional access to private resources required physical access to the network by being in the office connected via Ethernet. As remote access needs increased, companies installed on-premises VPN servers that allowed users and devices to "dial in" to these private networks. Many applications have left these private networks and instead migrated to SaaS applications or are hosted in public cloud infrastructure. This traditional approach has become unmanageable and costly, with a variety of technologies providing network connectivity and access control. 
@@ -484,12 +483,12 @@ As we describe the following Cloudflare services, you will learn how the Cloudfl Protecting internal resources can be broken down into the following areas. -* Securing connectivity between the user and the application/network. -* Identity systems providing authentication and maintaining user identities and group membership. -* Policies controlling user access to applications/data. -* Data protection controls to identify and protect sensitive and confidential data. -* Protecting users and devices from attacks (malware, phishing, etc.) that originate from access to the Internet. -* Operational visibility to IT and security teams. +- Securing connectivity between the user and the application/network. +- Identity systems providing authentication and maintaining user identities and group membership. +- Policies controlling user access to applications/data. +- Data protection controls to identify and protect sensitive and confidential data. +- Protecting users and devices from attacks (malware, phishing, etc.) that originate from access to the Internet. +- Operational visibility to IT and security teams. #### Securing connectivity to private resources 
@@ -546,17 +545,17 @@ This centralization of identity into a common access control layer allows you to The focus on this document is about security, and now that applications, devices, identities, and networks are all connected, every request to and from any resource on the network, and also to the Internet, is now subject to Cloudflare's access control and firewall services. There are two services that apply policy-based controls to traffic. -* **Zero Trust Network Access**: Our [Access](/cloudflare-one/policies/access/) product manages access to specific networks or applications that are deemed private. It enforces authentication either for users via an existing identity provider, or for other applications via service tokens or mTLS. -* **Secure Web Gateway**: Our [Gateway](/cloudflare-one/policies/gateway/) product is used to analyze traffic and apply policies, no matter the destination. It is most commonly used to allow, block, or isolate traffic that is destined for the Internet. This can be used to apply access controls to SaaS applications, but any traffic flowing through Cloudflare can be inspected and acted upon by Gateway. Therefore it can also be used to add additional access controls to non-Internet, private tunneled applications. +- **Zero Trust Network Access**: Our [Access](/cloudflare-one/policies/access/) product manages access to specific networks or applications that are deemed private. It enforces authentication either for users via an existing identity provider, or for other applications via service tokens or mTLS. +- **Secure Web Gateway**: Our [Gateway](/cloudflare-one/policies/gateway/) product is used to analyze traffic and apply policies, no matter the destination. It is most commonly used to allow, block, or isolate traffic that is destined for the Internet. This can be used to apply access controls to SaaS applications, but any traffic flowing through Cloudflare can be inspected and acted upon by Gateway. 
Therefore it can also be used to add additional access controls to non-Internet, private tunneled applications. ![Cloudflare's ZTNA and SWG services can be combined to secure both private and Internet access.](~/assets/images/reference-architecture/security/security-ref-arch-21.svg) Both of these technologies can be combined to ensure appropriate access to private applications. For users with our [device agent](/cloudflare-one/connections/connect-devices/warp/) installed, the policies can also include device-level requirements. When combined with identity data, policies such as the following can be written to control access to, for example, an internal database administration tool. -* User must have authenticated via the company IdP, and used MFA as part of the authentication -* User must be in the "Database Administrators" group in the IdP -* User device must have a Crowdstrike risk score above 70 -* User device must be on the very latest release of the operating system +- User must have authenticated via the company IdP, and used MFA as part of the authentication +- User must be in the "Database Administrators" group in the IdP +- User device must have a Crowdstrike risk score above 70 +- User device must be on the very latest release of the operating system It is possible to define access groups of users that can be applied across multiple policies. This allows IT and security administrators to create a single definition of what a secure administrator looks like, which is then reusable across many policies. 
@@ -590,31 +589,31 @@ In summary, the following diagram details how Cloudflare's SASE services can con ## Developer platform -Many of Cloudflare's security services are built on a highly optimized serverless compute platform based on [V8 Isolates](https://blog.cloudflare.com/cloud-computing-without-containers) which powers our developer platform. Like all our services, serverless compute workloads run on all servers in our global network. While our security services offer a wide range of features, customers always want the ultimate flexibility of writing their own custom solution. Customers therefore can use Cloudflare Workers and its accompanying services (R2, D1, KV, Queues) to interact with network traffic as it flows to and from their resources, as well as implementing complex security logic. +Many of Cloudflare's security services are built on a highly optimized serverless compute platform based on [V8 Isolates](https://blog.cloudflare.com/cloud-computing-without-containers) which powers our developer platform. Like all our services, serverless compute workloads run on all servers in our global network. While our security services offer a wide range of features, customers always want the ultimate flexibility of writing their own custom solution. Customers therefore can use Cloudflare Workers and its accompanying services (R2, D1, KV, Queues) to interact with network traffic as it flows to and from their resources, as well as implementing complex security logic. The following use cases show how our customers’ security teams have used our [developer platform](https://workers.cloudflare.com/): -* In our ZTNA service, Cloudflare Access, when a request is made to access a private resource, that request can include a call to a Cloudflare Worker, passing in everything known about the user. Custom business logic can then be implemented to determine access. For example: - * Only allow access during employee working hours. Check via API calls to employee systems. 
- * Allow access only if an incident has been declared in PagerDuty. -* Implement honeypots for bots: Because Workers can be attached to routes of any Cloudflare-protected resource, you can examine the bot score of a request and then redirect or modify the request if you suspect it's not legitimate traffic. For example, execute the request but modify the response to redact information or change values to protect data. -* Write complex web application firewall (WAF) type rules: As described above, our WAF is very powerful for protecting your public-facing applications. But with Workers, you can write incredibly complex rules based on information provided in the [IncomingRequestCfProperties](/workers/runtime-apis/request/#incomingrequestcfproperties), which expose metadata for every request. These properties contain extensive information and can be expressed as code for effective rule implementation. -* Enhance traffic with extra security information: Your downstream application may have other security products in front of it, or maybe provides other security if certain HTTP headers exist. Using Workers, you can enhance any requests to the application and add in headers to help the downstream application implement greater security controls. -* Write your own authentication service: Some customers have extreme requirements, and the power of Workers allows you, as we have with our own product suite, to write entire authentication stacks. One such customer [did just this](https://www.cloudflare.com/case-studies/epam/). While this isn't common, it's an example of the flexibility of using Cloudflare. You can mix complex code that you write with our own products to fine-tune exactly the right security outcome. +- In our ZTNA service, Cloudflare Access, when a request is made to access a private resource, that request can include a call to a Cloudflare Worker, passing in everything known about the user. Custom business logic can then be implemented to determine access. 
For example: + - Only allow access during employee working hours. Check via API calls to employee systems. + - Allow access only if an incident has been declared in PagerDuty. +- Implement honeypots for bots: Because Workers can be attached to routes of any Cloudflare-protected resource, you can examine the bot score of a request and then redirect or modify the request if you suspect it's not legitimate traffic. For example, execute the request but modify the response to redact information or change values to protect data. +- Write complex web application firewall (WAF) type rules: As described above, our WAF is very powerful for protecting your public-facing applications. But with Workers, you can write incredibly complex rules based on information provided in the [IncomingRequestCfProperties](/workers/runtime-apis/request/#incomingrequestcfproperties), which expose metadata for every request. These properties contain extensive information and can be expressed as code for effective rule implementation. +- Enhance traffic with extra security information: Your downstream application may have other security products in front of it, or maybe provides other security if certain HTTP headers exist. Using Workers, you can enhance any requests to the application and add in headers to help the downstream application implement greater security controls. +- Write your own authentication service: Some customers have extreme requirements, and the power of Workers allows you, as we have with our own product suite, to write entire authentication stacks. One such customer [did just this](https://www.cloudflare.com/case-studies/epam/). While this isn't common, it's an example of the flexibility of using Cloudflare. You can mix complex code that you write with our own products to fine-tune exactly the right security outcome. 
Using Workers for implementing some of your security controls has the following advantages: -* **Advanced logic and testability**: Enables the implementation of highly sophisticated logic that's easily testable through unit tests. -* **Accessibility to developers**: Security features are accessible to a broader audience due to native support in languages like JavaScript, TypeScript, Rust, and Python, catering to developers' familiarity. -* **Granularity and flexibility**: Offers unparalleled granularity, with support for regex, JSON parsing, and easy access to request/response headers and bodies enriched by Cloudflare. Policies can be designed based on any feature of the request/response. -* **Response modification**: While traditional security stacks often focus solely on requests, Workers empowers effortless modification of responses. For instance, verbose error messages can be obscured to enhance security. -* **Implement DevSecOps lifecycles**: Workers makes it very easy to adhere to DevSecOps best practices like version control, code audits, automated tests, gradual roll-outs, and rollback capabilities. +- **Advanced logic and testability**: Enables the implementation of highly sophisticated logic that's easily testable through unit tests. +- **Accessibility to developers**: Security features are accessible to a broader audience due to native support in languages like JavaScript, TypeScript, Rust, and Python, catering to developers' familiarity. +- **Granularity and flexibility**: Offers unparalleled granularity, with support for regex, JSON parsing, and easy access to request/response headers and bodies enriched by Cloudflare. Policies can be designed based on any feature of the request/response. +- **Response modification**: While traditional security stacks often focus solely on requests, Workers empowers effortless modification of responses. For instance, verbose error messages can be obscured to enhance security. 
+- **Implement DevSecOps lifecycles**: Workers makes it very easy to adhere to DevSecOps best practices like version control, code audits, automated tests, gradual roll-outs, and rollback capabilities. However, you should also consider the following: -* **Cost**: By adding Workers into the request process, you will incur extra costs. However, this might be acceptable for the scenarios where the significant security outcome is highly beneficial. -* **Latency**: While minimal, there will always be some impact on traffic latency because you are running your own logic on every request. -* **Requires developer skill set**: This is a bit obvious, but worth mentioning. Using Workers requires a development team to create, test, and maintain whatever code is implemented. +- **Cost**: By adding Workers into the request process, you will incur extra costs. However, this might be acceptable for the scenarios where the significant security outcome is highly beneficial. +- **Latency**: While minimal, there will always be some impact on traffic latency because you are running your own logic on every request. +- **Requires developer skill set**: This is a bit obvious, but worth mentioning. Using Workers requires a development team to create, test, and maintain whatever code is implemented. You can review some examples of how our Workers platform can be used for [security](/workers/examples/?tags=Security) or [authentication](/workers/examples/?tags=Authentication) use cases. 
@@ -624,10 +623,10 @@ You should now have a good understanding of the massive scale of the Cloudflare In summary, the benefits of using Cloudflare for your business’s security are: -* Protect all your business assets, public or private. -* Leverage a comprehensive range of security services on a single platform. -* Rely on a massively scaled network with high performance and reliability. -* Implement security controls once, in a single dashboard, and impact traffic from anywhere. -* Empower DevSecOps teams with full API and Terraform support. +- Protect all your business assets, public or private. +- Leverage a comprehensive range of security services on a single platform. +- Rely on a massively scaled network with high performance and reliability. +- Implement security controls once, in a single dashboard, and impact traffic from anywhere. +- Empower DevSecOps teams with full API and Terraform support. We have a very simple [self-service signup](https://dash.cloudflare.com/sign-up), where many of our services can be evaluated for free. If you wish to work with our expert team to evaluate Cloudflare, please [reach out](https://www.cloudflare.com/plans/enterprise/contact/). diff --git a/src/content/docs/rules/transform/managed-transforms/configure.mdx b/src/content/docs/rules/transform/managed-transforms/configure.mdx index c74d19cdf45dd6..56aae3beeae4b3 100644 --- a/src/content/docs/rules/transform/managed-transforms/configure.mdx +++ b/src/content/docs/rules/transform/managed-transforms/configure.mdx @@ -68,6 +68,11 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/managed_headers \ "enabled": false, "has_conflict": false, "conflicts_with": ["add_true_client_ip_headers"] + }, + { + "id": "add_waf_credential_check_status_header", + "enabled": false, + "has_conflict": false } ], "managed_response_headers": [ 
diff --git a/src/content/docs/rules/transform/managed-transforms/index.mdx b/src/content/docs/rules/transform/managed-transforms/index.mdx index b9586fc384877a..dc8b30777c5172 100644 --- a/src/content/docs/rules/transform/managed-transforms/index.mdx +++ b/src/content/docs/rules/transform/managed-transforms/index.mdx @@ -3,15 +3,15 @@ title: Managed Transforms pcx_content_type: concept sidebar: order: 4 - --- Managed Transforms allow you to perform common adjustments to HTTP request and response headers with the click of a button. The available adjustments include: -* Add bot protection request headers. -* Remove or add headers related to the visitor's IP address. -* Add security-related response headers. -* Remove "X-Powered-By" response headers. +- Add bot protection request headers. +- Remove or add headers related to the visitor's IP address. +- Add request header when the WAF detects leaked credentials. +- Add security-related response headers. +- Remove "X-Powered-By" response headers. For a complete list, refer to [Available Managed Transforms](/rules/transform/managed-transforms/reference/). @@ -20,8 +20,7 @@ When you enable a Managed Transform, Cloudflare internally deploys one or more T Enabled Managed Transforms will apply to all inbound requests for the zone. :::note - -The generated internal Transform Rules will not appear in the Transform Rules list in the Cloudflare dashboard. +The generated internal Transform Rules will not appear in the Transform Rules list in the Cloudflare dashboard. ::: ## Next steps diff --git a/src/content/docs/rules/transform/managed-transforms/reference.mdx b/src/content/docs/rules/transform/managed-transforms/reference.mdx index a7e2fb7c4508db..4d09d1503920cd 100644 --- a/src/content/docs/rules/transform/managed-transforms/reference.mdx +++ b/src/content/docs/rules/transform/managed-transforms/reference.mdx 
@@ -106,6 +106,25 @@ For example, consider an incoming request proxied by two CDNs (`CDN_1` and `CDN_ With **Remove visitor IP headers** enabled, the `x-forwarded-for` header sent to the origin server will be:
`x-forwarded-for: ` +### Add Leaked Credentials Checks Header + +Adds an `Exposed-Credential-Check` request header whenever the WAF detects leaked credentials in the incoming request. + +The header can have these values: + +| Header + Value | Description | Availability | +| ----------------------------- | ----------------------------------------------------------------------- | ------------------ | +| `Exposed-Credential-Check: 1` | Previously leaked username and password detected | Pro plan and above | +| `Exposed-Credential-Check: 2` | Previously leaked username detected | Enterprise plan | +| `Exposed-Credential-Check: 3` | Similar combination of previously leaked username and password detected | Enterprise plan | +| `Exposed-Credential-Check: 4` | Previously leaked password detected | All plans | + +You will only receive this managed header at your origin server if: + +- The [leaked credentials detection](/waf/detections/leaked-credentials/) in the WAF is turned on. +- The **Add Leaked Credentials Checks Header** managed transform is turned on. +- Your Cloudflare plan supports the type of credentials detection. For example, Free plans can only know if a password was previously leaked. In this situation, Cloudflare will add an `Exposed-Credential-Check: 4` header to the request. + ## HTTP response headers ### Remove "X-Powered-By" headers diff --git a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx index 2d3fc454c7ba96..f6de4da0e8bb85 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx 
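Review bot: The conditions list under "Add Leaked Credentials Checks Header" says when the `Exposed-Credential-Check` header reaches the origin, but not that an origin should trust it only for requests that actually came through Cloudflare; nothing in the section states whether a client-supplied header with the same name is stripped or overwritten, so an origin that acts on the value (for example, forcing a password reset on `Exposed-Credential-Check: 1`) is exposed to header spoofing if it is reachable directly. I would add after the list: `Only act on this header if your origin server accepts requests exclusively from Cloudflare (for example, by restricting the origin to Cloudflare IP addresses or using Authenticated Origin Pulls); otherwise a client can set an Exposed-Credential-Check header itself.` The section also does not say whether Cloudflare removes an incoming `Exposed-Credential-Check` header when the transform is enabled; if it does, stating that here would let origin operators reason about the header without guessing.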
@@ -16,7 +16,9 @@ Dynamic fields represent computed or derived values, typically related to threat - Access to `cf.bot_management.*` fields requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled. -- Access to `cf.waf.content_scan.*` fields requires a Cloudflare Enterprise plan with [WAF content scanning](/waf/about/content-scanning/) enabled. +- Access to `cf.waf.content_scan.*` fields requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled. + +- Access to fields `cf.waf.auth_detected` and `cf.waf.credential_check.*` depends on your Cloudflare plan and add-ons. For more information, refer to [Leaked credentials detection](/waf/detections/leaked-credentials/). - The `cf.tls_client_auth.*` string fields are only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/). @@ -372,7 +374,7 @@ Example: When `true`, the request contains at least one [content object](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/). -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.has_malicious_obj` @@ -380,7 +382,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni When `true`, the request contains at least one malicious content object. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.num_malicious_obj` 
@@ -388,7 +390,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni The number of malicious content objects detected in the request (zero or greater). -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.has_failed` @@ -396,7 +398,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni When `true`, the file scanner was unable to scan all the content objects detected in the request. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.num_obj` @@ -404,7 +406,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni The number of content objects detected in the request (zero or greater). -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.obj_sizes` @@ -412,7 +414,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni An array of file sizes in bytes, in the order the content objects were detected in the request. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.obj_types` 
@@ -420,7 +422,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni An array of file types in the order the content objects were detected in the request. If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.obj_results` @@ -428,13 +430,13 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni An array of scan results in the order the content objects were detected in the request. The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.score` `cf.waf.score` `Number` -A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/about/waf-attack-score/) to detect variants of attack patterns. +A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns. ## `cf.waf.score.sqli` 
@@ -460,6 +462,46 @@ An attack score from 1 to 99 classifying the command injection or Remote Code Ex The attack score class of the current request, based on the WAF attack score. Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`. +## `cf.waf.auth_detected` + +`cf.waf.auth_detected` `Boolean` + +When `true`, the Cloudflare WAF detected authentication credentials in the request. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.password_leaked` + +`cf.waf.credential_check.password_leaked` `Boolean` + +When `true`, the password detected in the request was previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.username_leaked` + +`cf.waf.credential_check.username_leaked` `Boolean` + +When `true`, the username detected in the request was previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.username_and_password_leaked` + +`cf.waf.credential_check.username_and_password_leaked` `Boolean` + +When `true`, the authentication credentials detected in the request (username and password pair) were previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.username_password_similar` + +`cf.waf.credential_check.username_password_similar` `Boolean` + +When `true`, a similar version of the username and password credentials detected in the request were previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + ## `cf.worker.upstream_zone` `cf.worker.upstream_zone` `String` 
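Review bot: The five new field entries all close with the same `Only available when [leaked credentials detection] ... is enabled.` line, but the availability table added in the same commit to managed-transforms/reference.mdx marks the username-only and similar-combination checks as Enterprise plan and the username-and-password check as Pro plan and above, so a rule author reading only this page may write expressions on `cf.waf.credential_check.username_leaked` or `cf.waf.credential_check.username_password_similar` that presumably can never match on a lower plan. The bullet added near the top of the file does say access "depends on your Cloudflare plan and add-ons", but the per-field entries are where rule authors look; I would mirror the table there, for example `Requires an Enterprise plan.` under `username_leaked` and `username_password_similar`, and `Requires a Pro plan or above.` under `username_and_password_leaked`, leaving `password_leaked` as the field available on all plans. The entries also leave unstated what the `cf.waf.credential_check.*` fields evaluate to when the detection is off or when `cf.waf.auth_detected` is `false`; if they are simply `false` in those cases, one sentence such as `When no credentials are detected in the request, this field is false.` would settle the false-versus-unset question that comes up when negating these fields in a rule expression.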
diff --git a/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx b/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx index aac422db96b8b3..b9fb73cc9d6f54 100644 --- a/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx +++ b/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx @@ -1,7 +1,6 @@ --- pcx_content_type: concept title: Concept - --- ## Purpose @@ -12,7 +11,7 @@ The purpose of a concept is to provide conceptual or descriptive information so instructional, descriptive, approachable, supportive -## content\_type +## content_type `concept` @@ -51,6 +50,6 @@ Do not recreate information that's already available online. Instead, consider w [Load Balancing](/load-balancing/) -[WAF](/waf/about/) +[WAF](/waf/) [Magic Transit](/magic-transit/about/) diff --git a/src/content/docs/waf/analytics/security-analytics.mdx b/src/content/docs/waf/analytics/security-analytics.mdx index 18b2ef76e97cf5..a41edd8eb98ec7 100644 --- a/src/content/docs/waf/analytics/security-analytics.mdx +++ b/src/content/docs/waf/analytics/security-analytics.mdx 
@@ -18,7 +18,7 @@ Use the Security Analytics dashboard to: - View the traffic distribution for your domain. - Understand which traffic is being mitigated by Cloudflare security products, and where non-mitigated traffic is being served from (Cloudflare global network or origin server). - Analyze suspicious traffic and create tailored WAF custom rules based on applied filters. -- Learn more about Cloudflare’s security scores (attack score, [bot score](/bots/concepts/bot-score/), [uploaded content scanning](/waf/about/content-scanning/) results) with real data. +- Learn more about Cloudflare’s security scores (attack score, [bot score](/bots/concepts/bot-score/), [uploaded content scanning](/waf/detections/malicious-uploads/) results) with real data. - [Find an appropriate rate limit](/waf/rate-limiting-rules/find-rate-limit/) for incoming traffic. If you need to modify existing security-related rules you already configured, consider also using the [Security Events](/waf/analytics/security-events/) dashboard. This dashboard displays information about requests affected by Cloudflare security products. 
@@ -92,7 +92,7 @@ To apply the filters for an insight to the data displayed in the Security Analyt The **Attack likelihood**, **Bot likelihood**, and **Malicious uploads** sections display statistics related to WAF attack scores, bot scores, and WAF content scanning scores of incoming requests for the selected time frame. -You can examine different traffic segments according to the current metric (attack, bot, or content scanning). To apply score filters for different segments, select the buttons below the traffic chart. For example, select **Likely attack** under **Attack likelihood** to filter requests that are likely an attack (requests with WAF attack score values between 21 and 50). +You can examine different traffic segments according to the current metric (attack score, bot score, or content scanning). To apply score filters for different segments, select the buttons below the traffic chart. For example, select **Likely attack** under **Attack likelihood** to filter requests that are likely an attack (requests with WAF attack score values between 21 and 50). Additionally, you can use the slider tool below the chart to filter incoming requests according to the current metric. This allows you to filter traffic groups outside the predefined segments. 
@@ -106,7 +106,7 @@ The main chart displays the following data for the selected time frame, accordin - **Served by Cloudflare**: Requests served by the Cloudflare global network such as cached content and redirects. - **Served by origin**: Requests served by your origin server. -- **Attack likelihood**: [WAF attack score](/waf/about/waf-attack-score/) analysis of incoming requests, classifying them as _Clean_, _Likely clean_, _Likely attack_, or _Attack_. +- **Attack likelihood**: [WAF attack score](/waf/detections/attack-score/) analysis of incoming requests, classifying them as _Clean_, _Likely clean_, _Likely attack_, or _Attack_. - **Bot likelihood**: [Bot score](/bots/concepts/bot-score/) analysis of incoming requests, classifying them as _Automated_, _Likely automated_, or _Likely human_. diff --git a/src/content/docs/waf/about/index.mdx b/src/content/docs/waf/concepts.mdx similarity index 53% rename from src/content/docs/waf/about/index.mdx rename to src/content/docs/waf/concepts.mdx index 4064e7005f7369..efec5d9281931e 100644 --- a/src/content/docs/waf/about/index.mdx +++ b/src/content/docs/waf/concepts.mdx 
@@ -25,18 +25,19 @@ A [ruleset](/ruleset-engine/about/rulesets/) is an ordered set of rules that you The Cloudflare WAF includes: - [Managed Rules](/waf/managed-rules/) (for example, the [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/)), which are signature-based rules created by Cloudflare that provide immediate protection against known attacks. -- [Traffic detections](#available-traffic-detections) (for example, bot score and attack score) that enrich requests with metadata. +- [Traffic detections](/waf/detections/) (for example, bot score and attack score) that enrich requests with metadata. - User-defined rules for your specific needs, including [custom rules](/waf/custom-rules/) and rate limiting rules. ## Detection versus mitigation The two main roles of the Cloudflare WAF are the following: -- **Detection**: Run incoming requests through one or more [traffic detections](#available-traffic-detections) to find malicious or potentially malicious activity. The scores from enabled detections are available in the [Security Analytics](/waf/analytics/security-analytics/) dashboard, where you can analyze your security posture and determine the most appropriate mitigation rules. +- **Detection**: Run incoming requests through one or more [traffic detections](/waf/detections/) to find malicious or potentially malicious activity. The scores from enabled detections are available in the [Security Analytics](/waf/analytics/security-analytics/) dashboard, where you can analyze your security posture and determine the most appropriate mitigation rules. -- **Mitigation**: Blocks, challenges, or throttles requests through different [mitigation features](#waf-mitigation-features) such as custom rules, WAF Managed Rules, and rate limiting rules. Rules that mitigate traffic can include scores from traffic scans in their expressions to better address possibly malicious requests. 
+- **Mitigation**: Blocks, challenges, or throttles requests through different mitigation features such as [custom rules](/waf/custom-rules/), [Managed Rules](/waf/managed-rules/), and [rate limiting rules](/waf/rate-limiting-rules/). Rules that mitigate traffic can include scores from traffic scans in their expressions to better address possibly malicious requests.
+
+:::caution[Warning]
-:::caution
 Enabling traffic detections will not apply any mitigation measures to incoming traffic; detections only provide signals that you can use to define your attack mitigation strategy.
 :::
@@ -44,26 +45,16 @@ Enabling traffic detections will not apply any mitigation measures to incoming t The WAF currently provides the following detections for finding security threats in incoming requests: -- [**Bots**](/bots/reference/bot-management-variables/#ruleset-engine-fields): Scores traffic on a scale from 1 (likely to be a bot) to 99 (likely to be human). -- [**Attacks**](/waf/about/waf-attack-score/): Checks for known attack variations and malicious payloads. Scores traffic on a scale from 1 (likely to be malicious) to 99 (unlikely to be malicious). -- [**Malicious uploads**](/waf/about/content-scanning/): Scans content objects, such as uploaded files, for malicious signatures like malware. +- [**Bot score**](/bots/concepts/bot-score/): Scores traffic on a scale from 1 (likely to be a bot) to 99 (likely to be human). +- [**Attack score**](/waf/detections/attack-score/): Checks for known attack variations and malicious payloads. Scores traffic on a scale from 1 (likely to be malicious) to 99 (unlikely to be malicious). +- [**Malicious uploads**](/waf/detections/malicious-uploads/): Scans content objects, such as uploaded files, for malicious signatures like malware. To enable traffic detections in the Cloudflare dashboard, go to your domain > **Security** > **Settings**. :::note -Currently, you cannot manage the [Bots](/bots/reference/bot-management-variables/#ruleset-engine-fields) and [Attacks](/waf/about/waf-attack-score/) detections from the **Security** > **Settings** page. Refer to the documentation of each feature for availability details. +Currently, you cannot manage the [bot score](/bots/concepts/bot-score/) and [attack score](/waf/detections/attack-score/) detections from the **Security** > **Settings** page. Refer to the documentation of each feature for availability details. 
::: -### WAF mitigation features - -The WAF provides the following mitigation features for traffic posing as a security threat: - -- [**Custom rules**](/waf/custom-rules/): Allow you to control incoming traffic by filtering requests to a zone. You can perform actions like Block or Managed Challenge on incoming requests according to rules you define. -- [**Rate limiting rules**](/waf/rate-limiting-rules/): Allow you to define rate limits for requests matching an expression, and the action to perform when those rate limits are reached. -- [**Managed rules**](/waf/managed-rules/): Allow you to deploy pre-configured managed rulesets that provide immediate protection against common attacks. - -To configure these mitigation features in the Cloudflare dashboard, go to your domain > **Security** > **WAF**. - --- ## Rule execution order diff --git a/src/content/docs/waf/custom-rules/index.mdx b/src/content/docs/waf/custom-rules/index.mdx index ffd2b83081a050..d446a1cbda7300 100644 --- a/src/content/docs/waf/custom-rules/index.mdx +++ b/src/content/docs/waf/custom-rules/index.mdx 
@@ -2,27 +2,26 @@ pcx_content_type: concept title: Custom rules sidebar: - order: 4 - + order: 5 --- -Custom rules allow you to control incoming traffic by filtering requests to a zone. You can perform actions like *Block* or *Managed Challenge* on incoming requests according to rules you define. +Custom rules allow you to control incoming traffic by filtering requests to a zone. You can perform actions like _Block_ or _Managed Challenge_ on incoming requests according to rules you define. Like other rules evaluated by Cloudflare's [Ruleset Engine](/ruleset-engine/), custom rules have the following basic parameters: -* An [expression](/ruleset-engine/rules-language/expressions/) that specifies the criteria you are matching traffic on using the [Rules language](/ruleset-engine/rules-language/). -* An [action](/ruleset-engine/rules-language/actions/) that specifies what to perform when there is a match for the rule. +- An [expression](/ruleset-engine/rules-language/expressions/) that specifies the criteria you are matching traffic on using the [Rules language](/ruleset-engine/rules-language/). +- An [action](/ruleset-engine/rules-language/actions/) that specifies what to perform when there is a match for the rule. -Custom rules are evaluated in order, and some actions like *Block* will stop the evaluation of other rules. For more details on actions and their behavior, refer to the [actions reference](/ruleset-engine/rules-language/actions/). +Custom rules are evaluated in order, and some actions like _Block_ will stop the evaluation of other rules. For more details on actions and their behavior, refer to the [actions reference](/ruleset-engine/rules-language/actions/). :::note[Did you migrate from Cloudflare Firewall Rules?] -Refer to the [migration guide](/waf/reference/migration-guides/firewall-rules-to-custom-rules/#main-differences) to learn more about the differences between firewall rules and custom rules. 
+Refer to the [migration guide](/waf/reference/migration-guides/firewall-rules-to-custom-rules/#main-differences) to learn more about the differences between firewall rules and custom rules. ::: To define sets of custom rules that apply to more than one zone, use [custom rulesets](/waf/custom-rules/custom-rulesets/), which require an Enterprise plan with a paid add-on. -*** +--- ## Next steps diff --git a/src/content/docs/waf/about/waf-attack-score.mdx b/src/content/docs/waf/detections/attack-score.mdx similarity index 83% rename from src/content/docs/waf/about/waf-attack-score.mdx rename to src/content/docs/waf/detections/attack-score.mdx index b52d2df2f66e2f..08fc433ec13c70 100644 --- a/src/content/docs/waf/about/waf-attack-score.mdx +++ b/src/content/docs/waf/detections/attack-score.mdx 
@@ -3,20 +3,20 @@ title: WAF attack score pcx_content_type: concept sidebar: order: 2 + label: Attack score --- import { GlossaryTooltip } from "~/components"; -WAF attack score is a feature that complements [WAF Managed Rules](/waf/managed-rules/). +The attack score [traffic detection](/waf/concepts/#detection-versus-mitigation) helps identify variations of known attacks and their malicious payloads. This detection complements [WAF Managed Rules](/waf/managed-rules/). WAF's managed rulesets contain rules that are continuously updated to better detect malicious payloads. They target specific patterns of established attack vectors and have a very low rate of false positives. However, managed rulesets are not optimized for attacks based on variations of the original signature introduced, for example, by fuzzing techniques. -WAF attack score allows you to identify these attack variations and their malicious payloads. It classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Just like [Bot Management](/bots/plans/bm-subscription/), you can use this score to identify potentially malicious traffic that is not an exact match to any of the rules in WAF Managed Rules. +Attack score allows you to identify these attack variations and their malicious payloads. It classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Just like [Bot Management](/bots/plans/bm-subscription/), you can use this score to identify potentially malicious traffic that is not an exact match to any of the rules in WAF Managed Rules. -To maximize protection, Cloudflare recommends that you use both Managed Rules and WAF attack score. +To maximize protection, Cloudflare recommends that you use both Managed Rules and attack score. :::note - This feature is available to Enterprise customers. 
Business plans have access to a single field (WAF Attack Score Class). ::: @@ -32,7 +32,7 @@ The Cloudflare WAF provides the following attack scores: | WAF RCE Attack Score | Enterprise | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscorerce) | | WAF Attack Score Class | Business | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscoreclass) | -You can use the fields for these scores in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/) where: +You can use these fields in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/) where: - A score of `1` indicates that the request is almost certainly malicious. - A score of `99` indicates that the request is likely clean. @@ -55,7 +55,7 @@ Attack score automatically detects and decodes Base64, JavaScript (Unicode escap --- -## Start using the WAF attack score +## Start using WAF attack score ### 1. Create a custom rule diff --git a/src/content/docs/waf/detections/index.mdx b/src/content/docs/waf/detections/index.mdx new file mode 100644 index 00000000000000..f311d6ee355800 --- /dev/null +++ b/src/content/docs/waf/detections/index.mdx 
@@ -0,0 +1,41 @@ +--- +pcx_content_type: concept +title: Traffic detections +sidebar: + order: 4 +head: + - tag: title + content: Traffic detections +--- + +import { DirectoryListing, FeatureTable } from "~/components"; + +WAF traffic detections check incoming requests for malicious or potentially malicious activity. Each enabled detection provides one or more scores — available in the [Security Analytics](/waf/analytics/security-analytics/) dashboard — that you can use in WAF rule expressions. + +The WAF currently provides the following detections for finding security threats in incoming requests: + + + +## Availability + + + +For more information on bot score, refer to the [Bots documentation](/bots/concepts/bot-score/). + +## Turn on a detection + +To turn on a traffic detection: + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. +2. Go to **Security** > **Settings**. +3. Under **Incoming traffic detections**, turn on the desired detections. + +Enabled detections will run for all incoming traffic. + +:::note +Currently, you cannot manage the [bot score](/bots/concepts/bot-score/) and [attack score](/waf/detections/attack-score/) detections from the **Security** > **Settings** page. Refer to the documentation of each feature for availability details. +::: + +## More resources + +For more information on detection versus mitigation, refer to [Concepts](/waf/concepts/#detection-versus-mitigation). diff --git a/src/content/docs/waf/detections/leaked-credentials/api-calls.mdx b/src/content/docs/waf/detections/leaked-credentials/api-calls.mdx new file mode 100644 index 00000000000000..3f20577c6a5f37 --- /dev/null +++ b/src/content/docs/waf/detections/leaked-credentials/api-calls.mdx 
@@ -0,0 +1,123 @@ +--- +title: Common API calls +pcx_content_type: configuration +sidebar: + order: 3 +head: + - tag: title + content: Common API calls | Leaked credentials detection +--- + +## Required API token permissions + +The API token used in API requests to manage the leaked credentials detection and custom detection locations must have one of the following [permissions](/fundamentals/api/reference/permissions/): + +- Zone WAF Edit +- Account WAF Edit + +--- + +## General operations + +The following API examples cover basic operations such as enabling and disabling the leaked credentials detection. + +### Turn on leaked credentials detection + +To turn on leaked credentials detection, use a `POST` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ "enabled": true }' +``` + +### Turn off leaked credentials detection + +To turn off leaked credentials detection, use a `POST` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ "enabled": false }' +``` + +### Get status of leaked credentials detection + +To obtain the current status of the leaked credentials detection, use a `GET` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " +``` + +```json output +{ + "result": { + "enabled": true + }, + "success": true, + "errors": [], + "messages": [] +} +``` + +## Custom detection location operations + +The following API examples cover operations on custom detection locations for leaked credentials detection. 
+ +### Get existing custom detection locations + +To get a list of existing custom detection locations, use a `GET` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " +``` + +```json output +{ + "result": [ + { + "id": "", + "username": "lookup_json_string(http.request.body.raw, \"user\")", + "password": "lookup_json_string(http.request.body.raw, \"secret\")" + } + // (...) + ], + "success": true, + "errors": [], + "messages": [] +} +``` + +### Add a custom detection location + +Use a `POST` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ + "username": "lookup_json_string(http.request.body.raw, \"user\")", + "password": "lookup_json_string(http.request.body.raw, \"secret\")" +}' +``` + +### Delete a custom detection location + +Use a `DELETE` request similar to the following: + +```bash +curl --request DELETE \ +"https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections/{item_id}" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " +``` diff --git a/src/content/docs/waf/detections/leaked-credentials/examples.mdx b/src/content/docs/waf/detections/leaked-credentials/examples.mdx new file mode 100644 index 00000000000000..e10ac2950f77a6 --- /dev/null +++ b/src/content/docs/waf/detections/leaked-credentials/examples.mdx 
@@ -0,0 +1,59 @@ +--- +title: Mitigation examples +pcx_content_type: configuration +sidebar: + order: 4 + label: Mitigation examples +head: + - tag: title + content: Leaked credentials mitigation examples +description: Examples of rules for mitigating requests containing leaked credentials. +--- + +import { Example } from "~/components"; + +## Rate limit suspicious logins with leaked credentials + +:::note +Access to the `cf.waf.credential_check.username_and_password_leaked` field requires a Pro plan or above. +::: + +Create a [rate limiting rule](/waf/rate-limiting-rules/) using [account takeover (ATO) detection](/bots/concepts/detection-ids/#account-takeover-detections) and leaked credentials fields to limit volumetric attacks from particular IP addresses, JA4 Fingerprints, or countries. + +The following example rule applies rate limiting to requests with a specific [ATO detection ID](/bots/concepts/detection-ids/#account-takeover-detections) (corresponding to `Observes all login traffic to the zone`) that contain a previously leaked username and password: + + + +**When incoming requests match**:
+`(any(cf.bot_management.detection_ids[*] eq 201326593 and cf.waf.credential_check.username_and_password_leaked))`
+
+**With the same characteristics**: _IP_
+
+When rate exceeds:
+
+- **Requests**: `5`
+- **Period**: _1 minute_
+
+ +## Challenge requests containing leaked credentials + +:::note +Access to the _User and Password Leaked_ (`cf.waf.credential_check.username_and_password_leaked`) field requires a Pro plan or above. +::: + +Create a [custom rule](/waf/custom-rules/) that challenges requests containing a previously leaked set of credentials (username and password). + +- **Expression**: If you use the Expression Builder, configure the following expression: + + | Field | Operator | Value | + | ------------------------ | -------- | ----- | + | User and Password Leaked | equals | True | + + If you use the Expression Editor, enter the following expression: + + ```txt + (cf.waf.credential_check.username_and_password_leaked) + ``` + +- **Action**: _Managed Challenge_ diff --git a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx new file mode 100644 index 00000000000000..2eeda618ab7ef7 --- /dev/null +++ b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx 
@@ -0,0 +1,171 @@ +--- +title: Get started +pcx_content_type: get-started +sidebar: + order: 2 +head: + - tag: title + content: Get started with leaked credentials detection +--- + +import { TabItem, Tabs, Details } from "~/components"; + +## 1. Turn on leaked credentials detection + +On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard or via API. + + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. +2. Go to **Security** > **Settings**. +3. Under **Incoming traffic detections**, turn on **Leaked credentials**. + + + +Enable the feature using a `POST` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ "enabled": true }' +``` + + + +:::note +To achieve optimal latency performance, Cloudflare recommends that you turn off [Exposed Credentials Checks](/waf/managed-rules/reference/exposed-credentials-check/) (a previous implementation) after turning on leaked credentials detection and setting up your mitigation strategy as described in the next steps. +::: + +## 2. Validate the leaked credentials detection behavior + +Use [Security Analytics](/waf/analytics/security-analytics/) and HTTP logs to validate that the WAF is correctly detecting leaked credentials in incoming requests. + +Refer to [Test your configuration](#test-your-configuration) for more information on the test credentials you can use to validate your configuration. + +Alternatively, create a WAF custom rule like the one described in the next step using a _Log_ action (only available to Enterprise customers). This rule will generate firewall events (available in **Security** > **Events**) that will allow you to validate your configuration. 
+ +## 3. Mitigate requests with leaked credentials + +If you are on a Free plan, deploy the suggested [rate limiting rule](/waf/rate-limiting-rules/) template available in **WAF** > **Rate limiting rules**. When you deploy a rule using this template, you get instant protection against IPs attempting to access your application with a leaked password more than five times per 10 seconds. This rule can delay attacks by blocking them for a period of time. Alternatively, you can create a custom rule. + +Paid plans have access to more granular controls when creating a WAF rule. If you are on a paid plan, create a [custom rule](/waf/custom-rules/) that challenges requests containing leaked credentials: + +| Field | Operator | Value | +| ------------------------ | -------- | ----- | +| User and Password Leaked | equals | True | + +If you use the Expression Editor, enter the following expression: + +```txt +(cf.waf.credential_check.username_and_password_leaked) +``` + +Rule action: _Managed Challenge_ + +This rule will match requests where the WAF detects a previously leaked set of credentials (username and password). For a list of fields provided by leaked credentials detection, refer to [Leaked credentials fields](/waf/detections/leaked-credentials/#leaked-credentials-fields). + +
+ +You can combine the previous expression with other [fields](/ruleset-engine/rules-language/fields/) and [functions](/ruleset-engine/rules-language/functions/) of the Rules language. This allows you to customize the rule scope or combine leaked credential checking with other security features. For example: + +- The following expression will match requests containing leaked credentials addressed at an authentication endpoint: + + | Field | Operator | Value | Logic | + | ------------------------ | -------- | ------------------ | ----- | + | User and Password Leaked | equals | True | And | + | URI Path | contains | `/admin/login.php` | | + + Expression when using the editor:
+ `(cf.waf.credential_check.username_and_password_leaked and http.request.uri.path contains "/admin/login.php")`
+
+- The following expression will match requests coming from bots that include authentication credentials:
+
+ | Field | Operator | Value | Logic |
+ | ----------------------- | --------- | ----- | ----- |
+ | Authentication detected | equals | True | And |
+ | Bot Score | less than | `10` | |
+
+ Expression when using the editor:
+ `(cf.waf.auth_detected and cf.bot_management.score lt 10)`
+
+ +For additional examples, refer to [Mitigation examples](/waf/detections/leaked-credentials/examples/). + +### Handle detected leaked credentials at the origin server + +Additionally, you may want to handle leaked credentials detected by Cloudflare at your origin server. + +1. Turn on the [**Add Leaked Credentials Checks Header** managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header). + +2. For requests received at your origin server containing the `Exposed-Credential-Check` header, you could redirect your end users to your reset password page when detecting previously leaked credentials. + +## 4. (Optional) Configure a custom detection location + +To check for leaked credentials in a way that is not covered by the default configuration, add a custom detection location. + + + +1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain. +2. Go to **Security** > **Settings**. +3. Under **Incoming traffic detections**, select **Leaked credentials** and then select the three dots to add a custom detection. +4. In **Username location**, enter an expression for obtaining the username in the HTTP request. For example: + + ```txt + lookup_json_string(http.request.body.raw, "user") + ``` + +5. In **Password location**, enter an expression for obtaining the password in the HTTP request. For example: + + ```txt + lookup_json_string(http.request.body.raw, "secret") + ``` + +6. Select **Save**. 
+ + + +Use a `POST` request similar to the following: + +```bash +curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections" \ +--header "X-Auth-Email: " \ +--header "X-Auth-Key: " \ +--header "Content-Type: application/json" \ +--data '{ + "username": "lookup_json_string(http.request.body.raw, \"user\")", + "password": "lookup_json_string(http.request.body.raw, \"secret\")" +}' +``` + +This pair of lookup expressions (for username and password) will scan incoming HTTP requests containing a JSON body with a structure similar to the following: + +```js +{"user": "", "secret": ""} +``` + + + +You only need to provide an expression for the username in custom detection locations. + +--- + +## Test your configuration + +Cloudflare provides a special set of case-sensitive credentials for testing the configuration of the leaked credentials detection. + +After enabling and configuring the detection, you can use the credentials mentioned in this section in your test HTTP requests. + +Test credentials for users on a Free plan (will also work in paid plans): + +- Username: `CF_LEAKED_USERNAME_FREE` +- Password: `CF_LEAKED_PASSWORD` + +Test credentials for users on paid plans (will not work on Free plans): + +- Username: `CF_EXPOSED_USERNAME` or `CF_EXPOSED_USERNAME@example.com` +- Password: `CF_EXPOSED_PASSWORD` + +The Cloudflare WAF considers these specific credentials as having been previously leaked. Use them in your tests to check the behavior of your current configuration. diff --git a/src/content/docs/waf/detections/leaked-credentials/index.mdx b/src/content/docs/waf/detections/leaked-credentials/index.mdx new file mode 100644 index 00000000000000..f8330909f10d4c --- /dev/null +++ b/src/content/docs/waf/detections/leaked-credentials/index.mdx 
@@ -0,0 +1,97 @@ +--- +title: Leaked credentials detection +pcx_content_type: concept +sidebar: + order: 3 + group: + label: Leaked credentials +--- + +The leaked credentials [traffic detection](/waf/detections/) scans incoming requests for previously leaked credentials (usernames and passwords) previously leaked from data breaches. + +## How it works + +Once enabled, leaked credentials detection will scan incoming HTTP requests for known authentication patterns from common web apps and any custom detection locations you configure. + +If Cloudflare detects authentication credentials in the request, those credentials are checked against a list of known leaked credentials. This list of credentials consists of Cloudflare-collected credentials, in addition to the [Have I been Pwned (HIBP)](https://haveibeenpwned.com) matched passwords dataset. + +Cloudflare will populate the existing [leaked credentials fields](#leaked-credentials-fields) based on the scan results. You can check these results in the Security Analytics dashboard, and use these fields in rule expressions ([custom rules](/waf/custom-rules/) or [rate limiting rules](/waf/rate-limiting-rules/)) to protect your application against the usage of compromised credentials by your end users, and also against leaked credential attacks. + +In addition, leaked credentials detection provides a [managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header) that adds an `Exposed-Credential-Check` request header with a value indicating which field was leaked. For example, if both username and password were previously leaked, the header value will be `1`; if only the password was leaked, the value will be `4`. + +One common approach used in web applications when detecting the use of stolen credentials is to warn end users about the situation and ask them to update their password. You can do this based on the managed header received at your origin server. 
+ +:::note +Cloudflare may detect leaked credentials either because an attacker is performing a credential stuffing attack or because a legitimate end user is reusing a previously leaked password. +::: + +## Availability + +For details on available features per plan, refer to [Availability](/waf/detections/#availability) in the traffic detections page. + +## Default scan locations + +Leaked credentials detection includes rules for identifying credentials in HTTP requests for the following well-known web applications: + +- Drupal +- Joomla +- Ghost +- Magento +- Plone +- WordPress +- Microsoft Exchange OWA + +Additionally, the scan includes generic rules for other common web authentication patterns. + +You can also configure custom detection locations to address the specific authentication mechanism used in your web applications. A custom detection location tells the Cloudflare WAF where to find usernames and passwords in HTTP requests of your web application. + +## Custom detection locations + +:::note +Only available for Enterprise customers. +::: + +Sometimes, you may wish to specify where to find credentials in HTTP requests for the specific case of your web applications. + +For example, if the JSON body of an HTTP authenticating a user looked like the following in your web application: + +```json +{ "user": "", "secret": "" } +``` + +You could configure a custom detection location with the following settings: + +- Custom location for username:
+ `lookup_json_string(http.request.body.raw, "user")`
+- Custom location for password:
+ `lookup_json_string(http.request.body.raw, "secret")` + +When specifying a custom detection location, only the location of the username field is required. + +Expressions used to specify custom detection locations can include the following fields and functions: + +- Fields: + - [`http.request.body.raw`](/ruleset-engine/rules-language/fields/http-request-body/#httprequestbodyraw) + - [`http.request.headers`](/ruleset-engine/rules-language/fields/http-request-header/#httprequestheaders) + - [`http.request.uri.query`](/ruleset-engine/rules-language/fields/standard-fields/#httprequesturiquery) +- Functions: + - [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string) + - [`lower()`](/ruleset-engine/rules-language/functions/#lower) + +For instructions on configuring a custom detection location, refer to [Get started](/waf/detections/leaked-credentials/get-started/#4-optional-configure-a-custom-detection-location). + +## Leaked credentials fields + +| Field name in the dashboard | Field | Availability | +| --------------------------- | ----------------------------------------------------------- | ------------------ | +| Password Leaked | [`cf.waf.credential_check.password_leaked`][1] | All plans | +| User and Password Leaked | [`cf.waf.credential_check.username_and_password_leaked`][2] | Pro plan and above | +| Username Leaked | [`cf.waf.credential_check.username_leaked`][3] | Enterprise plan | +| Similar Password Leaked | [`cf.waf.credential_check.username_password_similar`][4] | Enterprise plan | +| Authentication detected | [`cf.waf.auth_detected`][5] | Enterprise plan | + +[1]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkpassword_leaked +[2]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_and_password_leaked +[3]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_leaked +[4]: 
/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_password_similar +[5]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafauth_detected diff --git a/src/content/docs/waf/detections/link-bots.mdx b/src/content/docs/waf/detections/link-bots.mdx new file mode 100644 index 00000000000000..1d032b0984ace5 --- /dev/null +++ b/src/content/docs/waf/detections/link-bots.mdx @@ -0,0 +1,7 @@ +--- +pcx_content_type: navigation +title: Bot score +external_link: /bots/concepts/bot-score/ +sidebar: + order: 4 +--- diff --git a/src/content/docs/waf/about/content-scanning/api-calls.mdx b/src/content/docs/waf/detections/malicious-uploads/api-calls.mdx similarity index 100% rename from src/content/docs/waf/about/content-scanning/api-calls.mdx rename to src/content/docs/waf/detections/malicious-uploads/api-calls.mdx diff --git a/src/content/docs/waf/about/content-scanning/example-rules.mdx b/src/content/docs/waf/detections/malicious-uploads/example-rules.mdx similarity index 77% rename from src/content/docs/waf/about/content-scanning/example-rules.mdx rename to src/content/docs/waf/detections/malicious-uploads/example-rules.mdx index 4602f4c25b57a6..d889c17654f877 100644 --- a/src/content/docs/waf/about/content-scanning/example-rules.mdx +++ b/src/content/docs/waf/detections/malicious-uploads/example-rules.mdx 
@@ -5,43 +5,42 @@ sidebar: order: 3 head: - tag: title - content: Example rules for content scanning - + content: Example rules checking uploaded content objects --- ## Log requests with an uploaded content object This [custom rule](/waf/custom-rules/) example logs all requests with at least one uploaded content object: -* Expression: `cf.waf.content_scan.has_obj` -* Action: *Log* +- Expression: `cf.waf.content_scan.has_obj` +- Action: _Log_ ## Block requests to URI path with a malicious content object This custom rule example blocks requests addressed at `/upload.php` that contain at least one uploaded content object considered malicious: -* Expression: `cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq "/upload.php"` -* Action: *Block* +- Expression: `cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq "/upload.php"` +- Action: _Block_ ## Block requests with non-PDF file uploads This custom rule example blocks requests addressed at `/upload` with uploaded content objects that are not PDF files: -* Expression: `any(cf.waf.content_scan.obj_types[*] != "application/pdf") and http.request.uri.path eq "/upload"` -* Action: *Block* +- Expression: `any(cf.waf.content_scan.obj_types[*] != "application/pdf") and http.request.uri.path eq "/upload"` +- Action: _Block_ ## Block requests with uploaded files over 500 KB This custom rule example blocks requests addressed at `/upload` with uploaded content objects over 500 KB in size: -* Expression: `any(cf.waf.content_scan.obj_sizes[*] > 500000) and http.request.uri.path eq "/upload"` -* Action: *Block* +- Expression: `any(cf.waf.content_scan.obj_sizes[*] > 500000) and http.request.uri.path eq "/upload"` +- Action: _Block_ ## Block requests with uploaded files over the content scanning limit (15 MB) This custom rule example blocks requests with uploaded content objects over 15 MB in size (the current content scanning limit): -* Expression: `any(cf.waf.content_scan.obj_sizes[*] >= 15000000)` -* 
Action: *Block* +- Expression: `any(cf.waf.content_scan.obj_sizes[*] >= 15000000)` +- Action: _Block_ In this example, you must also test for equality because currently any file over 15 MB will be handled internally as if it had a size of 15 MB. This means that using the `>` (greater than) [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) would not work for this particular rule — you should use `>=` (greater than or equal) instead. diff --git a/src/content/docs/waf/about/content-scanning/get-started.mdx b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx similarity index 93% rename from src/content/docs/waf/about/content-scanning/get-started.mdx rename to src/content/docs/waf/detections/malicious-uploads/get-started.mdx index 873f55e61275fc..2a3f8e881b2c59 100644 --- a/src/content/docs/waf/about/content-scanning/get-started.mdx +++ b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx @@ -60,7 +60,7 @@ If you use the Expression Editor, enter the following expression: (cf.waf.content_scan.has_malicious_obj) ``` -This rule will match requests where the WAF detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to [Content scanning fields](/waf/about/content-scanning/#content-scanning-fields). +This rule will match requests where the WAF detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to [Content scanning fields](/waf/detections/malicious-uploads/#content-scanning-fields).
@@ -94,11 +94,11 @@ You can combine the previous expression with other [fields](/ruleset-engine/rule
-For additional examples, refer to [Example rules](/waf/about/content-scanning/example-rules/). +For additional examples, refer to [Example rules](/waf/detections/malicious-uploads/example-rules/). ## 4. (Optional) Configure a custom scan expression -To check uploaded content in a way that is not covered by the default configuration, add a [custom scan expression](/waf/about/content-scanning/#custom-scan-expressions). +To check uploaded content in a way that is not covered by the default configuration, add a [custom scan expression](/waf/detections/malicious-uploads/#custom-scan-expressions). diff --git a/src/content/docs/waf/about/content-scanning/index.mdx b/src/content/docs/waf/detections/malicious-uploads/index.mdx similarity index 92% rename from src/content/docs/waf/about/content-scanning/index.mdx rename to src/content/docs/waf/detections/malicious-uploads/index.mdx index aecb464614b7bf..8058c6fda9434c 100644 --- a/src/content/docs/waf/about/content-scanning/index.mdx +++ b/src/content/docs/waf/detections/malicious-uploads/index.mdx 
@@ -1,18 +1,19 @@ --- -title: Uploaded content scanning +title: Malicious uploads detection pcx_content_type: concept sidebar: order: 3 + group: + label: Malicious uploads --- import { GlossaryTooltip } from "~/components"; -WAF content scanning is a WAF [traffic detection](/waf/about/#detection-versus-mitigation) that scans content being uploaded to your application. +The malicious uploads detection, also called uploaded content scanning, is a WAF [traffic detection](/waf/concepts/#detection-versus-mitigation) that scans content being uploaded to your application. When enabled, content scanning attempts to detect content objects, such as uploaded files, and scans them for malicious signatures like malware. The scan results, along with additional metadata, are exposed as fields available in WAF [custom rules](/waf/custom-rules/), allowing you to implement fine-grained mitigation rules. :::note - This feature is available to customers on an Enterprise plan with a paid add-on. ::: @@ -28,7 +29,7 @@ Cloudflare uses the same [anti-virus (AV) scanner used in Cloudflare Zero Trust] Content scanning will not apply any mitigation actions to requests with content objects considered malicious. It only provides a signal that you can use to define your attack mitigation strategy. You must create rules — [custom rules](/waf/custom-rules/) or [rate limiting rules](/waf/rate-limiting-rules/) — to perform actions based on detected signals. -For more information on detection versus mitigation, refer to [Concepts](/waf/about/#detection-versus-mitigation). +For more information on detection versus mitigation, refer to [Concepts](/waf/concepts/#detection-versus-mitigation). ::: 
@@ -68,9 +69,9 @@ Sometimes, you may wish to specify where to find the content objects, such as wh { "file": "" } ``` -In these situations, configure a custom scan expression to tell the content scanner where to find the content objects. For more information, refer to [Configure a custom scan expression](/waf/about/content-scanning/get-started/#4-optional-configure-a-custom-scan-expression). +In these situations, configure a custom scan expression to tell the content scanner where to find the content objects. For more information, refer to [Configure a custom scan expression](/waf/detections/malicious-uploads/get-started/#4-optional-configure-a-custom-scan-expression). -## ​​Content scanning fields +## Content scanning fields When content scanning is enabled, you can use the following fields in WAF rules: @@ -85,4 +86,4 @@ When content scanning is enabled, you can use the following fields in WAF rules: | Content object type | [`cf.waf.content_scan.obj_types`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_types) | | Content object result
Values: `clean`, `suspicious`,
`infected`, and `not scanned` | [`cf.waf.content_scan.obj_results`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_results) | -For examples of rule expressions using these fields, refer to [Example rules](/waf/about/content-scanning/example-rules/). +For examples of rule expressions using these fields, refer to [Example rules](/waf/detections/malicious-uploads/example-rules/). diff --git a/src/content/docs/waf/get-started.mdx b/src/content/docs/waf/get-started.mdx index 2453033d25e4d2..55c4e2fb5937fb 100644 --- a/src/content/docs/waf/get-started.mdx +++ b/src/content/docs/waf/get-started.mdx @@ -11,7 +11,7 @@ The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web and This page will guide you through the recommended initial steps for configuring the WAF to get immediate protection against the most common attacks. -Refer to [Concepts](/waf/about/) for more information on WAF concepts, main components, and roles. +Refer to [Concepts](/waf/concepts/) for more information on WAF concepts, main components, and roles. :::note This guide focuses on configuring WAF for individual domains, known as zones. The WAF configuration is also available at the account level for Enterprise customers with a paid add-on. 
@@ -52,7 +52,7 @@ For more information on configuring the Cloudflare Managed Ruleset in the dashbo WAF attack score is only available to Business customers (limited access to a single field) and Enterprise customers (full access). ::: -[WAF attack score](/waf/about/waf-attack-score/) is a machine-learning layer that complements Cloudflare's managed rulesets, providing additional protection against SQL injection (SQLi), Cross-site scripting (XSS), and many remote code execution (RCE) attacks. It helps identify rule bypasses and potentially new, undiscovered attacks. +[WAF attack score](/waf/detections/attack-score/) is a machine-learning layer that complements Cloudflare's managed rulesets, providing additional protection against SQL injection (SQLi), Cross-site scripting (XSS), and many remote code execution (RCE) attacks. It helps identify rule bypasses and potentially new, undiscovered attacks. If you are an Enterprise customer, do the following: @@ -71,7 +71,7 @@ If you are an Enterprise customer, do the following: - **Choose action**: Block -If you are on a Business plan, create a custom rule as mentioned above but use the [WAF Attack Score Class](/waf/about/waf-attack-score/#available-scores) field instead. For example, you could use the following rule expression: `WAF Attack Score Class equals Attack`. +If you are on a Business plan, create a custom rule as mentioned above but use the [WAF Attack Score Class](/waf/detections/attack-score/#available-scores) field instead. For example, you could use the following rule expression: `WAF Attack Score Class equals Attack`. ## 3. Create custom rule based on bot score 
@@ -133,7 +133,7 @@ Users on the Free plan only have access to Security Events. After setting up your WAF configuration, review how incoming traffic is being affected by your current settings using the following dashboards: -- Use [Security Analytics](/waf/analytics/security-analytics/) to explore all traffic, including traffic not affected by WAF mitigation measures. All data provided by [traffic detections](/waf/about/#available-traffic-detections) is available in this dashboard. +- Use [Security Analytics](/waf/analytics/security-analytics/) to explore all traffic, including traffic not affected by WAF mitigation measures. All data provided by [traffic detections](/waf/concepts/#available-traffic-detections) is available in this dashboard. - Use [Security Events](/waf/analytics/security-events/) to get more information about requests that are being mitigated by Cloudflare security products. Enterprise customers can also obtain data about HTTP requests and security events using [Cloudflare Logs](/logs/). @@ -166,7 +166,7 @@ Use [leaked credential checks](/waf/managed-rules/check-for-exposed-credentials/ Available to Enterprise customers with a paid add-on. ::: -[Use WAF content scanning](/waf/about/content-scanning/get-started/) to scan content being uploaded to your application, searching for malicious content. +[Use WAF content scanning](/waf/detections/malicious-uploads/get-started/) to scan content being uploaded to your application, searching for malicious content. ### Get additional security for your APIs diff --git a/src/content/docs/waf/index.mdx b/src/content/docs/waf/index.mdx index 9568506056b0cb..89eddcc7a21c9b 100644 --- a/src/content/docs/waf/index.mdx +++ b/src/content/docs/waf/index.mdx 
@@ -37,8 +37,8 @@ Learn how to [get started](/waf/get-started/). Create your own custom rules to protect your website and your APIs from malicious incoming traffic. Use advanced features like [WAF attack - score](/waf/about/waf-attack-score/) and [uploaded content - scanning](/waf/about/content-scanning/) in your custom rules. + score](/waf/detections/attack-score/) and [malicious uploads + detection](/waf/detections/malicious-uploads/) in your custom rules. diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx index 5e0d9c24669cd4..bc94af87c7a72f 100644 --- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx +++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx @@ -8,15 +8,18 @@ head: content: Configure exposed credentials checks via API --- +import { Render } from "~/components"; + Configure exposed credentials checks using the [Rulesets API](/ruleset-engine/rulesets-api/). You can do the following: - [Deploy the Cloudflare Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/#configure-via-api). - Create custom rules that check for exposed credentials. + + ## Create a custom rule checking for exposed credentials :::note - This feature requires account-level WAF, which is available to Enterprise customers with a paid add-on. ::: diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx index 9f86497bf49b7d..e549742c162237 100644 --- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx +++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx 
@@ -6,15 +6,18 @@ sidebar: head: - tag: title content: How exposed credentials checks work - --- -import { Example } from "~/components" +import { Render, Example } from "~/components"; WAF rules can include a check for exposed credentials. When enabled in a given rule, exposed credentials checking happens when there is a match for the rule expression (that is, the rule expression evaluates to `true`). At this point, the WAF looks up the username/password pair in the request against a database of publicly available stolen credentials. When both the rule expression and the exposed credentials check are true, there is a rule match, and Cloudflare performs the action configured in the rule. + + +## Example + For example, the following rule matches `POST` requests to the `/login.php` URI when Cloudflare identifies the submitted credentials as previously exposed: @@ -26,10 +29,10 @@ Rule expression:
Exposed credentials check with the following configuration: -* Username expression: `http.request.body.form["user_id"]` -* Password expression: `http.request.body.form["password"]` +- Username expression: `http.request.body.form["user_id"]` +- Password expression: `http.request.body.form["password"]` -Action: *Interactive Challenge* +Action: _Interactive Challenge_
diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx index 117115ed494bc5..4ce562356b69d5 100644 --- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx +++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx 
@@ -3,53 +3,50 @@ pcx_content_type: concept title: Check for exposed credentials sidebar: order: 12 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip, Render } from "~/components"; -Many web applications have suffered credential stuffing attacks in the recent past. In these attacks there is a massive number of login attempts using username/password pairs from databases of exposed credentials. +Many web applications have suffered credential stuffing attacks in the recent past. In these attacks there is a massive number of login attempts using username/password pairs from databases of exposed credentials. Cloudflare offers you automated checks for exposed credentials using Cloudflare Web Application Firewall (WAF). -:::note - - -This feature is available to all paid plans. - - -::: + The WAF provides two mechanisms for this check: -* The [Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/), which contains predefined rules for popular CMS applications. By enabling this ruleset for a given zone, you immediately enable checks for exposed credentials for these well-known applications. +- The [Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/), which contains predefined rules for popular CMS applications. By enabling this ruleset for a given zone, you immediately enable checks for exposed credentials for these well-known applications. The managed ruleset is available to all paid plans. -* The ability to [write custom rules](#exposed-credentials-checks-in-custom-rules) at the account level that check for exposed credentials according to your criteria. +- The ability to [write custom rules](#exposed-credentials-checks-in-custom-rules) at the account level that check for exposed credentials according to your criteria. This configuration option is available to Enterprise customers with a paid add-on. 
Cloudflare updates the databases of exposed credentials supporting the exposed credentials check feature on a regular basis. -The username and password credentials in clear text never leave the Cloudflare network. The WAF only uses an anonymized version of the username and password when determining if there are previously exposed credentials. Cloudflare follows the approach based on the *k*-Anonymity mathematical property described in the following blog post: [Validating Leaked Passwords with k-Anonymity](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/). +The username and password credentials in clear text never leave the Cloudflare network. The WAF only uses an anonymized version of the username and password when determining if there are previously exposed credentials. Cloudflare follows the approach based on the _k_-Anonymity mathematical property described in the following blog post: [Validating Leaked Passwords with k-Anonymity](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/). ## Available actions The WAF can perform one of the following actions when it detects exposed credentials: -* **Exposed-Credential-Check Header**: Adds a new HTTP header to HTTP requests with exposed credentials. Your application at the origin can then force a password reset, start a two-factor authentication process, or perform any other action. The name of the added HTTP header is `Exposed-Credential-Check` and its value is `1`. -* **Managed Challenge**: Helps reduce the lifetimes of human time spent solving CAPTCHAs across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria. -* **Block**: Blocks HTTP requests containing exposed credentials. -* **JS Challenge**: Presents a non-interactive challenge to the clients making HTTP requests with exposed credentials. -* **Log**: Only available on Enterprise plans. 
Logs requests with exposed credentials in the Cloudflare logs. Recommended for validating a rule before committing to a more severe action. -* **Interactive Challenge**: Presents an interactive challenge to the clients making HTTP requests with exposed credentials. +- **Exposed-Credential-Check Header**: Adds a new HTTP header to HTTP requests with exposed credentials. Your application at the origin can then force a password reset, start a two-factor authentication process, or perform any other action. The name of the added HTTP header is `Exposed-Credential-Check` and its value is `1`. + + :::caution + While the header name is the same as when using the [**Add Leaked Credentials Checks Header** managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header), the header can have different values when using the managed transform (from `1` to `4`), depending on your Cloudflare plan. + ::: -The default action for the rules in the Exposed Credentials Check Managed Ruleset is *Exposed-Credential-Check Header* (named `rewrite` in the API). +- **Managed Challenge**: Helps reduce the lifetimes of human time spent solving CAPTCHAs across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria. +- **Block**: Blocks HTTP requests containing exposed credentials. +- **JS Challenge**: Presents a non-interactive challenge to the clients making HTTP requests with exposed credentials. +- **Log**: Only available on Enterprise plans. Logs requests with exposed credentials in the Cloudflare logs. Recommended for validating a rule before committing to a more severe action. +- **Interactive Challenge**: Presents an interactive challenge to the clients making HTTP requests with exposed credentials. -Cloudflare recommends that you only use the following actions: *Exposed-Credential-Check Header* (named `rewrite` in the API) and *Log* (`log`). 
+The default action for the rules in the Exposed Credentials Check Managed Ruleset is _Exposed-Credential-Check Header_ (named `rewrite` in the API). + +Cloudflare recommends that you only use the following actions: _Exposed-Credential-Check Header_ (named `rewrite` in the API) and _Log_ (`log`). ## Exposed credentials checks in custom rules :::note - -Exposed credentials checks in custom rules are only available via API and require account-level WAF, which is available to Enterprise customers with a paid add-on. +Exposed credentials checks in custom rules are only available via API and require account-level WAF, which is available to Enterprise customers with a paid add-on. ::: Besides enabling the [Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/), you can also check for exposed credentials in [custom rules](/waf/custom-rules/). One common use case is to create custom rules on the end user authentication endpoints of your application to check for exposed credentials. Rules that check for exposed credentials run before rate limiting rules. diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx index da899973534576..f8b69196be6e4d 100644 --- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx +++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx 
@@ -5,14 +5,16 @@ sidebar: order: 6 --- +import { Render } from "~/components"; + The **Activity log** in Security Events shows entries for requests with exposed credentials identified by rules with the _Log_ action. Check for exposed credentials events in the Security Events dashboard (**Security** > **Events** tab), filtering by a specific Rule ID. For more information on filtering security events, refer to [Adjusting displayed data](/waf/analytics/security-events/paid-plans/#adjusting-displayed-data). -:::caution + -- Exposed credentials events are only logged after you activate the Exposed Credentials Check Managed Ruleset or create a custom rule checking for exposed credentials. +## Important notes -- The log entries will not contain the values of the exposed credentials (username, email, or password). However, if [matched payload logging](/waf/managed-rules/payload-logging/) is enabled, the log entries will contain the values of the fields in the rule expression that triggered the rule. These values might be the values of credential fields, depending on your rule configuration. +Exposed credentials events are only logged after you activate the Exposed Credentials Check Managed Ruleset or create a custom rule checking for exposed credentials. -::: +The log entries will not contain the values of the exposed credentials (username, email, or password). However, if [matched payload logging](/waf/managed-rules/payload-logging/) is enabled, the log entries will contain the values of the fields in the rule expression that triggered the rule. These values might be the values of credential fields, depending on your rule configuration. diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx index 03bea1308b05d6..2cfc7fb72110ac 100644 --- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx 
+++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx @@ -6,13 +6,14 @@ sidebar: head: - tag: title content: Test your exposed credentials checks configuration - --- -import { Render } from "~/components" +import { Render } from "~/components"; After enabling and configuring exposed credentials checks, you may want to test if the checks are working properly. + + Cloudflare provides a special set of case-sensitive credentials for this purpose: diff --git a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx index a10ea4c291dd87..904f7edd0431f9 100644 --- a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx +++ b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx @@ -5,11 +5,11 @@ sidebar: order: 4 --- +import { Render } from "~/components"; + The Cloudflare Exposed Credentials Check Managed Ruleset is a set of pre-configured rules for well-known CMS applications that perform a lookup against a public database of stolen credentials. -:::note -The Cloudflare Exposed Credentials Check Managed Ruleset is only available in the Cloudflare WAF announced on March 2021. -::: + The managed ruleset includes rules for the following CMS applications: 
@@ -28,9 +28,7 @@ Additionally, this managed ruleset also includes generic rules for other common The default action for the rules in managed ruleset is _Exposed-Credential-Check Header_ (named `rewrite` in the API). -:::note[Note] -The managed ruleset contains an additional rule that blocks HTTP requests already containing the `Exposed-Credential-Check` HTTP header used by the _Exposed-Credential-Check Header_ action. These requests could be used to trick the origin into believing that a request contained (or did not contain) exposed credentials. -::: +The managed ruleset also contains a rule that blocks HTTP requests already containing the `Exposed-Credential-Check` HTTP header used by the _Exposed-Credential-Check Header_ action. These requests could be used to trick the origin into believing that a request contained (or did not contain) exposed credentials. For more information on exposed credential checks, refer to [Check for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/). diff --git a/src/content/glossary/waf.yaml b/src/content/glossary/waf.yaml index fd470e78de8b9f..a1bb4f6832d775 100644 --- a/src/content/glossary/waf.yaml +++ b/src/content/glossary/waf.yaml 
@@ -23,9 +23,9 @@ entries: general_definition: |- credential stuffing is the automated injection of stolen username and password pairs (known as "credentials") into website login forms, trying to gain access to user accounts. - - term: exposed credentials + - term: leaked credentials general_definition: |- - exposed credentials refers to sensitive authentication information disclosed in some way (for example, due to misconfigurations, data breaches, or simple human error), allowing other parties to gain access to digital resources. + leaked credentials refers to sensitive authentication information disclosed in some way (for example, due to misconfigurations, data breaches, or simple human error), allowing other parties to gain access to digital resources. Credentials may include usernames, passwords, API keys, authentication tokens, or private keys. diff --git a/src/content/partials/fundamentals/cloudflare-security.mdx b/src/content/partials/fundamentals/cloudflare-security.mdx index 7892588ac12f9e..4953a86fc31c1f 100644 --- a/src/content/partials/fundamentals/cloudflare-security.mdx +++ b/src/content/partials/fundamentals/cloudflare-security.mdx @@ -1,10 +1,9 @@ --- {} - --- Beyond hiding your origin's IP address from potential attackers, Cloudflare also stops malicious traffic before it reaches your origin web server. -Cloudflare automatically mitigates security risks using our [WAF](/waf/about/) and [DDoS protection](/ddos-protection/). +Cloudflare automatically mitigates security risks using our [WAF](/waf/) and [DDoS protection](/ddos-protection/). For additional details on security, refer to our guide on how to [Secure your website](/learning-paths/application-security/). diff --git a/src/content/partials/version-management/product-limitations.mdx b/src/content/partials/version-management/product-limitations.mdx index b3f03ac931d16e..2c91147ea04f6d 100644 --- a/src/content/partials/version-management/product-limitations.mdx 
+++ b/src/content/partials/version-management/product-limitations.mdx @@ -1,118 +1,117 @@ --- {} - --- -import { Details } from "~/components" +import { Details } from "~/components"; Version Management does not currently support or have limited support for the following products or features: -
-* Some [API Shield](/api-shield/) configurations are not cloned when a new zone version is created.
-* Customers are allowed to opt-in to remove the UI block that prevents enabling Version Management.
-
+- Some [API Shield](/api-shield/) configurations are not cloned when a new zone version is created.
+- Customers are allowed to opt-in to remove the UI block that prevents enabling Version Management.
+
-* [Authenticated Origin Pull](/ssl/origin-configuration/authenticated-origin-pull/) does not work with Zone Versioning.
-* Accessing your domain from an allowlisted IP returns a Cloudflare 520 error.
-
+- [Authenticated Origin Pull](/ssl/origin-configuration/authenticated-origin-pull/) does not work with Zone Versioning.
+- Accessing your domain from an allowlisted IP returns a Cloudflare 520 error.
+
-* [Cache](/workers/runtime-apis/cache/) configurations are versioned, but cache keys are not.
-* Caching a new URL on staging would cache it for production as well.
-* Purging cache on staging would purge it on production too.
-* Promoting a new version to production would wipe all exiting cache.
-
+- [Cache](/workers/runtime-apis/cache/) configurations are versioned, but cache keys are not.
+- Caching a new URL on staging would cache it for production as well.
+- Purging cache on staging would purge it on production too.
+- Promoting a new version to production would wipe all exiting cache.
+
-* [Image Resizing](/images/) does not work with the `additional_cacheable_ports` [Cache Rule](/cache/how-to/cache-rules/) setting and Zone Versioning.
-* If you use `additional_cacheable_ports` with Image Resizing, the image will be resized every time it is requested and will result in low performance.
-
+- [Image Resizing](/images/) does not work with the `additional_cacheable_ports` [Cache Rule](/cache/how-to/cache-rules/) setting and Zone Versioning.
+- If you use `additional_cacheable_ports` with Image Resizing, the image will be resized every time it is requested and will result in low performance.
+
-* [Workers Cache API](/workers/runtime-apis/cache/) does not work with Version Management.
-* If you use the Workers Cache API with Zone Versioning, you might encounter unexpected caching behaviours.
-
+- [Workers Cache API](/workers/runtime-apis/cache/) does not work with Version Management.
+- If you use the Workers Cache API with Zone Versioning, you might encounter unexpected caching behaviours.
+
-* Regardless of the version deployed to production, traffic in China will always target the root zone.
-* Other incompatibility issues with Access and ICP licenses.
-
+- Regardless of the version deployed to production, traffic in China will always target the root zone.
+- Other incompatibility issues with Access and ICP licenses.
+
-* Zone Version Management does not currently expose a public [API](/api/).
-* Customers can only use Version Management through the [Cloudflare dashboard](https://dash.cloudflare.com/).
-
+- Zone Version Management does not currently expose a public [API](/api/).
+- Customers can only use Version Management through the [Cloudflare dashboard](https://dash.cloudflare.com/).
+
-* [Domain-scoped Roles](/fundamentals/setup/manage-members/roles/#domain-scoped-roles) apply only to your root zone.
-* Once a new version is created, these roles do not copy over and they lose access to versions.
-
+- [Domain-scoped Roles](/fundamentals/setup/manage-members/roles/#domain-scoped-roles) apply only to your root zone.
+- Once a new version is created, these roles do not copy over and they lose access to versions.
+
-* Changes made to [Image Transformations](/images/transform-images/#transform-images) are not cloned when a new zone version is created.
-
+- Changes made to [Image Transformations](/images/transform-images/#transform-images) are not cloned when a new zone version is created.
+
-* [Network Error Logging](/network-error-logging/) configurations are not cloned when a new version is created.
-
+- [Network Error Logging](/network-error-logging/) configurations are not cloned when a new version is created.
+
-* [Page Shield](/page-shield/) is not available for versioning and is only configurable under your Global Configuration. -
+- [Page Shield](/page-shield/) is not available for versioning and is only configurable under your Global Configuration. +
-* [Security Insights](/security-center/security-insights/) are not shown when Zone Versioning is enabled and the first version is deployed to production. -
+- [Security Insights](/security-center/security-insights/) are not shown when Zone Versioning is enabled and the first version is deployed to production. +
-* Zone Version Management does not currently support [Terraform](/terraform/). -* Customers should either use Terraform or Version Management. -
+- Zone Version Management does not currently support [Terraform](/terraform/). +- Customers should either use Terraform or Version Management. +
-* [WAF Attack Score](/waf/about/waf-attack-score/) configurations are not cloned when a new zone version is created. -
+- [WAF Attack Score](/waf/detections/attack-score/) configurations are not cloned when a new zone version is created. +
-* [Waiting Room](/waiting-room/) users active on the site may be placed back in the queue. -* Waiting Room users in the queue may lose their place in line. -* Traffic may exceed limits. -
+- [Waiting Room](/waiting-room/) users active on the site may be placed back in the queue. +- Waiting Room users in the queue may lose their place in line. +- Traffic may exceed limits. +
-* If a version has a Worker route, it might disappear when a Worker is deployed via [Wrangler](/workers/wrangler/). -* If two versions have the same custom domains, the Worker might randomly choose between them. +- If a version has a Worker route, it might disappear when a Worker is deployed via [Wrangler](/workers/wrangler/). +- If two versions have the same custom domains, the Worker might randomly choose between them. +
diff --git a/src/content/partials/waf/leaked-credentials-recommend-detection.mdx b/src/content/partials/waf/leaked-credentials-recommend-detection.mdx
new file mode 100644
index 00000000000000..5c70ec5bb26e88
--- /dev/null
+++ b/src/content/partials/waf/leaked-credentials-recommend-detection.mdx
@@ -0,0 +1,7 @@
+---
+{}
+---
+
+:::note[Recommendation: Use leaked credentials detection instead]
+Cloudflare recommends that you use [leaked credentials detection](/waf/detections/leaked-credentials/) instead of Cloudflare Exposed Credentials Check, which refers to a previous implementation.
+:::
diff --git a/src/content/partials/waf/waf-managed-rules-intro.mdx b/src/content/partials/waf/waf-managed-rules-intro.mdx
index 72d85027a855e7..35bcde0c0eb321 100644
--- a/src/content/partials/waf/waf-managed-rules-intro.mdx
+++ b/src/content/partials/waf/waf-managed-rules-intro.mdx
@@ -1,14 +1,13 @@
 ---
 {}
-
 ---
 WAF Managed Rules allow you to deploy pre-configured managed rulesets that provide immediate protection against:
-* Zero-day vulnerabilities
-* Top-10 attack techniques
-* Use of stolen/exposed credentials
-* Extraction of sensitive data
+- Zero-day vulnerabilities
+- Top-10 attack techniques
+- Use of stolen/leaked credentials
+- Extraction of sensitive data
 These managed rulesets are regularly updated. Each rule has a default action that varies according to the severity of the rule. You can adjust the behavior of specific rules, choosing from several possible actions.
diff --git a/src/content/plans/index.json b/src/content/plans/index.json
index b267bff7e5b62c..adcd16c4a43033 100644
--- a/src/content/plans/index.json
+++ b/src/content/plans/index.json
@@ -1622,7 +1622,63 @@
 }
 }
 },
- "waf_b_custom_rules": {
+ "waf_b_detections": {
+ "title": "WAF detections",
+ "link": "/waf/detections/",
+ "properties": {
+ "availability": {
+ "title": "Availability",
+ "summary": "Available on all plans",
+ "free": "Yes",
+ "pro": "Yes",
+ "biz": "Yes",
+ "ent": "Yes"
+ },
+ "b_malicious_uploads": {
+ "title": "Malicious uploads detection",
+ "summary": "Enterprise with add-on",
+ "link": "/waf/detections/malicious-uploads/",
+ "free": "No",
+ "pro": "No",
+ "biz": "No",
+ "ent": "Paid add-on"
+ },
+ "c_leaked_creds": {
+ "title": "Leaked credentials detection",
+ "link": "/waf/detections/leaked-credentials/",
+ "free": "Yes",
+ "pro": "Yes",
+ "biz": "Yes",
+ "ent": "Yes"
+ },
+ "d_leaked_creds_fields": {
+ "title": "Leaked credentials fields",
+ "link": "/waf/detections/leaked-credentials/",
+ "free": "Password Leaked",
+ "pro": "Password Leaked, User and Password Leaked",
+ "biz": "Password Leaked, User and Password Leaked",
+ "ent": "All leaked credentials fields"
+ },
+ "e_leaked_creds_locations": {
+ "title": "Number of custom detection locations",
+ "summary": "Enterprise-only",
+ "free": "0",
+ "pro": "0",
+ "biz": "0",
+ "ent": "10"
+ },
+ "f_attack_score": {
+ "title": "Attack score",
+ "summary": "Business and Enterprise plans",
+ "link": "/waf/detections/attack-score/",
+ "free": "No",
+ "pro": "No",
+ "biz": "One field only",
+ "ent": "Yes"
+ }
+ }
+ },
+ "waf_c_custom_rules": {
 "title": "WAF custom rules",
 "link": "/waf/custom-rules/",
 "properties": {
diff --git a/src/content/products/exposed-credentials.yaml b/src/content/products/exposed-credentials.yaml
deleted file mode 100644
index 5348d068e1b41b..00000000000000
--- a/src/content/products/exposed-credentials.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-name: Exposed credential checks
-
-product:
- title: Exposed credential checks
- group: Application security
- url: /waf/managed-rules/check-for-exposed-credentials/
- wrap: true
- grid_placeholder: true
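Review bot: `c_leaked_creds` and `d_leaked_creds_fields` are the only new entries under `properties` without a `summary` key, while `availability`, `b_malicious_uploads`, `e_leaked_creds_locations` and `f_attack_score` all carry one, so the sibling objects no longer share a single shape and any renderer that reads `summary` will treat those two rows differently. Adding `"summary": "Available on all plans",` to `c_leaked_creds` and a matching one-line summary to `d_leaked_creds_fields` keeps the entries uniform. The rename of `waf_b_custom_rules` to `waf_c_custom_rules` changes a key that may be referenced by name elsewhere in the site (for example as an anchor or lookup), which is worth a search before merging. The renamed `waf_c_custom_rules` object continues past the end of the hunk.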
diff --git a/src/content/products/leaked-credentials.yaml b/src/content/products/leaked-credentials.yaml
new file mode 100644
index 00000000000000..f5772c55877bfb
--- /dev/null
+++ b/src/content/products/leaked-credentials.yaml
@@ -0,0 +1,8 @@
+name: Leaked credentials checks
+
+product:
+ title: Leaked credentials checks
+ group: Application security
+ url: /waf/detections/leaked-credentials/
+ wrap: true
+ grid_placeholder: true
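Review bot: The new product entry is labelled `Leaked credentials checks` in both `name` and `title`, while the same commit calls the feature `Leaked credentials detection` in `src/content/plans/index.json` and `leaked credentials detection` in the recommendation partial, so the product grid label will not match the page it links to. Unless the grid deliberately keeps the "checks" wording carried over from the deleted `exposed-credentials.yaml`, `name: Leaked credentials detection` and `title: Leaked credentials detection` would keep the naming consistent across the commit.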