http/miscellaneous/cloudflare-rocketloader-htmli.yaml

id: cloudflare-transform-via-url-injection

info:
  name: Cloudflare Transform via URL - Image Injection
  author: j3ssie
  severity: unknown
  description: |
    Transform via URL feature in Cloudflare allow attackers to show arbitrary images to the visitor of a crafted URL on the website. This can be used to perform various attacks such as phishing, defacement, etc.
  remediation: Disable Images → Transformations → “Resize from any origin” setting in Cloudflare console.
  reference:
    - https://developers.cloudflare.com/images/transform-images/transform-via-url/
  metadata:
    verified: true
    max-request: 1
  tags: misconfig,cloudflare,htmli,miscellaneous

http:
  - method: GET
    path:
      - "{{BaseURL}}/cdn-cgi/image/width=1000,format=auto/https://raw.githubusercontent.com/simple-icons/simple-icons/develop/icons/cloudflare.svg"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Cloudflare'
          - '<svg'
          - 'M16.5088 16.8447c.1475-.5068.0908-.9707-.1553-1.3154-.2246-.3164-.6045-.499-1.0615-.5205l-'
          - '1475.5068-.0918.9707.1543 1.3164.2256.3164.6055.498'
        condition: and

      - type: word
        part: header
        words:
          - 'image/svg+xml'

      - type: status
        status:
          - 200
# digest: 4b0a004830460221009bc9019d71061122e628e2915e32390ffab8f771e7d5ddae59cd5941e854b8c3022100b18f2b5339a224718752cdaad5f3df17bee147e2cea2a10299d57e7dda7d98a4:922c64590222798bb761d5b6d8e72950
Rename template id 2025-03-14 11:09:13 +01:00			`id: cloudflare-transform-via-url-injection`
[+] Added Cloudflare Rocket Loader HTML Injection (#9269) * [+] Added Cloudflare Rocket Loader HTML Injection * minor update * misc updates --------- Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-03-02 16:49:28 +08:00
			`info:`
Rename template to Cloudflare Transform via URL This template in fact does not detect Rocket Loader, but another Cloudflare feature, Transform via URL. 2025-03-14 10:58:59 +01:00			`name: Cloudflare Transform via URL - Image Injection`
[+] Added Cloudflare Rocket Loader HTML Injection (#9269) * [+] Added Cloudflare Rocket Loader HTML Injection * minor update * misc updates --------- Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-03-02 16:49:28 +08:00			`author: j3ssie`
Update and rename cloudflare-rocketloader-htmli.yaml to cloudflare-rocketloader-htmli.yaml 2024-05-07 17:39:44 +05:30			`severity: unknown`
[+] Added Cloudflare Rocket Loader HTML Injection (#9269) * [+] Added Cloudflare Rocket Loader HTML Injection * minor update * misc updates --------- Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-03-02 16:49:28 +08:00			`description: \|`
Rename template to Cloudflare Transform via URL This template in fact does not detect Rocket Loader, but another Cloudflare feature, Transform via URL. 2025-03-14 10:58:59 +01:00			`Transform via URL feature in Cloudflare allow attackers to show arbitrary images to the visitor of a crafted URL on the website. This can be used to perform various attacks such as phishing, defacement, etc.`
			`remediation: Disable Images → Transformations → “Resize from any origin” setting in Cloudflare console.`
[+] Added Cloudflare Rocket Loader HTML Injection (#9269) * [+] Added Cloudflare Rocket Loader HTML Injection * minor update * misc updates --------- Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-03-02 16:49:28 +08:00			`reference:`
Rename template to Cloudflare Transform via URL This template in fact does not detect Rocket Loader, but another Cloudflare feature, Transform via URL. 2025-03-14 10:58:59 +01:00			`- https://developers.cloudflare.com/images/transform-images/transform-via-url/`
[+] Added Cloudflare Rocket Loader HTML Injection (#9269) * [+] Added Cloudflare Rocket Loader HTML Injection * minor update * misc updates --------- Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-03-02 16:49:28 +08:00			`metadata:`
			`verified: true`
TemplateMan Update [Sat Mar 23 09:28:19 UTC 2024] :robot: 2024-03-23 09:28:19 +00:00			`max-request: 1`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`tags: misconfig,cloudflare,htmli,miscellaneous`
[+] Added Cloudflare Rocket Loader HTML Injection (#9269) * [+] Added Cloudflare Rocket Loader HTML Injection * minor update * misc updates --------- Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com> 2024-03-02 16:49:28 +08:00
			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/cdn-cgi/image/width=1000,format=auto/https://raw.githubusercontent.com/simple-icons/simple-icons/develop/icons/cloudflare.svg"`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- 'Cloudflare'`
			`- '<svg'`
			`- 'M16.5088 16.8447c.1475-.5068.0908-.9707-.1553-1.3154-.2246-.3164-.6045-.499-1.0615-.5205l-'`
			`- '1475.5068-.0918.9707.1543 1.3164.2256.3164.6055.498'`
			`condition: and`

			`- type: word`
			`part: header`
			`words:`
			`- 'image/svg+xml'`

			`- type: status`
			`status:`
			`- 200`
chore: sign templates 🤖 2025-03-17 08:33:35 +00:00			`# digest: 4b0a004830460221009bc9019d71061122e628e2915e32390ffab8f771e7d5ddae59cd5941e854b8c3022100b18f2b5339a224718752cdaad5f3df17bee147e2cea2a10299d57e7dda7d98a4:922c64590222798bb761d5b6d8e72950`