Security controls bypass or absence - Cloudflare - Scala

Security controls bypass or absence - Cloudflare - Scala

Need

Implementation of proper security controls and measures to prevent bypassing of Cloudflare

Context

  • Usage of Scala for building scalable and high-performance applications
  • Usage of play.api.mvc for handling HTTP requests and responses in Play Framework
  • Usage of play.api.libs.ws for making HTTP requests in a Play Framework application

Description

Non compliant code

        import play.api.mvc._
import play.api.libs.ws._

class HomeController @Inject()(ws: WSClient) extends Controller {
  def index = Action.async { request =>
    ws.url("http://server-ip-address").get().map { response =>
      Ok(response.body)
    }
  }
}
        
        

The above Scala code is a simple Play Framework controller that makes a GET request to a server using its direct IP address.

The HomeController class has one action index that makes an asynchronous GET request to a server with the URL "http://server-ip-address". This URL is the direct IP address of the server, bypassing any security controls put in place by Cloudflare.

When a client sends a request to this index action, the server directly communicates with the IP address, circumventing Cloudflare's security measures. This could potentially expose the server to a variety of security threats, including DDoS attacks, SQL injection, and more.

The vulnerability lies in the fact that the server's IP address is directly exposed and used for communication, bypassing the Cloudflare. This could potentially allow an attacker to attack the server directly.

Steps

  • Implement proper security controls to prevent direct access to the server IP.
  • Configure Cloudflare to handle all incoming requests and act as a reverse proxy.
  • Ensure that the application only communicates with the server through Cloudflare.
  • Update the code to use the domain name instead of the server IP address.

Compliant code

        import play.api.mvc._
import play.api.libs.ws._

class HomeController @Inject()(ws: WSClient) extends Controller {
  def index = Action.async { request =>
    ws.url("http://your-domain-name").get().map { response =>
      Ok(response.body)
    }
  }
}
        
        

The original code was vulnerable because it was making requests directly to the server's IP address. This could allow an attacker to bypass Cloudflare's security controls and directly access the server.

The updated code now makes requests to the domain name instead of the server's IP address. This ensures that all requests go through Cloudflare, which acts as a reverse proxy. Cloudflare will handle all incoming requests and provide additional security controls, such as DDoS protection and Web Application Firewall (WAF).

By using the domain name, we ensure that the application only communicates with the server through Cloudflare. This prevents direct access to the server's IP address and mitigates the risk of bypassing Cloudflare's security controls.

Remember to replace "http://your-domain-name" with your actual domain name that is protected by Cloudflare.

References