Egress | Fluid Attacks Help

Egress

This section describes the high-level architecture of the Egress connection used by Fluid Attacks to access your resources to be tested, as well as its minimum requirements and limitations. This connection relies on dedicated Cloudflare egress IPs.

High-level architecture

In this connection option, Fluid Attacks utilizes public egress IP addresses to access your resources. These IP addresses are static, i.e., they do not change, ensuring consistent and reliable access.

To allow Fluid Attacks to access the necessary resources within your network, you need to whitelist the egress IP addresses on your firewall. This enables secure communication between Fluid Attacks and your designated resources over the Internet.

Below is a diagram that shows at a high level how the Egress scheme works.


Understand Egress connection with Fluid AttacksEgress connection architecture diagram

Minimum requirements

  1. Grant firewall permissions to the Fluid Attacks' egress IPs so it can reach your resourceswithout being blocked. Below is the list of Egress that need to be whitelisted:

    IPv4:

    • 104.30.132.78
    • 104.30.134.27

    IPv6:

    • 2a09:bac0:1000:252::/64
    • 2a09:bac0:1001:1cb::/64

  2. Provide the necessary details for configuring the Egress connection by completing the connection form. Once submitted, the connection is set in less than 8 office hours.

Limiting access

While Fluid Attacks requires access to your resources via the provided egress IP addresses, it is crucial to maintain a secure environment. Implement the principle of least privilege by configuring your firewall rules to expose only the essential resources required for security testing. This minimizes potential security risks by limiting access to sensitive information and systems.

Service limitations

When using self-signed SSL certificates for your sites, HTTPS traffic going through them is not inspected, reducing the log detail that can be collected. This is because the Cloudflare network, on which the connection relies, requires certificates issued by trusted Certificate Authorities (CAs) for full validation and logging. Therefore, it is recommended to use SSL certificates signed by a valid CA so navigation logs are fully detailed.

Authentication

The authentication mechanisms available for this connection are as follows:

OAuth SSH HTTPS