0009131: Cloudflare Bypass - Kali Linux Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0009131	Kali Linux	Kali Websites & Docs	public	2025-04-10 02:48	2025-04-16 12:56

Reporter	telnetk	Assigned To	g0tmi1k
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	closed	Resolution	no change required

Summary	0009131: Cloudflare Bypass
Description	Executive Summary This report describes a vulnerability in the Kali Linux website that allows bypassing the protections of the Web Application Firewall (WAF) by adding the public IP directly in the local hosts file. This enables users to redirect traffic to a specific IP, bypassing the security restrictions implemented by the WAF. An example of this is redirecting traffic to the IP 35.185.44.232 when trying to access https://www.kali.org/. Problem Description The Kali Linux website is protected by a Web Application Firewall (WAF) designed to detect and block malicious requests. However, the WAF can be bypassed by locally modifying the hosts file. By adding Kali Linux's public IP directly in the hosts table, an attacker can redirect traffic to a specific IP, avoiding the WAF intervention and gaining access without the proper protections. Reproduction of the Problem Access a machine with Kali Linux or any system that allows modification of the hosts file. Edit the /etc/hosts file and add the following entry: 35.185.44.232 www.kali.org Save the changes and attempt to access https://www.kali.org/. The connection will be redirected to the public IP 35.185.44.232, bypassing the WAF protections and potentially redirecting traffic to a server without the security measures of the original website.
Attached Files	Captura desde 2025-04-09 22-47-07.png (360,649 bytes)

kali-bugreport 2025-04-12 17:10 reporter ~0020484	Is this really a serious report?

telnetk 2025-04-12 18:16 reporter ~0020485	Sure, but you can take it however you like.

kali-bugreport 2025-04-13 08:16 reporter ~0020486 Last edited: 2025-04-13 12:38	Asking because if you are modifying something on your client like described you are just accessing a different system which is accessible anyway (in this case a public GitLab pages system: https://about.gitlab.com/blog/gitlab-pages-update/) and there is no bypass involved. What is getting reported here seems to make no sense but let's see if someone from the Kali team says something.

telnetk 2025-04-13 13:07 reporter ~0020487	Hi, let me explain again: When you ping the kali.org website, it responds from Cloudflare, because they currently have WAF protection. So, when anyone accesses it or tries to launch OWASP, XSS, SQLI, etc. attacks, it's stopped by Cloudflare...right? So, how come the instance in Google Cloud or the Ingress they have running doesn't have access rules from Cloudflare specifically, but rather they only have the proxy On, nothing else...but they don't have an ACL network policy that only allows traffic from Cloudflare. This means that by setting the proxy On, you should expect only traffic from Cloudflare to arrive, not directly to the public IP. The local modification I make to my host table...is logical...because what I'm trying to do isn't solve the problem with Cloudflare, it's to reach their public IP directly without this protection. Do you follow me?

telnetk 2025-04-13 13:12 reporter ~0020488	Now reading the Gitlab Pages documentation... I understand, so using Cloudflare for PCs doesn't make sense... it's a bad implementation.

telnetk 2025-04-13 13:14 reporter ~0020489	Thanks for your reply. To clarify, the behavior I'm reporting is that I'm able to access the same backend resource (which should be behind Cloudflare protections) without triggering any WAF/firewall controls, by directly reaching the origin or an alternate CDN endpoint. If GitLab Pages is expected to be accessible regardless of the Cloudflare layer, then I understand this might be intended behavior. Just wanted to flag it in case the exposure is not expected.

g0tmi1k 2025-04-16 12:56 administrator ~0020499	Thanks for the report. Theres two differnet things at play here, kali.org & www.kali.org. www.kali.org is a GitLab SaaS page - which as a result is completely static site (uses Hugo) kali.org just redirect EVERYTHING to www.kali.org (not hosted on GitLab SaaS). www.kali.org is just a 'shorten/pretty' URL to the kalilinux.gitlab.io domain. kalilinux.gitlab.io has to be public, otherwise kali.org will not work for the public (other than staff, logged into GitLab). In short, this is by design =).

Date Modified	Username	Field	Change
2025-04-10 02:48	telnetk	New Issue
2025-04-10 02:48	telnetk	File Added: Captura desde 2025-04-09 22-47-07.png
2025-04-12 17:10	kali-bugreport	Note Added: 0020484
2025-04-12 18:16	telnetk	Note Added: 0020485
2025-04-13 08:16	kali-bugreport	Note Added: 0020486
2025-04-13 11:03	kali-bugreport	Note Edited: 0020486
2025-04-13 12:32	kali-bugreport	Note Edited: 0020486
2025-04-13 12:38	kali-bugreport	Note Edited: 0020486
2025-04-13 13:07	telnetk	Note Added: 0020487
2025-04-13 13:12	telnetk	Note Added: 0020488
2025-04-13 13:14	telnetk	Note Added: 0020489
2025-04-16 12:56	g0tmi1k	Note Added: 0020499
2025-04-16 12:56	g0tmi1k	Assigned To	=> g0tmi1k
2025-04-16 12:56	g0tmi1k	Status	new => closed
2025-04-16 12:56	g0tmi1k	Resolution	open => no change required