HACKER Q&A
📣 zikduruqe

Does Cloudflare block HN comments if you have code blocks in a reply?


I was going to make a comment about using netcat to send files, and Cloudflare blocks the submission. I have never seen this happen to me on HN.

https://imgur.com/a/Pyhcssl

Has anyone run into this before?


  👤 jrockway Accepted Answer ✓
This line works:

   nc -l -p 1234 -q 1 > testfile.txt < /dev/null
The other one doesn't.

   alias foobar=nc
   cat testfile.txt | foobar 192.168.2.100 1234
I was hoping that it was a "useless use of cat" filter, but nope. It just doesn't like the bytes nc next to an IPv4 address.

This is also fine, but blocked if you change the slash to a dot:

   nc 192/168.2.100 1234
This works too:

   nc \
   192.168.2.100 1234
OK, that's all for now. Can you believe people pay money for "web application firewalls"?

👤 buro9
Probably, the WAF, specifically Cloudflare specials, matches a number of things. And as a lot of it is just regex matching, the context of where the match occurs isn't precise.

Additionally Cloudflare doesn't know what is safe for a given site, so it has to be a little conservative. The sites that can handle malicious input, or are tech sites that expect things like SQL or commands that may contain directory traversal, are in the minority.

Essentially these are false positives, which are typically viewed as more acceptable than false negatives as those would allow attacks through.

These things are configurable by the site owners, but the issue here is that the site owners are not shown the code of the rules, so have to guess from the names and descriptions whether something is safe to disable, meaning everyone just leaves everything enabled. Usually reporting this to a site owner with the cloudflare trace id is sufficient to enable the site owner to disable a rule that is causing false positives, as the site owner can use the cloudflare dashboard to search the trace id.

I do not work there any longer (left 3 years ago), but did write significant parts of the firewall and also manage the firewall, WAF, and DDoS protection teams.


👤 bhaney
Any code including netcat (for its tendency to be used in reverse shells) or SQL (for its tendency to be used in SQL injections) tends to be blocked across the entire cloudflare-net these days.

👤 usr1106
So HN uses Cloudflare? That surprises me because typically I notice sites using Cloudflare because my mobile running GNU/Linux cannot pass their dreaded Turnstile. Luckily that does not happen for HN.

👤 kxrm
Apparently you can get around it using other white-space characters, here I am using a horizontal tab between nc and the IP.

    nc 192.168.1.100 8000

👤 deno
Cloudflare is just dumb, they block XHR requests randomly in the same session they’ve already challenged breaking websites in not quite obvious ways and have been doing that for as long as I can remember. Trying to do anything on for example Montana's SOS BIZ portal takes a lot of patience. They’re like TSA of the Internet but at least with TSA you can pay for a fast pass.

👤 nneonneo
I ran into this when trying to post a comment with

  ../ ../ ../ etc/ passwd

(remove the spaces)
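To make the behaviour jrockway, kxrm and nneonneo describe concrete, here is an added example (not code from the thread and not Cloudflare's rules, which are unpublished): two hypothetical regex signatures in the shape a WAF might use, probed with the exact strings the thread reports as blocked or allowed. A second pass canonicalises the text the way a shell lexer would (joining backslash-newline continuations, collapsing tabs and runs of spaces) to show which evasions are merely lexical and which, like the alias or the `/` in the address, a byte-matching rule can never see.

```python
"""Model a regex-only WAF rule and probe it with the variants from the thread."""
import re

# Hypothetical signatures (assumption: written to mimic the observed behaviour;
# Cloudflare's real rules are not published).
RULES = {
    # "nc", ordinary spaces, then a dotted-quad: the shape the thread sees blocked.
    "nc_ipv4": re.compile(r"\bnc +\d{1,3}(?:\.\d{1,3}){3}\b"),
    # Classic directory-traversal shape, as in nneonneo's comment.
    "traversal": re.compile(r"(?:\.\./){2,}etc/passwd"),
}


def naive_hits(text):
    """Names of rules whose regex matches the raw request body, no preprocessing."""
    return [name for name, rx in RULES.items() if rx.search(text)]


def normalize(text):
    """Cheap shell-aware canonicalisation: join backslash-newline continuations
    and collapse runs of spaces/tabs, so lexically equivalent commands look alike."""
    text = re.sub(r"\\\n", " ", text)    # 'nc \<newline>192...' -> 'nc  192...'
    text = re.sub(r"[ \t]+", " ", text)  # tabs and repeated spaces -> one space
    return text


def normalized_hits(text):
    """Rule names that match after canonicalisation."""
    return naive_hits(normalize(text))


# Constructed probes, copied from what the thread reports as blocked or allowed.
PROBES = {
    "plain":      "cat testfile.txt | nc 192.168.2.100 1234",
    "alias":      "alias foobar=nc\ncat testfile.txt | foobar 192.168.2.100 1234",
    "slash":      "nc 192/168.2.100 1234",
    "continued":  "nc \\\n192.168.2.100 1234",
    "tab":        "nc\t192.168.1.100 8000",
    "asterisk":   "nc* 192.168.2.100",
    "listener":   "nc -l -p 1234 -q 1 > testfile.txt < /dev/null",
    "traversal":  "../../../etc/passwd",
    "spaced_trv": "../ ../ ../ etc/ passwd",
}


def report():
    """Map probe name -> (rules hit on raw text, rules hit after normalisation)."""
    return {k: (naive_hits(v), normalized_hits(v)) for k, v in PROBES.items()}


if __name__ == "__main__":
    for name, (raw, norm) in report().items():
        print(f"{name:11} raw={raw} normalized={norm}")
```

The tab and backslash-newline variants fall to normalisation because they are the same token stream to a shell; the alias, the `nc*` typo and `192/168.2.100` do not, because the regex has no model of what the bytes mean, which is exactly why a rule like this produces both the false positives in the thread and trivial evasions.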

👤 gus_massa
To get a fast answer, it's better to send an email to the mods at hn@ycombinator.com

👤 1vuio0pswjnm7
"If you're seeing this message, that means JavaScript has been disabled on your browser, please enable JS to make Imgur work."

Well, it's a client that has no Javascript engine.

There is no need to use Javascript. This works for me just fine:

https://i.imgur.com/YtepoDbh.jpg


👤 ForestCritter
Cloudflare blocked me from signing in to my petflow account to buy cat food. It was in an endless verification loop. A while back it did the same with my paid crunchyroll subscription. I don't code, I have a very ordinary setup with a well known browser. Apparently Cloudflare now owns our access to the internet and can block whom it pleases, when it pleases, no recourse. The internet is soon to be available only to those who fit Cloudflare's criteria, whatever that may be, as long as companies keep buying into the third party control.

👤 kevincox
I'm sure that there is a huge chart on their Cloudflare dashboard about how many attacks were blocked! This is one thing that gets me: all of the reporting Cloudflare provides treats every block as a huge success. Nothing to help identify actual attacks vs false positives, let alone false positives that would actually have had a negative effect on the application behind the WAF.

👤 furyofantares
Huh. Just tried submitting the same comment with the same result.

Minimal test, if I try to edit this post removing the asterisk, I get the "banned" page

  nc* 192.168.2.100

👤 Jamie9912
I don't remember HN being on Cloudflare. Have they recently added it?

👤 hyperhello
What if you Base64 encode this? Pretty trivial to add to the form logic.

👤 Am4TIfIsER0ppos
How can Cloudflare be reading anything you send? Your connection is encrypted to HN's server, is it not? They don't MITM everyone's connection.

👤 kaimac
Cloudflare has access to everyone's cleartext? I was unaware of this. NSA must love that

👤 cwillu
For reference, the id in the block message is “Cloudflare Ray ID: 845543eb88d461ee”

👤 neilv
Probably not related, but I've been getting lots of throttling-like huge page load delays on HN the last couple days, only when logged in.

Any idea whether that's just an overloaded application server, or something Cloudflare is doing?


👤 sixhobbits
Test

`nc 192.168.2.100`


👤 ifeja
nc domain.com

👤 6865
aoeaoe