在 Hacker News 首頁上看到「How to bypass Cloudflare bot protection (jychp.medium.com)」這則,裡面的文章是「How to bypass CloudFlare bot protection ?」這篇,利用 Cloudflare Workers 繞過 Cloudflare 自家的 CAPTCHA 機制。
這個漏洞有先被送給 Cloudflare,但被認為不是問題,所以作者就決定公開:
Several months ago I submitted what appeared to be a security flaw to CloudFalre’s bugbounty program. According to them, this is not a problem, it’s up to you to make up your own mind.
技術上就是透過 Cloudflare Workers 當作 proxy server,只是看起來 Cloudflare 對自家 IP 有特別處理,在設定妥當後,用 Cloudflare Workers 的 IP address 去連 Cloudflare 的站台,幾乎不會觸發 Cloudflare 的阻擋機制。
不過 free tier 還是有限制,主要就是數量:
The first 100,000 requests each day are free and paid plans start at just $5/10 million requests, making Workers as much as ten-times less expensive than other serverless platforms.
作者也有提到這點:
So let’s enjoy the 100 000 request/day for your free Cloudflare account and go scrape the world !
但這是個有趣的方法,加上信用卡盜刷之類的方式,這整包看起來就很有威力...