From d4ed918cec4f43bab392be415b4cb94feffe4f13 Mon Sep 17 00:00:00 2001 From: Angela Costa Date: Mon, 18 Nov 2024 14:54:23 +0000 Subject: [PATCH 1/5] Adds a new page about scans and penetration testing policy --- .../reference/scans-penetration.mdx | 45 +++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 src/content/docs/fundamentals/reference/scans-penetration.mdx diff --git a/src/content/docs/fundamentals/reference/scans-penetration.mdx b/src/content/docs/fundamentals/reference/scans-penetration.mdx new file mode 100644 index 000000000000000..ceb93ecd4f405e1 --- /dev/null +++ b/src/content/docs/fundamentals/reference/scans-penetration.mdx 
@@ -0,0 +1,45 @@ +--- +pcx_content_type: reference +title: Scans and penetration testing policy + +--- + +Customers may conduct scans and penetration tests (with certain restrictions) on application- and network-layer aspects of their own assets, such as their [zones](/fundamentals/setup/accounts-and-zones/#zones) within their Cloudflare accounts, provided they adhere to Cloudflare's policy. + +- **Permitted targets** - all scans or testing must be limited to the following: + + - Customer-owned IPs, + - Cloudflare's designated public IPs, or + - The customer's registered DNS entries. + +Targets like `*.cloudflare.com` or other Cloudflare-owned destinations are only allowed as part of Cloudflare's Public Bug Bounty program. Refer to the [Additional Resources](fundamentals/reference/scans-penetration/#additional-resources) section for more information. + +### Scanning + +- **Throttling**: Scans should be throttled to a reasonable rate to prevent disruptions and ensures stable system performance. + +- **Scope and intent**: Scans should identify the presence of vulnerabilities without attempting to actively exploit any detected weaknesses. + +- **Exclusions**: It is recommended to exclude [`/cdn-cgi/` endpoints](/fundamentals/reference/cdn-cgi-endpoint/) from scans to avoid false positives or irrelevant results. + +- **Compliance checks**: Customers may conduct [PCI compliance scans](/fundamentals/basic-tasks/pci-scans/) or verify that [known vulnerabilities](/ssl/reference/compliance-and-vulnerabilities/#known-vulnerabilities-mitigations) have been addressed. + +### Penetration testing + +- **Network behavior**: + - Cloudflare's [Anycast network](/fundamentals/concepts/how-cloudflare-works/) will report ports other than 80 and 443 as open due to its shared infrastructure and the nature of Cloudflare's proxy. This is expected behavior and does not indicate a vulnerability. 
+ - Tools like Netcat may list [non-standard HTTP ports](/fundamentals/reference/network-ports/) as open; however, these ports are open solely for Cloudflare's routing purposes and do not necessarily indicate that a connection can be established with the customer's origin over those ports. + +- **Known false positives**: Any findings related to the [ROBOT vulnerability](/ssl/reference/compliance-and-vulnerabilities/#return-of-bleichenbachers-oracle-threat-robot) are false positives when the customer's assets are behind Cloudflare. + +- **Customer security review**: During penetration testing, customers should be aware of the Cloudflare security and performance features, configurations, and rules active on their account or zone. After completing the test, it is recommended that customers review their security posture and make any necessary adjustments based on the findings. + +Customers can download the latest Penetration Test Report of Cloudflare via the [Dashboard](/fundamentals/reference/policies-compliances/compliance-docs/). + +### Denial-of-Service (DoS) Testing + +For guidelines on required notification and necessary information, refer to Cloudflare's documentation [Simulating DDoS Attacks](/ddos-protection/reference/simulate-ddos-attack). Customers should also familiarize themselves with Cloudflare's [DDoS protection best practices](/ddos-protection/best-practices/). + +### Additional Resources + +For information about Cloudflare's Public Bug Bounty program, visit [HackerOne](https://hackerone.com/cloudflare). From 907408c7484daeca29e7dfb1ea45faefc52d4363 Mon Sep 17 00:00:00 2001 
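Review bot: In the new-file hunk of PATCH 1/5, the `Permitted targets` bullet allows "Cloudflare's designated public IPs" without saying designated for what, and the paragraph right after it restricts Cloudflare-owned destinations to the bug bounty program, so the two read as contradictory; narrow the bullet to the Cloudflare IPs assigned to the customer's own proxied hostnames, for example "the Cloudflare IPs that resolve for the customer's proxied DNS records". Two smaller points in the same hunk: the body jumps from the page title straight to `### Scanning` with no `##` level, so the heading hierarchy skips a level, and the `Exclusions` bullet says to exclude `/cdn-cgi/` "to avoid false positives or irrelevant results" without giving the reason, so a short clause that those endpoints are served by Cloudflare rather than by the origin (as the linked page explains) would let a tester decide whether the exclusion applies to their engagement.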
From: angelampcosta <92738954+angelampcosta@users.noreply.github.com> Date: Mon, 18 Nov 2024 14:58:00 +0000 Subject: [PATCH 2/5] Update src/content/docs/fundamentals/reference/scans-penetration.mdx Co-authored-by: hyperlint-ai[bot] <154288675+hyperlint-ai[bot]@users.noreply.github.com> --- src/content/docs/fundamentals/reference/scans-penetration.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/fundamentals/reference/scans-penetration.mdx b/src/content/docs/fundamentals/reference/scans-penetration.mdx index ceb93ecd4f405e1..6fbc37d222ec677 100644 --- a/src/content/docs/fundamentals/reference/scans-penetration.mdx +++ b/src/content/docs/fundamentals/reference/scans-penetration.mdx @@ -27,7 +27,7 @@ Targets like `*.cloudflare.com` or other Cloudflare-owned destinations are only ### Penetration testing - **Network behavior**: - - Cloudflare's [Anycast network](/fundamentals/concepts/how-cloudflare-works/) will report ports other than 80 and 443 as open due to its shared infrastructure and the nature of Cloudflare's proxy. This is expected behavior and does not indicate a vulnerability. + - Cloudflare's [anycast network](/fundamentals/concepts/how-cloudflare-works/) will report ports other than 80 and 443 as open due to its shared infrastructure and the nature of Cloudflare's proxy. This is expected behavior and does not indicate a vulnerability. - Tools like Netcat may list [non-standard HTTP ports](/fundamentals/reference/network-ports/) as open; however, these ports are open solely for Cloudflare's routing purposes and do not necessarily indicate that a connection can be established with the customer's origin over those ports. - **Known false positives**: Any findings related to the [ROBOT vulnerability](/ssl/reference/compliance-and-vulnerabilities/#return-of-bleichenbachers-oracle-threat-robot) are false positives when the customer's assets are behind Cloudflare. 
From 5003187450d0f67452037a796af92b6593485bc7 Mon Sep 17 00:00:00 2001 From: Angela Costa Date: Mon, 18 Nov 2024 15:57:05 +0000 Subject: [PATCH 3/5] Corrects broken link --- src/content/docs/fundamentals/reference/scans-penetration.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/fundamentals/reference/scans-penetration.mdx b/src/content/docs/fundamentals/reference/scans-penetration.mdx index 6fbc37d222ec677..80b90bf293c6317 100644 --- a/src/content/docs/fundamentals/reference/scans-penetration.mdx +++ b/src/content/docs/fundamentals/reference/scans-penetration.mdx @@ -12,7 +12,7 @@ Customers may conduct scans and penetration tests (with certain restrictions) on - Cloudflare's designated public IPs, or - The customer's registered DNS entries. -Targets like `*.cloudflare.com` or other Cloudflare-owned destinations are only allowed as part of Cloudflare's Public Bug Bounty program. Refer to the [Additional Resources](fundamentals/reference/scans-penetration/#additional-resources) section for more information. +Targets like `*.cloudflare.com` or other Cloudflare-owned destinations are only allowed as part of Cloudflare's Public Bug Bounty program. Refer to the [Additional Resources](#additional-resources) section for more information. ### Scanning From 3aa9a730dab2dbc181ceab8926f8157e710a312a Mon Sep 17 00:00:00 2001 From: Angela Costa Date: Tue, 19 Nov 2024 09:30:57 +0000 Subject: [PATCH 4/5] Fix extra space --- src/content/docs/fundamentals/reference/scans-penetration.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/fundamentals/reference/scans-penetration.mdx b/src/content/docs/fundamentals/reference/scans-penetration.mdx index 80b90bf293c6317..005b486bb06fa77 100644 --- a/src/content/docs/fundamentals/reference/scans-penetration.mdx +++ b/src/content/docs/fundamentals/reference/scans-penetration.mdx 
@@ -28,7 +28,7 @@ Targets like `*.cloudflare.com` or other Cloudflare-owned destinations are only - **Network behavior**: - Cloudflare's [anycast network](/fundamentals/concepts/how-cloudflare-works/) will report ports other than 80 and 443 as open due to its shared infrastructure and the nature of Cloudflare's proxy. This is expected behavior and does not indicate a vulnerability. - - Tools like Netcat may list [non-standard HTTP ports](/fundamentals/reference/network-ports/) as open; however, these ports are open solely for Cloudflare's routing purposes and do not necessarily indicate that a connection can be established with the customer's origin over those ports. + - Tools like Netcat may list [non-standard HTTP ports](/fundamentals/reference/network-ports/) as open; however, these ports are open solely for Cloudflare's routing purposes and do not necessarily indicate that a connection can be established with the customer's origin over those ports. - **Known false positives**: Any findings related to the [ROBOT vulnerability](/ssl/reference/compliance-and-vulnerabilities/#return-of-bleichenbachers-oracle-threat-robot) are false positives when the customer's assets are behind Cloudflare. From 929b07d8d37bcedde0567d4fd552a953998e95e0 Mon Sep 17 00:00:00 2001 From: angelampcosta <92738954+angelampcosta@users.noreply.github.com> Date: Tue, 19 Nov 2024 10:04:46 +0000 Subject: [PATCH 5/5] Apply suggestions from code review Co-authored-by: marciocloudflare <83226960+marciocloudflare@users.noreply.github.com> --- .../fundamentals/reference/scans-penetration.mdx | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/src/content/docs/fundamentals/reference/scans-penetration.mdx b/src/content/docs/fundamentals/reference/scans-penetration.mdx index 005b486bb06fa77..1c86fd9b7249a75 100644 --- a/src/content/docs/fundamentals/reference/scans-penetration.mdx +++ b/src/content/docs/fundamentals/reference/scans-penetration.mdx 
@@ -4,7 +4,7 @@ title: Scans and penetration testing policy --- -Customers may conduct scans and penetration tests (with certain restrictions) on application- and network-layer aspects of their own assets, such as their [zones](/fundamentals/setup/accounts-and-zones/#zones) within their Cloudflare accounts, provided they adhere to Cloudflare's policy. +Customers may conduct scans and penetration tests (with certain restrictions) on application and network-layer aspects of their own assets, such as their [zones](/fundamentals/setup/accounts-and-zones/#zones) within their Cloudflare accounts, provided they adhere to Cloudflare's policy. - **Permitted targets** - all scans or testing must be limited to the following: 
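Review bot: The hunk at `@@ -4,7 +4,7 @@` drops the suspended hyphen, but "application- and network-layer aspects" was the correct form: it coordinates "application-layer" and "network-layer", whereas the new "application and network-layer aspects" reads as "application aspects" plus "network-layer aspects". Keep the original, or spell it out as "application-layer and network-layer aspects" if the suspended hyphen is what the review flagged.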
@@ -16,27 +16,22 @@ Targets like `*.cloudflare.com` or other Cloudflare-owned destinations are only ### Scanning -- **Throttling**: Scans should be throttled to a reasonable rate to prevent disruptions and ensures stable system performance. - +- **Throttling**: Scans should be throttled to a reasonable rate to prevent disruptions and ensure stable system performance. - **Scope and intent**: Scans should identify the presence of vulnerabilities without attempting to actively exploit any detected weaknesses. - - **Exclusions**: It is recommended to exclude [`/cdn-cgi/` endpoints](/fundamentals/reference/cdn-cgi-endpoint/) from scans to avoid false positives or irrelevant results. - - **Compliance checks**: Customers may conduct [PCI compliance scans](/fundamentals/basic-tasks/pci-scans/) or verify that [known vulnerabilities](/ssl/reference/compliance-and-vulnerabilities/#known-vulnerabilities-mitigations) have been addressed. ### Penetration testing - **Network behavior**: - - Cloudflare's [anycast network](/fundamentals/concepts/how-cloudflare-works/) will report ports other than 80 and 443 as open due to its shared infrastructure and the nature of Cloudflare's proxy. This is expected behavior and does not indicate a vulnerability. + - Cloudflare's [anycast network](/fundamentals/concepts/how-cloudflare-works/) will report ports other than `80` and `443` as open due to its shared infrastructure and the nature of Cloudflare's proxy. This is expected behavior and does not indicate a vulnerability. - Tools like Netcat may list [non-standard HTTP ports](/fundamentals/reference/network-ports/) as open; however, these ports are open solely for Cloudflare's routing purposes and do not necessarily indicate that a connection can be established with the customer's origin over those ports. 
- - **Known false positives**: Any findings related to the [ROBOT vulnerability](/ssl/reference/compliance-and-vulnerabilities/#return-of-bleichenbachers-oracle-threat-robot) are false positives when the customer's assets are behind Cloudflare. - - **Customer security review**: During penetration testing, customers should be aware of the Cloudflare security and performance features, configurations, and rules active on their account or zone. After completing the test, it is recommended that customers review their security posture and make any necessary adjustments based on the findings. Customers can download the latest Penetration Test Report of Cloudflare via the [Dashboard](/fundamentals/reference/policies-compliances/compliance-docs/). -### Denial-of-Service (DoS) Testing +### Denial-of-Service (DoS) testing For guidelines on required notification and necessary information, refer to Cloudflare's documentation [Simulating DDoS Attacks](/ddos-protection/reference/simulate-ddos-attack). Customers should also familiarize themselves with Cloudflare's [DDoS protection best practices](/ddos-protection/best-practices/).
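Review bot: In the hunk at `@@ -16,27 +16,22 @@`, the kept `Network behavior` context line still attributes the open-port findings to "Tools like Netcat", which is an odd example since a port scanner such as Nmap is what most testers will run; either name Nmap alongside Netcat or say "port scanners" generically so that readers do not treat Nmap output as a different case. The same pair of bullets is also inconsistent about which ports appear open: the first says "ports other than `80` and `443`", which suggests arbitrary ports, while the second links the specific [non-standard HTTP ports](/fundamentals/reference/network-ports/) list, so moving that link into the first bullet would state up front that only the documented ports answer. Two smaller points: the sentence-case change to `### Denial-of-Service (DoS) testing` should also be applied to `### Additional Resources`, which sits just outside this hunk, and "the latest Penetration Test Report of Cloudflare" reads more naturally as "Cloudflare's latest penetration test report".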