How to Bypass CloudFlare’s Bot Protection Mechanism

A few months ago, I submitted what looked like a bug to CloudFlare’s bug bounty program. But according to them, my submission was not considered a security issue and they said they were “ignoring” me!

CloudFlare provides a JavaScript Worker system that helps developers execute code on the CloudFlare server side. This feature is very common for static sites and maintenance pages, and is a great “treasure” for penetration testers (serverless C&C, simple phishing proxies, etc.). In this article, we will discuss with you how to bypass CloudFlare’s bot protection mechanism.

Go straight

If you’ve ever tried using Tor to access a site like, you know how annoying captchas can be!

First, we need to register a domain name, say free. tk domain name is enough, then use it to create a CloudFlare account. After CloudFlare has verified the validity of the domain name, we also need to add at least one valid DNS record and enable proxy mode.

  How to Bypass CloudFlare’s Bot Protection Mechanism

Next, we need to create a JavaScript Worker to act as a direction proxy (full code is available on GitHub: Create a new worker, and then copy/paste the contents of worker.js into it. You can customize the values ​​of TOKEN_HEADER, TOKEN_VALUE, HOST_HEADER and IP_HEADER.

Then add the path to your Worker:*.

  How to Bypass CloudFlare’s Bot Protection Mechanism

Now, if you try to access, you will receive “Welcome to NGINX.”. The JavaScript code here is actually quite understandable, it will look for a specific header and then forward your request to the given domain name.

The use of the proxy is also very simple. I have provided a Python wrapper for you on my[]we can use it like this:

How to Bypass CloudFlare’s Bot Protection Mechanism

You can try doing a WHOIS lookup on the result and you’ll see that it’s a CloudFlare IP, most likely the server running the worker.

At this point, if you try to send a request to your proxy through Tor, you will be blocked. So we need to add a rule to our CloudFlare firewall:

  How to Bypass CloudFlare’s Bot Protection Mechanism

Now, you can use Tor and send requests to your proxy without requiring any captcha.

At this point, you can send requests to any website that uses CloudFlare. You can also try to request a website that shows your header, you will see something like this:

 How to Bypass CloudFlare’s Bot Protection Mechanism

As you can see, X-FORWARDED-FOR can be used to send any value, so you can bypass server-side IP address request restrictions when doing web crawling or IP verification. The source IP is not forwarded to the target site, so the only way to block your server from sending requests is to filter out the CF-WORKER Header in the request.

However, according to CloudFlare, this is not a security breach:


So, you will be able to use your free CloudFlare account to send countless requests per day to scrape the resources you need, enjoy!

The Links:   SKD110-04 2N5061RLRAG