Upon opening my browser and attempting to access the provided URL, I ran into this error page.
Initially, after completing Part 1, I assumed that the owner of the site had set a WAF rule to block certain IPs. I assumed this meant enterprise IPs (so my university's self-hosted enterprise ISP would be blocked), so I tried accessing from my phone.
Same error.
Then I tried a VPN to a couple of different countries... same error.
I knew there was something more complicated going on, so I got to work on attempting to figure out what was happening!
Now that I was familiar with Cloudflare's product and how its WAF worked, I was able to quickly navigate to the WAF settings, where I noticed some peculiar things.
WAF Rules Page for https://ase.mmitchellse.com
I noticed five rules, four of which were logging things and one that was blocking. I attempted to trigger a log by connecting to the page with this URL (Rule 2): https://ase.mmitchellse.com/jfifaf
Successfully logged
Once I confirmed logging was working, I then opened Rule #4 (the block itself).
The block was configured to block all traffic that did not have an X-Header value of 15647.
In order to access the page, I used my domain, Cloudflare, my new web server from Part 1, and a script in PHP.
This script would interface with my GCP VM and run a cURL request. This request would add the X-Header required to bypass the block.
Using my Apache web server and PHP is required to accomplish this, as normal browsers cannot add custom headers to cross-origin requests (CORS restrictions).
By using my server as a "middle-man", you can add the special header.
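The "middle-man" script described above, written out as an added example (this is not the author's own script). It assumes PHP 8 with the curl extension on the Apache server from Part 1, and that the lab rule checks a header literally named X-Header with the value 15647; the target host is fixed so the relay cannot be abused as an open proxy.

```php
<?php
// Added example, not the write-up's own script. Assumes PHP 8 + ext-curl.
// Header name/value are taken from the write-up; the exact header name the
// lab rule inspects is an assumption.
declare(strict_types=1);

// Fixed target: the relay only ever talks to the lab host, so it cannot be
// turned into an open proxy / SSRF relay by whoever can reach this script.
const TARGET_BASE = 'https://ase.mmitchellse.com';
const WAF_HEADER  = 'X-Header: 15647';

function fetch_with_header(string $path = '/'): array
{
    // Accept only a simple path under the lab host; reject anything that
    // could change the host (absolute URLs, protocol-relative "//host").
    if ($path === '' || $path[0] !== '/' || str_starts_with($path, '//')) {
        throw new InvalidArgumentException('path must start with a single "/"');
    }

    $ch = curl_init(TARGET_BASE . $path);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,        // never follow redirects off-host
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER     => [WAF_HEADER], // the header the WAF rule requires
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $err    = curl_error($ch);
    curl_close($ch);

    if ($body === false) {
        throw new RuntimeException("curl failed: $err");
    }
    return ['status' => $status, 'body' => $body];
}

// Entry point when served by Apache: fetch the requested lab path with the
// header added server-side and relay status + body back to the browser.
$result = fetch_with_header($_GET['path'] ?? '/');
http_response_code($result['status']);
header('Content-Type: text/html; charset=utf-8');
echo $result['body'];
```

Because the whole control rests on a header value that any client can send, the rule is effectively a shared secret rather than an access control, which is the lesson of this part of the lab.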