id: cloudflare-rocketloader-htmli

info:
  name: Cloudflare Rocket Loader - HTML Injection
  author: j3ssie
  severity: unknown
  description: |
    The Rocket Loader feature in Cloudflare allow attackers to inject arbitrary HTML into the website. This can be used to perform various attacks such as phishing, defacement, etc.
  remediation: Disable the rocket loader or Add a CSP header to fix this issue.
  reference:
    - https://developers.cloudflare.com/speed/optimization/content/rocket-loader/enable/
    - https://developers.cloudflare.com/fundamentals/reference/policies-compliances/content-security-policies/#product-requirements
  metadata:
    verified: true
    max-request: 1
  tags: misconfig,cloudflare,htmli,miscellaneous

http:
  - method: GET
    path:
      - "{{BaseURL}}/cdn-cgi/image/width=1000,format=auto/https://raw.githubusercontent.com/simple-icons/simple-icons/develop/icons/cloudflare.svg"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Cloudflare'
          - '<svg'
          - 'M16.5088 16.8447c.1475-.5068.0908-.9707-.1553-1.3154-.2246-.3164-.6045-.499-1.0615-.5205l-'
          - '1475.5068-.0918.9707.1543 1.3164.2256.3164.6055.498'
        condition: and

      - type: word
        part: header
        words:
          - 'image/svg+xml'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100fb1e62e23ca2fabae5ffb89410f9adb4b139fc5128bf0b56efb219cb67ca7196022016ed5944ae69a92d056c3540e5e2b04cb0a6e256fc9df37e63909be77a2b31b8:922c64590222798bb761d5b6d8e72950