Intigriti - Hack Hub

R2.DEV Enabled


Last updated 7 months ago


Description:

Cloudflare R2 is a high-performance object storage service with no egress fees. Developers use it both to store private unstructured data (such as invoices or backups) and, as a CDN origin, to serve publicly accessible files (such as images, videos and even static HTML and JavaScript files).

R2.DEV is a feature of Cloudflare R2 that exposes a bucket over a public, rate-limited development URL of the form https://pub-<id>.r2.dev, so it can be tested without attaching a custom domain. If it is left enabled (usually by accident) on a bucket that holds private data, anyone who learns or guesses an object URL can read that object without authentication, since public access applies to the whole bucket rather than to individual objects. This often leads to leaks of PII or other sensitive data.

Testing:

You can use the search syntax supported by popular search engines such as Google to enumerate indexed r2.dev URLs that reference your target company or organization:

site:.r2.dev "company"

Before reporting a potential security misconfiguration, always verify who owns the bucket and what the actual impact is. Some Cloudflare R2 buckets are meant to be public, and some may not belong to your target at all.
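The triage step above (collect indexed r2.dev object URLs, then confirm whether each one is readable without credentials) as an added example. This is illustrative code and not part of the Misconfig Mapper project: the search-result snippet is constructed, the `pub-<32 hex>.r2.dev` hostname pattern and the "2xx means readable" rule are assumptions, and the HTTP fetcher is injectable so the logic runs offline.

```python
"""Triage r2.dev object URLs found via search-engine dorks.

Added example, not Misconfig Mapper code. Assumptions: public R2 dev URLs look
like https://pub-<32 hex chars>.r2.dev/<object key>, and a 2xx response means
the object is readable without authentication. A 2xx does NOT prove the bucket
belongs to your target or that it was meant to be private; verify before reporting.
"""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Tuple

# ASSUMED URL shape for R2 public dev URLs (scheme + pub-<id>.r2.dev + optional key).
R2_DEV_URL = re.compile(r"https?://pub-[0-9a-f]{32}\.r2\.dev(?:/[^\s\"'<>]*)?", re.I)

# Constructed sample: what a saved search-results page might contain.
SAMPLE_SEARCH_RESULTS = (
    '<a href="https://pub-0123456789abcdef0123456789abcdef.r2.dev/invoices/2023-01.pdf">doc</a> '
    "https://pub-deadbeefdeadbeefdeadbeefdeadbeef.r2.dev/backup.zip, "
    "https://example.com/not-r2 "
    "https://pub-0123456789abcdef0123456789abcdef.r2.dev/invoices/2023-01.pdf"
)

Fetcher = Callable[[str], Tuple[int, bytes]]  # url -> (HTTP status, first bytes of body)


def extract_r2_dev_urls(text: str) -> List[str]:
    """Return unique r2.dev object URLs from raw search results or page source, in order seen."""
    seen, out = set(), []
    for m in R2_DEV_URL.finditer(text):
        url = m.group(0).rstrip("/.,")  # drop trailing punctuation picked up from prose
        if url.lower() not in seen:
            seen.add(url.lower())
            out.append(url)
    return out


def default_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Unauthenticated GET; returns the status even when urllib raises on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "r2dev-triage/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096)


@dataclass
class R2DevFinding:
    url: str
    status: int
    readable: bool
    note: str


def check_r2_dev_url(url: str, fetch: Fetcher = default_fetch) -> R2DevFinding:
    """Classify one object URL: readable anonymously or not."""
    status, body = fetch(url)
    if 200 <= status < 300:
        return R2DevFinding(url, status, True,
                            f"object readable without auth ({len(body)} bytes read); "
                            "confirm bucket ownership and whether it is meant to be public")
    # ASSUMPTION: any non-2xx is treated as not readable (r2.dev disabled, key gone, or blocked).
    return R2DevFinding(url, status, False, "not readable anonymously at this URL")


def triage(text: str, fetch: Fetcher = default_fetch) -> List[R2DevFinding]:
    """Extract every r2.dev object URL from `text` and check each one."""
    return [check_r2_dev_url(u, fetch) for u in extract_r2_dev_urls(text)]


if __name__ == "__main__":
    # Usage: python r2dev_triage.py < saved_search_results.html
    for f in triage(sys.stdin.read()):
        print(f"{'PUBLIC ' if f.readable else 'closed '} {f.status:>3} {f.url}  # {f.note}")
```

The script only tests specific object URLs that a search engine already indexed; an r2.dev hostname on its own does not give you a directory listing, so a bare `https://pub-<id>.r2.dev/` probe tells you little.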

Remediation:

To verify that public access is disabled on your Cloudflare R2 bucket, ensure that both routes to anonymous access are closed:

  • no custom domain is connected to the bucket

  • the R2.DEV public development URL is disabled

Visiting the index page of your R2 storage bucket endpoint should return the following response:
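The two-item checklist above, turned into an account-wide audit as an added example. This is not Misconfig Mapper or Cloudflare code; the Cloudflare API v4 paths and response shapes it uses (listed in the docstring) are assumptions to confirm against https://developers.cloudflare.com/api/ before relying on them, and the sample API responses are constructed so the audit can be exercised offline.

```python
"""Audit every R2 bucket in an account for public exposure (r2.dev or custom domain).

Added example, not project code. ASSUMED Cloudflare API v4 endpoints and shapes:
  GET /accounts/{acct}/r2/buckets                      -> result.buckets[].name
  GET /accounts/{acct}/r2/buckets/{b}/domains/managed  -> result.enabled, result.domain
  GET /accounts/{acct}/r2/buckets/{b}/domains/custom   -> result.domains[].domain, .enabled
  PUT /accounts/{acct}/r2/buckets/{b}/domains/managed  body {"enabled": false}
"""
import json
import os
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List

API = "https://api.cloudflare.com/client/v4"
ApiCall = Callable[[str], dict]

# Constructed sample responses keyed by API path (stands in for the real API).
SAMPLE_API: Dict[str, dict] = {
    "/accounts/acct1/r2/buckets": {"result": {"buckets": [
        {"name": "invoices"}, {"name": "assets"}, {"name": "private"}]}},
    "/accounts/acct1/r2/buckets/invoices/domains/managed":
        {"result": {"enabled": True, "domain": "pub-0123456789abcdef0123456789abcdef.r2.dev"}},
    "/accounts/acct1/r2/buckets/invoices/domains/custom": {"result": {"domains": []}},
    "/accounts/acct1/r2/buckets/assets/domains/managed":
        {"result": {"enabled": False, "domain": "pub-deadbeefdeadbeefdeadbeefdeadbeef.r2.dev"}},
    "/accounts/acct1/r2/buckets/assets/domains/custom":
        {"result": {"domains": [{"domain": "cdn.example.com", "enabled": True}]}},
    "/accounts/acct1/r2/buckets/private/domains/managed":
        {"result": {"enabled": False, "domain": "pub-cafebabecafebabecafebabecafebabe.r2.dev"}},
    "/accounts/acct1/r2/buckets/private/domains/custom": {"result": {"domains": []}},
}


def make_api(token: str, method: str = "GET") -> Callable[..., dict]:
    """Real HTTP caller: Bearer-token request against the assumed API paths."""
    def call(path: str, body: dict = None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(API + path, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    return call


@dataclass
class BucketExposure:
    name: str
    r2_dev_enabled: bool
    r2_dev_domain: str
    custom_domains: List[str]

    def is_public(self) -> bool:
        # Either route (dev URL or an enabled custom domain) makes objects world-readable.
        return self.r2_dev_enabled or bool(self.custom_domains)


def audit_account(account_id: str, api_get: ApiCall) -> List[BucketExposure]:
    """Walk all buckets and record how each one is (or is not) publicly reachable."""
    base = f"/accounts/{account_id}/r2/buckets"
    findings = []
    for bucket in api_get(base)["result"]["buckets"]:
        name = bucket["name"]
        managed = api_get(f"{base}/{name}/domains/managed")["result"]
        custom = api_get(f"{base}/{name}/domains/custom")["result"].get("domains", [])
        findings.append(BucketExposure(
            name=name,
            r2_dev_enabled=bool(managed.get("enabled")),
            r2_dev_domain=managed.get("domain", ""),
            custom_domains=[d["domain"] for d in custom if d.get("enabled", True)],
        ))
    return findings


def public_buckets(findings: List[BucketExposure]) -> List[str]:
    return [f.name for f in findings if f.is_public()]


def disable_r2_dev(account_id: str, bucket: str, api_put: Callable[..., dict]) -> dict:
    """Remediation for the r2.dev route (ASSUMED endpoint/body; custom domains are removed separately)."""
    return api_put(f"/accounts/{account_id}/r2/buckets/{bucket}/domains/managed", {"enabled": False})


if __name__ == "__main__":
    # Usage: CF_API_TOKEN=... CF_ACCOUNT_ID=... python r2_audit.py
    acct, token = os.environ["CF_ACCOUNT_ID"], os.environ["CF_API_TOKEN"]
    for f in audit_account(acct, make_api(token)):
        route = ("r2.dev " + f.r2_dev_domain) if f.r2_dev_enabled else ", ".join(f.custom_domains)
        print(f"{'PUBLIC ' if f.is_public() else 'private'} {f.name:<24} {route}")
```

Run this from the account that owns the buckets, with a token scoped to R2 read (and R2 write only if you intend to call `disable_r2_dev`). Any bucket it flags that is not deliberately a CDN origin is a finding to fix, not just to note.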

Potential Impact:

A Cloudflare R2 bucket whose R2.DEV URL was enabled unintentionally exposes every object in the bucket to unauthenticated readers. That can lead to data leaks or other unintended consequences, especially when the bucket stores sensitive data (such as backups, receipts or invoices).

References:

https://blog.intigriti.com/hacking-tools/hacking-misconfigured-cloudflare-r2-buckets-a-complete-guide
https://developers.cloudflare.com/r2/
https://developers.cloudflare.com/r2/buckets/public-buckets/