Allowlisting the scanner in Cloudflare lets it detect weaknesses lying underneath the WAF, so you can execute a 'defence in depth' security strategy and put in place measures that would prevent successful exploitation even where the WAF fails or is bypassed by an attacker.
Cloudflare provides two ways to allowlist security scanners:
'IP Access Rules' – which cannot be used to allowlist Intruder's scanning ranges.
'Firewall Rules' – which can be used, and are configured in two parts, explained below.
When configuring these two rules, they must appear in the following order in Cloudflare for the allowlisting to work as expected: the 'Allow' rule first, then the WAF Bypass rule.
Creating the rules in that order ('Allow' rule, then WAF Bypass) will ensure the order is populated correctly in Cloudflare's settings (though you can manually reorder them if you need to). If the order is incorrect, you may see WAF-related issues including 'Possible Scan Interference', which can include results such as specific User-Agent blocking.
Step 1 - Add an 'Allow' rule
To get started, we'll first add an 'Allow' rule for each of Intruder's scanning ranges.
1. Click 'Create a Firewall Rule', and give it a recognisable name:
2. Using the 'Field' dropdown, select 'IP Source Address'
3. Under the 'Operator' field, select 'is in'
4. In the 'Value' field, add all of Intruder's scanning ranges and IPs. For an up-to-date list of IP ranges, please refer to this article.
5. Under 'Choose an action', select 'Allow'
6. When finished, click 'Save'.
Step 2 - Create WAF bypass rules
This will allow Intruder's scanners to circumvent some of Cloudflare's standard web application firewall protections.
1. Click 'Create a Firewall Rule' and create another rule.
2. Using the 'Field' dropdown, select 'IP Source Address'.
3. Under the 'Operator' field, select 'is in'.
4. In the 'Value' field, add all of Intruder's scanning ranges and IPs, but rearrange the order of the IP ranges so that Cloudflare doesn't complain about duplication.
5. Under 'Choose an action', select 'Bypass' and tick the following features:
WAF Managed Rules (this one is important)
Browser Integrity Check
User Agent Block
Security Level
Rate Limiting
Zone Lockdown
6. Once complete, click 'Save', and you're done!
Intruder's scanners will now be able to scan your Cloudflare-protected hosts, without scan interference.
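As an added example (not Intruder's or Cloudflare's own code), the Python below builds the two rules from Steps 1 and 2 as Cloudflare rule expressions so they can be checked locally before being entered in the dashboard. The scanner ranges in it are constructed placeholders, the `(ip.src in {...})` syntax is what the rule builder generates for 'IP Source Address' 'is in', and the rule dictionaries are this example's own shape, not a Cloudflare API payload.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation space); replace them
# with the current list from Intruder's IP-ranges article.
SCANNER_RANGES = ["203.0.113.0/24", "198.51.100.0/24", "192.0.2.10"]

# The features the article says to tick under the 'Bypass' action.
BYPASS_FEATURES = ["WAF Managed Rules", "Browser Integrity Check", "User Agent Block",
                   "Security Level", "Rate Limiting", "Zone Lockdown"]


def ip_src_expression(ranges):
    """'IP Source Address' 'is in' <ranges>, written in Cloudflare's expression
    language: a set is space-separated values inside braces. Every value is
    parsed first, so a typo fails here rather than when the rule is saved."""
    for r in ranges:
        ipaddress.ip_network(r, strict=True)  # ValueError on a malformed value
    return "(ip.src in {" + " ".join(ranges) + "})"


def build_rules(ranges):
    """Step 1 'Allow' rule followed by the Step 2 'Bypass' rule, in that order."""
    # Same set, reversed order: an identical expression string is what makes
    # Cloudflare complain of a duplicate, hence the article's advice to reorder.
    return [
        {"name": "Intruder - allow", "action": "allow",
         "expression": ip_src_expression(ranges)},
        {"name": "Intruder - WAF bypass", "action": "bypass",
         "expression": ip_src_expression(list(reversed(ranges))),
         "bypass": BYPASS_FEATURES},
    ]


def allow_precedes_bypass(rules):
    """True when the 'Allow' rule sits above the 'Bypass' rule, as required."""
    actions = [r["action"] for r in rules]
    return actions.index("allow") < actions.index("bypass")


def rules_matching(rules, src_ip):
    """Names of the rules whose 'ip.src in {...}' set contains src_ip, so you
    can confirm a scanner address hits both rules and another address neither."""
    ip = ipaddress.ip_address(src_ip)
    hits = []
    for r in rules:
        members = r["expression"].split("{", 1)[1].rstrip("})").split()
        if any(ip in ipaddress.ip_network(m, strict=False) for m in members):
            hits.append(r["name"])
    return hits
```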
*Access to rules is dependent on your Cloudflare plan, so if you can't see what you're looking for, it might be worth checking what's available with your Cloudflare subscription.