Cloudflare provides two ways to whitelist security scanners so that they can scan your sites without interference and discover the security weaknesses lying underneath. One of these methods (IP Access Rules) cannot be used to whitelist Intruder's scanning ranges. Instead, we recommend using the 'Firewall Rules' feature:
Cloudflare's 'Firewall Rules' tool allows for more granular rules, which can be used to whitelist Intruder's scanning ranges.
To get started, we'll first add an 'Allow' rule for each of Intruder's scanning ranges. Click 'Create a Firewall Rule', and give it a recognisable name:
Use the 'IP Address' field and the 'is in' operator to add all of Intruder's scanning ranges and IPs. For an up-to-date list of IP ranges, please refer to this article. When finished, click 'Save'.
Once the 'Allow' rule has been created, we'll create a specific WAF bypass rule so that Intruder's scanners can circumvent some of Cloudflare's standard web application firewall protections.
Click on 'Create a Firewall Rule' and create another rule, using the following as a template – make sure you rearrange the order of the IP ranges, so Cloudflare doesn't complain of duplication.
Be sure to use Intruder's latest scanning ranges when configuring this rule too. Under 'Bypass', select:
WAF Managed Rules (this one is important)
Browser Integrity Check
User Agent Block
Once complete, click 'Save', and you're done! Intruder's scanners will now be able to scan your Cloudflare-protected hosts, without scan interference.
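The two rules described above, written out as the expressions Cloudflare's rule editor accepts (an added illustration, not taken from Intruder's or Cloudflare's own documentation). The IP ranges shown are placeholder documentation addresses, not Intruder's real scanning ranges; substitute the current list from the article linked above. The lines beginning with '#' are annotations for the reader; only the parenthesised expression is pasted into the rule's expression editor, and the rule name and action are set in the form fields next to it.

```text
# Rule 1 - name: "Intruder scanners - allow"
# Action: Allow
# Expression (PLACEHOLDER ranges - replace with Intruder's published list):
(ip.src in {203.0.113.0/24 198.51.100.0/24 192.0.2.10})

# Rule 2 - name: "Intruder scanners - WAF bypass"
# Action: Bypass, with these products ticked:
#   WAF Managed Rules, Browser Integrity Check, User Agent Block
# Same set of addresses, listed in a different order so the expression text
# is not byte-for-byte identical to Rule 1 (Cloudflare rejects duplicate expressions):
(ip.src in {192.0.2.10 198.51.100.0/24 203.0.113.0/24})
```

Both rules grant an exception keyed solely on the source IP, so keep the address set limited to the scanner ranges and update both expressions together whenever the published list changes; if the two sets drift apart, the scanner may be allowed through the first rule yet still be blocked by WAF Managed Rules.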
This will allow the scanner to detect weaknesses lying underneath the WAF, so you can pursue a 'defense in depth' security strategy and put in place measures that would prevent successful exploitation even where the WAF fails or is bypassed by an attacker.