Last week, Cloudflare announced in a blog post that it was implementing a new feature – allowing URL rewrites on the edge. This is pretty cool. But the post hid another change that I feel is more directly relevant to website owners and to those concerned about website security: URL normalization. Here’s why that’s important.
Unicode Encoding of URLs
Here’s a simple example. Take the domain namehero.com. Type it into your web browser and visit the site. Everything works as it should, right?
Now type in this URL instead:
%6E%61%6D%65%68%65%72%6F.com
Surprise! It works exactly the same! What’s happened? Simple – I used a Unicode converter to get the symbols for each letter in “namehero.com”. The browser automatically converted the Unicode into the human-readable equivalent and displayed the page.
This is just a small example of the various tricks that both benign and malicious users can play to get your browser to do something unexpected. Some years ago, WordFence documented a devastating workaround that affected Chrome and Firefox users through a phishing attack that was undetectable by humans. What’s even worse is that this behavior appeared to be intended. This is why, even though Chrome released a fix, Firefox still required a manual configuration change.
Many of these policies are implemented with internationalization in mind. But then the security experts and architects of the guts of the Internet also need to figure out how they can be used securely.
Unicoded URLs Can Bypass Firewalls
Now that you know you can visit certain URLs without actually typing in the literal name, it’s not hard to see that the same trick can be used to bypass firewall rules. All an attacker needs to do is replace just one letter of the URL with its Unicode equivalent, and they’re through! Here’s a complete list of Unicode replacements for ASCII characters. With something like this, crafting a URL to bypass a firewall is child’s play!
The worst part is that you won’t even realize why your firewall isn’t working. If I check my firewall logs, the request renders without the Unicode. So I’m left with the impression that a request that should have been blocked slipped through when it shouldn’t have!
Cloudflare’s URL Normalization Solves This
With the latest update, Cloudflare uses URL normalization to first parse the URLs it receives, then sends the normalized form through the firewall for processing. So no matter how attackers try to use Unicode characters to bypass the firewall, they still won’t be able to get through.
This is tied into the main rewrite update, since they both rely on the same technology. Hence the clubbing of these two issues together in the blog post.
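To make the “normalize first, then match” idea concrete, here is an added example (my own illustration, not Cloudflare’s implementation): a small normalizer that percent-decodes a request path (repeatedly, so double-encoding is caught too), collapses empty and dot segments, and only then compares it against a blocked-path rule. The rule list and the sample paths are constructed for the demo.

```python
"""Added example: why a firewall rule must match the normalized path, not the raw one."""
from urllib.parse import unquote

# Constructed sample rule: paths a site owner might block at the edge.
BLOCKED_PREFIXES = ("/wp-login.php", "/xmlrpc.php")


def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Return a canonical form of a URL path.

    - Percent-decodes up to max_rounds times so "%2577" -> "%77" -> "w" is caught.
    - Treats backslashes as slashes, drops empty and "." segments, resolves "..".
    - A trailing slash is dropped; case is left untouched (paths may be case-sensitive).
    """
    decoded = path
    for _ in range(max_rounds):
        step = unquote(decoded)
        if step == decoded:          # nothing left to decode
            break
        decoded = step
    segments = []
    for seg in decoded.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_blocked(path: str) -> bool:
    """The broken approach: match the rule against the raw request path."""
    return path.startswith(BLOCKED_PREFIXES)


def normalized_blocked(path: str) -> bool:
    """The fixed approach: normalize first, then apply the same rule."""
    return normalize_path(path).startswith(BLOCKED_PREFIXES)


def audit(paths):
    """Constructed log review: report requests the naive rule misses but normalization catches."""
    return [p for p in paths if normalized_blocked(p) and not naive_blocked(p)]


if __name__ == "__main__":
    sample = ["/wp-login.php", "/%77p-login.php", "/blog/../xmlrpc.php", "/index.php"]
    print("missed by naive rule:", audit(sample))
```

Running the block shows that the raw-string rule misses the encoded and dot-segment variants, while the normalized check blocks all of them with the same rule.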
Enabling URL Normalization
To enable URL normalization, go to the configuration settings page under the “Firewall” tab as shown here:
Click the “Normalize Incoming URLs” option to turn it on and you’re done! Now you can try violating your firewall rules using Unicode. You’ll see that it doesn’t work anymore.
This Also Applies to Page Rules
Even if you’re not using Cloudflare’s firewall, you’re almost certainly using at least one page rule. If not, you should be! Here are four good uses of Cloudflare’s page rules. Now with URL normalization, these rules will work as expected even if someone purposely or accidentally tries to access them differently.
All in all, a good update from Cloudflare for free. It addresses an issue that I honestly hadn’t even thought about until I read about it!
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!