A Cloudflare Pages user has outlined how unsecured assets can be identified using a range of both paid for and open source tools, along with other free search engines and resources.
While Cloudflare Pages and Workers offer an easy way to deploy static sites and applications, they need to be set up properly to avoid inadvertently exposing hidden pages and workers.
Reconnaissance is key for effective penetration testing and the user’s techniques include using the powerful search engines Shodan and Censys to reveal indexed internet-connected devices and SSL certificates, along with the certificate search tool cert.sh, to find domains associated with Cloudflare Pages deployments.
Other suggestions include using the open source tool GoWitness to carry out an automated scan of collected URLs, capturing screenshots and generating a report, along with the AI-driven tool Eyeballer to categorise found pages.
The article includes installation and usage instructions for all the tools mentioned.
In conclusion, the article stresses the importance of assuming that any subdomain on Cloudflare Pages and Workers is publicly visible and should be protected accordingly.