Making Self-XSS Great Again: Unauthorized Access Request Approvals in Cloudflare

You know, that vulnerability class that triagers love to close as “informative” faster than you can type “but wait, there’s a chain.” I took three bugs that would each get laughed out of a triage queue – a Self-XSS nobody can reach, a Cookie Tossing that does nothing, and a predictable CSRF token with no delivery mechanism – and duct-taped them into a single-click bypass of Cloudflare Access’s Temporary Auth approval flow....

April 6, 2026 · 12 min · Nishant

Almost Hacking into Cloudflare's CEO

In the past few months, there have been multiple public disclosures related to SAML bypasses. This writeup is loosely inspired by them and my journey to uncover yet another SAML bypass! If you aren’t familiar with SAML already, I recommend reading the ProjectDiscovery blog first. Preparation: It was a regular day when I encountered a public disclosure post about a SAML signature bypass in GitHub Enterprise. It was a Critical Severity vulnerability....

January 8, 2025 · 7 min · Nishant