Toxic combinations: when small signals add up to a security incident
AI-Generated Summary: This is an automated summary created using AI. For the full details and context, please read the original post.
Toxic Combinations: Identifying Security Incidents through Contextualized Detections
Cloudflare's network observes requests to web applications, which lets it identify security incidents known as "toxic combinations." These are exploits in which an attacker discovers and compounds minor issues, such as debug flags or unauthenticated application paths, to breach systems or exfiltrate data. Cloudflare's detections for toxic combinations analyze the context in which multiple signals converge, including bot traffic, specific application paths, request anomalies, and misconfigurations.
Key Technical Details
- Cloudflare's framework for identifying toxic combinations includes:
  - Bot signals
  - Application paths (especially sensitive ones like admin, debug, metrics, search, and payment flows)
  - Anomalies (unexpected HTTP codes, geo jumps, identity mismatch, high ID churn, rate-limit evasion, and request or success rate spikes)
  - Vulnerabilities or misconfigurations (missing session cookies or auth headers, predictable identifiers)
- Cloudflare analyzed a 24-hour window of data to identify toxic combinations on popular application stacks, finding that about 11% of hosts were susceptible to these combinations, a figure skewed by vulnerable WordPress websites.
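The four signal categories above can be correlated per host and client rather than scored per request. The sketch below is an added example, not Cloudflare's detection code: the record fields, the bot-score scale, the thresholds and the sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Path classes the summary calls sensitive; prefix matching is an assumption.
SENSITIVE = ("/admin", "/debug", "/metrics", "/search", "/payment")

def request_signals(r, bot_cutoff=30):
    """Signal categories visible in a single request record."""
    found = set()
    if r["bot_score"] < bot_cutoff:          # assumed scale: low score = likely automated
        found.add("bot")
    if r["path"].startswith(SENSITIVE):
        found.add("sensitive_path")
        if 200 <= r["status"] < 300 and not r["has_auth"]:
            found.add("misconfig")           # answered without session cookie or auth header
    return found

def toxic_combinations(records, min_categories=3, churn_limit=3):
    """Group by (host, client) and flag groups whose signals span several categories."""
    cats, ids = defaultdict(set), defaultdict(set)
    for r in records:
        key = (r["host"], r["client"])
        cats[key] |= request_signals(r)
        tail = r["path"].rstrip("/").rsplit("/", 1)[-1]
        if tail.isdigit():
            ids[key].add(tail)               # distinct numeric object IDs requested
    for key, seen in ids.items():
        if len(seen) > churn_limit:
            cats[key].add("anomaly")         # high ID churn from one client
    return {k: sorted(v) for k, v in cats.items() if len(v) >= min_categories}

# Constructed sample records, not real traffic.
SAMPLE = (
    [{"host": "shop.example", "client": "c1", "path": f"/admin/orders/{i}",
      "status": 200, "bot_score": 4, "has_auth": False} for i in range(100, 105)]
    + [{"host": "shop.example", "client": "c2", "path": "/admin/orders/100",
        "status": 200, "bot_score": 92, "has_auth": True},
       {"host": "blog.example", "client": "c3", "path": "/index.html",
        "status": 200, "bot_score": 3, "has_auth": False}]
)

if __name__ == "__main__":
    for (host, client), found in toxic_combinations(SAMPLE).items():
        print(host, client, found)
```

Only client c1 is flagged: an authenticated visit to the same admin path (c2) and a bot fetching a public page (c3) each show a single signal and stay below the threshold.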
Practical Implications for Developers
- Developers can use Cloudflare's intelligence to identify and address weaknesses in their stack caused by toxic combinations.
- By understanding the common types of toxic combinations and the vulnerabilities they present, developers can take proactive steps to prevent these incidents.
- Cloudflare's detections for toxic combinations can help developers shift their focus from evaluating the risk of individual requests to analyzing the broader intent and context surrounding multiple signals.