Noureddine RAMDI / CF-Hero: A Go CLI for uncovering origin IPs behind Cloudflare using multi-source OSINT correlation

Created Sat, 23 May 2026 20:41:14 +0000 Modified Sat, 23 May 2026 20:41:27 +0000

musana/CF-Hero

Cloudflare’s reverse proxy is a standard layer of defense that hides origin IP addresses behind its network, complicating reconnaissance efforts for security researchers and pentesters. CF-Hero tackles this exact challenge by aggregating intelligence from multiple OSINT platforms, DNS records, and HTTP fingerprinting to uncover those elusive origin IPs.

What CF-Hero does and its architecture

CF-Hero is a command-line tool written in Go that attempts to reveal the origin IP addresses of web applications shielded by Cloudflare. Its primary function is to bypass Cloudflare’s proxy obfuscation not by attacking Cloudflare itself, but by gathering and correlating side-channel intelligence from various sources.

The tool queries multiple OSINT platforms including ZoomEye, Shodan, Censys, and SecurityTrails. These platforms collect data about hosts and services across the internet, sometimes capturing historical or secondary information that can hint at the real IP behind a domain.

CF-Hero also performs DNS record analysis, both current and historical, along with subdomain enumeration. This widens the pool of candidates by identifying related domains and DNS changes that might reveal origin infrastructure.

To reduce false positives, CF-Hero validates candidate IP addresses by making direct HTTP requests to them and comparing the HTML title tag of the response with the target domain’s known title. This fingerprinting step is crucial to confirm the candidate IP truly hosts the intended application.

Architecturally, CF-Hero is built using a modular pipeline pattern in Go. Each stage—data gathering from OSINT sources, DNS analysis, subdomain enumeration, and HTTP validation—is encapsulated as a pipeline step. This design makes the codebase easier to maintain and extend.

The project requires Go 1.18 or newer and is installed simply via a go install command, making it straightforward to get started for Go users.

Technical strengths and design tradeoffs

The distinguishing feature of CF-Hero is its multi-source correlation engine. By pulling data from several OSINT platforms and DNS histories, it aggregates diverse signals to increase the chance of finding origin IPs that have slipped through Cloudflare’s proxy.

The HTTP title fingerprinting is a practical heuristic to weed out unrelated IPs. Directly connecting to candidate IPs and comparing HTML titles is an effective way to minimize false positives, a common problem in passive reconnaissance tools.

From a code perspective, the modular pipeline architecture allows different reconnaissance strategies to run in sequence or parallel, improving extensibility. This is a better approach than monolithic scripts or single-source tools, as it opens the door for adding new OSINT sources or validation methods.

That said, the tool depends heavily on the quality and availability of external OSINT data. If ZoomEye, Shodan, or other platforms have limited coverage for a target, CF-Hero’s effectiveness diminishes.

Additionally, relying on HTML title matching assumes the web application’s title is unique and consistent across origin and proxied instances. This heuristic might fail for generic titles or dynamically generated content.
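The title comparison and its two failure modes can be shown offline. This is an added example, not CF-Hero's own code: `NormTitle`, `CompareTitles`, the generic-title list and the sample HTML bodies are all constructed for illustration.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// titleRe captures the text of the first <title> element (case-insensitive, spans newlines).
var titleRe = regexp.MustCompile(`(?is)<title[^>]*>(.*?)</title>`)

// genericTitles: constructed, illustrative list of titles too common to identify one site.
var genericTitles = map[string]bool{"": true, "home": true, "index": true,
	"welcome to nginx!": true, "403 forbidden": true, "404 not found": true}

// NormTitle extracts the title, decodes entities, collapses whitespace and lowercases it.
func NormTitle(body string) string {
	m := titleRe.FindStringSubmatch(body)
	if m == nil {
		return ""
	}
	return strings.ToLower(strings.Join(strings.Fields(html.UnescapeString(m[1])), " "))
}

// CompareTitles applies the title heuristic to two HTML bodies (hypothetical helper).
// It returns "inconclusive" when the reference title cannot distinguish the site.
func CompareTitles(reference, candidate string) string {
	ref, cand := NormTitle(reference), NormTitle(candidate)
	switch {
	case genericTitles[ref]:
		return "inconclusive"
	case ref == cand:
		return "match"
	default:
		return "mismatch"
	}
}

// Constructed sample responses, embedded so the example runs offline.
const (
	proxied  = "<html><head><TITLE>\n Acme &amp; Co - Customer Portal </TITLE></head></html>"
	origin   = "<html><head><title>Acme & Co - Customer Portal</title></head></html>"
	dynamic  = "<html><head><title>(3) Acme & Co - Customer Portal</title></head></html>"
	defaultP = "<html><head><title>Welcome to nginx!</title></head></html>"
)

func main() {
	fmt.Println(CompareTitles(proxied, origin))    // same page despite markup differences
	fmt.Println(CompareTitles(proxied, dynamic))   // same app, dynamic title: false negative
	fmt.Println(CompareTitles(defaultP, defaultP)) // generic title proves nothing
}
```

A title match is corroborating evidence only; treating an "inconclusive" result as a match is how generic default pages turn into false positives.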

The tool does not perform any active probing that would risk detection or breach Cloudflare’s defenses directly, so it respects operational safety but at the cost of sometimes incomplete results.

Quick start

CF-Hero requires Go 1.18+ to install. The installation is as simple as running:

go install -v github.com/musana/cf-hero/cmd/cf-hero@latest

After installation, you can run cf-hero with appropriate flags to specify the target domain and other options. The README and GitHub repo provide further usage documentation.

Verdict

CF-Hero is a practical reconnaissance tool for security professionals interested in uncovering origin IPs behind Cloudflare’s reverse proxy. Its multi-source OSINT correlation combined with HTTP fingerprinting is a thoughtful design that balances thoroughness with caution.

While it won’t magically reveal origin IPs in all cases, especially for well-secured or obscure targets, it offers a solid baseline for passive reconnaissance efforts. The modular Go codebase and straightforward installation make it accessible for those comfortable with CLI tools and Go.

In production, the main limitations are the dependency on external OSINT platforms’ data quality and the heuristic nature of HTTP title matching. Still, CF-Hero’s approach is a useful lesson in how side-channel data aggregation can circumvent proxy obfuscation without direct attacks.

For anyone doing web application security assessments or interested in Cloudflare bypass techniques, CF-Hero is worth exploring and extending.


→ GitHub Repo: musana/CF-Hero ⭐ 2,162 · Go