#Users getting Browser Integrity Checks randomly on an API subdomain that has all security disabled.
If that were the case, then it would be happening for all users, right?
I highly doubt it's that, plus users get it from our program, so this isn't a browser.
Also, the request doesn't even reach the origin, so it comes from CF.
Fake challenges don't show for all users, usually only Windows, or can be configured to be more precisely targeted. It's always worth suggesting if you are getting challenges that are unexpected. Check your security event log to see if and why a real challenge is issued... https://dash.cloudflare.com/?to=/:account/:zone/security/events
Fake challenges look like this... https://community.cloudflare.com/t/i-cant-access-certain-web-sites-because-cloudflare-claims-i-am-not-human/887709?u=sjr
It would be running on the origin server though? When I check raw access logs against the user IP I don't see requests around that time, so I think this is something on CF, some protection you can't turn off as a free user maybe?
If a request is blocked or challenged by Cloudflare it will be in your security event log.
Yes, that is the thing that's baffling me.
Well, I wish I could get in touch with a CF technician through a ticket, because I have no doubt this is coming from CF.
As I mentioned, everything was fine until they reworked the rules dashboard etc.
It's easier to check the site directly. If you don't want to give it publicly, you can put it in here... https://cf.sjr.dev/tools/check and give the first 8 digits of the test UUID, then I can look it up.
The site loads blank for me. I don't see a challenge, but there is this x-powered-by: PHP/7.0.33 header. That's very old, unsupported and has active exploits in the wild, so even without the challenge issue, you need to update your PHP version.
Yes, it's an auth endpoint so it needs a valid request; I couldn't use the full URI on the website because of limitations.
And thanks for pointing out the PHP version, I'll get on that ASAP.
But yes, for 99% of users it's fine, but every other day new users contact me with issues and I can't figure out what to do. I'm sure if I just used the DNS on the subdomain and didn't route it, it would be fine.
But I don't want to expose the subdomain.
If it happens for a user, get them to send you the full HTML including the ray ID. Then you can look up the ray ID in the security event log to see if it is there.
OK, to be clear, that HTML you shared is not a Cloudflare challenge page.
Unless you have customized it, which I doubt.
I just edited out the ray ID and report ID.
Also, usually I ask users to reset their modem and get a new IP, or use a mobile hotspot, and it works for them.
No, it doesn't make sense front and back.
But some have static IPs.
That CSS isn't in the challenge page.
Given the cf-cache-status: DYNAMIC header, that is also 100% coming from your origin.
Your origin is compromised.
<html lang="en">
<head>
<meta charset="utf8">
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<script type="37bcb42c03ecd2c9f62346f4-text/javascript">
(function(){
setTimeout(function(){
window.location.reload();
}, 5000);
}())
</script>
<link rel="icon" href="data:,">
<title>One moment, please...</title>
<style>
.spinner {
-webkit-animation: spin 1s ease-out;
animation: spin 1s ease-out;
}
@keyframes spin {
0% {
-webkit-transform: rotate(0deg);
-moz-transform: rotate(0deg);
-ms-transform: rotate(0deg);
-o-transform: rotate(0deg);
transform: rotate(0deg);
This is cut off, I had the replies limited in the log file from users.
Yes, but that's not how challenge pages start at all.
This only happens on the API subdomain with the app > auth request > API. The API is not accessible to the public without custom headers at all; I disabled them now for checking.
So how do I confirm it's something on the origin?
Go through all PHP files that are related.
grep for "eval" or parts of the challenge page ("One moment, please...").
It's likely sitting somewhere highly obfuscated.
I don't know how your server is set up or how well sandboxed it is, but you can assume your entire server and database are also compromised.
So the auth PHP is like 200 lines long and pretty straightforward. The functions.php included is intact; I just diffed it against a version from 2020, and only my own changes are in there.
It's managed cPanel hosting I've been using for ~10 years.
Then it's somewhere else, but I have no clue about PHP.
It just doesn't make any sense that it happens to 4-5 people out of hundreds a week, and if they are able to change their IP, then it's working for them as well.
That makes perfect sense, because they don't want to be detected.
Well, I'm going to switch to a different CDN, for science I guess.
I added a fallback pull zone on Bunny for the API subdomain and it appears to be working fine.
client > Bunny API host > CNAME to CF API host > origin
CF was left enabled on the subdomain, and I didn't change any rules.