# Securing Cloudflare: Addressing the Password Policy Bypass Issue

After a short break from bug bounty hunting, I started hunting on the [Cloudflare Bug Bounty program](https://hackerone.com/cloudflare?type=team). This write-up is about a **Password Policy Restriction Bypass.**

Almost every organization enforces a strong password policy on its applications. The exact requirements often depend on the product, e.g. crypto, banking, and e-commerce applications. A strong password policy is also compulsory for compliance. See Wikipedia for more details on [password policies](https://en.wikipedia.org/wiki/Password_policy#:~:text=A%20password%20policy%20is%20a,part%20of%20security%20awareness%20training.).

I started looking for bugs in the Cloudflare application. This is my 2nd valid report on the [Cloudflare Bug Bounty program](https://hackerone.com/cloudflare?type=team). The first issue was a [Blind SSRF](https://hackerone.com/reports/1467044); that report has already been disclosed.

Cloudflare has a strong password policy in place: a password must be at least 8 characters long and contain a special character and a number. However, this check is enforced only in the UI. An attacker who intercepts the signup API request can set a weak password for their account.

Navigate to the Cloudflare `signup/reset` page and enter all the details, using a strong password in the UI. I then captured the `signup` request using **Burp Suite** and changed the strong password to a weak one, e.g. `Hacker@123` to `Hacker`.

![Password Reset Request](https://cdn.hashnode.com/res/hashnode/image/upload/v1708356886571/3e2d0e17-123b-427b-93c9-834ee9e8f43a.png align="center")

Then I forwarded the modified request to the server and got a `200 OK` response, so the weak password was accepted. This way, a user could set a weak password for their account. It is both a security and a compliance issue.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708357000189/082173c4-8186-4019-8e45-5f4778ff3571.png align="center")
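The fix for this class of bug is to enforce the policy on the server, independent of whatever the browser validated. As an added illustration (not Cloudflare's code; the endpoint, JSON field names and request bodies are assumed), this simulated signup handler applies the rules the post describes, so the proxy-tampered request from above is rejected while the original one passes:

```python
import json
import re

# Hypothetical server-side policy matching the rules described in the post:
# at least 8 characters, at least one digit, at least one special character.
MIN_LENGTH = 8
DIGIT_RE = re.compile(r"\d")
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")


def password_policy_errors(password: str) -> list[str]:
    """Return every policy rule the password violates (empty list = compliant)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"must be at least {MIN_LENGTH} characters")
    if not DIGIT_RE.search(password):
        errors.append("must contain a number")
    if not SPECIAL_RE.search(password):
        errors.append("must contain a special character")
    return errors


def handle_signup(raw_body: str) -> tuple[int, dict]:
    """Simulated signup endpoint: returns (HTTP status, JSON response body).

    The policy runs on the parsed request body, so editing the request in an
    intercepting proxy after the UI check has no effect on the outcome.
    """
    try:
        body = json.loads(raw_body)
        email, password = body["email"], body["password"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": "malformed request"}
    if not isinstance(password, str):
        return 400, {"error": "password must be a string"}
    errors = password_policy_errors(password)
    if errors:
        return 400, {"error": "weak password", "details": errors}
    return 200, {"status": "ok", "email": email}


# Constructed requests: the UI-validated original, then the same request
# after the password was replaced in the proxy (as in the write-up).
UI_REQUEST = json.dumps({"email": "user@example.com", "password": "Hacker@123"})
TAMPERED_REQUEST = json.dumps({"email": "user@example.com", "password": "Hacker"})

if __name__ == "__main__":
    for request in (UI_REQUEST, TAMPERED_REQUEST):
        print(handle_signup(request))
```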

**Report Timeline:**

* **August 21** - Reported to the Cloudflare program on **HackerOne**
* **August 22** - Report triaged
* **August 23** - Rewarded **$200** + **$50** bonus for a well-written report
* **August 23** - Retest requested
* **August 23** - Issue fixed; rewarded **$50** for the retest
