WAF rules can include a check for exposed credentials. When enabled in a given rule, exposed credentials checking happens when there is a match for the rule expression (that is, the rule expression evaluates to true).
At this point, the WAF looks up the username/password pair in the request against a database of publicly available stolen credentials. When both the rule expression and the exposed credentials check are true, there is a rule match, and Cloudflare performs the action configured in the rule.
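The two-stage evaluation described above can be modelled in a few lines of Python. This is an added example, not Cloudflare's code: the Rule class, the in-memory EXPOSED set, the sample requests and the "log" action are all assumptions made for illustration, and the expression is the one from the example rule on this page.

```python
from dataclasses import dataclass

# Constructed sample data: stands in for the database of publicly available
# stolen credentials. How Cloudflare stores or queries it is not modelled.
EXPOSED = {("alice@example.com", "Summer2020!")}

@dataclass
class Request:
    method: str
    uri: str
    username: str = ""
    password: str = ""

class Rule:
    """Simplified model of one WAF rule with the exposed credentials check enabled."""

    def __init__(self, expression, action):
        self.expression = expression  # predicate over a Request
        self.action = action          # action configured in the rule
        self.lookups = 0              # number of credential lookups performed

    def credentials_exposed(self, req):
        self.lookups += 1
        return (req.username, req.password) in EXPOSED

    def evaluate(self, req):
        # Stage 1: the rule expression must evaluate to true.
        if not self.expression(req):
            return None
        # Stage 2: only now is the username/password pair looked up.
        if not self.credentials_exposed(req):
            return None
        # Both true: rule match, the configured action is performed.
        return self.action

def login_rule():
    # Same expression as the page's example rule; "log" is an assumed action.
    return Rule(lambda r: r.method == "POST" and r.uri == "/login.php", "log")

def run_samples():
    rule = login_rule()
    samples = [  # constructed requests
        Request("POST", "/login.php", "alice@example.com", "Summer2020!"),
        Request("POST", "/login.php", "alice@example.com", "n0t-in-any-dump"),
        Request("POST", "/api/items", "alice@example.com", "Summer2020!"),
        Request("GET", "/login.php"),
    ]
    return [rule.evaluate(r) for r in samples], rule.lookups
```

Only the first request produces the action, and the lookup counter shows that the two requests failing the expression never reach the credentials check.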
Example
For example, the following rule matches POST requests to the /login.php URI when Cloudflare identifies the submitted credentials as previously exposed:
Rule #1
Rule expression: http.request.method == "POST" and http.request.uri == "/login.php"
Exposed credentials check with the following configuration: