This post explains how Cloudflare identifies "toxic combinations" — converging minor signals that together indicate a security breach in progress.
- Toxic combinations occur when small issues like debug flags, unauthenticated paths, and predictable identifiers compound, allowing attackers to breach systems or exfiltrate data.
- Cloudflare's detection shifts focus from individual request risk to broader intent by analyzing bot signals, sensitive application paths, HTTP anomalies, and misconfigurations together.
- About 11% of analyzed hosts showed susceptibility to these combinations, heavily skewed by vulnerable WordPress sites; excluding WordPress, only 0.25% were affected.
- One pattern involves automated bot scanning of admin panels (/wp-admin, /phpmyadmin) with bot scores under 30, enabling brute force attacks, exploit scanning, and user enumeration.
- Another pattern targets unauthenticated API endpoints using predictable numeric IDs, allowing mass data scraping without any exploi
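
As an added illustration of the two patterns above (not Cloudflare's code or log schema), the following sketch correlates per-request signals into per-host findings. The record fields, the `/api/.../<id>` path shape, the `MIN_HITS` cutoff and the sample records are all assumptions constructed for this example; only the admin paths and the bot-score threshold of 30 come from the post.

```python
import re
from collections import defaultdict

ADMIN_PATHS = ("/wp-admin", "/phpmyadmin")  # admin panels named in the post
BOT_SCORE_THRESHOLD = 30                    # "bot scores under 30"
MIN_HITS = 3                                # assumption: events needed per signal
API_ID = re.compile(r"^(/api/.+/)(\d+)$")   # assumption: numeric ID is the last segment

def longest_run(ids):
    # Length of the longest run of consecutive integers in a set.
    best = 0
    for i in ids:
        if i - 1 not in ids:  # i starts a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def find_toxic_combinations(records):
    # Return {host: [pattern names]} for hosts where the signals converge.
    admin_hits = defaultdict(int)  # (host, client) -> low-score admin requests
    api_ids = defaultdict(set)     # (host, client, prefix) -> IDs served without auth
    for r in records:
        if r["bot_score"] < BOT_SCORE_THRESHOLD and r["path"].startswith(ADMIN_PATHS):
            admin_hits[(r["host"], r["client"])] += 1
        m = API_ID.match(r["path"])
        if m and not r["authenticated"] and r["status"] == 200:
            api_ids[(r["host"], r["client"], m.group(1))].add(int(m.group(2)))
    findings = defaultdict(set)
    for (host, _client), n in admin_hits.items():
        if n >= MIN_HITS:
            findings[host].add("bot-admin-probe")
    for (host, _client, _prefix), ids in api_ids.items():
        if longest_run(ids) >= MIN_HITS:
            findings[host].add("unauth-id-enumeration")
    return {h: sorted(p) for h, p in findings.items()}

def rec(host, client, path, bot_score, status=200, authenticated=False):
    # Hypothetical record shape used only by this example.
    return dict(host=host, client=client, path=path, bot_score=bot_score,
                status=status, authenticated=authenticated)

# Constructed sample traffic (documentation IP ranges, .example hosts).
SAMPLE = (
    [rec("blog.example", "198.51.100.7", "/wp-admin/", 5, 403) for _ in range(3)]
    + [rec("shop.example", "203.0.113.9", "/wp-admin/", 92, 200, True) for _ in range(3)]
    + [rec("shop.example", "198.51.100.7", "/phpmyadmin/", 4, 404)]
    + [rec("api.example", "198.51.100.8", f"/api/v1/orders/{i}", 12) for i in range(1001, 1005)]
    + [rec("app.example", "203.0.113.9", f"/api/v1/orders/{i}", 88, authenticated=True) for i in range(1, 5)]
)
```

No single request here is alarming on its own; a host is flagged only when a low bot score coincides with repeated admin-path access, or when missing authentication coincides with a run of consecutive IDs.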