RankBit
Registered Member
Joined: Mar 16, 2021
Messages: 21,774
Resources: 42
Points: 113
Reaction score: 10,572
Age: 33
This is a tutorial on how to bypass Cloudflare WAF with the origin server IP address.
Cloudflare is a widely used web app firewall (WAF) provider. But what if you could bypass all these protections in a second making the defense useless? This article is a tutorial on bypassing Cloudflare WAF getting the origin server IP address. With more than 16M Internet properties, Cloudflare is now one of the most popular web application firewalls (WAF). A year ago Cloudflare released a fast DNS resolver, which became the proverbial cherry on top of their service offering. Working as a reverse proxy, the WAF does not only offer a protection against DDOS but can also trigger an alert when it detects an attack. For paid subscriptions, users have the option to turn on protection against common vulnerabilities such as SQLi, XSS and CSRF, yet this must be manually enabled. This option is not available for free accounts.
1. first, Recon! The idea is to start your normal recon process and grab as many IP addresses as you can (host, nslookup, whois, ranges ), then check which of those servers have a web server enabled (netcat, nmap, masscan). Once you have a list of web server IP, the next step is to check if the protected domain is configured on one of them as a virtual host. If not, you ll get the default server page or the default website configured. If yes then you found the entry point! Using Burp.
Some tools available to automate this process:
github.com
github.com
2. Censys If your target has a SSL certificate (and it should!), then it s registered in the Censys database (I strongly recommend to subscribe). Choose Certificates in the select input, provide the domain of your target, then hit .
3. Mail headers: The next step is to retrieve the headers in the mails issued by your target: Subscribe the newsletter, create an account, use the function forgotten password , order something in a nutshell do whatever you can to get an email from the website you re testing (note that Burp Collaborator can be used). Once you get an email, check the source, and especially the headers. Record all IPs you can find there, as well as subdomains, that could possibly belong to a hosting service. And again, try to access your target through all of them. The value of header Return-Path
4. XML-RPC Pingback: This well known tool in WordPress, the XML-RPC (Remote Procedure Call), allows an administrator to manage his/her blog remotely using XML requests. A pingback is the response of a ping. A ping is performed when a site A links to a site B, then the site B notifies the site A that it is aware of the mention. This is the pingback. You can easily check if it s enable by calling https://www.target.com/xmlrpc.php. You should get the following: XML-RPC server accepts POST requests only. According to WordPress XML-RPC Pingback API, the functions takes 2 parameters sourceUri and targetUri 5. Previous findings If you re not able to find the origin IP using the previous methods or if the website was not protected when you first started your hunt but finally became protected, remember that sometimes your best friend is your target itself and it can give you the information you are looking for.
5. DNS resources: As you probably understood, the most important thing is to grab as many IP addresses as you can no matter how, no matter where. DNS servers are of course the main focus of attention, especially their history which will be forever available in the Internet memory. Below are some great sources you can use to find :
securitytrails.com
dnsdumpster.com
sitereport.netcraft.com
Note, that none of these methods are 100% reliable as all targets are different and what will work for one, may not work for another. My advice: try them all. (available on Github) Cloudsnare.py: censys certificates (key required) HatCloud: crimeflare, ipinfo.io CrimeFlare: crimeflare, ipinfo.io bypass-firewalls-by-DNS-history: securitytrails, crimeflare CloudFail: dnsdumpster, crimeflare, subdomain brute force CloudFlair: censys key required CloudIP: nslookup some subdomains (ftp, cpanel, mail, direct, direct-connect, webmail, portal..)
Cloudflare is a widely used web app firewall (WAF) provider. But what if you could bypass all these protections in a second making the defense useless? This article is a tutorial on bypassing Cloudflare WAF getting the origin server IP address. With more than 16M Internet properties, Cloudflare is now one of the most popular web application firewalls (WAF). A year ago Cloudflare released a fast DNS resolver, which became the proverbial cherry on top of their service offering. Working as a reverse proxy, the WAF does not only offer a protection against DDOS but can also trigger an alert when it detects an attack. For paid subscriptions, users have the option to turn on protection against common vulnerabilities such as SQLi, XSS and CSRF, yet this must be manually enabled. This option is not available for free accounts.
1. first, Recon! The idea is to start your normal recon process and grab as many IP addresses as you can (host, nslookup, whois, ranges ), then check which of those servers have a web server enabled (netcat, nmap, masscan). Once you have a list of web server IP, the next step is to check if the protected domain is configured on one of them as a virtual host. If not, you ll get the default server page or the default website configured. If yes then you found the entry point! Using Burp.
Some tools available to automate this process:
GitHub - jobertabma/virtual-host-discovery: A script to enumerate virtual hosts on a server.
A script to enumerate virtual hosts on a server. Contribute to jobertabma/virtual-host-discovery development by creating an account on GitHub.
github.com
gwen001/vhost-brute
A PHP tool to brute force vhost configured on a server. - gwen001/vhost-brute
github.com
2. Censys If your target has a SSL certificate (and it should!), then it s registered in the Censys database (I strongly recommend to subscribe). Choose Certificates in the select input, provide the domain of your target, then hit .
3. Mail headers: The next step is to retrieve the headers in the mails issued by your target: Subscribe the newsletter, create an account, use the function forgotten password , order something in a nutshell do whatever you can to get an email from the website you re testing (note that Burp Collaborator can be used). Once you get an email, check the source, and especially the headers. Record all IPs you can find there, as well as subdomains, that could possibly belong to a hosting service. And again, try to access your target through all of them. The value of header Return-Path
4. XML-RPC Pingback: This well known tool in WordPress, the XML-RPC (Remote Procedure Call), allows an administrator to manage his/her blog remotely using XML requests. A pingback is the response of a ping. A ping is performed when a site A links to a site B, then the site B notifies the site A that it is aware of the mention. This is the pingback. You can easily check if it s enable by calling https://www.target.com/xmlrpc.php. You should get the following: XML-RPC server accepts POST requests only. According to WordPress XML-RPC Pingback API, the functions takes 2 parameters sourceUri and targetUri 5. Previous findings If you re not able to find the origin IP using the previous methods or if the website was not protected when you first started your hunt but finally became protected, remember that sometimes your best friend is your target itself and it can give you the information you are looking for.
5. DNS resources: As you probably understood, the most important thing is to grab as many IP addresses as you can no matter how, no matter where. DNS servers are of course the main focus of attention, especially their history which will be forever available in the Internet memory. Below are some great sources you can use to find :
SecurityTrails | The World's Largest Repository of Historical DNS data
Access the world's largest repository of historical DNS data in mere seconds. Find suspicious changes to DNS records, and prevent future fraudulent or criminal activity.
securitytrails.com
DNSdumpster.com - dns recon and research, find and lookup dns records
Find dns records in order to identify the Internet footprint of an organization. Recon that enables deeper security assessments and discovery of the attack surface.
Site report for http://thejavasea.com | Netcraft
Using results from Netcraft's internet data mining, find out the technologies and infrastructure of http://thejavasea.com.
sitereport.netcraft.com
Note, that none of these methods are 100% reliable as all targets are different and what will work for one, may not work for another. My advice: try them all. (available on Github) Cloudsnare.py: censys certificates (key required) HatCloud: crimeflare, ipinfo.io CrimeFlare: crimeflare, ipinfo.io bypass-firewalls-by-DNS-history: securitytrails, crimeflare CloudFail: dnsdumpster, crimeflare, subdomain brute force CloudFlair: censys key required CloudIP: nslookup some subdomains (ftp, cpanel, mail, direct, direct-connect, webmail, portal..)
Last edited: