🕵️
HowToHunt
  • HowToHunt.md
  • API Testing
    • Hidden API Functionality Exposure
    • Reverse Engineer an API
  • Account Takeover Methodology
    • Account Takeover Methodology
  • Application Level DoS
    • Application Level DoS Methods
  • Authentication Bypass
    • 2FA Bypasses
    • OTP Bypass
    • Account Ban Bypass
  • Broken-Link Hijacking
    • Broken-Link Hijacking
  • Broken Auth And Session Management
    • Session Based Bugs
  • CMS
    • AEM
    • Drupal
    • Wordpress
    • Moodle
  • CORS
    • CORS
    • CORS Bypasses
  • CSRF
    • CSRF
    • CSRF MindMap
    • CSRF Bypass
  • Finding CVEs
    • CVES
  • CheckList
    • Web Application Pentesting Checklist
    • Web Checklist by Chintan Gurjar.pdf
    • Web Checklist by Tushra Verma.pdf
    • Mindmap by Rohit Gautam
    • Mindmap by Cristian Cornea
  • Web Page Source Code Review
    • Web Page Code Review Tips
  • EXIF Geo Data Not Stripped
    • EXIF Geo Data Not Stripped
  • File Upload Bypass
    • File Upload Bypass
  • Find Origin IP
    • Find Origin
  • GraphQL
    • GraphQL
  • HTTP Desync Attack
    • HTTP_Desync
  • Host-Header Attack
    • Host-Header
  • HTML-Injection
    • HTML-Injection
  • IDOR
    • IDOR
  • JWT ATTACK
    • JWT
  • JIRA ATTACK
    • JIRA
  • MFA Bypass
    • MFA Bypasses
    • 2FA-Bypass
  • Misconfigurations
    • Default Credential And Admin Panel
    • Docker
    • S3 Bucket
  • OAuth
    • OAuth
    • OAuth Hunting
  • Open Redirection
    • Find OpenRedirect Trick
    • Open Redirection Bypass
  • Parameter Pollution
    • Parameter Pollution In Social Sharing Buttons
  • Password Reset Functionality
    • MindMap
    • Password Reset Token Leakage
    • Account_Takeover_By_Password_Reset_Functionality
    • Password_Reset_Flaws
  • Rate Limit
    • Rate Limit Flaws
    • Rate-Limit Bypass
    • No Rate-Limit on Verify-PhoneNo
    • No Rate-limit on Invite User
    • No Rate-limit on Promo
    • No Rate-limit on Verify-email
    • No Rate-limit on forget-password
  • Race Condition
    • Race Condition
  • Recon
    • Github
    • Recon Workflow
    • Subdomain Enumeration
  • SQLi
    • SQL Injection.md
  • SAML
    • SAML
  • SSRF
    • SSRF
    • Blind SSRF
  • SSTI
    • SSTI
  • Sign Up Functionality
    • Sign Up Bugs
    • Sign Up MindMap
  • Sensitive Info Leaks
    • Github Recon Method
    • Github-Dorks
    • Github Dorks All
    • Google Dorks
    • Shodan CVE Dorks
    • Version Leaks
  • Status Code Bypass
    • Status_Code_Bypass Tips
    • 403 Bypass
  • Subdomain Takeover
    • Subdomain Takeover - Detail Method
    • Subdomain Takeover - Easy Method
    • Subs or Top level Domain
  • Tabnabbing
    • Tabnabbing
  • WAF Bypasses
    • WAF Bypass Using Headers
  • Weak Password Policy
    • Weak Password Policy
  • XSS
    • XSS
    • Bypass CSP
    • XSS Bypass
    • Automated XSS
    • Post Message Xss
  • XXE
    • XXE Methods
    • Billion Laugh Attack
Powered by GitBook
On this page
  • Introduction
  • Identifying the Presence of a WAF
  • Techniques for Origin IP Discovery
  • 1. Historical DNS Records
  • 2. Subdomain Enumeration
  • 3. SSL Certificate Information
  • 4. Direct IP Testing
  • 5. Email Headers Analysis
  • 6. Specialized Tools
  • Verifying the Origin IP
  • Best Practices
  • References
  • Credits
  • Original Author
  • Contributors
  1. Find Origin IP

Find Origin

Introduction

Web Application Firewalls (WAFs) like Cloudflare, AWS WAF, and others protect web applications by filtering and monitoring HTTP traffic. However, discovering the origin IP address behind these protective layers can be crucial during security assessments. This guide outlines various techniques to identify origin IPs.

Identifying the Presence of a WAF

Before attempting to bypass a WAF, first confirm its presence:

# Get the IP address
dig +short example.com

# Check the organization
curl -s https://ipinfo.io/IP | jq -r '.org'

Common WAF Indicators:

  • AWS WAF: Look for "AWSLB" and "AWSLBCORS" cookies

  • Cloudflare: Organization info will indicate Cloudflare, Inc.

  • Other WAFs may have specific signatures or response headers

Techniques for Origin IP Discovery

1. Historical DNS Records

Historical DNS records often reveal IPs used before WAF implementation:

  • SecurityTrails DNS History

    • Visit: https://securitytrails.com/domain/example.com/dns

    • Export historical A records

    • Extract IPs:

      grep -E -o "([0-9]{1,3}[\\.]){3}[0-9]{1,3}" dns_history.txt | sort -u > potential_ips.txt

  • DNS Dumpster

    • Use https://dnsdumpster.com to generate network maps

    • Look for non-WAF IP addresses in the results

2. Subdomain Enumeration

Development or staging environments often lack proper WAF protection:

# Find subdomains and their IPs
subfinder -silent -d example.com | dnsprobe -silent | awk '{ print $2 }' | sort -u > subdomain_ips.txt

Focus on subdomains like:

  • dev.example.com

  • staging.example.com

  • test.example.com

  • beta.example.com

3. SSL Certificate Information

Certificates often reveal all domains and IPs where they're deployed:

  • Censys Method:

    1. Search for certificates using your target domain

    2. Select "Certificates" in the input field and search for your domain

    3. Review each certificate and click "Explore" > "IPv4 Hosts"

    4. Collect all associated IPs

  • Shodan Method:

    # Search by Common Name (CN)
ssl.cert.subject.CN:"example.com"

# Search in all certificate fields (broader)
ssl:"example.com"

    Note: Verify results manually as they may include CDN/proxy IPs. SAN (Subject Alternative Name) fields are generally more reliable than CN.

4. Direct IP Testing

For each potential IP, test if it responds to the target hostname:

# Test single IP
curl -s -k -H "Host: example.com" https://POTENTIAL_IP/

# Test multiple IPs
for ip in $(cat potential_ips.txt); do
  org=$(curl -s https://ipinfo.io/$ip | jq -r '.org')
  title=$(timeout 2 curl -s -k -H "Host: example.com" https://$ip/ | pup 'title text{}')
  echo "IP: $ip | Title: $title | Org: $org"
done

5. Email Headers Analysis

Emails from the target domain often contain internal IP information:

  1. Trigger emails from the target (register, password reset, newsletters)

  2. Examine email headers, particularly:

    • Return-Path

    • Received

    • X-Originating-IP

6. Specialized Tools

Several tools automate origin IP discovery:

  • CloudFail:

    git clone https://github.com/m0rtem/CloudFail.git
cd CloudFail
pip install -r requirements.txt
python3 cloudfail.py -t example.com

  • CloudFlair:

    git clone https://github.com/christophetd/CloudFlair
cd CloudFlair
pip install -r requirements.txt
python3 cloudflair.py example.com

Verifying the Origin IP

After discovering potential origin IPs, verify them:

  1. Compare response content with the WAF-protected site

  2. Look for server fingerprints (headers, error pages)

  3. Check for administrative interfaces or panels not accessible via WAF

Best Practices

  • Combine multiple techniques for better results

  • Document all discovered IPs and their verification status

  • Check IP ranges belonging to the organization

  • Consider timing your requests to avoid rate limiting

References

  • Navisec: A Pentester's Guide - Unmasking WAFs and Finding the Source

  • Detectify: Bypassing Cloudflare WAF with the Origin Server IP Address

Credits

Original Author

  • maverickNerd

Contributors

  • nagarajcruze

  • www

Enhanced and reformatted for HowToHunt repository by remonsec

PreviousFile Upload BypassNextGraphQL

Last updated 13 days ago