Find Origin

Identifying a WAF

dig +short
curl -s | jq -r '.org'
  • With AWS, you can often identify an Application Load Balancer by the presence of the "AWSALB" and "AWSALBCORS" cookies.

Identifying the source

  • Use to generate a map.

  • Next, make a search using Censys and save the IPs that look to match your target in a text file. Example:

  • Another way to find IPs tied to a domain is to view its historical IPs. You can do this with SecurityTrails DNS trails.

    • Here we can see which A records existed and for how long. It is very common for an administrator to switch to a WAF solution after X years of running the site bare-metal, and do you think they configure whitelisting on the origin? No, of course not, it works fine!

    • You can just copy the entire table body (select the full table and paste it into a text file) and use grep to filter out the IPs:

      grep -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" tails.txt | sort -u | tee -a ips.txt

DNS Enumeration

If you enumerate your target's DNS, you may find that they have something resembling a or subdomain, and it may be pointing to the source host with no WAF in front of it.

- Get all the subdomains, resolve them, and collect the resulting IPs.
    `subfinder -silent -d | dnsprobe -silent | awk '{ print $2 }' | sort -u | tee -a ips.txt`

Checking IP's for hosts

    for ip in $(cat ips.txt); do                                     # iterate through each line in the file
        org=$(curl -s "https://ipinfo.io/$ip" | jq -r '.org')        # get Org from IPInfo (URL inferred from the comment)
        title=$(timeout 2 curl -s -k -H "Host: <target domain>" "https://$ip/" | pup 'title text{}')  # get title
        echo "IP: $ip Title: $title Org: $org"                       # print results
    done

In one line, the same command:

    for ip in $(cat ips.txt); do org=$(curl -s "https://ipinfo.io/$ip" | jq -r '.org'); title=$(timeout 2 curl --tlsv1.1 -s -k -H "Host: <target domain>" "https://$ip/" | pup 'title text{}'); echo "IP: $ip Title: $title Org: $org"; done
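The same two steps, the IP extraction from pasted text and the direct-to-IP Host-header check, as an added shell example (not from the original notes). It is written as the check you run against your own candidate origin hosts: any IP that answers 2xx/3xx for the site's Host header is serving the vhost without the WAF in front of it, which is exactly the missing-allowlist situation described above. The IP filter improves on the bare regex by rejecting octets above 255; `classify_status` and `probe_origin` are names chosen here, and the sample text is constructed. It assumes `curl` and `pup` are installed.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes curl and pup exist.

# Print the unique, syntactically valid IPv4 addresses found in stdin.
# Works on any pasted text: a DNS history table, Censys output, raw mail headers.
# Unlike the plain regex, the awk stage drops out-of-range octets such as 300.1.1.1.
extract_ips() {
    grep -E -o '([0-9]{1,3}\.){3}[0-9]{1,3}' \
    | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' \
    | sort -u
}

# Turn the HTTP status of a direct-to-IP request into a verdict.
# 000 is what curl reports when no connection could be made at all.
classify_status() {
    case "$1" in
        000)      echo "no-response" ;;
        2??|3??)  echo "EXPOSED" ;;          # origin served the vhost, WAF bypassed
        *)        echo "filtered($1)" ;;     # e.g. 403/421: origin refuses direct access
    esac
}

# Probe one IP with the site's Host header and print "<ip> <status> <verdict> <title>".
probe_origin() {
    ip="$1"
    host="$2"
    status=$(timeout 5 curl -s -k -o /dev/null -w '%{http_code}' \
                 -H "Host: $host" "https://$ip/" 2>/dev/null) || true
    status=${status:-000}
    title=$(timeout 5 curl -s -k -H "Host: $host" "https://$ip/" 2>/dev/null \
                | pup 'title text{}' | head -n 1)
    echo "$ip $status $(classify_status "$status") ${title:-?}"
}

# Offline demo on constructed input (no network is touched here).
sample_table='2019-03-01  203.0.113.10  A  18 months
bogus row   300.1.1.1     A  1 day
2021-07-14  198.51.100.7  A  still active, also 203.0.113.10'
printf '%s\n' "$sample_table" | extract_ips

# Usage against a real candidate list, with the domain set to your own site:
#   extract_ips < tails.txt | while read -r ip; do probe_origin "$ip" "<your domain>"; done
```

Read the output as a defender: an `EXPOSED` line means that host still accepts the site's Host header from anywhere and needs its firewall or vhost configuration restricted to the WAF's egress ranges.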

  • What we have now is a quick overview of which IPs respond to which Host header, and we can view the page title for each.

  • We went through each host, requested the IP directly with the Host header set, and we have our source IP!

Setting the Host header manually:

    curl -s -k -H "Host: <target domain>" https://<ip address>/

Or set the Host header in Burp.


git clone <>
cd CloudFail
pip install -r requirements.txt
python3 -t

But first, Recon!

  • The idea is to start your normal recon process and grab as many IP addresses as you can (host, nslookup, whois, ranges…), then check which of those servers have a web server enabled (netcat, nmap, masscan).

  • Once you have a list of web server IPs, the next step is to check whether the protected domain is configured on one of them as a virtual host.


  • Choose “Certificates” in the select input, provide the domain of your target, then run the search.

  • You should see a list of certificates that match your target.

  • Click on every result to display the details and, in the “Explore” menu at the very right, choose “IPv4 Hosts”.

  • You should be able to see the IP addresses of the servers that use the certificate.

  • From here, grab all the IPs you can and, going back to the previous section, try to access your target through all of them:


    curl -s -k -H "Host: <target domain>" https://<ip address>/

Mail headers

  • The next step is to retrieve the headers of the mails issued by your target: subscribe to the newsletter, create an account, use the “forgotten password” function, order something… in a nutshell, do whatever you can to get an email from the website you’re testing.

  • Once you get an email, check the source, and especially the headers. Record all IPs you can find there, as well as subdomains, that could possibly belong to a hosting service. And again, try to access your target through all of them.

The value of the Return-Path header worked pretty well.

Tool: this tool works on Censys data.


