Find Origin
Identifying a WAF
With AWS, you can often identify a load balancer with the presence of "AWSLB" and "AWSLBCORS" cookies
Identifying the source
Use https://dnsdumpster.com to generate a map.
Next, make a search using Censys and save the IP's that look to match your target in a text file. Example: https://censys.io/ipv4?q=0x00sec.org
Another way you can find IP's tied to a domain is by viewing their historical IPs. You can do this with SecurityTrails DNS trails. https://securitytrails.com/domain/0x00sec.org/dns
Here we can see what A records existed and for how long. It is so common for an administrator to switch to a WAF solution after X amount of years of using it bare-metal, and do you think they configure whitelisting? No of course not, it works fine!
you can just copy the entire table(Select full table and copy paste it in a txt file) body and use awk to filter the IP's out.
grep -E -o "([0-9]{1,3}[\\.]){3}[0-9]{1,3}" tails.txt | sort -u | tee -a ips.txt
DNS Enumeration
Checking IP's for hosts
in one line, same command: for ip in $(cat ips.txt); do org=$(curl -s <https://ipinfo.io/$ip> | jq -r '.org'); title=$(timeout 2 curl --tlsv1.1 -s -k -H "Host: 0x00sec.org" <https://$ip/> | pup 'title text{}'); echo "IP: $ip Title: $title Org: $org"; done
What we have now is a quick overview of which IP's respond to which Host header, and we can view the title
We went through each host, requested the IP directly with the host header, and we have our source IP!
Setting the Host Header manually curl -s -k -H "Host: 0x00sec.org" https://<ip address>/
or set Host Header in burp.
CloudFail
But first, Recon!
The idea is to start your normal recon process and grab as many IP addresses as you can (host, nslookup, whois, ranges…), then check which of those servers have a web server enabled (netcat, nmap, masscan).
Once you have a list of web server IP, the next step is to check if the protected domain is configured on one of them as a virtual host.
Censys
Choose “Certificates” in the select input, provide the domain of your target, then hit \
You should see a list of certificates that fit to your target
Click on every result to display the details and, in the “Explore” menu at the very right, choose “IPv4 Hosts”.
You should be able to see the IP addresses of the servers that use the certificate
From here, grab all IP you can and, back to the previous chapter, try to access your target through all of them.
example:
curl -s -k -H "Host: 0x00sec.org" https://<ip address>/
Mail headers
The next step is to retrieve the headers in the mails issued by your target: Subscribe the newsletter, create an account, use the function “forgotten password”, order something… in a nutshell do whatever you can to get an email from the website you’re testing
Once you get an email, check the source, and especially the headers. Record all IPs you can find there, as well as subdomains, that could possibly belong to a hosting service. And again, try to access your target through all of them.
The value of header Return-Path worked pretty well
Tool: https://github.com/christophetd/CloudFlair This tools works on censys data.
References: https://delta.navisec.io/a-pentesters-guide-part-5-unmasking-wafs-and-finding-the-source/ https://blog.detectify.com/2019/07/31/bypassing-cloudflare-waf-with-the-origin-server-ip-address/
Authors
Last updated