Find Origin
Introduction
Web Application Firewalls (WAFs) like Cloudflare, AWS WAF, and others protect web applications by filtering and monitoring HTTP traffic. However, discovering the origin IP address behind these protective layers can be crucial during security assessments. This guide outlines various techniques to identify origin IPs.
Identifying the Presence of a WAF
Before attempting to bypass a WAF, first confirm its presence:
Common WAF Indicators:
AWS WAF: Look for "AWSLB" and "AWSLBCORS" cookies
Cloudflare: The organization listed for the resolved IP will be Cloudflare, Inc.
Other WAFs may have specific signatures or response headers
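The indicators above can be checked programmatically. The following script is an added example and not part of the original HowToHunt guide; it classifies the headers of an HTTPS response using the cookie names the guide lists (plus the AWSALB/AWSALBCORS names an Application Load Balancer sets, and Cloudflare's cf-ray header and Server value), so a defender can confirm the WAF is actually in front of a hostname before relying on it. The product names and the signature table are this example's own.

```python
"""Added example (not part of the HowToHunt page): fingerprint a WAF/CDN from
an HTTP response, so a defender can confirm the protective layer is actually
in front of a hostname before relying on it."""
import http.client
import ssl

# Indicators per product. AWSLB/AWSLBCORS are the cookie names the guide lists;
# AWSALB/AWSALBCORS are the names an Application Load Balancer sets. The
# Cloudflare indicators are its well-known "cf-ray" header and Server value.
WAF_SIGNATURES = {
    "AWS WAF/ALB": {
        "cookies": {"AWSLB", "AWSLBCORS", "AWSALB", "AWSALBCORS"},
        "headers": {},
    },
    "Cloudflare": {
        "cookies": {"__cf_bm"},
        "headers": {"cf-ray": None, "server": "cloudflare"},  # None = presence only
    },
}


def identify_waf(headers):
    """headers: list of (name, value) pairs as returned by
    HTTPResponse.getheaders(). Returns the sorted list of matching products."""
    cookie_names = set()
    plain = {}
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            # The cookie name is everything before the first '=' of the first attribute
            cookie_names.add(value.split(";", 1)[0].split("=", 1)[0].strip())
        else:
            plain[lname] = value
    found = set()
    for product, sig in WAF_SIGNATURES.items():
        if cookie_names & sig["cookies"]:
            found.add(product)
            continue
        for header, expected in sig["headers"].items():
            if header in plain and (expected is None or expected in plain[header].lower()):
                found.add(product)
                break
    return sorted(found)


def probe(host, path="/", timeout=5):
    """Fetch the response headers for host over HTTPS and classify them."""
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("GET", path, headers={"User-Agent": "waf-check"})
    resp = conn.getresponse()
    headers = resp.getheaders()
    conn.close()
    return identify_waf(headers)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) or ["no known WAF indicators"])
```

Run as `python waf_check.py www.example.com`. Only a subset of real-world indicators is encoded; a product whose signatures are not in the table simply yields an empty list, which is a reason to inspect the headers by hand rather than to conclude there is no WAF.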
Techniques for Origin IP Discovery
1. Historical DNS Records
Historical DNS records often reveal IPs used before WAF implementation:
SecurityTrails DNS History
Visit: https://securitytrails.com/domain/example.com/dns
Export historical A records
Extract IPs:
DNS Dumpster
Use https://dnsdumpster.com to generate network maps
Look for non-WAF IP addresses in the results
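The "extract IPs" and "look for non-WAF addresses" steps above amount to pulling every IPv4 address out of an exported history and discarding the ones that belong to the CDN. The script below is an added example, not code from the HowToHunt guide; it does that over a constructed export (the CSV layout is assumed, and the regex works on any text dump) using a small subset of Cloudflare's published IPv4 ranges. From the defender's side, the addresses it leaves over are the historical origins that should be confirmed decommissioned or firewalled.

```python
"""Added example (not part of the HowToHunt page): extract IPv4 addresses
from a DNS-history export and separate CDN-owned addresses from the rest."""
import ipaddress
import re
from collections import OrderedDict

# Subset of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4);
# extend with the full list and with your own WAF/CDN provider's ranges.
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20", "198.41.128.0/17",
    "162.158.0.0/15", "141.101.64.0/18", "108.162.192.0/18",
)]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(text):
    """Unique, syntactically valid IPv4 addresses, in order of first appearance."""
    seen = OrderedDict()
    for token in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:  # e.g. "300.1.1.1" matches the regex but is not an address
            continue
        seen.setdefault(str(ip), ip)
    return list(seen.values())


def is_cdn(ip):
    """True if the address falls inside one of the known CDN ranges."""
    return any(ip in net for net in CDN_RANGES)


def classify(text):
    """Split the addresses in a history dump into CDN-owned and candidate origins."""
    result = {"cdn": [], "candidate": []}
    for ip in extract_ips(text):
        (result["cdn"] if is_cdn(ip) else result["candidate"]).append(str(ip))
    return result


# Constructed sample export (RFC 5737 documentation addresses, not real data);
# the column layout is an assumption, the regex does not depend on it.
SAMPLE_HISTORY = """\
first_seen,last_seen,type,value
2019-03-01,2020-06-15,A,203.0.113.10
2020-06-16,2024-01-01,A,104.16.22.33
2020-06-16,2024-01-01,A,104.16.23.33
2018-01-01,2019-02-28,A,198.51.100.7
"""

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HISTORY
    for bucket, ips in classify(data).items():
        print(f"{bucket}: {', '.join(ips) or '-'}")
```

Addresses in the `candidate` bucket are not proven origins; a provider range missing from `CDN_RANGES` will land there too, so keep the range list current before acting on the output.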
2. Subdomain Enumeration
Development or staging environments often lack proper WAF protection:
Focus on subdomains like:
dev.example.com
staging.example.com
test.example.com
beta.example.com
3. SSL Certificate Information
Certificates often reveal all domains and IPs where they're deployed:
Censys Method:
Search for certificates using your target domain
Select "Certificates" in the input field and search for your domain
Review each certificate and click "Explore" > "IPv4 Hosts"
Collect all associated IPs
Shodan Method:
Note: Verify results manually as they may include CDN/proxy IPs. SAN (Subject Alternative Name) fields are generally more reliable than CN.
4. Direct IP Testing
For each potential IP, test if it responds to the target hostname:
5. Email Headers Analysis
Emails from the target domain often contain internal IP information:
Trigger emails from the target (register, password reset, newsletters)
Examine email headers, particularly:
Return-Path
Received
X-Originating-IP
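Pulling the addresses out of those three headers is a small parsing job. The script below is an added example, not part of the HowToHunt guide: it reads a raw message, collects every IPv4 address found in Return-Path, Received and X-Originating-IP, and splits them into internal (RFC 1918 and loopback) and external addresses. A defender runs it over mail their own application sends to see exactly which hosts the headers disclose; the sample message and its addresses are constructed.

```python
"""Added example (not part of the HowToHunt page): list the IP addresses a
message's Return-Path, Received and X-Originating-IP headers disclose."""
import email
import ipaddress
import re

HEADERS_OF_INTEREST = ("Return-Path", "Received", "X-Originating-IP")
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def ips_by_header(raw_message):
    """Map header name -> unique IPs found across every occurrence of that header."""
    msg = email.message_from_string(raw_message)
    found = {}
    for name in HEADERS_OF_INTEREST:
        for value in msg.get_all(name, []):  # folded continuation lines are included
            for token in IPV4.findall(value):
                try:
                    ip = str(ipaddress.ip_address(token))
                except ValueError:
                    continue
                bucket = found.setdefault(name, [])
                if ip not in bucket:
                    bucket.append(ip)
    return found


def summarize(raw_message):
    """Unique IPs across the headers of interest, split into internal/external."""
    result = {"internal": [], "external": []}
    for ips in ips_by_header(raw_message).values():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            key = "internal" if any(addr in net for net in INTERNAL) else "external"
            if ip not in result[key]:
                result[key].append(ip)
    return result


# Constructed sample message (RFC 5737 documentation addresses, not real hosts)
SAMPLE_MESSAGE = """\
Return-Path: <bounce@example.com>
Received: from mail.example.com (mail.example.com [203.0.113.25])
    by mx.recipient.example (Postfix) with ESMTPS id ABC123
    for <user@recipient.example>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from webapp01.internal (unknown [10.0.0.12])
    by mail.example.com (Postfix) with ESMTP id DEF456;
    Mon, 1 Jan 2024 09:59:58 +0000
X-Originating-IP: [203.0.113.25]
From: noreply@example.com
To: user@recipient.example
Subject: Password reset

Use the link below to reset your password.
"""

if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MESSAGE
    for header, ips in ips_by_header(raw).items():
        print(f"{header}: {', '.join(ips)}")
    print(summarize(raw))
```

Save a message as a `.eml` file and pass its path. In the sample, the innermost Received header names the web application host that handed the message to the relay; an external address in that position is what the technique in this section is looking for, and is the reason application mail is better sent through a relay or mail provider rather than directly from the origin.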
6. Specialized Tools
Several tools automate origin IP discovery:
CloudFail:
CloudFlair:
Verifying the Origin IP
After discovering potential origin IPs, verify them:
Compare response content with the WAF-protected site
Look for server fingerprints (headers, error pages)
Check for administrative interfaces or panels not accessible via WAF
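Section 4 (testing whether a candidate IP answers for the target hostname) and the verification steps above (comparing content and server fingerprints) are the same comparison done twice, so one script serves both. It is an added example, not code from the HowToHunt guide, and is written for the defender's use: fetch the site through the WAF, fetch it again by connecting to a candidate IP with the hostname as TLS SNI and Host header, and compare status, Server header and a body hash. Against your own origin the expected verdict is "refused"; "exposed" means the origin must be restricted to the WAF's egress addresses (or require client-certificate authentication from the WAF). Function names and the verdict labels are this example's own.

```python
"""Added example (not part of the HowToHunt page): compare the WAF-fronted
response with the response obtained directly from a candidate IP."""
import hashlib
import http.client
import socket
import ssl


def build_fingerprint(status, headers, body):
    """Reduce a response to the fields worth comparing."""
    server = next((v for k, v in headers if k.lower() == "server"), "")
    return {
        "status": status,
        "server": server,
        "length": len(body),
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }


def fetch(ip, host, path="/", port=443, timeout=5):
    """GET `path` from `ip` while presenting `host` as SNI and Host header.
    Returns a fingerprint, or None when the connection is refused/times out."""
    ctx = ssl.create_default_context()  # the certificate is validated against `host`
    try:
        raw = socket.create_connection((ip, port), timeout=timeout)
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except OSError:  # includes ssl.SSLError and timeouts
        return None
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    conn.sock = tls  # reuse the socket opened to the explicit IP
    conn.request("GET", path, headers={"Host": host, "User-Agent": "origin-check"})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return build_fingerprint(resp.status, resp.getheaders(), body)


def assess(front, direct):
    """front: fingerprint of the WAF-fronted site; direct: fingerprint from the
    candidate IP (None if unreachable). Returns (verdict, detail)."""
    if direct is None:
        return "refused", "candidate does not accept direct connections"
    if direct["body_sha256"] == front["body_sha256"]:
        return "exposed", "identical body served directly, bypassing the WAF"
    if (direct["status"] == front["status"] and direct["server"]
            and direct["server"] == front["server"]):
        return "partial", "same status and Server header but different body"
    return "different", "response does not look like the protected site"


if __name__ == "__main__":
    import sys
    host, candidate_ip = sys.argv[1], sys.argv[2]
    front = fetch(socket.gethostbyname(host), host)  # resolves to the WAF edge
    if front is None:
        sys.exit("could not reach the site through the WAF")
    print(assess(front, fetch(candidate_ip, host)))
```

Run as `python origin_check.py www.example.com 203.0.113.10`. A "partial" verdict usually means the candidate is a shared host or default vhost rather than the origin; an "exposed" verdict should be treated as a finding regardless of whether the IP came from DNS history, a certificate search or an email header.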
Best Practices
Combine multiple techniques for better results
Document all discovered IPs and their verification status
Check IP ranges belonging to the organization
Consider timing your requests to avoid rate limiting
References
Credits
Original Author
Contributors
Enhanced and reformatted for HowToHunt repository by remonsec
Last updated