Skip to content

WAF bypass

Leak Server IP Address

  • Checkout the DNS trail of the hostname. This can be done using Security Trails - The World's Largest Repository of historical DNS data
  • DNS Lookups
    dig example.com
    
  • Options method Sometimes the OPTIONS HTTP methods leaks the IP address of the server behind the WAF.
  • HTTP Headers Try playing around with X-Forwarded-For and similar proxy headers to trigger a different response to the same page.
  • Try to abuse the 8kB upload size on AWS WAF
  • Scan the IP range using the hostname to identify the origin server.

Blogs

Tools

References: