Leak Server IP Address
- Check the DNS trail of the hostname. This can be done using SecurityTrails, a repository of historical DNS data.
- DNS Lookups
- OPTIONS method
Sometimes the HTTP OPTIONS method leaks the IP address of the server behind the WAF.
- HTTP Headers
Try playing around with X-Forwarded-For and similar proxy headers to trigger a different response to the same page.
- Try to abuse the 8kB upload size on AWS WAF
- Scan the IP range using the hostname to identify the origin server.
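
The DNS trail item above can be checked from the defender's side by auditing your own zone's historical records for addresses outside the WAF's published ranges. This is an added example, not part of the original page; the ranges, hostnames and records are constructed (documentation address space), and `WAF_RANGES`, `DNS_HISTORY` and `audit` are hypothetical names.

```python
import ipaddress

# Assumption: the edge ranges your WAF/CDN vendor publishes (documentation ranges here).
WAF_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")]

# Constructed sample of historical records: (hostname, type, value, last_seen)
DNS_HISTORY = [
    ("www.example.com", "A", "198.51.100.10", "2024-05-01"),        # current, behind WAF
    ("www.example.com", "A", "203.0.113.7", "2021-03-14"),          # pre-WAF record
    ("origin.example.com", "A", "203.0.113.7", "2024-05-01"),       # direct subdomain
    ("mail.example.com", "A", "203.0.113.25", "2024-05-01"),        # never behind WAF
    ("www.example.com", "AAAA", "2001:db8:100::10", "2024-05-01"),
    ("old.example.com", "A", "not-an-ip", "2019-01-01"),            # malformed entry
]

def behind_waf(addr):
    """True if the address falls inside a published WAF range."""
    return any(addr in net for net in WAF_RANGES)

def parse(value):
    """Return an ip_address object, or None for a malformed value."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def audit(history):
    """Map each non-WAF IP to the hostnames that exposed it and when it was last seen."""
    rows = [(host, parse(value), seen) for host, _type, value, seen in history]
    rows = [r for r in rows if r[1] is not None]
    # Hostnames that resolve (or resolved) into the WAF: these are meant to be hidden.
    protected = {host for host, addr, _ in rows if behind_waf(addr)}
    exposed = {}
    for host, addr, seen in rows:
        if behind_waf(addr):
            continue
        entry = exposed.setdefault(str(addr), {"hosts": set(), "last_seen": seen})
        entry["hosts"].add(host)
        entry["last_seen"] = max(entry["last_seen"], seen)  # ISO dates sort as strings
    for entry in exposed.values():
        # The IP is tied to a hostname that is supposed to sit behind the WAF.
        entry["reveals_protected"] = bool(entry["hosts"] & protected)
    return exposed

if __name__ == "__main__":
    for ip, info in sorted(audit(DNS_HISTORY).items()):
        print(ip, sorted(info["hosts"]), info["last_seen"], info["reveals_protected"])
```

Any IP reported with `reveals_protected` set is a candidate for rotation, and the origin's firewall should accept HTTP(S) only from the WAF ranges so a known address is not reachable directly.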