This is a tutorial on how to bypass Cloudflare WAF with the origin server IP address.
Cloudflare is a widely used web app firewall (WAF) provider. But what if you could bypass all these protections in a second making the defense useless? This article is a tutorial on bypassing Cloudflare WAF getting the origin server IP address. With more than 16M Internet properties, Cloudflare is now one of the most popular web application firewalls (WAF). A year ago Cloudflare released a fast DNS resolver, which became the proverbial cherry on top of their service offering. Working as a reverse proxy, the WAF does not only offer a protection against DDOS but can also trigger an alert when it detects an attack. For paid subscriptions, users have the option to turn on protection against common vulnerabilities such as SQLi, XSS and CSRF, yet this must be manually enabled. This option is not available for free accounts.
1. first, Recon! The idea is to start your normal recon process and grab as many IP addresses as you can (host, nslookup, whois, ranges ), then check which of those servers have a web server enabled (netcat, nmap, masscan). Once you have a list of web server IP, the next step is to check if the protected domain is configured on one of them as a virtual host. If not, you ll get the default server page or the default website configured. If yes then you found the entry point! Using Burp.
Some tools available to automate this process:
github.com
github.com
2. Censys If your target has a SSL certificate (and it should!), then it s registered in the [COLOR=rgb(251, 160...[/B]
Cloudflare is a widely used web app firewall (WAF) provider. But what if you could bypass all these protections in a second making the defense useless? This article is a tutorial on bypassing Cloudflare WAF getting the origin server IP address. With more than 16M Internet properties, Cloudflare is now one of the most popular web application firewalls (WAF). A year ago Cloudflare released a fast DNS resolver, which became the proverbial cherry on top of their service offering. Working as a reverse proxy, the WAF does not only offer a protection against DDOS but can also trigger an alert when it detects an attack. For paid subscriptions, users have the option to turn on protection against common vulnerabilities such as SQLi, XSS and CSRF, yet this must be manually enabled. This option is not available for free accounts.
1. first, Recon! The idea is to start your normal recon process and grab as many IP addresses as you can (host, nslookup, whois, ranges ), then check which of those servers have a web server enabled (netcat, nmap, masscan). Once you have a list of web server IP, the next step is to check if the protected domain is configured on one of them as a virtual host. If not, you ll get the default server page or the default website configured. If yes then you found the entry point! Using Burp.
Some tools available to automate this process:
A script to enumerate virtual hosts on a server. Contribute to jobertabma/virtual-host-discovery development by creating an account on GitHub.
A PHP tool to brute force vhost configured on a server. - gwen001/vhost-brute
2. Censys If your target has a SSL certificate (and it should!), then it s registered in the [COLOR=rgb(251, 160...[/B]