Hacking behind the WAF

In this brief article, I will discuss an important point for testing web applications in bug bounty.

Introduction

Let’s agree at this point that we all know about the WAF and it’s purpose and all these things. Most of the web vulnerabilities are blocked by WAF (XSS , SQLi ..), which is considered a server-side protection. In addition, the firewall hides the real IP address of the web app as protection mechanism.

In most cases our goal is to evade or bypass the firewall. However, this can be done via several techniques such as encoding, obfuscation and others. In this article, I will tackle one of the evasion techniques, which is testing on the real IP address of the web app that resides behind the WAF.

Practical Steps

In order to find the actual IP of the web app that we are testing, there are several tools that can do this for us:

Shoden : https://www.shodan.io

Censys : https://search.censys.io

IVRE : https://ivre.rocks

SecurityTrails : https://securitytrails.com

and others…

These tools can help you to find the actual IP address of the web application that is hidden by the WAF.

After we were able to find the real IP, the WAF is no longer a problem in blocking our testing attempts.

However, we still have to bypass any client-side filtrations, if theres any, in place.

NOTE: In some cases, finding the original IP address of the web application can lead to accessing sensitive or unprotected admin panels and pages, which could be a valid finding or a bug by itself.