
WAF Bypass

As a hacker or bug bounty hunter, it is obviously very interesting to get rid of the firewall. For that, you basically have three options:

  1. Customize your payloads in order to bypass the rules in place. It can be interesting to improve your skills at firewall bypass, but it can be a tedious and time-consuming task, which is not something you can afford when you're a bug hunter: time is prime!
  2. Alter the requests in a way that disrupts the server. As with the first option, it can be time-consuming and requires patience and good fuzzing skills.
  3. Get around Cloudflare by finding the origin IP of the web server. Probably the easiest option: no technical skills required, and it is already part of the recon process, so no time is wasted. As soon as you get it, you no longer have to worry about the WAF or the DDoS protection (rate limiting).

In this article, we're going to focus on the last option and how to achieve it, based on tips grabbed here and there.

Finding the origin IP:

1. Recon

The idea is to start your normal recon process and grab as many IP addresses as you can (host, nslookup, whois, ranges…), then check which of those servers have a web server enabled (netcat, nmap, masscan). Once you have a list of web server IPs, the next step is to check whether the protected domain is configured on one of them as a virtual host. If not, you'll get the default server page or the default website configured. If yes, then you have found the entry point!

Some tools available to automate this process:
https://pentest-tools.com/information-gathering/find-virtual-hosts
https://github.com/jobertabma/virtual-host-discovery
https://github.com/gwen001/vhost-brute

Censys

If your target has an SSL certificate (and it should!), then it's registered in the Censys database (I strongly recommend subscribing). Choose "Certificates" in the select input, provide the domain of your target, then hit <enter>.

From here, grab all the IPs you can and, as in the previous chapter, try to access your target through all of them.

Mail headers

The next step is to retrieve the headers of the mails sent by your target: subscribe to the newsletter, create an account, use the "forgotten password" function, order something… in a nutshell, do whatever you can to get an email from the website you're testing (note that Burp Collaborator can be used).

Once you get an email, check its source, and especially the headers. Record all the IPs you can find there, as well as any subdomains that could belong to a hosting service. And again, try to access your target through all of them.

The value of the Return-Path header worked pretty well for me.

XML-RPC Pingback

This well-known WordPress feature, XML-RPC (Remote Procedure Call), allows an administrator to manage his/her blog remotely using XML requests. A pingback is the response to a ping. A ping is performed when a site A links to a site B; site B then notifies site A that it is aware of the mention. This is the pingback.

You can easily check whether it's enabled by calling https://www.target.com/xmlrpc.php. You should get the following: XML-RPC server accepts POST requests only.

According to the WordPress XML-RPC Pingback API, the function takes 2 parameters: sourceUri and targetUri.

Favicon.ico

STEPS TO REPRODUCE:

  1. Simply visit: https://redacted.tld
  2. Find out the absolute URL of favicon.ico:
     https://redacted.tld/img/icons/redacted/favicon.ico
  3. Now generate the hash for this favicon:
  4. Run:
     $ curl -s -L -k "https://redacted.tld/img/icons/redacted/favicon.ico" | python3 -c 'import mmh3,sys,codecs; print(mmh3.hash(codecs.encode(sys.stdin.buffer.read(),"base64")))'

Output:
-645272014

5. We are going to use the above hash value to search on **SHODAN**, as:
$ shodan search http.favicon.hash:-645272014

Output:

*x.x.x.x* 80 hostname.redacted.tld HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nDate: Thu, 19 Nov 2020 23:39:07 GMT\r\nContent-Type: text/html\r\nContent-Length: 199766\r\nLast-Modified: Tue, 03 Nov 2020 16:02:21 GMT\r\nConnection: keep-alive\r\nETag: 5fa17f0d-30c56\r\nAccept-Ranges: bytes\r\n\r\n*

NOTE: According to the output, the IP [x.x.x.x] and "hostname.redacted.tld" point to a subdomain named *sub.redacted.tld*.

6. To verify whether the WAF is bypassed or not, you can use wafw00f:

6a) Execute:
$ wafw00f -a https://sub.redacted.tld
output:
[+] The site https://sub.redacted.tld is behind Cloudflare (Cloudflare Inc.) WAF.

6b) Execute:
$ wafw00f -a http://x.x.x.x
output:
[-] No WAF detected by the generic detection
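To see what an internet-wide scan indexes about your own origin, the favicon fingerprint from step 4 can be computed offline. This is an added example, not part of the original write-up: a pure-Python MurmurHash3 (x86_32) that returns the same signed value as mmh3.hash(), applied to the base64 form exactly as codecs.encode(..., "base64") produces it (76-character, newline-terminated lines); the favicon bytes at the bottom are a constructed stand-in, not a real file.

```python
import base64

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def _fmix32(h: int) -> int:
    # Final avalanche step of MurmurHash3_x86_32.
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    return h ^ (h >> 16)


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32 of data, returned signed like mmh3.hash() does."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(0, nblocks * 4, 4):  # full 4-byte little-endian blocks
        k = int.from_bytes(data[i:i + 4], "little")
        k = _rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h = (_rotl32(h ^ k, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]
    if tail:  # 1 to 3 trailing bytes, composed little-endian like the reference switch
        k = _rotl32((int.from_bytes(tail, "little") * c1) & MASK32, 15)
        h ^= (k * c2) & MASK32
    h = _fmix32(h ^ len(data))
    return h - (1 << 32) if h & 0x80000000 else h


def favicon_hash(favicon_bytes: bytes) -> int:
    """Shodan-style http.favicon.hash of a favicon's bytes.

    codecs.encode(data, "base64"), as used in the curl pipeline, is base64.encodebytes():
    76-character lines, each newline-terminated. Plain b64encode() output has no
    newlines and therefore hashes to a different value.
    """
    return murmur3_32(base64.encodebytes(favicon_bytes))


if __name__ == "__main__":
    # Constructed stand-in for a favicon (ICO-like header plus padding), not a real file.
    sample_ico = bytes.fromhex("00000100010010100000010020006804000016000000") + bytes(100)
    print("http.favicon.hash:", favicon_hash(sample_ico))
```

Feed it the bytes of your own favicon to get the value that a `http.favicon.hash:` search would match; if the origin serves the same file as the CDN-fronted site, both carry the same fingerprint.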

7. SUGGESTIONS:
My recommendations fall in line with Cloudflare's own guidelines (ref.: https://support.cloudflare.com/hc/en-us/articles/201897700-Step-4-Recommended-First-Steps-for-all-Cloudflare-users): the origin server must communicate exclusively with Cloudflare's IP address ranges. Otherwise, as reported in this post on Cloudflare's blog (ref.: https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/), the protection offered by having a reverse proxy basically becomes useless.
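One way to act on that recommendation from the origin side, as an added example that is not from the original post or from Cloudflare: a check over the origin's own access log that flags every request whose source address is outside the proxy's ranges (i.e. someone reached the origin directly), next to the nginx allow/deny block that would have refused those requests. The CIDR list and the log lines are constructed stand-ins (RFC 5737 / RFC 3849 documentation prefixes); a real deployment loads the provider's current published ranges.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Constructed stand-in for the CDN's published prefixes (RFC 5737 / RFC 3849
# documentation ranges). A real deployment loads the provider's current list.
CDN_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "198.51.100.0/24", "2001:db8::/32")]

# nginx "combined" log format: client address first, request line in quotes, then status.
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample log lines: two requests arrived via the proxy ranges, two hit the
# origin address directly from a scanner-like host, one line is malformed.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Nov/2020:23:39:07 +0000] "GET / HTTP/1.1" 200 199766 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [19/Nov/2020:23:41:12 +0000] "GET /favicon.ico HTTP/1.1" 200 1150 "-" "curl/7.68.0"',
    '198.51.100.77 - - [19/Nov/2020:23:42:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"',
    '203.0.113.5 - - [19/Nov/2020:23:43:30 +0000] "GET / HTTP/1.1" 200 199766 "-" "python-requests/2.25"',
    'not a log line',
]


def is_cdn_address(ip: str, ranges=CDN_RANGES) -> bool:
    """True when ip lies inside one of the allowed proxy prefixes (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_direct_origin_hits(lines: Iterable[str], ranges=CDN_RANGES) -> List[Tuple[str, str, str]]:
    """(client_ip, request, status) for every request that bypassed the proxy.
    A non-empty result means the origin address is reachable and known to someone."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # malformed line
        try:
            if is_cdn_address(m["ip"], ranges):
                continue
        except ValueError:
            continue  # unparseable address field
        hits.append((m["ip"], m["req"], m["status"]))
    return hits


def nginx_allowlist(ranges=CDN_RANGES) -> str:
    """The corrected configuration: allow only the proxy prefixes, deny everything else."""
    allows = "\n".join(f"    allow {net};" for net in ranges)
    return "location / {\n" + allows + "\n    deny all;\n}"
```

Run over a real log, a non-empty result from find_direct_origin_hits is the signal that the origin is being reached without the reverse proxy, which is exactly the situation the wafw00f check in step 6b demonstrates.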

2. Tools

So far we have seen how to find and check IP addresses manually; fortunately, we have great developers in our community. Below are some tools that are supposed to do the job for you and could save your precious time. You can include them in your recon process as soon as you detect Cloudflare protection.

Note that none of these methods is 100% reliable, as all targets are different and what works for one may not work for another. My advice: try them all.

HatCloud: crimeflare, ipinfo.io
CrimeFlare: crimeflare, ipinfo.io
bypass-firewalls-by-DNS-history: securitytrails, crimeflare

CloudFail: dnsdumpster, crimeflare, subdomain brute force
CloudFlair: censys key required
CloudIP: nslookup of some common subdomains (ftp, cpanel, mail, direct, direct-connect, webmail, portal)

A REPRESENTATION RECOMMENDED BY OWASP TO BETTER UNDERSTAND WAFs