Everyone who has ever hacked, or tried to hack, has come across this most evil-fucking WAF: Cloudflare (most often), Sucuri (a similar fucking thing), Akamai (some fucking shit), etc. Well, there are different ways to bypass a WAF, however loud that sounds, but there are!
First, to understand how it all works, we have to see the whole picture of what is going on. The WAF is a proxy server sitting in front of the real server, and we bypass it by finding the direct IP address of that server. There are many ways to do this, and we will explore them below.
Recommended reading:
https://habr.com/ru/company/dsec/blog/340144/
https://habr.com/ru/post/326362/
To bypass the WAF ("waffle") you can use: https://github.com/vincentcox/bypassby-DNS-history
Scan all possible subdomains to find the real IP, the one not hidden behind the WAF. Sometimes it helps to register on the site: the confirmation email may come from the real IP address of the server, but this happens very rarely. nmap often saves the day. In general, learn the basics and don't hesitate to use Google, at least as a last resort.
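The defensive counterpart of the subdomain-scan idea above, as an added example that is not part of the original post: audit a zone's own A/AAAA records and flag every host that resolves outside the proxy provider's edge ranges, because those hosts are exactly what such a scan would turn up. The edge ranges and zone records below are constructed placeholders; in practice load the provider's current published list and a real zone export.

```python
import ipaddress

# Constructed stand-in for the proxy provider's published edge ranges
# (assumption: a real audit loads the provider's current list).
PROXY_RANGES = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",   # constructed (TEST-NET-2)
    "203.0.113.0/24",    # constructed (TEST-NET-3)
    "2001:db8:1::/48",   # constructed (documentation prefix)
)]

# Constructed zone snapshot: (record name, record type, value).
ZONE_RECORDS = [
    ("example.com",      "A",    "198.51.100.10"),
    ("www.example.com",  "A",    "198.51.100.10"),
    ("mail.example.com", "A",    "192.0.2.25"),
    ("dev.example.com",  "A",    "192.0.2.25"),
    ("api.example.com",  "AAAA", "2001:db8:1::17"),
    ("ftp.example.com",  "A",    "192.0.2.40"),
    ("blog.example.com", "CNAME", "www.example.com"),
]

def is_proxied(ip_str):
    """True if the address falls inside one of the proxy's edge ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in PROXY_RANGES)

def find_exposed(records):
    """Map each non-proxied address to the record names pointing at it.

    Only A/AAAA records are inspected; CNAMEs resolve through their target.
    Several names sharing one exposed address is the classic case of a
    mail or dev host living on the same box as the protected site.
    """
    exposed = {}
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue
        if not is_proxied(value):
            exposed.setdefault(value, []).append(name)
    return exposed

def report(records):
    """Human-readable lines, one per exposed address, sorted by address."""
    exposed = find_exposed(records)
    return [f"{ip} exposed via {', '.join(names)}"
            for ip, names in sorted(exposed.items())]

if __name__ == "__main__":
    for line in report(ZONE_RECORDS):
        print(line)
```

Any address listed in the report should either be moved behind the proxy or firewalled so that it accepts traffic only from the proxy's edge ranges; otherwise the WAF can be bypassed by addressing it directly.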
How does the WAF work?
WAF developers take different approaches to telling the user that the WAF has blocked a request. Therefore, by analyzing the response to our attack request, we can work out which WAF protects the web application; the term WAF fingerprinting is used for this. This helps if the WAF has not been updated for some reason (usually the case with open source WAFs). Developers of proprietary WAFs take care of their clients and implement an auto-update mechanism. Even if we identify the WAF and it turns out to be on the latest version, knowing the particular product still tells us something about the specifics of how it works.
Let’s list the main places by which the WAF can be identified:
Additional cookies
Additional headers added to any response or request
Response content (in case of request blocking)
Response code (in case of request blocking)
IP address (applies to cloud WAFs)
JS module (client-side WAF)
The general idea behind finding ways to bypass a WAF is to make the request we want look understandable to the attacked web application while appearing harmless or unparseable to the WAF. It is important to note that one WAF product must serve a large number of different server types, including exotic ones such as Unicorn, Tornado, WebLogic, Lighttpd and so on. Each server may handle certain corner cases of HTTP request parsing differently, and the WAF has to account for all of them. Thus, an attacker can exploit the HTTP parsing specifics of the attacked server to find a way around the WAF.
My own two cents: what can I say, we study nmap, scan subdomains, register on sites (often the confirmation email is sent from the real IP, but it's not guaranteed). We study the subdomains. Feel free to use Google, or at least Yandex. Godspeed!