
How I was able to bypass WAF and find the origin IP and a few sensitive files

Hello hunters,

This is Syed Jan Muhammad Zaidi, an independent security researcher and a full-time penetration tester.

Today I’ll be demonstrating to you guys how I was able to bypass the WAF and find the origin IP in a jiffy, using Shodan.

So let's begin.

I was hunting on a VDP program, let’s call it target.com. During my reconnaissance, it came to my notice that the target is protected by Cloudflare WAF. In order to find the origin IP, I opened my terminal and hit the command:

nslookup target.com

However, the resolved IPs belonged to Cloudflare’s edge, which sits in front of the origin server to protect it. Opening those IPs directly in the browser showed “Direct IP Access not allowed”.

After referring to multiple articles I found this interesting Shodan search filter (it matches hosts whose TLS certificate was issued for the target’s hostname and that answered with an HTTP 200):

ssl.cert.subject.cn:"target.com" 200

Running this filter in the Shodan search engine disclosed the origin IP of the server. From there I was able to communicate with the server directly, without going through the WAF.

To confirm whether Cloudflare is bypassed or not I used wafw00f:

wafw00f target.com → Protected by Cloudflare

wafw00f origin_ip → No WAF detected

Now, let’s dive deeper.

I fired up DirBuster and ffuf to brute-force directories on the origin IP. Here I was able to find multiple hidden files and directories that I could not find via the intended URL.
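The root cause on the defender’s side is that the origin server answered any client that reached it, so both the direct access and the brute-forced files were exposed once the IP leaked. As an added example that is not part of the original post, here is a minimal origin-side gate in Python: it rejects requests whose TCP peer is outside the CDN’s published ranges, and only then trusts the proxy-supplied CF-Connecting-IP header. The CIDRs and addresses below are constructed TEST-NET placeholders, not Cloudflare’s real list.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample of trusted reverse-proxy ranges (TEST-NET / documentation
# prefixes). In production, load the CDN's published list (for Cloudflare:
# https://www.cloudflare.com/ips) and refresh it on a schedule.
TRUSTED_PROXY_CIDRS = ["198.51.100.0/24", "2001:db8:cf::/48"]


def build_trusted_networks(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR strings once so per-request checks are cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted_proxy(remote_addr: str, networks) -> bool:
    """True only if the TCP peer itself is inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False  # malformed peer address: never trust it
    return any(ip in net for net in networks)


def client_ip_for(remote_addr: str, headers: dict, networks) -> Optional[str]:
    """Return the real client IP, or None if the request must be rejected.

    The CF-Connecting-IP header is honoured only when the peer is a trusted
    proxy; a client talking to the origin directly could otherwise forge it.
    """
    if not is_trusted_proxy(remote_addr, networks):
        return None
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    forwarded = lowered.get("cf-connecting-ip")
    if forwarded is None:
        return None  # came from the proxy range but without the header: misconfiguration
    try:
        return str(ipaddress.ip_address(forwarded.strip()))
    except ValueError:
        return None


def handle(remote_addr: str, headers: dict, networks) -> Tuple[int, Optional[str]]:
    """Decision the gate makes for one request: (HTTP status, client IP)."""
    client = client_ip_for(remote_addr, headers, networks)
    return (403, None) if client is None else (200, client)


if __name__ == "__main__":
    nets = build_trusted_networks(TRUSTED_PROXY_CIDRS)
    print(handle("198.51.100.7", {"CF-Connecting-IP": "203.0.113.9"}, nets))  # via proxy
    print(handle("203.0.113.9", {"CF-Connecting-IP": "198.51.100.7"}, nets))  # direct hit
```

The same policy is usually enforced one layer lower as well (a host firewall or `allow`/`deny` rules that admit only the proxy ranges), so that the TLS certificate for the real hostname is never even presented to a scanner reaching the origin directly.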


Bounty Awarded: $three_digits

Hit me up on Twitter: https://twitter.com/hasanakajan