WAF Bypass Techniques
- Try to find the real IP address of the origin server instead of the WAF-fronted domain, see the IP history websites section
# https://github.com/vincentcox/bypass-firewalls-by-DNS-history
bash bypass-firewalls-by-DNS-history.sh -d example.com
# Tool to fuzz urls for waf bypasses
# https://github.com/RedSection/pFuzz
# A lot of options, see docs
IP history websites
- https://whoisrequest.com/history/
- https://viewdns.info/iphistory/
- https://blog.nem.ec/2020/01/22/discover-cloudflare-wordpress-ip
- https://securitytrails.com/domain/example.com/dns
- https://www.secjuice.com/finding-real-ips-of-origin-servers-behind-cloudflare-or-tor/
Quick Techniques
Given domain.com, try subdomains that mirror the main application but are not protected by the WAF:
- dev.domain.com
- stage.domain.com
- www1/ww1/www2/www3/…domain.com
- domain.com/en
By WAF type
Akamai:
- Send header:
Pragma: akamai-x-get-true-cache-key
Cloudflare
ModSecurity
Proxychains
Rotate IP every 10 seconds to bypass WAFs
# install
sudo apt-get install proxychains
sudo apt-get install tor
# then update the files /etc/proxychains.conf and /etc/tor/torrc with the given config
# restart tor server
sudo service tor restart
# prefix the tool (any command) with proxychains, for example:
while true; do proxychains curl ifconfig.me; done
torrc
MaxCircuitDirtiness 1
CircuitBuildTimeout 10
LearnCircuitBuildTimeout 0
proxychains.conf
dynamic_chain
quiet_mode
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 9050
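From the defender's side, the rotation that the torrc/proxychains setup above produces (one client session arriving from a new exit IP every few seconds) is itself a strong signal: a normal browser session stays on one address. The following is an added detection example, not code from the page; the access-log format with a trailing session-id field, the constructed sample lines and the thresholds are all assumptions.

```python
"""Detect rapid source-IP rotation behind a single client session (proxychains/Tor style)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (combined format plus a trailing session field); not from the page.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Jan/2020:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.68.0" sid=abc
203.0.113.10 - - [22/Jan/2020:10:00:05 +0000] "GET /search?q=x HTTP/1.1" 200 900 "-" "curl/7.68.0" sid=abc
198.51.100.7 - - [22/Jan/2020:10:00:11 +0000] "GET /search?q=y HTTP/1.1" 200 900 "-" "curl/7.68.0" sid=abc
198.51.100.8 - - [22/Jan/2020:10:00:21 +0000] "GET /search?q=z HTTP/1.1" 200 900 "-" "curl/7.68.0" sid=abc
192.0.2.33 - - [22/Jan/2020:10:00:31 +0000] "GET /search?q=w HTTP/1.1" 403 0 "-" "curl/7.68.0" sid=abc
192.0.2.34 - - [22/Jan/2020:10:00:41 +0000] "GET /search?q=v HTTP/1.1" 403 0 "-" "curl/7.68.0" sid=abc
198.51.100.50 - - [22/Jan/2020:10:00:03 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0" sid=def
198.51.100.50 - - [22/Jan/2020:10:05:03 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0" sid=def
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d+ \d+ "[^"]*" "[^"]*" sid=(?P<sid>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_lines(text):
    """Yield (session_id, timestamp, source_ip) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["sid"], datetime.strptime(m["ts"], TS_FMT), m["ip"]


def rotating_sessions(text, window_seconds=60, min_distinct_ips=4):
    """Return {session_id: max distinct source IPs inside any window_seconds window}
    for sessions that reach min_distinct_ips; a normal client stays on one IP."""
    by_session = defaultdict(list)
    for sid, ts, ip in parse_lines(text):
        by_session[sid].append((ts, ip))
    flagged = {}
    for sid, events in by_session.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ips = {ip for _, ip in events[start:end + 1]}
            if len(ips) >= min_distinct_ips:
                flagged[sid] = max(flagged.get(sid, 0), len(ips))
    return flagged
```

Tune `window_seconds` and `min_distinct_ips` to the site's traffic; mobile clients switching networks will occasionally change IP, but not four or more times in a minute.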