
Introduction
When conducting bug bounty reconnaissance, Web Application Firewalls (WAFs) often obscure the true origin IP of a target, making direct exploitation difficult. One effective technique involves scanning the target’s IP range to identify the origin server behind the proxy. This article explores how to use hakoriginfinder, a powerful tool for bypassing WAFs by pinpointing the true server IP.
Learning Objectives
- Understand how reverse proxies and WAFs obscure origin IPs.
- Learn to extract a target’s ASN and IP range for scanning.
- Use hakoriginfinder to identify the origin IP and bypass WAF restrictions.
You Should Know
1. Discovering the Target’s ASN and IP Range
Before scanning, you need the target’s IP range. Use ASN lookup tools to gather this data.
Command:
whois -h whois.radb.net -- '-i origin AS15133' | grep -Eo '([0-9.]+){4}/[0-9]+'
Step-by-Step Guide:
1. Identify the target’s ASN (e.g., `AS15133` for Cloudflare).
2. Query WHOIS databases using the command above.
3. Extract the CIDR ranges (e.g., `93.184.216.0/24`).
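The `grep` in the command above pulls CIDRs out of the WHOIS output by shape alone. The following Python is an added example, not part of the article or of hakoriginfinder: it parses the `route:`/`route6:` objects RADB returns, validates each prefix with the standard `ipaddress` module, drops malformed ones, and collapses overlapping routes so the same address block is not listed (or scanned) twice. The WHOIS text is constructed; `AS64496` and the prefixes `192.0.2.0/24`, `198.51.100.0/24` and `2001:db8::/32` are reserved documentation values, not a real network's announcements.

```python
"""Parse RADB-style WHOIS output into validated, collapsed prefixes.

Added example, not from the article or hakoriginfinder.  Equivalent to the
article's `grep -Eo '([0-9.]+){4}/[0-9]+'`, but it validates each prefix,
keeps IPv6 route6 objects, and merges overlapping routes.
"""
import ipaddress
import re
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of `whois -h whois.radb.net -- '-i origin AS64496'`.
# AS64496 and the prefixes are documentation values, not real data.
SAMPLE_WHOIS = """\
route:          192.0.2.0/24
descr:          EXAMPLE-NET
origin:         AS64496
source:         RADB

route:          192.0.2.128/25
descr:          EXAMPLE-NET-SUB (more specific of the route above)
origin:         AS64496
source:         RADB

route:          198.51.100.0/24
origin:         AS64496
source:         RADB

route6:         2001:db8::/32
origin:         AS64496
source:         RADB

route:          300.1.1.0/24
descr:          deliberately malformed; must be skipped
origin:         AS64496
source:         RADB
"""

# One match per route/route6 attribute line; the captured value is the prefix.
_ROUTE_RE = re.compile(r"^route6?:\s*(\S+)\s*$", re.MULTILINE)


def extract_prefixes(whois_text: str) -> List[Network]:
    """Return valid route/route6 prefixes, with overlapping ones collapsed."""
    v4, v6 = [], []
    for raw in _ROUTE_RE.findall(whois_text):
        try:
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            continue  # octet > 255, host bits set, etc.: don't scan garbage
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses merges contained and adjacent networks per family
    return sorted(ipaddress.collapse_addresses(v4)) + sorted(
        ipaddress.collapse_addresses(v6)
    )


def ipv4_address_count(nets: List[Network]) -> int:
    """How many IPv4 addresses a scan of these prefixes would touch."""
    return sum(n.num_addresses for n in nets if n.version == 4)


if __name__ == "__main__":
    prefixes = extract_prefixes(SAMPLE_WHOIS)
    for p in prefixes:
        print(p)
    print("IPv4 addresses in scope:", ipv4_address_count(prefixes))
```

The more-specific `192.0.2.128/25` disappears into its covering `/24`, and the bogus `300.1.1.0/24` is rejected by `ip_network` instead of being passed downstream, which is exactly the kind of input the bare regex would have let through.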
2. Using hakoriginfinder to Scan for Origin IP
Once you have the IP range, hakoriginfinder sends the same request to each candidate IP with the target hostname and compares the response with the one returned through the WAF; a near-identical response marks that IP as the origin server.
Command:
prips 93.184.216.0/24 | hakoriginfinder -h example.com
Step-by-Step Guide:
1. Install hakoriginfinder (`go install github.com/hakluke/hakoriginfinder@latest`).
2. Use `prips` (a CIDR-to-IP converter) to generate IPs from the range.
3. Pipe the output into `hakoriginfinder` with the target domain (`-h` flag).
4. A “MATCH” indicates the true origin IP.
3. Bypassing WAF with Direct Origin IP Requests
Once the origin IP is found, you can send requests directly, bypassing WAF filtering.
Command:
curl -H "Host: example.com" http://<ORIGIN_IP>/vulnerable-endpoint
Step-by-Step Guide:
1. Replace `<ORIGIN_IP>` with the discovered IP.
2. Use `curl` with the original `Host` header to maintain application routing.
3. Test for vulnerabilities that the WAF previously blocked.
4. Automating Mass IP Scanning with Nuclei
For large-scale reconnaissance, automate scanning with Nuclei.
Command:
nuclei -l target_ips.txt -t ~/nuclei-templates/misconfigurations/waf-bypass.yaml
Step-by-Step Guide:
1. Compile a list of potential origin IPs (`target_ips.txt`).
2. Use pre-built Nuclei templates for WAF bypass detection.
3. Analyze results for misconfigurations.
5. Defensive Mitigation: Restricting Direct IP Access
As a defender, prevent origin IP exposure by:
Web Server Rule (Block Direct IP Access; shown in Nginx syntax):
if ($host != "example.com") { return 403; }
Step-by-Step Guide:
1. Configure Nginx/Apache to reject requests without the correct `Host` header.
2. Use Cloudflare Firewall Rules to block non-proxy traffic.
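The rule above stops the application from answering, but a defender also wants to see the attempts. The following Python is an added example, not from the article, hakoriginfinder, Cloudflare or nginx: it audits web server access-log lines for the two traces that the direct-to-origin probing of sections 2 and 3 leaves behind, a client address outside the proxy provider's egress ranges and a Host header that is not one of the site's names (or is the bare IP). The log format, the log lines, and the placeholder CDN ranges `203.0.113.0/24` and `2001:db8:c0de::/48` are constructed; replace the ranges with the provider's published list.

```python
"""Flag direct-to-origin requests in web server access logs.

Added example, not from the article or any vendor.  Assumes the origin is
only ever meant to be reached through the proxy/WAF, so any request from
outside the provider's egress ranges, or carrying an unexpected Host
header, deserves an alert.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed placeholder egress ranges for the proxy provider; replace with
# the provider's published list (Cloudflare publishes its ranges).
CDN_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:c0de::/48"),
]
# Hostnames this origin legitimately serves.
EXPECTED_HOSTS = {"example.com", "www.example.com"}

# Constructed lines in a custom nginx log_format:
#   '$remote_addr [$time_local] "$request" $status "$host"'
SAMPLE_LOG = """\
203.0.113.10 [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 "example.com"
198.51.100.7 [10/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 "example.com"
198.51.100.7 [10/Mar/2024:10:00:03 +0000] "GET /admin HTTP/1.1" 200 "93.184.216.34"
203.0.113.11 [10/Mar/2024:10:00:04 +0000] "GET /login HTTP/1.1" 200 "example.com"
2001:db8:c0de::5 [10/Mar/2024:10:00:05 +0000] "GET /api HTTP/1.1" 200 "www.example.com"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) "(?P<host>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    host: str
    request: str
    reasons: List[str] = field(default_factory=list)


def is_cdn_ip(ip: str) -> bool:
    """True if the client address falls inside a known proxy egress range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable address is never trusted
    return any(addr in net for net in CDN_RANGES)


def audit_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per request that bypassed the proxy or spoofed Host."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unparsable line
        reasons = []
        if not is_cdn_ip(m["ip"]):
            reasons.append("client outside CDN ranges")
        if m["host"] not in EXPECTED_HOSTS:
            reasons.append("unexpected Host header")
        if reasons:
            findings.append(Finding(m["ip"], m["host"], m["req"], reasons))
    return findings


def direct_clients(findings: List[Finding]) -> List[str]:
    """Distinct addresses that reached the origin without going through the proxy."""
    return sorted({f.ip for f in findings if "client outside CDN ranges" in f.reasons})


if __name__ == "__main__":
    found = audit_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ip:<16} {f.host:<16} {f.request:<22} {'; '.join(f.reasons)}")
    print("direct-to-origin clients:", direct_clients(found))
```

Pair the detector with the blocking rule so the two agree on what is legitimate: an `allow`/`deny` list built from the same provider ranges in front of the application, and a catch-all `default_server` block for unknown Host names (nginx's `return 444;` closes the connection without a response), so a probe that guesses the origin IP gets neither the application nor a fingerprintable error page.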
What Undercode Say
- Key Takeaway 1: Origin IP exposure is a critical misconfiguration that allows attackers to bypass WAFs.
- Key Takeaway 2: Automated scanning tools like hakoriginfinder and Nuclei significantly speed up reconnaissance.
Analysis:
Many organizations rely on WAFs as a sole security layer, neglecting server hardening. Attackers increasingly exploit origin IP leaks to bypass protections. Defenders must enforce strict Host header validation and IP whitelisting to mitigate risks.
Prediction
As cloud adoption grows, WAF bypass techniques will evolve, leading to more origin IP scanning tools and automated exploitation frameworks. Organizations must adopt zero-trust networking and multi-layered security to stay ahead.
By mastering these techniques, ethical hackers can uncover hidden vulnerabilities, while defenders can better secure their infrastructure. Happy hunting! 🎯💻
Reported By: Zlatanh Github – Hackers Feeds