Cloudflare WAF bypass via Origin IP

Navdeep Khubber
3 min read · Mar 5, 2022

Cloudflare fronts more than 16 million Internet properties and is now one of the most popular WAFs (Web Application Firewalls); it also runs a widely used public DNS resolver. As a reverse proxy, a cloud WAF/CDN (Cloudflare, Amazon CloudFront with AWS WAF, and similar) sits between users and the origin: it absorbs DDoS traffic and raises an alert when an attack is detected. For paid subscribers there is an add-on rule set against common web vulnerabilities (such as SQLi and XSS), which has to be enabled manually.

Basically, it works as a gatekeeper for the website: all traffic goes through Cloudflare's servers, users are prevented from reaching the website directly, and malicious requests are stopped before they reach the origin web server.

With a correct configuration, the origin only accepts connections from Cloudflare's published IP ranges, so a request sent straight to the origin IP is refused or times out. (Cloudflare's own "Error 1003: Direct IP access not allowed" page is what you get when you request one of Cloudflare's edge IPs directly instead of a hostname it serves; that page is returned by the edge and does nothing to protect an exposed origin.)

You can identify the WAF in front of a website with the Wappalyzer browser extension (look under the WAF or CDN section). Response headers are a second signal: every response proxied by Cloudflare carries a cf-ray header and Server: cloudflare.

There are many ways to bypass this protection, but let's explore the one I have worked on.

Using the Shodan search engine

1. Navigate to https://www.shodan.io/dashboard and create an account. Registering with an educational e-mail address qualifies you for the academic membership benefits.

2. Now enter the following in the search bar (the filter name is lowercase; the trailing 200 is a free-text term that matches banners of hosts answering with HTTP 200):

ssl.cert.subject.cn:"target.com" 200

ssl.cert.subject.cn:"target" 200

3. Visit every IP address in the results and check the certificate's Common Name as well. Skip addresses that fall inside Cloudflare's published IP ranges (https://www.cloudflare.com/ips/); those are edge nodes, not origins.


After accessing the website through the origin IP (send the real hostname in the Host header and TLS SNI, since most origins serve several sites on one address) you will see that it can be reached without any WAF protection. Verify with Wappalyzer, or simply check that the cf-ray header is missing from the response.
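The three steps above reduce to a small triage loop: build the Shodan queries, discard hits that are Cloudflare edge nodes, and for each remaining address ask the host by IP while presenting the real hostname, then look at the response headers. The script below is an added example and not the author's tooling; it uses only the Python standard library. Assumptions: the Cloudflare ranges are a hand-copied snapshot (refresh from https://www.cloudflare.com/ips-v4 before relying on them), the Shodan hits and the two HTTP responses are constructed sample data, and probe_origin is the only function that touches the network.

```python
"""Origin-IP triage helpers (added example, not part of the original post)."""
import ipaddress
import socket
import ssl

# Snapshot of Cloudflare's published IPv4 ranges. Assumption: may be stale;
# refresh from https://www.cloudflare.com/ips-v4 before use.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample data: four "Shodan hits" and two HEAD responses.
SAMPLE_SHODAN_HITS = ["104.16.1.1", "172.67.1.2", "203.0.113.10", "198.51.100.7"]
SAMPLE_EDGE_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: cloudflare\r\n"
                        b"CF-RAY: 0123456789abcdef-FRA\r\n\r\n")
SAMPLE_ORIGIN_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n"
                          b"Content-Type: text/html\r\n\r\n<html>")


def shodan_queries(domain):
    """The two searches from the walkthrough: lowercase filter, 200 as free text."""
    label = domain.split(".")[0]
    return [f'ssl.cert.subject.cn:"{domain}" 200',
            f'ssl.cert.subject.cn:"{label}" 200']


def is_cloudflare_ip(ip):
    """True if the address sits inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def candidate_origins(ips):
    """Drop Cloudflare edge addresses; whatever is left may be a real origin."""
    return [ip for ip in ips if not is_cloudflare_ip(ip)]


def parse_response_head(raw):
    """Split an HTTP/1.x response head into (status_code, lowercase header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def proxied_by_cloudflare(headers):
    """Cloudflare stamps every proxied response with cf-ray and Server: cloudflare."""
    return "cf-ray" in headers or headers.get("server", "").lower() == "cloudflare"


def probe_origin(ip, host, timeout=5.0):
    """Live check (network required): TLS to the bare IP, SNI and Host set to the real domain."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # origin cert may be self-signed or for another name
    ctx.verify_mode = ssl.CERT_NONE
    raw = b""
    with socket.create_connection((ip, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\n"
                        f"Connection: close\r\n\r\n".encode())
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    status, headers = parse_response_head(raw)
    return status, headers, proxied_by_cloudflare(headers)


if __name__ == "__main__":
    print("queries:", shodan_queries("target.com"))
    print("candidates:", candidate_origins(SAMPLE_SHODAN_HITS))
    for raw in (SAMPLE_EDGE_RESPONSE, SAMPLE_ORIGIN_RESPONSE):
        status, headers = parse_response_head(raw)
        verdict = "behind Cloudflare" if proxied_by_cloudflare(headers) else "direct origin"
        print(status, verdict)
```

To run it against a real target, replace SAMPLE_SHODAN_HITS with the addresses from your Shodan results and call probe_origin(ip, "target.com") on each candidate; a 200 with no cf-ray header is the unprotected origin the walkthrough describes. Certificate verification is disabled in probe_origin on purpose, because an origin often serves a self-signed or Cloudflare origin certificate that a strict client would reject before you see any headers.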

IMPACT:

  • It makes the WAF deployment on that domain useless: an attacker who reaches the server by its IP skips every Cloudflare rule, so rate limiting, DDoS mitigation and the managed vulnerability rule sets no longer apply, and unfiltered attacks (injection, denial of service, data retrieval) land on the origin directly. On the origin side the fix is to accept traffic only from Cloudflare's IP ranges, or to take the origin off the public Internet entirely with Authenticated Origin Pulls or Cloudflare Tunnel.

Using this method, I was able to bypass WAF protection and was awarded a bounty by a popular food delivery company for a Medium-severity finding in February 2022.

___________________________________________________________________

For any queries, ping me on LinkedIn.
