This tweet discusses a subtle but important distinction in the way WAFs (Web Application Firewalls) may handle IP restrictions. It compares RemoteAddr and SocketAddr, two different ways of identifying a client's IP address. RemoteAddr typically refers to the client IP address as seen by the application (often derived from forwarding headers), while SocketAddr refers to the actual peer address on the TCP socket, which, when proxies or load balancers sit in the path, is the address of that intermediary rather than the original client.

The key point is that some WAF rules may rely on one of these addresses without carefully verifying the other, creating what is called a 'sleeper' rule. Such a rule appears to enforce IP restrictions and gives a false sense of security, but an attacker who understands the difference can bypass the restriction by exploiting the mismatch between the two IP sources.

In essence, because RemoteAddr and SocketAddr can differ due to network setups like proxies, a WAF may incorrectly allow traffic through if it only checks one source, leading to a bypass vulnerability.

Security professionals should thoroughly test that WAF IP restrictions account for both IP representations to avoid this type of bypass. Awareness of how IP addresses are interpreted at different layers (application vs socket) is crucial to avoid false security assumptions in WAF configurations.
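To make the mismatch concrete from the defender's side, here is an added example (not code from the tweet or from TrustedSec) contrasting a sleeper rule that allow-lists on the application-level RemoteAddr with a hardened rule that starts from the socket peer and honours forwarding headers only when that peer is a known proxy. The trusted-proxy range, the allow-listed client range and the sample requests are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed assumptions for this example: the reverse proxies / load balancers
# that legitimately sit in front of the application, and the client range the
# WAF rule is meant to admit (203.0.113.0/24 is a documentation range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_CLIENTS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class Request:
    socket_addr: str                      # peer address on the TCP connection (SocketAddr)
    headers: dict = field(default_factory=dict)  # e.g. {"X-Forwarded-For": "203.0.113.5"}


def _in_any(addr: ipaddress._BaseAddress, nets) -> bool:
    return any(addr in net for net in nets)


def is_allowed(addr: str) -> bool:
    return _in_any(ipaddress.ip_address(addr), ALLOWED_CLIENTS)


def remote_addr_app_view(req: Request) -> str:
    """RemoteAddr as many application stacks expose it: the first X-Forwarded-For
    entry if present, otherwise the socket peer. The header is trusted regardless
    of who actually connected, which is the root of the sleeper rule."""
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return req.socket_addr


def sleeper_rule(req: Request) -> bool:
    """Sleeper rule: enforces the allow-list on RemoteAddr only.
    Looks correct in testing from behind the proxy, but never checks SocketAddr."""
    return is_allowed(remote_addr_app_view(req))


def client_ip_hardened(req: Request) -> str:
    """Derive the effective client IP starting from SocketAddr. Forwarding headers
    are honoured only when the peer is a trusted proxy; the XFF chain is walked
    from the right, discarding trusted-proxy hops, and the first address that is
    not a proxy is the client. Anything malformed falls back to the peer (fail closed)."""
    peer = ipaddress.ip_address(req.socket_addr)
    if not _in_any(peer, TRUSTED_PROXIES):
        return str(peer)  # direct connection: the socket address is authoritative
    hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break
        if not _in_any(ip, TRUSTED_PROXIES):
            return str(ip)
    return str(peer)


def hardened_rule(req: Request) -> bool:
    """Allow-list check on the socket-anchored client IP."""
    return is_allowed(client_ip_hardened(req))


if __name__ == "__main__":
    # Direct connection from an unlisted address that supplies its own forwarding header.
    spoofed = Request("198.51.100.7", {"X-Forwarded-For": "203.0.113.5"})
    print("sleeper rule admits:", sleeper_rule(spoofed))    # True: trusts the header
    print("hardened rule admits:", hardened_rule(spoofed))  # False: peer is not a proxy
```

The hardened version is what a WAF or application check should reduce to: the socket peer decides whether forwarding headers are believed at all, and the rule is tested both from behind the proxy and with a direct connection so that the two IP views are exercised rather than assumed equal.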
Check out the original tweet here: https://twitter.com/TrustedSec/status/1943324331284795605