In web application security, one notable way to bypass a Web Application Firewall (WAF), such as those offered by Cloudflare and other vendors, is to identify the origin IP addresses of the target server. Many web services hide their true IP behind a WAF to prevent direct access, which complicates both security testing and exploitation. Once the origin IPs are known, an attacker can skip the WAF layer entirely and talk to the backend server directly.

This matters because origin servers are often not as well fortified as the WAF in front of them, so the vulnerabilities the WAF was meant to shield become reachable. In practice, testers or attackers use various reconnaissance tools and methods to reveal origin IPs, such as DNS history records, SSL certificate data, or error messages that leak IP information. Knowing the origin IP allows the server to be targeted directly, making security flaws easier to exploit without WAF interference.

The bypass is therefore universal: it can affect any WAF vendor, not just Cloudflare. It underscores the importance of securing the origin servers themselves rather than relying solely on the WAF for defense.
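One concrete way to harden the origin, as an added illustration that is not part of the original post: reject any connection whose TCP source address is outside the WAF vendor's published edge ranges, and audit connection logs for direct hits. The CIDR ranges and log lines below are constructed placeholders; a real deployment loads the vendor's current published range list instead.

```python
import ipaddress

# Constructed placeholder edge ranges (RFC 5737 / RFC 3849 documentation space).
# A real deployment loads and periodically refreshes the WAF vendor's published list.
EDGE_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

def is_from_edge(src_ip, edge_ranges=EDGE_RANGES):
    """True if the connection's TCP source address belongs to a WAF edge range.

    Always check the real socket peer address, never a client-supplied header
    such as X-Forwarded-For: headers can be set freely by whoever connects directly.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # malformed address is treated as not trusted
    return any(addr in net for net in edge_ranges)

def audit_connections(log_lines, edge_ranges=EDGE_RANGES):
    """Return source IPs that reached the origin without passing through the WAF.

    Each line is '<src_ip> <dst_port>' from a constructed connection log;
    lines that do not fit that shape are skipped.
    """
    direct = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        if not is_from_edge(parts[0], edge_ranges):
            direct.append(parts[0])
    return direct

def generate_nginx_allowlist(edge_ranges=EDGE_RANGES):
    """Emit ngx_http_access_module directives that allow only edge ranges."""
    return [f"allow {net};" for net in edge_ranges] + ["deny all;"]

# Constructed sample log: two entries come straight to the origin, bypassing the WAF.
SAMPLE_LOG = [
    "192.0.2.10 443",
    "203.0.113.5 443",
    "198.51.100.200 443",
    "203.0.113.77 80",
    "malformed",
]

if __name__ == "__main__":
    print("direct-to-origin sources:", audit_connections(SAMPLE_LOG))
    print("\n".join(generate_nginx_allowlist()))
```

The same allowlist belongs on the host or cloud firewall as well, since an nginx `deny` still leaves the port reachable for probing.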
Check out the original tweet here: https://twitter.com/intigriti/status/1998824294789394660