This bypass method uses Shodan, a search engine for internet-connected devices, to find the direct IP address of a target web server. Connecting directly to this IP address instead of the domain name bypasses the Web Application Firewall (WAF), because many WAFs are configured to monitor and filter traffic based on domain names rather than IP addresses. The technique can be effective against the various types of vulnerabilities that the WAF is designed to protect against, as it circumvents the filtering rules applied at the domain level.
To perform this bypass, security researchers or attackers use Shodan to identify servers by their IP addresses, then directly connect to these IPs. Since the WAF is bypassed, they can potentially exploit vulnerabilities like SQL Injection (SQLi), Cross-Site Scripting (XSS), Remote Code Execution (RCE), and others without being blocked by the WAF.
It's important for administrators to be aware of this bypass technique and consider implementing additional security measures, such as IP address-based filtering, network-level protections, or configuring the WAF to monitor direct IP traffic as well.
This bypass is vendor-agnostic and can affect any WAF that relies heavily on domain name filtering without adequate IP-level controls.
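One way to check the origin server's access log for requests that did not come through the WAF, as an added example (not code from the original tweet or this post). The log format, the WAF egress ranges and the hostnames are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re

# Assumptions (constructed values): the WAF's egress ranges and the site's hostnames.
WAF_EGRESS = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "2001:db8:100::/48")]
EXPECTED_HOSTS = {"example.com", "www.example.com"}
# Assumed origin log format: client_ip "Host header" "request line" status
LINE_RE = re.compile(r'^(?P<client>\S+) "(?P<host>[^"]*)" "(?P<req>[^"]*)" (?P<status>\d{3})$')

def host_only(host):  # lower-case the Host header, drop any port or IPv6 brackets
    h = host.strip().lower()
    if h.startswith("["):                 # [v6]:port
        return h[1:].split("]", 1)[0]
    if h.count(":") == 1:                 # name:port or v4:port
        return h.split(":", 1)[0]
    return h

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def direct_origin_reasons(line):
    """Return the reasons a request looks like it reached the origin without the WAF."""
    m = LINE_RE.match(line.strip())
    if not m or not is_ip(m["client"]):
        return ["unparsed"]
    reasons, client = [], ipaddress.ip_address(m["client"])
    if not any(client in net for net in WAF_EGRESS):
        reasons.append("source-not-waf")   # connection did not come from the WAF
    host = host_only(m["host"])
    if is_ip(host):
        reasons.append("host-is-ip")       # addressed by IP, not by domain name
    elif host not in EXPECTED_HOSTS:
        reasons.append("unexpected-host")
    return reasons

def scan(log_text):
    rows = enumerate(log_text.splitlines(), 1)
    return [(n, r) for n, l in rows if l.strip() and (r := direct_origin_reasons(l))]

# Constructed sample lines in the assumed format
SAMPLE_LOG = """\
198.51.100.7 "www.example.com" "GET / HTTP/1.1" 200
203.0.113.50 "192.0.2.10" "GET /login HTTP/1.1" 200
203.0.113.50 "www.example.com" "GET /search?q=1 HTTP/1.1" 200
198.51.100.9 "192.0.2.10:443" "GET / HTTP/1.1" 200
"""
```

The third sample line carries the expected Host header and is flagged only by its source address, which is why the source-range check matters more than the Host check; enforcing the same allowlist at the origin's firewall turns this detection into prevention.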
For more insights, check out the original tweet here: https://twitter.com/MichaelCarthy/status/2046062262297768434.