Bypass WAF by a simple trick gained $1000 bounty

2 min read · Sep 3, 2023

Hi all….

My name is 0xbartita. Let’s get started.

When I was hunting on a private program on HackerOne, I noticed that the program uses Cloudflare on all subdomains (*.target.com). I usually go to securitytrails.com to search for the origin IP of the web application.

Origin IP of amazon server

Maybe I found the origin IP: 50.17.***.**. When I requested it, it gave me 404 Not Found.

404 not found via origin ip

Most hunters who see this error think it’s not the origin IP of the website.

This happens because the Host header defaults to the IP address you requested, so the server answers with its default virtual host instead of the target site.

But when I changed the Host header to the target domain, it showed me the same response as the domain target.com, without the “Server: CloudFlare” response header.

To make every request to target.com go to the origin IP instead of the Cloudflare IP in my browser, I go to Burp and change the “Redirect to host” option to the origin IP.

Proxy=>Options

Summary:

When you face a 404 or any other error while trying to bypass a WAF via the origin IP, try changing the Host header to the target domain.
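Seen from the origin server's side, the behaviour above leaves a recognisable trail in the access log. The following is an added example, not part of the original post: it flags requests that reach the origin without passing through the CDN and separates default-vhost hits (the 404 case) from hits on the protected vhost. The log format, the sample lines, the function names and the `target.com` placeholder are assumptions, and the CDN list is only a subset of Cloudflare's published IPv4 ranges.

```python
import ipaddress
import re

# Subset of Cloudflare's published IPv4 ranges; load the full current list in production.
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13", "162.158.0.0/15")]
PROTECTED_HOSTS = {"target.com", "www.target.com"}  # placeholder domain, as in the post

# Assumed (constructed) access-log format: client_ip host "METHOD path PROTO" status
LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+) [^"]*" (\d{3})$')

# Constructed sample: 203.0.113.10 stands in for the origin's own address.
SAMPLE_LOG = [
    '172.68.10.5 target.com "GET / HTTP/1.1" 200',        # normal, via the CDN
    '198.51.100.23 203.0.113.10 "GET / HTTP/1.1" 404',    # direct hit, default vhost
    '198.51.100.23 target.com "GET / HTTP/1.1" 200',      # direct hit, real vhost
    '192.0.2.77 target.com "GET /login HTTP/1.1" 200',    # direct hit, real vhost
    'garbage line',
]

def classify(line):
    """Return a finding dict for a request that did not come through the CDN, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, host, method, path, status = m.groups()
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None  # unparsable client address
    if any(addr in net for net in CDN_RANGES):
        return None  # arrived through the CDN/WAF as intended
    host = host.lower().partition(":")[0]  # drop an optional :port
    kind = "waf_bypass" if host in PROTECTED_HOSTS else "default_vhost_probe"
    return {"kind": kind, "src": ip, "host": host, "path": path, "status": int(status)}

def find_direct_hits(lines):
    return [f for f in map(classify, lines) if f]

def sources_that_escalated(findings):
    """Sources that hit the default vhost and also reached the protected vhost."""
    kinds = {}
    for f in findings:
        kinds.setdefault(f["src"], set()).add(f["kind"])
    return {src for src, k in kinds.items() if k == {"default_vhost_probe", "waf_bypass"}}

if __name__ == "__main__":
    for finding in find_direct_hits(SAMPLE_LOG):
        print(finding)
```

Any `waf_bypass` finding means the origin accepts traffic from outside the CDN; restricting inbound connections at the origin to the CDN's ranges removes the path entirely.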

My twitter → https://x.com/0xbartita
