Bypass WAF by a simple trick gained $1000 bounty

0xBartita
Sep 3, 2023

Hi all,

My name is 0xbartita. Let’s get started.

When I was hunting on a private program on HackerOne, I noticed that the program uses Cloudflare on all subdomains (*.target.com). I usually go to securitytrails.com to search for the origin IP of the web application.

Origin IP of amazon server

Maybe I found the origin IP: it’s 50.17.***.**. When I requested it, it gave me a 404 Not Found.

404 not found via origin ip

Most hunters who see this error think it’s not the origin IP of the website.

This happens because the Host header is set by default to the IP you requested, or the server gives you its default virtual host.

But when I changed the Host header to the target domain, it showed me the same response as the domain target.com, without the “Server: CloudFlare” response header.

To make every request to target.com from the browser go to the origin IP instead of the Cloudflare IP, go to Burp and set the “Redirect to host” option to the origin IP.

Proxy=>Options

Summary:

When you face a 404 or any other error while trying to bypass a WAF via the origin IP, try changing the Host header to the target domain.
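On the defending side, the same behaviour shows up in the origin's own access log: a request that did not come from a Cloudflare range but carries the site's Host header skipped the WAF. The detection below is an added example, not code from the original post; the log format, the sample lines, `SITE_HOSTS` and the abbreviated range list are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: a subset of the IPv4 ranges Cloudflare publishes at
# cloudflare.com/ips-v4; load the full current list in real use.
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "104.16.0.0/13", "172.64.0.0/13",
)]
SITE_HOSTS = {"target.com", "www.target.com"}  # placeholder domain from the post

# Constructed origin access-log lines: peer_ip host "request" status
SAMPLE_LOG = """\
104.16.12.34 target.com "GET / HTTP/1.1" 200
198.51.100.7 203.0.113.10 "GET / HTTP/1.1" 404
198.51.100.7 target.com "GET / HTTP/1.1" 200
198.51.100.7 target.com "GET /login HTTP/1.1" 200
172.64.1.9 www.target.com "GET /about HTTP/1.1" 200
"""

def parse_line(line):
    """Split one log line into peer address, Host header, request and status."""
    peer, host, rest = line.split(" ", 2)
    request, status = rest.rsplit(" ", 1)
    return {"peer": ipaddress.ip_address(peer), "host": host.lower(),
            "request": request.strip('"'), "status": int(status)}

def classify(entry):
    """Label a request by how it reached the origin."""
    if any(entry["peer"] in net for net in CDN_RANGES):
        return "cdn"                      # normal path through the WAF
    if entry["host"].split(":")[0] in SITE_HOSTS:
        return "direct-site-host"         # WAF skipped, real vhost served
    return "direct-default-vhost"         # the 404 case from the post

def find_bypasses(log_text):
    """Map each non-CDN peer to the site requests it made directly."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if classify(entry) == "direct-site-host":
            hits.setdefault(str(entry["peer"]), []).append(entry["request"])
    return hits

if __name__ == "__main__":
    for peer, requests in find_bypasses(SAMPLE_LOG).items():
        print(f"{peer} reached the origin directly: {requests}")
```

Restricting the origin's firewall to the CDN's published ranges closes this path; the log check catches it when that rule is missing.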

My twitter → https://x.com/0xbartita
