Hello everyone,
My name is Pruthu Raut, and I am new to Bug Bounty. This is my first writeup, and it focuses on hunting for origin IPs and the impact an exposed origin IP can have. Our primary focus is bypassing web application firewalls (WAF) and exploiting multiple vulnerabilities by gaining direct access to the server. Let’s get started with hunting for the origin IP.
First, we get a domain. We open it in our web browser and see the homepage. We keep the domain handy for the next steps. We can clearly see that the website has Cloudflare in front of it.
Our first method uses Shodan. We paste the domain into the Shodan search bar with the dork
ssl:"redacted.com"
Shodan returns multiple IP addresses associated with the domain’s certificate. We open each IP address in the web browser and check whether it serves the same homepage as the domain. If we don’t find the correct IP here, we move on to the next search engine.
Next, we use Censys. We input the domain into the Censys search bar. If the first IP address in the results serves the same webpage as the domain, we have found our origin IP. We confirm this by checking for a WAF with the Wappalyzer extension.
Now we check whether the main domain has a WAF such as Cloudflare in front of it, and then whether the IP address has one too. If the IP has no WAF, requests to it are not filtered, so attacks the WAF would otherwise block, such as DDoS, rate-limit bypass and SQL injection, can be launched directly against the server, along with any other vulnerabilities the WAF was masking.
If you struggle to find the origin IP using Shodan or Censys, there is another search engine called FOFA. Simply input the domain, and FOFA will provide you with the associated IP addresses.
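The steps above boil down to one check per candidate IP: does a request to the IP return the same page the domain serves, and does that response lack the headers Cloudflare’s edge adds? The script below is an added example (not part of the original writeup) that applies that check to a batch of candidates, so the same comparison a hunter does by hand in the browser, or a defender does when auditing their own exposure, becomes repeatable. The responses are constructed in the script; in real use they would come from the domain and from each IP returned by Shodan or Censys, and the header names and verdict labels are my own choices.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status, headers, decoded body."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# Response headers that Cloudflare's edge adds. Their absence on a direct-IP
# request is the "no WAF present" observation from the report.
CLOUDFLARE_HEADERS = ("cf-ray", "cf-cache-status")


def waf_vendor(resp: Response):
    """Return 'cloudflare' if the response passed through Cloudflare, else None."""
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    if any(h in hdrs for h in CLOUDFLARE_HEADERS) or hdrs.get("server", "").lower() == "cloudflare":
        return "cloudflare"
    return None


def fingerprint(body: str):
    """(title, sha256 of the whitespace-normalised body). The title survives
    small dynamic differences that change the full-body hash."""
    m = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
    title = m.group(1).strip() if m else ""
    collapsed = re.sub(r"\s+", " ", body).strip()
    return title, hashlib.sha256(collapsed.encode()).hexdigest()


def classify(reference: Response, candidate: Response) -> str:
    """Compare one candidate IP's response with the response served via the domain."""
    ref_title, ref_hash = fingerprint(reference.body)
    cand_title, cand_hash = fingerprint(candidate.body)
    behind_waf = waf_vendor(candidate) is not None
    if ref_hash == cand_hash:
        return "same-content-behind-waf" if behind_waf else "origin-exposed"
    if ref_title and ref_title == cand_title:
        return "possible-origin-verify-manually"
    return "unrelated"


def audit(reference: Response, candidates: dict) -> dict:
    """Classify every candidate IP (e.g. from Shodan/Censys) against the domain's response."""
    return {ip: classify(reference, resp) for ip, resp in candidates.items()}


# Constructed sample responses (not captured from any real site); IPs are from
# the documentation range 192.0.2.0/24.
HOMEPAGE = "<html><head><title>Redacted Inc</title></head><body><h1>Welcome</h1></body></html>"
REFERENCE = Response(200, {"Server": "cloudflare", "CF-RAY": "placeholder-ray-id"}, HOMEPAGE)
CANDIDATES = {
    "192.0.2.10": Response(200, {"Server": "Apache/2.4"}, HOMEPAGE),  # same page, no edge headers
    "192.0.2.20": Response(200, {"Server": "nginx"},
                           "<html><head><title>Welcome to nginx</title></head><body></body></html>"),
    "192.0.2.30": Response(200, {"Server": "Apache/2.4"},
                           HOMEPAGE.replace("</h1>", "</h1><p>build 2</p>")),  # same title, dynamic diff
    "192.0.2.40": Response(200, {"Server": "cloudflare", "CF-RAY": "placeholder-ray-id"}, HOMEPAGE),
}

if __name__ == "__main__":
    for ip, verdict in audit(REFERENCE, CANDIDATES).items():
        print(ip, verdict)
```

When fetching for real, send the request to the IP with the Host header set to the domain, since most origins serve several virtual hosts and answer a bare-IP request with a default page; a match on title alone is a lead to confirm by hand, not a finding.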
More search engines:
This is how we find origin IPs. I hope you find this guide useful. At the end I will also include my report on how I reported the origin IP, with related information. You can use a similar format when writing your own bug reports and submitting them to companies and platforms.
Till then, bye-bye. See you next time!
My Socials:
LinkedIn: https://www.linkedin.com/in/pruthu-raut-89260a26a/
A Web Application Firewall (WAF) protects applications from attacks such as Cross-Site Scripting (XSS), SQL injection, and malicious strings using pattern matching and traffic analysis. Some applications completely rely on WAFs as their primary defense. By bypassing the WAF, an attacker can gain direct access to an application’s server via a specifically crafted payload.
WAF bypass can result in reputational damage and indirect financial loss for the business due to the impact on customers’ trust in the application’s security. If an attacker successfully gains direct access to the server, it can lead to user account compromise and data exfiltration.
Steps:
1. Visit the target website and use the extension “Wappalyzer” to verify that the site is using Cloudflare WAF.
2. Visit https://search.censys.io/.
3. Paste the target domain in the search box.
4. Visit the IP address found: {IP}.
5. Observe that there is no firewall present.
6. Use the extension “Wappalyzer” to verify that the site is not using Cloudflare WAF.
Remediation:
- Server IPs may still be exposed if moved to Cloudflare from a “direct IP” DNS provider.
- Configure your server’s firewall to only allow Cloudflare IP ranges.
- Force people to use your hostname; you can do this in the 000_default config file.
These recommendations align with Cloudflare’s own guidelines: the origin server must communicate exclusively with Cloudflare’s IP address ranges. Otherwise, as reported in a post on Cloudflare’s blog, the protection offered by having a reverse proxy essentially becomes useless.
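The two remediation points (accept traffic only from Cloudflare’s ranges, and refuse requests that do not name the real hostname) can be expressed in a few lines. The example below is added here and is not part of the report or of any Cloudflare-provided tooling: it checks a request’s source address against a snapshot of Cloudflare’s published IPv4 ranges, rejects a Host header that is not the published hostname, and emits the equivalent iptables allowlist. The CIDR list is a snapshot and is assumed to be current only at the time of writing; the `decide`, `firewall_rules` and `wsgi_guard` names are my own.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: this list
# changes; fetch the current one from https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6 before deploying).
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_IPV4]


def is_cloudflare_edge(ip: str) -> bool:
    """True if the connecting address falls inside one of Cloudflare's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def decide(remote_addr: str, host_header: str, expected_host: str):
    """Allow a request only if it arrives from a Cloudflare edge and names the
    published hostname; a request addressed to the bare IP is refused."""
    if not is_cloudflare_edge(remote_addr):
        return "deny", "source is not a Cloudflare IP range"
    host = host_header.split(":", 1)[0].strip().lower()
    if host != expected_host.lower():
        return "deny", "Host header is not the published hostname"
    return "allow", "ok"


def firewall_rules(port: int = 443) -> list:
    """iptables lines implementing the same allowlist at the host firewall,
    which is the control that actually stops direct-IP access."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT"
             for cidr in CLOUDFLARE_IPV4]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


def wsgi_guard(app, expected_host: str):
    """WSGI middleware (hypothetical helper) applying decide() before the
    wrapped application sees the request; defence in depth behind the firewall."""
    def guarded(environ, start_response):
        verdict, reason = decide(environ.get("REMOTE_ADDR", "0.0.0.0"),
                                 environ.get("HTTP_HOST", ""), expected_host)
        if verdict == "deny":
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [reason.encode()]
        return app(environ, start_response)
    return guarded


if __name__ == "__main__":
    print(decide("104.16.1.1", "redacted.com", "redacted.com"))       # edge, right host
    print(decide("198.51.100.7", "redacted.com", "redacted.com"))     # not an edge
    print(decide("104.16.1.1", "104.16.1.1", "redacted.com"))         # bare-IP Host header
    print("\n".join(firewall_rules()))
```

The firewall rules are the real fix: once only Cloudflare’s ranges can reach port 443, a scanner that finds the IP in Shodan or Censys sees a closed port rather than the homepage. The Host check in the application is a second layer for the case the page raises, where a candidate IP is probed with the bare address, and it also covers an origin that must stay reachable from a few internal ranges you would add to the allowlist.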