Bypassing WAFs with Search Engines using dorks
The use of cloud-based services has become widespread in recent years, driven among other things by lower maintenance costs. With WAFs (Web Application Firewalls) now offered as cloud-based services, many companies have adopted them at scale to secure their web applications. That does not mean their websites are totally secure, though. So how does a cloud WAF work?
As can be seen in the image above, the operation is very simple and similar to a proxy: in a nutshell, the WAF sits between the user and the web server. Every HTTP(S) request passes through it and is analysed; if an attack or suspicious request is detected, the system can block it or take any other action you have defined.
A WAF should be considered an ally, not a substitute for fixing problems that must be solved elsewhere. A firewall cannot be trusted to protect a site from SQL injection when the fault is known to be in the code and can be fixed by secure programming. That would be like relying on antivirus to save me every time I click on a malicious email.
The Bypass
There are numerous WAFs on the market; some examples are Cloudflare, Sucuri and Incapsula. The bypass consists of reaching the site through the origin server and carrying out attacks without being blocked by the WAF: instead of sending the request to the WAF, it is sent directly to the origin server, ignoring the WAF entirely, as in the following image:
When implementing any of them, you must ensure that there is no way to reach your server other than through the protected domain, that is, through the WAF.
Give me an example!
I'll give you an example. The most common way to find the real server is DNS enumeration. Some companies put the primary domain behind the WAF and forget the subdomains, which are often hosted on the same server. There are several sites that perform this enumeration; a well-known one is CyberHub.
"Keep all subdomains on CloudFlare
When you sign up for CloudFlare, CloudFlare automatically adds a 'direct' subdomain. The 'direct' subdomain doesn't get the benefit of the CloudFlare proxy service by default. For maximum security, you should rename the 'direct' subdomain to something that can't be guessed easily or remove it altogether. Otherwise, an attacker can use the subdomain to look up your origin IP address. If you receive email for the domain signed up with CloudFlare, use a separate server for mail; if not, the MX record would reveal the IP address of your server."
When checking the IP of the site https://desecsecurity.com/ you can see that it uses the Sucuri WAF, and trying to access it directly by IP gives Sucuri's default error page.
Result:
DNS Status:
A | 192.124.249.155
NS | pdns13.domaincontrol.com
NS | pdns14.domaincontrol.com
MX | mailstore1.secureserver.net
MX | smtp.secureserver.net
Subdomain Bruteforce:
www.desecsecurity.com | 192.124.249.155
imap.desecsecurity.com | 97.74.135.143
With this information we know, apparently, that Desec uses GoDaddy for email, because imap.desecsecurity.com answers from a GoDaddy server. In this case we did not succeed, because we still do not have the address of the server hosting the primary domain.
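The defensive counterpart of the enumeration above is to audit your own zone: every record that points outside the WAF provider's address ranges is a host an attacker can reach directly, and a protected name doing so means the site itself is exposed. The following is an added example, not code from the article or from CloudBunny; the sample records are modelled on the listing above (the MX address is constructed), the WAF range is assumed from the A record shown, and the hostnames and function names are my own.

```python
import ipaddress

# Constructed sample modelled on the DNS listing in the article; the MX
# address is an assumed value added for the example.
SAMPLE_RECORDS = [
    ("A", "desecsecurity.com", "192.124.249.155"),
    ("A", "www.desecsecurity.com", "192.124.249.155"),
    ("A", "imap.desecsecurity.com", "97.74.135.143"),
    ("MX", "smtp.secureserver.net", "198.51.100.25"),  # constructed address
]
# Assumed WAF range for illustration (the listing's A record falls in it);
# replace with the provider's published list before relying on this check.
WAF_RANGES = ["192.124.249.0/24"]
# Hostnames that must only ever be reachable through the WAF.
PROTECTED = {"desecsecurity.com", "www.desecsecurity.com"}


def audit_dns_exposure(records, waf_ranges, protected_names):
    """Return every record whose address lies outside the WAF ranges.

    A protected name pointing outside the WAF is critical: the site is
    reachable directly. Any other exposed host needs review to confirm it
    does not also serve the protected site (e.g. mail on the web server,
    which is exactly the MX leak the CloudFlare note warns about).
    """
    nets = [ipaddress.ip_network(cidr) for cidr in waf_ranges]
    findings = []
    for rtype, name, ip in records:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue  # proxied through the WAF, nothing leaks here
        severity = "critical" if name in protected_names else "review"
        findings.append({"type": rtype, "name": name, "ip": ip,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_dns_exposure(SAMPLE_RECORDS, WAF_RANGES, PROTECTED):
        print(f"[{f['severity']}] {f['type']:<2} {f['name']} -> {f['ip']}")
```

Feed it the output of your own zone export rather than a brute-force list, so the audit covers records an attacker has not found yet.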
Shodan, Censys, ZoomEye
Shodan, Censys and ZoomEye are examples of search engines for Internet-connected devices. Anything connected to the Internet can be found by one of these three: cameras, routers, web servers. To make searches more precise, these tools provide "dorks", search operators that narrow the query so that only the expected results are returned.
For example, I can search for the title of the Desec Security website and all three will return everything related to that title. Let's look at an example in practice:
When trying to access the returned address "192.169.193.146" we reach the main site directly. This is dangerous because if the site has a SQL Injection flaw, the WAF would be ignored and the attack would succeed.
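The origin in this scenario answered with the full site to a request that never passed through the WAF, which is what the rule in "The Bypass" section says must never happen. One way to enforce it on the origin itself, shown here as an added example rather than code from the article or from CloudBunny, is to accept a request only when the TCP peer is one of the WAF's egress addresses and the Host header names a site the origin is meant to serve; the ranges, hostnames and function names below are assumptions for illustration.

```python
import ipaddress

# Assumed values for illustration. WAF_EGRESS must be the provider's published
# list of addresses its proxies connect from; the first range is assumed from
# the A record shown in the article, the second is a documentation range
# standing in for the rest. ALLOWED_HOSTS are the names the origin serves.
WAF_EGRESS = [ipaddress.ip_network(c) for c in ("192.124.249.0/24", "203.0.113.0/24")]
ALLOWED_HOSTS = {"desecsecurity.com", "www.desecsecurity.com"}


def is_permitted(remote_addr, host, waf_ranges=WAF_EGRESS, allowed_hosts=ALLOWED_HOSTS):
    """True only if the peer is a WAF proxy and Host names a served site.

    REMOTE_ADDR is the peer the server actually accepted the connection from,
    so it cannot be forged the way X-Forwarded-For can; that header is
    deliberately not consulted here. A Host that is a bare IP literal (what a
    direct-to-IP probe sends) is not in allowed_hosts and is refused.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    hostname = host.split(":", 1)[0].strip().lower().rstrip(".")
    return any(peer in net for net in waf_ranges) and hostname in allowed_hosts


def origin_guard(app):
    """WSGI middleware: refuse requests that did not arrive via the WAF."""
    def guarded(environ, start_response):
        if not is_permitted(environ.get("REMOTE_ADDR", ""), environ.get("HTTP_HOST", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"origin accepts traffic only through the WAF\n"]
        return app(environ, start_response)
    return guarded


def site(environ, start_response):
    """Stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"main site\n"]


application = origin_guard(site)
```

A firewall allowlist of the same WAF ranges in front of the server is the primary control; this middleware is defence in depth and additionally catches probes that reach the right address with the wrong Host.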
Another way is to search for digital certificates, but this runs into a problem when the company that owns the certificate is the one providing the cloud-based WAF. The test can be done with Censys by passing the following query: parsed.names: hackaflag.com.br AND tags.raw: trusted.
Despite the many results returned, you can go through them one by one checking the IPv4 addresses associated with the certificate; even after trying them all, none gave a useful result.
In that case, one should think outside the box. Without any dork, ZoomEye returns everything on the Internet related to a word, for example hackaflag.
The IP "159.65.177.108" returns a page belonging to the domain "ctf.hackaflag.com.br", so it is then possible to enumerate the surrounding network range with Shodan.
CloudBunny
I made a tool to automate this process, since it can be tiring depending on the target. I hope to improve it over time, since the searches can be endless; it is just a matter of finding the right dork. The repository is on GitHub and can be downloaded from the following address: https://github.com/Warflop/CloudBunny.
Conclusion
THINK OUTSIDE THE BOX