Skip to content

Add waf_bypass module for WAF bypass detection #2994

Merged
liquidsec merged 22 commits into
devfrom
add-waf-bypass-module
Jun 16, 2026
Merged

Add waf_bypass module for WAF bypass detection #2994
liquidsec merged 22 commits into
devfrom
add-waf-bypass-module

Conversation

@liquidsec

Copy link
Copy Markdown
Collaborator

Summary

Adds a new waf_bypass module that detects when WAF-protected web content is directly accessible by IP, bypassing the CDN/WAF layer. Requires #2992 (blasthttp integration).

How it works

  1. Detection — identifies WAF-protected domains by checking for CDN tags (cdn-cloudflare, cdn-imperva, etc.) on URL events
  2. Fingerprinting — captures a simhash fingerprint of the protected content through the CDN
  3. IP collection — gathers IP addresses from DNS resolution of related domains, ASN neighbor scanning, and IP neighbor enumeration
  4. Bypass testing — for each candidate IP, fetches the protected URL using resolve_ip to pin DNS to the candidate IP, bypassing the CDN
  5. Comparison — compares the bypassed response against the original CDN-proxied fingerprint using simhash similarity
  6. Verification — requires similarity above configurable threshold (default 0.9); redirects require exact match (1.0)

Features

  • Automatic WAF/CDN detection via BBOT's cloud tagging system
  • ASN-aware IP candidate discovery (checks IPs in the same ASN as the target)
  • IP neighbor scanning within configurable CIDR range
  • Filters out known cloud/CDN IPs to reduce false positives
  • Uses blasthttp resolve_ip for DNS pinning — no curl subprocess needed

Config options

  • similarity_threshold — minimum simhash similarity to report a bypass (default: 0.9)
  • search_ip_neighbors — enable IP neighbor scanning (default: true)
  • neighbor_cidr — CIDR prefix length for neighbor scanning (default: 24)

Preset

Includes waf-bypass.yml preset for easy activation.

Detects WAF bypasses by finding direct IP access to WAF-protected
content. Compares response similarity between CDN-proxied and
direct-IP requests using simhash. Uses blasthttp resolve_ip for
DNS pinning to target IPs.
@github-actions

github-actions Bot commented Mar 27, 2026

Copy link
Copy Markdown
Contributor

🚀 Performance Benchmark Report

⚠️ No current benchmark data available

This might be because:

  • Benchmarks failed to run
  • No benchmark tests found
  • Dependencies missing

@codecov

codecov Bot commented Mar 27, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 83.25991% with 38 lines in your changes missing coverage. Please review.
✅ Project coverage is 90%. Comparing base (1f3adf1) to head (37352ca).
⚠️ Report is 29 commits behind head on dev.

Files with missing lines Patch % Lines
bbot/modules/waf_bypass.py 80% 33 Missing ⚠️
...test_step_2/module_tests/test_module_waf_bypass.py 93% 5 Missing ⚠️
Additional details and impacted files
@@          Coverage Diff           @@
##             dev   #2994    +/-   ##
======================================
- Coverage     90%     90%    -0%     
======================================
  Files        451     453     +2     
  Lines      45577   45814   +237     
======================================
+ Hits       40766   40962   +196     
- Misses      4811    4852    +41     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@liquidsec liquidsec changed the base branch from blasthttp-integration-clean to dev May 12, 2026 18:09
liquidsec added 3 commits June 8, 2026 19:01
…handling

- Match fingerprints by hostname equality instead of substring (F1)
- Add ge/le constraints to neighbor_cidr Field (F2)
- Round similarity to nearest percent before aggregation keying (F3)
- Unify status code filtering across both get_url_content branches (F5)
@liquidsec liquidsec mentioned this pull request Jun 15, 2026
28 tasks
@ausmaster ausmaster self-requested a review June 16, 2026 21:14
@liquidsec liquidsec changed the title Add waf_bypass module for WAF bypass detection Add waf_bypass module for WAF bypass detection Jun 16, 2026
@liquidsec liquidsec marked this pull request as draft June 16, 2026 21:27
@liquidsec liquidsec marked this pull request as ready for review June 16, 2026 21:27
@liquidsec liquidsec marked this pull request as draft June 16, 2026 21:27
@liquidsec liquidsec marked this pull request as ready for review June 16, 2026 21:28
@ausmaster ausmaster self-requested a review June 16, 2026 22:07

@ausmaster ausmaster left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why you stuck

@liquidsec liquidsec merged commit 825ac1f into dev Jun 16, 2026
15 checks passed
@liquidsec liquidsec deleted the add-waf-bypass-module branch June 16, 2026 22:09
@ausmaster ausmaster added this to the BBOT 3.0 - blazed_elijah milestone Jun 26, 2026
@liquidsec liquidsec mentioned this pull request Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants