Add waf_bypass module for WAF bypass detection #2994

Open

liquidsec wants to merge 14 commits into blasthttp-integration-clean from add-waf-bypass-module

Conversation

@liquidsec
Contributor

Summary

Adds a new waf_bypass module that detects when WAF-protected web content is directly accessible by IP, bypassing the CDN/WAF layer. Requires #2992 (blasthttp integration).

How it works

  1. Detection — identifies WAF-protected domains by checking for CDN tags (cdn-cloudflare, cdn-imperva, etc.) on URL events
  2. Fingerprinting — captures a simhash fingerprint of the protected content through the CDN
  3. IP collection — gathers IP addresses from DNS resolution of related domains, ASN neighbor scanning, and IP neighbor enumeration
  4. Bypass testing — for each candidate IP, fetches the protected URL using resolve_ip to pin DNS to the candidate IP, bypassing the CDN
  5. Comparison — compares the bypassed response against the original CDN-proxied fingerprint using simhash similarity
  6. Verification — requires similarity above configurable threshold (default 0.9); redirects require exact match (1.0)

Features

  • Automatic WAF/CDN detection via BBOT's cloud tagging system
  • ASN-aware IP candidate discovery (checks IPs in the same ASN as the target)
  • IP neighbor scanning within configurable CIDR range
  • Filters out known cloud/CDN IPs to reduce false positives
  • Uses blasthttp resolve_ip for DNS pinning — no curl subprocess needed

Config options

  • similarity_threshold — minimum simhash similarity to report a bypass (default: 0.9)
  • search_ip_neighbors — enable IP neighbor scanning (default: true)
  • neighbor_cidr — CIDR prefix length for neighbor scanning (default: 24)

Preset

Includes waf-bypass.yml preset for easy activation.

Detects WAF bypasses by finding direct IP access to WAF-protected
content. Compares response similarity between CDN-proxied and
direct-IP requests using simhash. Uses blasthttp resolve_ip for
DNS pinning to target IPs.
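To make the fingerprinting and comparison steps above concrete, here is a small worked example of the verification rule the description states: a simhash of the CDN-proxied body, a simhash of the direct-IP body, similarity at or above the threshold (default 0.9) counts as a bypass, and redirects must match exactly. This is an added illustration and not the module's own code: the word-trigram features, the `Response` stand-in class, the `portal.example` host and the sample page bodies are all constructed for the example, and BBOT's actual simhash implementation may weight features differently. From a defender's side, the same check tells you whether your own origin host serves the protected content when the CDN is taken out of the path.

```python
import hashlib
import re
from dataclasses import dataclass

FINGERPRINT_BITS = 64


def _features(text: str) -> list[str]:
    """Split a response body into lowercase word trigrams (shingles).

    Constructed choice of feature for this example; the module's own
    tokenisation may differ.
    """
    words = re.findall(r"\w+", text.lower())
    if len(words) < 3:
        return words
    return [" ".join(words[i:i + 3]) for i in range(len(words) - 2)]


def simhash(text: str) -> int:
    """64-bit simhash: every feature's hash votes +1/-1 on each bit and the
    fingerprint keeps the bits whose vote total is positive."""
    votes = [0] * FINGERPRINT_BITS
    for feat in _features(text):
        digest = hashlib.blake2b(feat.encode(), digest_size=8).digest()
        h = int.from_bytes(digest, "big")
        for bit in range(FINGERPRINT_BITS):
            votes[bit] += 1 if (h >> bit) & 1 else -1
    fingerprint = 0
    for bit, total in enumerate(votes):
        if total > 0:
            fingerprint |= 1 << bit
    return fingerprint


def similarity(fp_a: int, fp_b: int) -> float:
    """Fraction of fingerprint bits that agree (1.0 means identical)."""
    hamming = bin(fp_a ^ fp_b).count("1")
    return 1.0 - hamming / FINGERPRINT_BITS


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    body: str
    location: str = ""  # Location header, only meaningful for redirects


def content_similarity(cdn: Response, direct: Response) -> float:
    """Simhash similarity between the CDN-proxied and the direct-IP body."""
    return similarity(simhash(cdn.body), simhash(direct.body))


def is_bypass(cdn: Response, direct: Response, threshold: float = 0.9) -> bool:
    """Apply the verification rule: similarity at or above the threshold for
    ordinary responses; redirects must match exactly (same target, score 1.0)."""
    if direct.status != cdn.status:
        return False
    score = content_similarity(cdn, direct)
    if 300 <= cdn.status < 400:
        # A redirect has almost no body to fingerprint, so a near-match says
        # nothing; require the same Location and an exact score.
        return direct.location == cdn.location and score == 1.0
    return score >= threshold


# Constructed sample bodies for a hypothetical portal.example host.
ORIGIN_PAGE = (
    "<html><head><title>Acme Customer Portal</title></head><body>"
    "<h1>Welcome to the Acme customer portal</h1>"
    "<p>Sign in to view invoices, manage shipping addresses and track "
    "open orders. Contact support if you cannot access your account.</p>"
    "<footer>Copyright Acme Corp</footer></body></html>"
)
# Same page served by a different backend node with a trailing marker.
ORIGIN_WITH_MARKER = ORIGIN_PAGE + "<!-- node2 -->"
NGINX_DEFAULT = (
    "<html><head><title>Welcome to nginx!</title></head><body>"
    "<h1>Welcome to nginx!</h1><p>If you see this page, the nginx web "
    "server is successfully installed and working.</p></body></html>"
)

CDN_RESPONSE = Response(200, ORIGIN_PAGE)


def demo() -> dict[str, tuple[float, bool]]:
    """Score four candidate direct-IP responses against the CDN fingerprint."""
    cases = {
        "identical_origin": Response(200, ORIGIN_PAGE),
        "origin_with_marker": Response(200, ORIGIN_WITH_MARKER),
        "unrelated_nginx": Response(200, NGINX_DEFAULT),
        "blocked_403": Response(403, "<h1>Forbidden</h1>"),
    }
    return {
        name: (round(content_similarity(CDN_RESPONSE, r), 3), is_bypass(CDN_RESPONSE, r))
        for name, r in cases.items()
    }


if __name__ == "__main__":
    for name, (score, verdict) in demo().items():
        print(f"{name}: similarity={score} -> {'bypass' if verdict else 'no bypass'}")
```

Two things worth noticing when running it. The unrelated nginx page lands near 0.5, which is what two random 64-bit fingerprints look like, while the origin page with a one-token marker stays close to 1.0. On a body this short, though, a single extra token still moves a few bits; real responses carry far more features, so small dynamic fragments barely move the score, which is why a fixed 0.9 threshold is workable on full responses but would be noisy on tiny ones. The redirect branch is the other edge case: a 301 has no body to fingerprint, so the rule falls back to an exact match on status and Location rather than a similarity score.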
@github-actions
Contributor

github-actions Bot commented Mar 27, 2026

📊 Performance Benchmark Report

Comparing blasthttp-integration-clean (baseline) vs add-waf-bypass-module (current)

📈 Detailed Results (All Benchmarks)

📋 Complete results for all benchmarks - includes both significant and insignificant changes

| 🧪 Test Name | 📏 Base | 📏 Current | 📈 Change |
|---|---|---|---|
| Bloom Filter Dns Mutation Tracking Performance | 4.17ms | 4.25ms | +1.9% |
| Bloom Filter Large Scale Dns Brute Force | 17.28ms | 18.51ms | +7.1% |
| Large Closest Match Lookup | 355.80ms | 354.97ms | -0.2% |
| Realistic Closest Match Workload | 190.66ms | 188.25ms | -1.3% |
| Event Memory Medium Scan | 1782 B/event | 1783 B/event | +0.1% |
| Event Memory Large Scan | 1768 B/event | 1768 B/event | +0.0% |
| Event Validation Full Scan Startup Small Batch | 409.15ms | 408.40ms | -0.2% |
| Event Validation Full Scan Startup Large Batch | 591.73ms | 583.44ms | -1.4% |
| Make Event Autodetection Small | 30.56ms | 30.93ms | +1.2% |
| Make Event Autodetection Large | 312.34ms | 314.17ms | +0.6% |
| Make Event Explicit Types | 13.74ms | 13.75ms | +0.0% |
| Excavate Single Thread Small | 3.904s | 3.935s | +0.8% |
| Excavate Single Thread Large | 9.786s | 9.497s | -3.0% |
| Excavate Parallel Tasks Small | 4.167s | 4.143s | -0.6% |
| Excavate Parallel Tasks Large | 6.604s | 6.612s | +0.1% |
| Is Ip Performance | 3.15ms | 3.17ms | +0.7% |
| Make Ip Type Performance | 11.58ms | 11.50ms | -0.7% |
| Mixed Ip Operations | 4.52ms | 4.50ms | -0.4% |
| Memory Use Web Crawl | 156.2 MB | 164.9 MB | +5.6% |
| Memory Use Subdomain Enum | 19.4 MB | 19.4 MB | +0.0% |
| Scan Throughput 100 | 4.754s | 4.804s | +1.1% |
| Scan Throughput 1000 | 37.086s | 37.920s | +2.2% |
| Typical Queue Shuffle | 63.92µs | 64.89µs | +1.5% |
| Priority Queue Shuffle | 727.28µs | 732.29µs | +0.7% |

🎯 Performance Summary

No significant performance changes detected (all changes <10%)
🐍 Python Version 3.11.15

@codecov

codecov Bot commented Mar 27, 2026

Codecov Report

❌ Patch coverage is 81.03448% with 44 lines in your changes missing coverage. Please review.
✅ Project coverage is 91%. Comparing base (84f6380) to head (06fb199).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| bbot/modules/waf_bypass.py | 77% | 39 Missing ⚠️ |
| ...test_step_2/module_tests/test_module_waf_bypass.py | 93% | 5 Missing ⚠️ |
Additional details and impacted files
@@                     Coverage Diff                      @@
##           blasthttp-integration-clean   #2994    +/-   ##
============================================================
- Coverage                           91%     91%    -0%     
============================================================
  Files                              443     445     +2     
  Lines                            38305   38537   +232     
============================================================
+ Hits                             34635   34808   +173     
- Misses                            3670    3729    +59     

