Bypassing WAF for $2222

WAF BYPASS

I know it’s been a very long time since I last published my article on how I was able to find RCE on Bentley Systems. For the last 1–1.5 years I was doing internships at various companies, and that’s why I didn’t have time for bug bounties. After some months of internship, my mind said to me that

So I left the internship and got back to hitting bounties.

The Finding:

I had accepted a lot of private invites on Bugcrowd but had never started hunting on them. In mid-February, I thought I’d try a random private target that I had accepted.

I’m not much into recon, so I just casually started surfing the website with Burp running in the background, but nothing special came up.
As 81 bugs had already been reported on the program, I decided to hunt on very underrated endpoints like:

  1. Careers Page
  2. Resources Page
  3. Contact Us

Eventually I managed to find a self-XSS on the contact-us page, chained it with CSRF to make it exploitable, and reported it. But my goal was a P1. So next I went to the resources page and saw an EBOOK central (books about how to use the company’s product) with a download-book feature.

[Image: Download button]

After filling in all the required information, I captured the request in Burp Suite. It looked like this:

[Image: Vulnerable request]

In the above request, the vulnerable parameter was book_pdf. I first set book_pdf to ../../../../etc/passwd, but sadly the response was 403 Forbidden: the traversal payload never reached the application, because the WAF in front of it rejected the request at the edge.
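To make the underlying bug concrete, here is an added example (not code from the original write-up, and not the target’s code) of a minimal “download ebook” handler with the path-traversal bug the post describes, beside a hardened version. The parameter name book_pdf is from the post; the directory layout, file names and file contents are constructed for the demonstration, and the tree is built four levels deep so that the post’s exact payload lands on the stand-in passwd file.

```python
"""Added example, not code from the original write-up: a minimal "download
ebook" handler with the path-traversal bug the post describes, beside a
hardened version. The parameter name book_pdf is from the post; the directory
layout, file names and contents are constructed here for the demonstration."""
import os
import tempfile
from pathlib import Path


def make_demo_tree():
    """Build a throwaway tree: <root>/srv/app/static/ebooks holds the ebook,
    and <root>/etc/passwd stands in for the real file. The ebooks directory is
    four levels below <root>, so the post's payload ../../../../etc/passwd
    climbs exactly to <root>/etc/passwd."""
    root = Path(tempfile.mkdtemp(prefix="lfi-demo-"))
    books = root / "srv" / "app" / "static" / "ebooks"
    books.mkdir(parents=True)
    (books / "guide.pdf").write_bytes(b"%PDF-1.4 constructed ebook\n")
    (root / "etc").mkdir()
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
    return books, root


def download_vulnerable(books_dir, book_pdf):
    """The bug: the user-controlled name is joined onto the base directory and
    opened as-is. '..' segments walk out of books_dir, and an absolute value
    replaces it entirely (os.path.join discards everything before an absolute
    component)."""
    path = os.path.join(books_dir, book_pdf)
    with open(path, "rb") as fh:
        return fh.read()


def download_hardened(books_dir, book_pdf):
    """Resolve the candidate path (following symlinks) and serve it only if it
    is a regular file strictly inside the resolved base directory. Returns None
    for anything else; a real handler would answer 404 without echoing the
    name. Blocklisting '../' is not enough: '..%2f', '....//' and absolute
    paths all slip past simple string filters, while a resolved-path check
    does not care how the traversal was spelled."""
    base = Path(books_dir).resolve()
    target = (base / book_pdf).resolve()
    if base not in target.parents:
        return None
    if not target.is_file():
        return None
    return target.read_bytes()


if __name__ == "__main__":
    books, root = make_demo_tree()
    payload = "../../../../etc/passwd"
    print("vulnerable:", download_vulnerable(books, payload))
    print("hardened:  ", download_hardened(books, payload))
    print("hardened, legitimate name:", download_hardened(books, "guide.pdf"))
```

The hardened version deliberately compares resolved paths rather than filtering the string: a WAF rule that blocks `../` is exactly the kind of string filter that this post goes on to sidestep, and the application should not depend on it.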

At this stage I tried every WAF bypass I could think of (the WAF was the one attached to the site’s CloudFront distribution), but nothing worked. Then I remembered: the WAF only inspects traffic that arrives through the CloudFront edge. If we can find the origin IP behind CloudFront, and the origin accepts connections from anywhere, we can send the same request straight to the origin and bypass the WAF entirely.
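The following is an added example (not code from the original write-up, and not the target’s configuration) showing both sides of that reasoning: how a captured form request is replayed directly at the origin while keeping the public hostname in the Host header, and the origin-side check that would have stopped it. The hostname books.example, the origin address 203.0.113.10, the CDN address ranges and the X-Origin-Verify header name are all constructed assumptions; the real CloudFront egress ranges are published by AWS at https://ip-ranges.amazonaws.com/ip-ranges.json under the service name CLOUDFRONT.

```python
"""Added example, not code from the original write-up: why a WAF attached to a
CDN distribution is skipped when the origin accepts direct connections, and
the origin-side check that closes the hole.

Constructed assumptions: the hostname books.example, the origin address
203.0.113.10, the CDN ranges below and the X-Origin-Verify header name."""
import hmac
import ipaddress
from urllib.parse import urlencode

# Constructed stand-in for the CDN's egress ranges (not real CloudFront ranges;
# the real list is in https://ip-ranges.amazonaws.com/ip-ranges.json).
CDN_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "2001:db8:100::/48")]
# Assumed header name; CloudFront can be configured to add any custom header
# (with a secret value) to every request it forwards to the origin.
SECRET_HEADER = "X-Origin-Verify"


def direct_origin_request(origin_ip, host, path, form, port=443):
    """Return (tcp_target, raw_request) for replaying a captured form POST
    straight at the origin. The TCP connection goes to the origin IP, but the
    Host header keeps the public hostname so the origin's virtual host serves
    the same application that sits behind the CDN. Nothing on this path is
    inspected by the CDN-attached WAF, so the payload arrives untouched."""
    body = urlencode(form, safe="/")
    raw = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
        f"{body}"
    )
    return (origin_ip, port), raw


def edge_only(remote_addr, headers, shared_secret):
    """Origin-side policy: accept a request only if it arrived from a CDN
    address *and* carries the secret the CDN is configured to inject.
    Returns (allowed, reason). Either check alone is weaker: the IP allowlist
    stops strangers, the secret stops other tenants of the same CDN from
    pointing their own distribution at this origin. Header names are assumed
    to be normalised by the web framework before this function is called."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "unparseable source address"
    if not any(ip in net for net in CDN_RANGES):
        return False, f"{remote_addr} is not a CDN address"
    presented = headers.get(SECRET_HEADER, "")
    if not hmac.compare_digest(presented.encode(), shared_secret.encode()):
        return False, "missing or wrong origin secret"
    return True, "ok"


if __name__ == "__main__":
    target, raw = direct_origin_request(
        "203.0.113.10", "books.example", "/download",
        {"email": "reader@example.com", "book_pdf": "../../../../etc/passwd"})
    print("connect to", target)
    print(raw)
    secret = "s3cret-value"  # constructed; in practice a long random string
    for src, hdrs in (
        ("203.0.113.77", {}),                  # attacker connecting straight to the origin
        ("198.51.100.7", {}),                  # CDN address but no secret (another tenant)
        ("198.51.100.7", {SECRET_HEADER: secret}),  # genuine traffic via our distribution
    ):
        print(src, edge_only(src, hdrs, secret))
```

On AWS the same policy is usually enforced without application code: a security group on the origin that only allows the CloudFront managed prefix list, plus a custom origin header checked by the load balancer. The point of the example is that a WAF protects only the path it sits on; an origin reachable from the whole internet has no WAF at all.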

After some Censys dorking (typically, searching for hosts that present the target’s hostname or TLS certificate), I was able to find the actual origin IP. Sending the same request straight to it gave the result below:

[Image: LFI result]

I then reported it to the company, and they rewarded me with $2222.

[Image: Bounty rewarded]

Connect with me:

LINKEDIN: https://www.linkedin.com/in/divyanshsharma24/

TWITTER: https://twitter.com/divyansh2401

Thanks for reading my write-up.

Divyansh Sharma, Bug Hunter

More from Medium

OTP Bypass + PATO = 100 Dollars Bounty

fuzzing and credentials leakage..nice bug hunting writeup

Account Takeover [Via Host Header Injection]

You need to hear this if you are new/want to start bug hunting