Add waf_bypass module for WAF bypass detection #2994

Open
liquidsec wants to merge 8 commits into blasthttp-integration-clean from add-waf-bypass-module

Conversation

@liquidsec
Contributor

Summary

Adds a new waf_bypass module that detects when WAF-protected web content is directly accessible by IP, bypassing the CDN/WAF layer. Requires #2992 (blasthttp integration).

How it works

  1. Detection — identifies WAF-protected domains by checking for CDN tags (cdn-cloudflare, cdn-imperva, etc.) on URL events
  2. Fingerprinting — captures a simhash fingerprint of the protected content through the CDN
  3. IP collection — gathers IP addresses from DNS resolution of related domains, ASN neighbor scanning, and IP neighbor enumeration
  4. Bypass testing — for each candidate IP, fetches the protected URL using resolve_ip to pin DNS to the candidate IP, bypassing the CDN
  5. Comparison — compares the bypassed response against the original CDN-proxied fingerprint using simhash similarity
  6. Verification — requires similarity above configurable threshold (default 0.9); redirects require exact match (1.0)

Features

  • Automatic WAF/CDN detection via BBOT's cloud tagging system
  • ASN-aware IP candidate discovery (checks IPs in the same ASN as the target)
  • IP neighbor scanning within configurable CIDR range
  • Filters out known cloud/CDN IPs to reduce false positives
  • Uses blasthttp resolve_ip for DNS pinning — no curl subprocess needed

Config options

  • similarity_threshold — minimum simhash similarity to report a bypass (default: 0.9)
  • search_ip_neighbors — enable IP neighbor scanning (default: true)
  • neighbor_cidr — CIDR prefix length for neighbor scanning (default: 24)

Preset

Includes waf-bypass.yml preset for easy activation.

Detects WAF bypasses by finding direct IP access to WAF-protected
content. Compares response similarity between CDN-proxied and
direct-IP requests using simhash. Uses blasthttp resolve_ip for
DNS pinning to target IPs.
@github-actions
Contributor

github-actions bot commented Mar 27, 2026

📊 Performance Benchmark Report

Comparing blasthttp-integration-clean (baseline) vs add-waf-bypass-module (current)

📈 Detailed Results (All Benchmarks)

📋 Complete results for all benchmarks - includes both significant and insignificant changes

🧪 Test Name 📏 Base 📏 Current 📈 Change 🎯 Status
Bloom Filter Dns Mutation Tracking Performance 4.12ms 4.16ms +1.0%
Bloom Filter Large Scale Dns Brute Force 17.13ms 26.60ms +55.3% 🔴🔴🔴 ⚠️
Large Closest Match Lookup 354.09ms 355.07ms +0.3%
Realistic Closest Match Workload 188.99ms 189.08ms +0.0%
Event Memory Medium Scan 1772 B/event 1775 B/event +0.2%
Event Memory Large Scan 1760 B/event 1760 B/event +0.0%
Event Validation Full Scan Startup Small Batch 428.09ms 410.88ms -4.0%
Event Validation Full Scan Startup Large Batch 591.84ms 584.03ms -1.3%
Make Event Autodetection Small 30.71ms 30.61ms -0.3%
Make Event Autodetection Large 310.88ms 315.19ms +1.4%
Make Event Explicit Types 13.64ms 13.76ms +0.8%
Excavate Single Thread Small 3.927s 3.969s +1.1%
Excavate Single Thread Large 9.679s 9.672s -0.1%
Excavate Parallel Tasks Small 4.131s 4.106s -0.6%
Excavate Parallel Tasks Large 7.179s 7.304s +1.7%
Is Ip Performance 3.11ms 3.16ms +1.7%
Make Ip Type Performance 11.36ms 11.39ms +0.2%
Mixed Ip Operations 4.48ms 4.48ms -0.1%
Scan Throughput 100 4.544s 4.695s +3.3%
Scan Throughput 1000 37.967s 37.576s -1.0%
Typical Queue Shuffle 63.67µs 64.98µs +2.1%
Priority Queue Shuffle 724.86µs 730.69µs +0.8%

🎯 Performance Summary

  1 regression ⚠️
  21 unchanged ✅

🔍 Significant Changes (>10%)

  • Bloom Filter Large Scale Dns Brute Force: 55.3% 🐌 slower

🐍 Python Version 3.11.15

@codecov

codecov bot commented Mar 27, 2026

Codecov Report

❌ Patch coverage is 81.03448% with 44 lines in your changes missing coverage. Please review.
✅ Project coverage is 91%. Comparing base (294dedb) to head (de3e78c).

Files with missing lines Patch % Lines
bbot/modules/waf_bypass.py 77% 39 Missing ⚠️
...test_step_2/module_tests/test_module_waf_bypass.py 93% 5 Missing ⚠️
Additional details and impacted files
@@                     Coverage Diff                      @@
##           blasthttp-integration-clean   #2994    +/-   ##
============================================================
- Coverage                           91%     91%    -0%     
============================================================
  Files                              440     442     +2     
  Lines                            37570   37802   +232     
============================================================
+ Hits                             34078   34280   +202     
- Misses                            3492    3522    +30     
