
Add waf_bypass module for WAF bypass detection #2994

Open

liquidsec wants to merge 10 commits into blasthttp-integration-clean from add-waf-bypass-module

Conversation

@liquidsec (Contributor)

Summary

Adds a new waf_bypass module that detects when WAF-protected web content is directly accessible by IP, bypassing the CDN/WAF layer. Requires #2992 (blasthttp integration).

How it works

  1. Detection — identifies WAF-protected domains by checking for CDN tags (cdn-cloudflare, cdn-imperva, etc.) on URL events
  2. Fingerprinting — captures a simhash fingerprint of the protected content through the CDN
  3. IP collection — gathers IP addresses from DNS resolution of related domains, ASN neighbor scanning, and IP neighbor enumeration
  4. Bypass testing — for each candidate IP, fetches the protected URL using resolve_ip to pin DNS to the candidate IP, bypassing the CDN
  5. Comparison — compares the bypassed response against the original CDN-proxied fingerprint using simhash similarity
  6. Verification — requires similarity above configurable threshold (default 0.9); redirects require exact match (1.0)

Features

  • Automatic WAF/CDN detection via BBOT's cloud tagging system
  • ASN-aware IP candidate discovery (checks IPs in the same ASN as the target)
  • IP neighbor scanning within configurable CIDR range
  • Filters out known cloud/CDN IPs to reduce false positives
  • Uses blasthttp resolve_ip for DNS pinning — no curl subprocess needed

Config options

  • similarity_threshold — minimum simhash similarity to report a bypass (default: 0.9)
  • search_ip_neighbors — enable IP neighbor scanning (default: true)
  • neighbor_cidr — CIDR prefix length for neighbor scanning (default: 24)

Preset

Includes waf-bypass.yml preset for easy activation.

Detects WAF bypasses by finding direct IP access to WAF-protected
content. Compares response similarity between CDN-proxied and
direct-IP requests using simhash. Uses blasthttp resolve_ip for
DNS pinning to target IPs.
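As an added illustration of the comparison and verification steps described in the PR (this is not code from the PR or from BBOT, whose simhash implementation may differ), the following computes a simhash fingerprint of the CDN-proxied body, compares it with the body fetched from a candidate IP, and reports a bypass only above the similarity threshold, with redirects requiring an exact 1.0 match. It assumes responses are `(status, body)` tuples, uses word 3-gram features and 64-bit blake2b hashes, and the sample bodies are constructed.

```python
import hashlib
import re

# Constructed sample responses (not real site content).
# The CDN-proxied body is minified; the direct-IP body is the same page, pretty-printed.
CDN_BODY = ("<html><head><title>Example Corp</title></head><body>"
            "<h1>Welcome</h1><p>Products, news, careers.</p></body></html>")
DIRECT_BODY_SAME = """<html>
  <head>
    <title>Example Corp</title>
  </head>
  <body>
    <h1>Welcome</h1>
    <p>Products, news, careers.</p>
  </body>
</html>
"""
# A candidate IP that serves an unrelated default page should not count as a bypass.
DIRECT_BODY_OTHER = "<html><body><h1>Default web page</h1><p>It works. Apache is running.</p></body></html>"


def _features(text):
    """Lowercase word 3-grams, so markup whitespace and minification do not change the feature set."""
    words = re.findall(r"\w+", text.lower())
    if len(words) < 3:
        return words
    return [" ".join(words[i:i + 3]) for i in range(len(words) - 2)]


def simhash(text, bits=64):
    """Charikar-style simhash: each feature's hash votes +1/-1 per bit; the sign of the sum is the fingerprint bit."""
    votes = [0] * bits
    for feature in _features(text):
        h = int.from_bytes(hashlib.blake2b(feature.encode(), digest_size=bits // 8).digest(), "big")
        for i in range(bits):
            votes[i] += 1 if (h >> i) & 1 else -1
    return sum(1 << i for i in range(bits) if votes[i] > 0)


def similarity(fp_a, fp_b, bits=64):
    """1.0 minus the normalized Hamming distance between two fingerprints (1.0 means identical)."""
    return 1.0 - bin(fp_a ^ fp_b).count("1") / bits


def is_bypass(cdn_resp, direct_resp, threshold=0.9):
    """Verification rule from the PR description: redirects need an exact match, other content must reach the threshold."""
    cdn_status, cdn_body = cdn_resp
    _, direct_body = direct_resp
    sim = similarity(simhash(cdn_body), simhash(direct_body))
    if 300 <= cdn_status < 400:
        return sim == 1.0
    return sim >= threshold
```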
@github-actions (Contributor)

github-actions bot commented Mar 27, 2026

📊 Performance Benchmark Report

Comparing blasthttp-integration-clean (baseline) vs add-waf-bypass-module (current)

📈 Detailed Results (All Benchmarks)

📋 Complete results for all benchmarks - includes both significant and insignificant changes

| Test Name | Base | Current | Change | Status |
|---|---|---|---|---|
| Bloom Filter Dns Mutation Tracking Performance | 4.21ms | 4.77ms | +13.3% | 🟡🟡 ⚠️ |
| Bloom Filter Large Scale Dns Brute Force | 17.38ms | 17.87ms | +2.8% | |
| Large Closest Match Lookup | 358.23ms | 348.92ms | -2.6% | |
| Realistic Closest Match Workload | 189.52ms | 189.36ms | -0.1% | |
| Event Memory Medium Scan | 1772 B/event | 1775 B/event | +0.2% | |
| Event Memory Large Scan | 1760 B/event | 1760 B/event | +0.0% | |
| Event Validation Full Scan Startup Small Batch | 413.64ms | 408.37ms | -1.3% | |
| Event Validation Full Scan Startup Large Batch | 572.44ms | 578.99ms | +1.1% | |
| Make Event Autodetection Small | 30.56ms | 30.08ms | -1.5% | |
| Make Event Autodetection Large | 311.43ms | 310.13ms | -0.4% | |
| Make Event Explicit Types | 13.89ms | 13.52ms | -2.7% | |
| Excavate Single Thread Small | 3.902s | 3.882s | -0.5% | |
| Excavate Single Thread Large | 9.638s | 9.526s | -1.2% | |
| Excavate Parallel Tasks Small | 4.088s | 4.065s | -0.6% | |
| Excavate Parallel Tasks Large | 6.540s | 6.508s | -0.5% | |
| Is Ip Performance | 3.19ms | 3.16ms | -1.0% | |
| Make Ip Type Performance | 11.53ms | 11.49ms | -0.4% | |
| Mixed Ip Operations | 4.55ms | 4.48ms | -1.5% | |
| Memory Use Web Crawl | 255.9 MB | 256.3 MB | +0.1% | |
| Memory Use Subdomain Enum | 19.3 MB | 19.3 MB | +0.1% | |
| Scan Throughput 100 | 4.508s | 4.515s | +0.2% | |
| Scan Throughput 1000 | 36.854s | 36.635s | -0.6% | |
| Typical Queue Shuffle | 64.05µs | 64.44µs | +0.6% | |
| Priority Queue Shuffle | 716.46µs | 723.35µs | +1.0% | |

🎯 Performance Summary

  • 1 regression ⚠️
  • 23 unchanged ✅

🔍 Significant Changes (>10%)

  • Bloom Filter Dns Mutation Tracking Performance: 13.3% 🐌 slower

🐍 Python Version 3.11.15

@codecov

codecov bot commented Mar 27, 2026

Codecov Report

❌ Patch coverage is 81.03448% with 44 lines in your changes missing coverage. Please review.
✅ Project coverage is 91%. Comparing base (57b6b38) to head (b3fd9b3).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| bbot/modules/waf_bypass.py | 77% | 39 Missing ⚠️ |
| ...test_step_2/module_tests/test_module_waf_bypass.py | 93% | 5 Missing ⚠️ |
Additional details and impacted files
@@                     Coverage Diff                      @@
##           blasthttp-integration-clean   #2994    +/-   ##
============================================================
- Coverage                           91%     91%    -0%     
============================================================
  Files                              443     445     +2     
  Lines                            37838   37970   +132     
============================================================
+ Hits                             34261   34347    +86     
- Misses                            3577    3623    +46     
