🚨 Bypassing Cloudflare WAF & Uncovering Origin IP Using Shodan — A Real-World Pentest Case Study

Hello fellow hackers and security professionals,

In this post, I’m excited to share a recent experience from my vulnerability research journey where I successfully bypassed a Web Application Firewall (WAF) and uncovered the origin IP address of a target server—all within a few minutes using Shodan.

Whether you’re just starting out in bug bounty hunting or are an experienced pentester, understanding how to uncover hidden infrastructure behind services like Cloudflare can open up new attack surfaces that are often overlooked.

🎯 The Scenario

I was actively participating in a VDP (Vulnerability Disclosure Program) for a target that we’ll refer to as target.com. During my initial reconnaissance phase, I noticed that the application was behind Cloudflare WAF, which is commonly used to mask the real IP address and provide DDoS protection.

The first step I took was to resolve the domain using the classic nslookup utility:

nslookup target.com

As expected, the IPs returned were owned by Cloudflare. Attempting to access the application using these IPs returned a 403 error with the message:

"Direct IP access not allowed."

At this point, it was clear that I needed to identify the origin server’s real IP to get around the WAF protection and examine any exposed services or misconfigurations.

🔎 Enter Shodan — The Search Engine for Hackers

After exploring multiple resources and techniques, I stumbled upon an interesting Shodan search filter that leverages SSL certificate metadata.

Here's the search query I used on Shodan:

ssl.cert.subject.cn:"target.com" http.status:200

This query returns hosts whose TLS certificate subject Common Name (CN) is target.com and that answered Shodan's probe with HTTP status 200 (OK). The key point is that Shodan indexes the certificate wherever it is presented: if the origin server serves the same certificate as Cloudflare's edge, the origin itself shows up in the results.

Within seconds, I got a hit. A public-facing IP address appeared that wasn’t owned by Cloudflare.

I copied that IP and tested it directly in the browser. The application loaded successfully, without any WAF restrictions. This was a strong indication that the origin IP was exposed.

šŸ” Confirming the WAF Bypass

To confirm whether the new IP was actually bypassing Cloudflare, I used wafw00f, a tool that detects the presence and type of web application firewalls.

wafw00f target.com
# Output: Protected by Cloudflare

wafw00f <origin_ip>
# Output: No WAF detected

As you can see, the original domain was indeed behind Cloudflare, while the direct IP address was completely unprotected.

📂 Expanding the Attack Surface

With direct access to the origin server, I was now free to conduct further reconnaissance without interference from the WAF.

I ran directory brute-forcing tools like ffuf and DirBuster:

ffuf -u http://<origin_ip>/FUZZ -w /usr/share/wordlists/dirb/common.txt

These tools uncovered several hidden directories and sensitive files that were not reachable through the Cloudflare-protected hostname. Depending on the target, such findings can include sensitive endpoints, configuration files, admin panels, or backup files.

šŸ† The Outcome

After responsibly reporting the findings to the VDP, I was awarded a bounty in the three-digit range. More importantly, the organization was able to remediate the issue by properly restricting direct access to their origin server.

💡 Key Takeaways

  • Never assume a target behind a WAF is secure—origin IPs are often accidentally exposed.
  • Shodan is a powerful recon tool when used with the right filters.
  • Certificate metadata can unintentionally reveal backend infrastructure.
  • Always validate WAF bypass using tools like wafw00f.
  • Don’t stop at discovery—map the full attack surface for hidden directories and files.
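As an added example (not the author's code), here are the two judgments the post makes by hand, which resolved or scanned addresses are Cloudflare-owned and which would answer directly, together with the allow-list rule that remediates the exposure; the CIDR list is an illustrative subset and every sample address is constructed.

```python
"""Origin-exposure triage: decide which resolved or scanned addresses are fronted by
Cloudflare and which would answer directly, and express the remediation the post
describes (the origin accepts only proxy traffic) as a single allow-list check."""
import ipaddress

# Illustrative subset of Cloudflare's published proxy ranges (constructed for this
# example; a real check must load the current list from https://www.cloudflare.com/ips/).
SAMPLE_CLOUDFLARE_RANGES = ["173.245.48.0/20", "103.21.244.0/22", "2400:cb00::/32"]


def build_networks(cidrs):
    """Parse the CIDR strings once so that membership tests are cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_cloudflare_address(ip, networks):
    """True if ip falls inside any proxy range; version mismatches compare as False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def classify_candidates(candidates, networks):
    """Sort candidate addresses (nslookup answers, a Shodan certificate hit, ...) into
    'proxied' (Cloudflare-owned), 'direct' (would bypass the WAF if reachable) and
    'invalid' (not an IP literal), so the exposure is visible at a glance."""
    buckets = {"proxied": [], "direct": [], "invalid": []}
    for cand in candidates:
        ip = cand.strip()
        try:
            key = "proxied" if is_cloudflare_address(ip, networks) else "direct"
        except ValueError:
            key = "invalid"
        buckets[key].append(ip)
    return buckets


def origin_firewall_decision(remote_addr, networks):
    """The fix: an origin behind Cloudflare accepts connections only from the proxy
    ranges; anything else, including direct hits on a leaked IP, is denied."""
    try:
        return "allow" if is_cloudflare_address(remote_addr, networks) else "deny"
    except ValueError:
        return "deny"


if __name__ == "__main__":
    nets = build_networks(SAMPLE_CLOUDFLARE_RANGES)
    # Constructed sample: two DNS answers from the proxy plus one host found via the cert query.
    print(classify_candidates(["173.245.48.10", "2400:cb00::1", "203.0.113.7"], nets))
```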


Connect with Me

Got questions or want to collaborate?

📬 Reach out on Twitter: @th3_d4rkninj4
🔐 Stay curious, stay ethical. Hack the planet—responsibly!