Origin IP bypass → direct attack on backend
Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
§ Context
Assumed environment: the target fronts its site with a CDN / WAF (Cloudflare / Akamai / Imperva) but has no strict origin allowlisting: the origin firewall accepts connections from any source rather than only the CDN's published IP ranges, and the origin does not require a client certificate from the edge (no authenticated origin pull / edge-to-origin mTLS). Either control on its own makes a discovered origin IP far less useful to the attacker.
§ Steps
- 01 Search CT logs for origin SAN (Reconnaissance; PKI-CT-MONITOR: Certificate Transparency Monitoring)
- 02 DNS history (SecurityTrails / Shodan) (Reconnaissance; W-RECON-SUBDOMAIN: Subdomain Enumeration)
- 03 TLS cert hash on Shodan → origin IPs (Reconnaissance; W-RECON-FINGERPRINT: Tech Stack Fingerprinting)
- 04 Connect directly to origin (Defense Evasion; CDN-ORIGIN-BYPASS: CDN Origin Bypass)
- 05 Run noisy SQLi / RCE bypassing WAF (Collection; W-SQLI-UNION: SQL Injection, UNION-Based)
- 06 Bulk exfil before detection (Exfiltration; T1041: Exfiltration Over C2 Channel)
§ References
§ Frequently asked
- What is the "Origin IP bypass → direct attack on backend" attack path?
- Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked. It chains 6 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Search CT logs for origin SAN (PKI-CT-MONITOR), a reconnaissance primitive: it needs no foothold, only the target's public domain name. Assumed environment: the target fronts its site with a CDN / WAF (Cloudflare / Akamai / Imperva) without strict origin allowlisting (the origin firewall does not restrict inbound HTTP(S) to the CDN's published IP ranges) and without an authenticated origin pull requirement.
- What is the final impact of this kill-chain?
- The final step lands on Bulk exfil before detection (T1041), which falls under Exfiltration. Because the traffic never transits the edge, it is not subject to the CDN's rate limits, bot rules or WAF logging, so the only place it can be seen is on the origin itself. From here, an operator typically pivots into post-exploitation or establishes persistence on the backend host.
- How can defenders detect or prevent this attack?
- Prevention is mostly on the origin side. Accept HTTP(S) at the origin only from the CDN's published IP ranges (Cloudflare publishes them at cloudflare.com/ips-v4 and ips-v6; enforce with nginx allow/deny rules, a host firewall or a cloud security group, and refresh the list automatically). Additionally require a client certificate from the edge on every origin connection (Cloudflare calls this Authenticated Origin Pulls; use the equivalent edge-to-origin mTLS feature where another provider offers one), so that a leaked origin address alone is not enough. Do not present the public hostname's certificate on a directly reachable IP: give the origin its own certificate with a distinct name so that CT logs and Shodan certificate-hash searches cannot link it to the public site. For detection, any connection that reaches the origin from a source outside the CDN ranges is a direct hit and should alert from the origin access log or firewall log; large responses to such sources indicate the exfiltration step. Per-technique notes are under the linked entries in "References".
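As an added example (not part of the original dossier, and not code from any CDN vendor or tool named above), the Python below works through the recon half of the Steps section and the detection half of this FAQ answer with one shared CDN range table: it pulls concrete SANs out of a crt.sh-style JSON dump, filters DNS-history records against Cloudflare's published edge ranges to rank origin candidates, and, on the defensive side, flags origin access-log lines whose source IP lies outside those ranges. The CT records, DNS history and log lines are constructed; example.com and the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation values; the Cloudflare range list is a snapshot that must be refreshed from cloudflare.com/ips-v4 before real use; `direct_origin_probe` is a helper for step 04 that opens a live TLS connection and is therefore not exercised by the sample data.

```python
"""Origin-IP triage and direct-hit detection for a CDN-fronted site.
Added example; every input below is constructed, not captured."""
import ipaddress
import json
import re
import socket
import ssl

# Snapshot of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Assumption: Cloudflare is the only edge in front of the origin; refresh this list before use.
CDN_NETS = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cdn_ip(ip: str) -> bool:
    """True if the address belongs to a published CDN edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_NETS)


# Step 01: CT logs. Constructed crt.sh-style records (https://crt.sh/?q=%25.example.com&output=json).
# crt.sh packs all SANs of one cert into "name_value", newline separated.
CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "origin-prod.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "staging.example.com\nwww.example.com"},
])


def hostnames_from_ct(ct_json_text: str, apex: str) -> set:
    """Every concrete SAN under the apex seen in CT. Wildcards name no host, so they are dropped."""
    names = set()
    for rec in json.loads(ct_json_text):
        for n in rec["name_value"].splitlines():
            n = n.strip().lower()
            if n.startswith("*.") or not (n == apex or n.endswith("." + apex)):
                continue
            names.add(n)
    return names


# Step 02: passive DNS / DNS history. Constructed records: (hostname, A record, first_seen).
DNS_HISTORY = [
    ("www.example.com", "104.16.123.45", "2023-02-01"),         # current record: CDN edge
    ("www.example.com", "203.0.113.7", "2021-06-01"),           # pre-CDN record still in history
    ("origin-prod.example.com", "203.0.113.7", "2022-01-01"),   # CT-discovered name, same box
    ("staging.example.com", "198.51.100.20", "2022-09-15"),
    ("example.com", "172.64.100.1", "2023-02-01"),              # CDN edge
]


def origin_candidates(dns_history, hostnames) -> dict:
    """Non-CDN IPs seen for any CT-discovered hostname, mapped to the names that pointed at them.
    An IP shared by the public www record (historically) and a current origin-* name is the strongest lead."""
    cands = {}
    for host, ip, _first_seen in dns_history:
        if host in hostnames and not is_cdn_ip(ip):
            cands.setdefault(ip, set()).add(host)
    return {ip: sorted(hosts) for ip, hosts in cands.items()}


def direct_origin_probe(ip: str, host: str, path: str = "/", timeout: float = 5.0):
    """Step 04: TLS straight to the candidate IP with SNI and Host set to the public name.
    Origin certs are often self-signed, so verification is off. Returns (status line, answered_by_edge).
    Live network call; the Cloudflare-specific cf-ray header marks a response that still came from the edge."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, 443), timeout=timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        tls.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        raw = b""
        while chunk := tls.recv(4096):
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return head.splitlines()[0], "cf-ray:" in head.lower()


# Defence: constructed nginx combined-format lines from the origin's own access log.
# The 198.51.100.77 requests should never have reached the origin if the allowlist were in place.
ORIGIN_LOG = """\
172.64.100.1 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=1'%20UNION%20SELECT%201,2-- HTTP/1.1" 500 0 "-" "sqlmap/1.7"
104.16.123.45 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.77 - - [10/Oct/2023:13:55:45 +0000] "POST /api/export HTTP/1.1" 200 9000000 "-" "curl/8.1"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)')


def direct_origin_hits(log_text: str) -> list:
    """Requests that reached the origin from outside the CDN ranges: the allowlist is missing or bypassed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and not is_cdn_ip(m["ip"]):
            hits.append((m["ip"], m["req"], int(m["status"])))
    return hits


if __name__ == "__main__":
    hosts = hostnames_from_ct(CT_JSON, "example.com")
    print("origin candidates:", origin_candidates(DNS_HISTORY, hosts))
    for hit in direct_origin_hits(ORIGIN_LOG):
        print("DIRECT HIT", hit)
```

Run as a script it prints 203.0.113.7 (seen for both www.example.com and origin-prod.example.com) and 198.51.100.20 as candidates, and flags the two 198.51.100.77 log lines, one of them the UNION-based probe that a WAF at the edge would normally have dropped. The same `is_cdn_ip` table serves both sides because the defender's allowlist and the attacker's filter are the same data; if the origin also demands an edge client certificate, `direct_origin_probe` fails the handshake even when the IP is right.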
§ Related dossiers
- Shared techniques: 3
AXFR → discover shadow-IT staging → exploitable web app
DNS server allows unrestricted AXFR. Pull the full zone, find admin- / staging- / dev- hostnames never linked, hit one with default creds / leftover debug routes.
- Shared techniques: 2
Vesting beneficiary replace → silently drain stream
Bug in a custom vesting contract allows anyone to call setBeneficiary on existing schedules. Replace beneficiary with attacker address; legitimate token stream now flows to attacker until released funds are noticed.
- Shared techniques: 2
Apache Struts S2-045 (CVE-2017-5638) → Equifax-style breach
Crafted Content-Type header is parsed as OGNL — execute commands as the app user. The 2017 Equifax breach origin: unpatched Struts endpoint exposed to the internet.
- Shared techniques: 2
MOVEit Transfer (CVE-2023-34362) → mass data exfil (Cl0p)
Pre-auth SQLi in MOVEit's web UI forges an admin session. .NET deserialisation chain drops a webshell as SYSTEM. Cl0p's 2023 mass-exfil playbook: download every file under /var/files.
- Shared techniques: 2
Padding oracle → forge admin session cookie
App encrypts session cookies with AES-CBC and reveals padding-validity via a 500/200 differential. Decrypt the cookie, forge an admin cookie, log in without credentials.
- Shared techniques: 2
Reentrancy → drain vault contract
Vulnerable withdraw() sends ETH before updating balance. Attacker contract re-enters via fallback() until the vault is empty — the canonical DAO-2016 pattern.