I started testing a Honda subdomain related to news and updates (let's call it target.honda.co.jp). The application was protected by AWS CloudFront WAF, so direct testing was limited.
First, I tested common attack surfaces:
- Login flow
- Registration flow
- IDOR checks
No issues were found initially.
While testing the login functionality, I noticed something interesting: the application was disclosing SQL queries in the response. This immediately raised a red flag.
I captured the request in Burp Suite and started testing for SQL Injection. Basic payloads were blocked by the WAF, so direct exploitation was not possible.
At this point, I changed my approach.
๐ WAF Bypass via Origin IP Discovery
I tried to identify the origin IP behind CloudFront:
- Shodan โ no luck
- Censys โ โ success
I found the origin IP of the subdomain.
Tip:
Sometimes, opening the origin IP directly in the browser redirects to the main domain. In such cases, always try accessing a specific path (e.g., /index.php).
When I accessed the origin IP with index.php, I received a 200 OK response โ meaning the WAF was bypassed.
๐ฅ Exploitation
I captured the login request again and tested it using sqlmap. Multiple parameters were vulnerable to time-based SQL Injection (PostgreSQL).
sqlmap command used:
sqlmap -r request.txt --dbs --level 4 --risk 2 --random-agent --dbms=PostgreSQL --flush-session --time-sec=5I was able to confirm the vulnerability and extract database information.
This was a good reminder that WAFs are not a complete security solution proper server-side validation is critical.
#writeups #bugbounty #infosec #hackerone #findings