
Integrating IP Rotation with Burp Suite to Bypass IP-Based Blocking in Security Perimeters during Security Testing

1. Introduction

In security testing, it's common to encounter a wide range of environments, from completely open systems lacking perimeter protections to tightly secured ones with multiple layers of defense. In these tightly secured environments, applications are often protected by mechanisms like Web Application Firewalls (WAFs), which are designed to prevent unauthorized access.

In such environments, we frequently face various blocking techniques that can challenge our ability to access the application. These blocking methods can take many forms, and some of the most common ones we encounter in security testing include:

IP-based blocking. This is the most common type, where our access is restricted based on our IP address. If an IP seems 'suspicious' or sends too many requests, it's often blocked right away.

Then, we have cookie-based blocking. Here, the security perimeter uses session data stored in cookies to track our activity. As with IP-based blocking, if it detects unusual patterns, our access might get cut off.

Another type is user-agent blocking. This relies on the user-agent header, which indicates the type of browser or tool we're using.

We might also encounter rate limiting, where our access is limited to a certain number of requests within a specific time period. If we exceed this limit, we can be temporarily or even permanently blocked.

Then there's geo-blocking, which restricts access based on the geographical location of our IP, with certain countries potentially being blocked entirely.


Of all these blocking methods, IP-based blocking is the most frequently encountered in security testing. In this article, we'll focus specifically on how we can bypass it during security testing.


---


2. Why Is IP Rotation Important?

As mentioned earlier, one of the most common blocking methods we encounter is IP-based blocking, where WAFs or security systems restrict access based on an IP address, especially if suspicious or abnormal activity is detected. Simply put, when the IP we are using gets blocked, we need another IP to continue accessing the service we're testing. The challenge here is that, under normal circumstances, we have a limited number of IP addresses.

To overcome this limitation, IP rotation becomes an essential technique in application security testing. Technically, this method involves using a series of different IP addresses for each request, which provides greater flexibility and anonymity.

The question might arise, "can we use this IP rotation with our interceptor tools, such as Burp Suite?" The answer is yes - Burp Suite can be configured to rotate through a list of IP addresses for each request, allowing testers to bypass IP-based restrictions and continue their testing without being blocked.

In this article, we'll discuss a method I commonly use in my penetration tests, which is expected to help bypass IP-based restrictions.


---


3. Get a Proxy List

I personally use https://brightdata.com/. You can pay as you go per traffic, and they offer two methods of integration: a local proxy manager, and access via a specific domain (for paid customers).

Method 1: Local Proxy Manager

First, register at https://brightdata.com/ and create a new shared Zone as shown in the screenshot.

When Bright Data asks whether you will use a browser or another crawler, choose "Other".

Add the zone to your list.

Install the Proxy Manager. On Windows, use the Proxy Manager installer; on Linux/macOS, install it via Node.js:

sudo npm install -g @luminati-io/luminati-proxy

or

curl -L https://brightdata.com/static/lpm/luminati-proxy-latest-setup.sh | bash

Run proxy-manager.

Log in with the same Bright Data credentials and you will find your list ready.

We will use 127.0.0.1 port 24000 in Burp.

Add 127.0.0.1:24000 as an upstream proxy server in Burp's connection settings.

Make sure the IP rotation option is enabled in proxy-manager.

Then test it against https://api.myip.com/.


The IP changes on every request. Use HTTP/1 in Burp, since the proxy manager does not support HTTP/2.

Method 2: Portal Access

When you register, you have to create a user in order to use the proxy list.

Enter the host and credentials in Burp's upstream proxy settings and you're done.
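The traffic both methods produce looks, from the target's side, like one client whose source IP changes on every request. The following is an added example written for this article, not code from the original post or from Bright Data or Burp: it runs over constructed log lines and correlates requests by session cookie instead of by IP, which is the signal a per-IP block never sees. The log format, the `sid=` field and the thresholds are assumptions chosen for the example.

```python
"""Flag sessions that hop across many source IPs (a sign of IP rotation)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (timestamp, client IP, session cookie, request).
# Made-up values for this example; the IPs are from documentation ranges.
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 203.0.113.10 sid=rot01 GET /items/1
2024-01-15T10:00:02Z 198.51.100.22 sid=rot01 GET /items/2
2024-01-15T10:00:03Z 192.0.2.77 sid=rot01 GET /items/3
2024-01-15T10:00:04Z 203.0.113.45 sid=rot01 GET /items/4
2024-01-15T10:00:05Z 198.51.100.9 sid=norm01 GET /home
2024-01-15T10:00:09Z 198.51.100.9 sid=norm01 GET /profile
2024-01-15T10:30:00Z 203.0.113.90 sid=norm01 GET /home
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) (?P<method>\S+) (?P<path>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, ip, session_id) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["ip"], m["sid"]


def rotating_sessions(text, window_seconds=300, min_distinct_ips=3):
    """Return {session_id: sorted distinct IPs} for each session seen from at
    least `min_distinct_ips` source IPs inside any `window_seconds` window.
    Each IP alone looks quiet, so per-IP blocking misses this pattern."""
    events = defaultdict(list)
    for ts, ip, sid in parse_log(text):
        events[sid].append((ts, ip))
    flagged = {}
    for sid, evs in events.items():
        evs.sort()  # sliding window over chronologically ordered events
        for i, (start, _) in enumerate(evs):
            ips = {ip for ts, ip in evs[i:]
                   if (ts - start).total_seconds() <= window_seconds}
            if len(ips) >= min_distinct_ips:
                flagged[sid] = sorted(ips)
                break
    return flagged
```

With the sample above, `rot01` is flagged with four distinct IPs in a few seconds, while `norm01`, which changes IP once half an hour later (a normal network change), is not.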


---


Disclaimer

It's important to note that while this article provides information on some techniques, it does not endorse or encourage unethical or illegal activities. The tools and methods discussed should be used responsibly, adhering to all applicable laws and regulations. Misuse can lead to serious legal consequences. The aim of this article is to increase awareness and understanding of these techniques, contributing to the development of more secure and resilient systems.

The authors disclaim any responsibility for any unethical or illegal use of the content.

Hopefully, this knowledge will be put to good use for the right purposes.


---


HakTrak Cybersecurity Squad
