rest in peace my waf got hit by a bazooka
dom.txt first commit 2026-05-31 11:40:55 +00:00
kaboomwaf.py Update kaboomwaf.py 2026-05-31 07:44:07 -04:00
LICENSE first commit 2026-05-31 11:40:55 +00:00
README.md first commit 2026-05-31 11:40:55 +00:00
requirements.txt first commit 2026-05-31 11:40:55 +00:00

KaboomWAF

KaboomWAF is an authorized WAF/CDN exposure auditor for security teams and asset owners. It maps DNS and optional HTTP evidence across a target domain, then scores hostnames that may expose an origin path outside the expected WAF/CDN layer.

Author: v3ga
Version: 3.1.0
License: MIT

Positioning

KaboomWAF is not a magic origin finder and does not claim circumvention capability. A public IP address is not automatically a finding. The tool separates ordinary public services from actionable origin-exposure candidates by requiring multiple evidence signals.

Default behavior is intentionally conservative:

  • Provider-protected records are classified as protected.
  • Public non-provider records with weak evidence are classified as public, not findings.
  • Hostnames become suspect or finding only when score thresholds are met.
  • Exit code 2 is returned only when finding results exist.

Capabilities

  • DNS resolution for A, AAAA, and CNAME records.
  • Optional MX and NS collection for context.
  • Optional HTTP(S) header probing for WAF/CDN fingerprinting.
  • Dynamic Cloudflare range fetching with bundled fallback ranges.
  • CNAME and header fingerprints for Cloudflare, Fastly, Akamai, AWS CloudFront, Azure Front Door, Google Cloud CDN, Imperva, and Sucuri.
  • Evidence-based scoring to reduce false positives.
  • Conservative verdicts: finding, suspect, public, protected, internal, unresolved, error.
  • Root-domain awareness: if the root is protected and a sensitive subdomain resolves outside provider ranges, the score increases.
  • Custom resolvers, TCP DNS, timeout controls, rate limiting, worker controls, and exact-host inspection.
  • Table, JSON, JSONL, and CSV reports.
  • Clean machine output: JSON/JSONL/CSV written to stdout is not polluted by progress logs.

Installation

Python 3.9 or newer is recommended.

git clone <your-repo-url>
cd KaboomWAF
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Windows PowerShell:

python -m venv venv
venv\Scripts\activate
pip install -r requirements.txt

Quick Start

Default scan with the included dom.txt wordlist:

python3 kaboomwaf.py scan example.com

Backward-compatible form:

python3 kaboomwaf.py example.com

Root-only check:

python3 kaboomwaf.py scan example.com --no-wordlist

Inspect exact hosts:

python3 kaboomwaf.py scan example.com --host origin.example.com --host admin.example.com

HTTP fingerprinting and JSON output:

python3 kaboomwaf.py scan example.com --http-probe -f json -o kaboomwaf.json

Automation-friendly quiet mode:

python3 kaboomwaf.py scan example.com --quiet --resolver 1.1.1.1,8.8.8.8

Tune sensitivity:

python3 kaboomwaf.py scan example.com --finding-threshold 80 --suspect-threshold 55

CLI

python3 kaboomwaf.py scan <domain> [options]

Core options:

Option                              Purpose
<domain>                            Approved target domain. URLs are normalized to hostnames.
-w, --wordlist FILE                 Subdomain wordlist. Can be repeated. Defaults to dom.txt when present.
--no-wordlist                       Inspect only the root domain and --host values.
--host HOST                         Additional exact hostname to inspect. Can be repeated.
-t, --threads N                     Concurrent worker count. Default: 25.
--rate-limit SECONDS                Delay after completed host checks. Default: 0.
--resolver IP[,IP]                  Custom DNS resolver IPs. Can be repeated.
--dns-timeout SECONDS               Per-attempt DNS timeout. Default: 2.0.
--dns-lifetime SECONDS              Total DNS query lifetime. Default: 4.0.
--tcp-dns                           Use TCP for DNS queries.
--include-mx-ns                     Collect MX and NS records for context.
--http-probe                        Probe HTTP(S) headers for WAF/CDN signals.
--http-method HEAD|GET              HTTP method for probes. Default: HEAD.
--http-timeout SECONDS              HTTP timeout and provider range fetch timeout. Default: 5.0.
--prefer-http                       Try HTTP before HTTPS during probes.
--follow-redirects                  Follow redirects during HTTP probes.
--insecure                          Disable TLS certificate verification during HTTP probes.
--finding-threshold N               Minimum score for a finding. Default: 70.
--suspect-threshold N               Minimum score for a suspect. Default: 45.
-f, --format table|json|jsonl|csv   Report format. Default: table.
-o, --output FILE                   Write report to a file.
-q, --quiet                         Print only finding and suspect rows.
-v, --verbose                       Print public and unresolved hosts too.
--no-banner                         Suppress banner output.
--no-progress                       Suppress progress bar.

Scoring Model

KaboomWAF scores evidence before assigning a verdict.

Positive signals include:

  • Public address outside known provider ranges.
  • Mixed provider and non-provider public addresses on the same hostname.
  • Sensitive labels such as origin, direct, backend, admin, cpanel, ftp, mail, staging, or dev.
  • Root domain is protected while the inspected hostname is not.
  • Direct HTTP response from a non-provider public address.

Negative signals include:

  • Address is inside a known WAF/CDN provider range.
  • CNAME or HTTP headers identify a known WAF/CDN provider.
  • Common low-signal public labels such as www, api, assets, or static without stronger evidence.

This keeps normal public hosts out of the finding list while still preserving them in JSON/CSV for review.

Verdicts

Verdict      Meaning
finding      Strong origin-exposure candidate. Multiple signals met the finding threshold.
suspect      Weak or partial origin-exposure candidate. Needs manual review.
public       Public non-provider DNS was found, but evidence is insufficient for an origin finding.
protected    DNS, IP ranges, CNAME, or HTTP headers match known WAF/CDN protection.
internal     Only private, reserved, loopback, or link-local addresses resolved.
unresolved   No useful DNS records resolved.
error        DNS resolution failed in a way that prevented classification.

Output

JSON output includes full evidence:

{
  "hostname": "origin.example.com",
  "public_addresses": ["203.0.113.10"],
  "providers": [],
  "evidence": [
    "public address outside known provider ranges",
    "origin-sensitive label: origin",
    "root domain is provider-protected while this hostname is not"
  ],
  "score": 90,
  "confidence": "critical",
  "verdict": "finding"
}

Exit codes:

Code   Meaning
0      Scan completed and no finding verdicts were present.
1      Input, file, resolver, or runtime error.
2      Scan completed and at least one finding verdict was present.
130    Interrupted by the operator.
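In a CI job the JSON/JSONL report and the exit code table above are what you act on. The following is an added example, not part of KaboomWAF, of a consumer that loads either report form, validates the record shape, surfaces only `finding` and `suspect` rows for review, and reproduces the 0/2 gating logic. It assumes the `-f json` report is an array of per-host objects shaped like the README's sample record and that `-f jsonl` emits one such object per line; the `accepted` allow-list of validated, risk-accepted hostnames is this example's own workflow, not a tool option. The sample records are constructed.

```python
import json
from typing import Dict, Iterable, List, Set

# Exit codes from the README table: 0 when no finding verdicts, 2 when any exist.
EXIT_CLEAN, EXIT_FINDING = 0, 2
REQUIRED_KEYS = {"hostname", "verdict", "score"}


def load_report(text: str) -> List[Dict]:
    """Accept a JSON array (-f json) or one object per line (-f jsonl)."""
    text = text.strip()
    records = json.loads(text) if text.startswith("[") else [
        json.loads(line) for line in text.splitlines() if line.strip()]
    for r in records:  # fail loudly on a malformed record instead of mis-gating
        missing = REQUIRED_KEYS - set(r)
        if missing:
            raise ValueError(f"record missing {sorted(missing)}: {r}")
    return records


def triage(records: Iterable[Dict], include_suspect: bool = True) -> List[Dict]:
    """Rows that need a human, highest score first. public/protected rows stay
    in the report for review but are not surfaced, matching the README."""
    wanted = {"finding", "suspect"} if include_suspect else {"finding"}
    return sorted((r for r in records if r["verdict"] in wanted),
                  key=lambda r: (-r["score"], r["hostname"]))


def gate(records: Iterable[Dict], accepted: Set[str] = frozenset()) -> int:
    """CI exit code. 'accepted' holds hostnames whose finding was validated and
    risk-accepted (assumed workflow), so only new findings fail the job."""
    live = [r for r in records if r["verdict"] == "finding" and r["hostname"] not in accepted]
    return EXIT_FINDING if live else EXIT_CLEAN


def counts(records: Iterable[Dict]) -> Dict[str, int]:
    """Verdict histogram for the job summary."""
    out: Dict[str, int] = {}
    for r in records:
        out[r["verdict"]] = out.get(r["verdict"], 0) + 1
    return out


# Constructed sample in JSONL form, shaped like the README's record.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"hostname": "origin.example.com", "public_addresses": ["203.0.113.10"], "providers": [],
     "evidence": ["public address outside known provider ranges", "origin-sensitive label: origin",
                  "root domain is provider-protected while this hostname is not"],
     "score": 90, "confidence": "critical", "verdict": "finding"},
    {"hostname": "staging.example.com", "public_addresses": ["203.0.113.11"], "providers": [],
     "evidence": ["public address outside known provider ranges", "origin-sensitive label: staging"],
     "score": 65, "confidence": "medium", "verdict": "suspect"},
    {"hostname": "www.example.com", "public_addresses": ["203.0.113.12"], "providers": [],
     "evidence": ["public address outside known provider ranges"], "score": 25,
     "confidence": "low", "verdict": "public"},
    {"hostname": "cdn.example.com", "public_addresses": ["104.16.1.1"], "providers": ["cloudflare"],
     "evidence": [], "score": 0, "confidence": "low", "verdict": "protected"},
])

if __name__ == "__main__":
    import sys
    # Usage: python3 triage_report.py kaboomwaf.json  (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSONL
    report = load_report(text)
    for row in triage(report):
        print(f'{row["verdict"]:8} {row["score"]:3} {row["hostname"]}')
    print("summary:", counts(report))
    sys.exit(gate(report))
```

Because `-f json -o kaboomwaf.json` writes only the report to the file and progress logs never reach stdout in JSON/JSONL/CSV mode, the same script works on a report captured with `-o` or piped straight from the scan.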

Wordlists

The included dom.txt is a starter list. Blank lines and lines beginning with # are ignored. Entries can be bare labels such as api or exact hostnames such as api.example.com.

Use scoped wordlists that match the authorized environment. Very large generic lists increase DNS volume and create more low-value public results.
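The wordlist rules above (blank lines and # lines ignored, bare labels versus exact hostnames) combined with `--no-wordlist` and `--host` define the candidate set a scan resolves. The following is an added example, not KaboomWAF's own loader, that builds that candidate list. Two points are this example's assumptions rather than documented behaviour: any entry containing a dot is treated as an exact hostname, and entries with characters outside letters, digits, hyphen and underscore are dropped so a sloppy list does not generate junk DNS queries. The sample list is constructed.

```python
import re
from typing import Iterable, List

# Assumed sanity filter: keeps hostnames to DNS-label characters only.
HOSTNAME_RE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)*$")


def parse_wordlist(text: str) -> List[str]:
    """Entries from a dom.txt-style list: blank lines and lines starting with
    '#' are ignored; entries are lower-cased and a trailing dot is stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries.append(line.lower().rstrip("."))
    return entries


def candidate_hosts(domain: str, wordlist_text: str = "", extra_hosts: Iterable[str] = (),
                    use_wordlist: bool = True) -> List[str]:
    """Root domain first, then wordlist expansions (unless use_wordlist is
    False, i.e. --no-wordlist), then exact --host values; de-duplicated in order.
    Entries containing a dot are taken as exact hostnames (assumption)."""
    domain = domain.lower().strip(".")
    ordered = [domain]
    if use_wordlist:
        for entry in parse_wordlist(wordlist_text):
            ordered.append(entry if "." in entry else f"{entry}.{domain}")
    ordered.extend(h.lower().strip(".") for h in extra_hosts)
    seen, result = set(), []
    for host in ordered:
        if host in seen or not HOSTNAME_RE.match(host):
            continue  # duplicate, or would produce a malformed DNS query
        seen.add(host)
        result.append(host)
    return result


# Constructed sample list exercising comments, case, trailing dots,
# an exact hostname, a duplicate and a malformed entry.
SAMPLE_WORDLIST = """# starter list
api
Origin
api.example.com

staging.
api
bad entry
"""

if __name__ == "__main__":
    for host in candidate_hosts("example.com", SAMPLE_WORDLIST, extra_hosts=["admin.example.com"]):
        print(host)
```

The order matters for a scoped engagement: with `use_wordlist=False` the result is just the root plus the `--host` values, which is the cheapest way to re-check a handful of hosts after a finding has been remediated.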

Authorized Use

Use KaboomWAF only on systems you own or are explicitly authorized to assess. The tool performs DNS enumeration and optional HTTP probing. Unauthorized reconnaissance may violate law, contract terms, or acceptable-use policies.

The operator is responsible for authorization, scope control, rate limits, validation of findings, and all consequences of use.

Development Checks

python3 -B -m py_compile kaboomwaf.py
python3 -B kaboomwaf.py --help
python3 -B kaboomwaf.py scan --help