Once you obtained the different domains or IPs that have the same fingerprint try to discover the IPs and play with the Host HTTP header.
It's common that the companies buys a range of IPs, so you should need to check more parent IPs.
DNS History
Some times the companies put a WAF on a web application, but they don't configure it properly and any source IP instead of only the WAF can request the server.
So we can check the DNS history with viewdnsinfo to search the old IP.
The whitelisting mode is prone to false positives, which is the reason it is very common to find WAFs deployed in blacklisting mode rather than whitelisting mode.
The blacklisting mode is a collection of well-known attacks. WAF producers put together a list of rules to protect a web application against various attack vectors that are used to exploit the most common vulnerabilities.
So we can use different payloads to bypass some filters.
Cross-Site Scripting (XSS)
Instead of using alert('xss') or alert(1) we can choose a better option:
Instead of using alert(document.cookie) we can use:
Instead of using <img src=x onerror=alert(1);> we can use:
Instead of javascript:alert(document.cookie) we can use:
Blind SQL Injection (Blind SQLi)
Instead of using ' or 1=1 we can use:
Instead of UNION SELECT we can use:
Directoy Traversal
Instead of using /etc/passwd we can use:
Web Shell
Instead of using c99.php , r57.php , shell.aspx , cmd.jsp, CmdAsp.asp we can use:
WAF Detection and Fingerprinting
WAF systems leave several footprints of their presence, which allow us to detect which WAF is in place.
wafw00f is a tool that can detect up to 20 different WAF products.
Also it can be possible to detect the WAF vendor with a nmap script.
Cookie Values
Some WAF systems reveal their presence through cookies.
WAF Vendor
Cookies
Citrix Netscaler
n_saf, citrix_ns_id or NSC_
F5 BIG-IP ASM
^TS[a-zA-Z0-9]{3,6}
Barracuda
barra_counter_session and BNI__BARRACUDA_LB_COOKIE
Header Rewrite
Some WAFs rewrite the HTTP headers. Usually modify the Server header.
