loading
loading
Discovery
Discover the origin host behind a reverse proxy, useful for bypassing cloud WAFs.
overview
hakoriginfinder finds the real server hiding behind a reverse proxy or cloud WAF. Many sites front their origin with Cloudflare or a similar layer, so traffic and security rules only see the proxy. If you can reach the origin IP directly, you sidestep that protection, and this tool is built to find it.
It works by requesting the target hostname against a list of candidate IPs and comparing each response to the one the public site returns. A Levenshtein distance score measures how close the pages are, and a tunable threshold decides what counts as a match, so a backend serving the same content stands out even behind a different address.
On Trickest, carlospolop-hakoriginfinder is a Discovery node that takes a file of candidate URLs or IPs and writes a file and a folder of results. Feed it the address space from ASN or netblock enumeration, set the hostname, and let it point you at the origin the WAF was meant to hide.
use cases
Find the backend IP behind Cloudflare or a similar proxy so testing hits the application directly instead of the protective layer in front of it.
Request the target hostname against every IP in a candidate range and let response comparison reveal which address serves the real site.
Adjust the Levenshtein threshold so near-identical backend responses still match while unrelated hosts are rejected, cutting false origins.
Set the listen port and SSL flag so the comparison works against backends that serve HTTPS on a nonstandard port behind the proxy.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| urls-file | FILE | · | File of candidate target URLs or IPs to test as the origin. |
| hostname | STRING | -h | Hostname of the site, for example www.example.com. |
| threshold | STRING | -l | Levenshtein threshold; higher is more lenient (default 5). |
| port | STRING | -p | Port the original hostname listens on. |
| ssl | BOOLEAN | -s | Treat the original hostname as served over SSL (default false). |
| threads | STRING | -t | Number of threads (default 32). |
| timeout | STRING | -T | Timeout in seconds (default 5). |
| debug | BOOLEAN | -d | Show the web server responses used for comparison. |
Showing key inputs. carlospolop-hakoriginfinder exposes 8 inputs in total.
example
# carlospolop-hakoriginfinder: compare candidates to www.example.com over HTTPShakoriginfinder -h www.example.com -s -p 443 -l 5 -t 32 -T 5 < candidates.txt[*] Fetching baseline for www.example.com[*] Testing 48 candidate IPs[+] 198.51.100.42 distance=2 MATCH[+] 198.51.100.43 distance=2 MATCH[-] 203.0.113.10 distance=84[-] 203.0.113.11 distance=91[+] likely origin: 198.51.100.42guidance
Use hakoriginfinder when a target sits behind a reverse proxy or WAF and you want to reach the origin directly. It compares responses across candidate IPs, so feed it an address range from asnmap or mapcidr along with the hostname. To confirm a found origin serves the app, follow it with httpx.
Detects whether a host is behind a CDN or WAF. hakoriginfinder goes further and tries to find the origin behind it.
Finds origins by matching favicon hashes through Shodan. hakoriginfinder matches full response content across IPs.
Probes hosts for liveness and tech. hakoriginfinder uses similar requests to pick the origin out of a candidate set.
faq
related
Check whether a URL redirects to a masked 404 page.
Append lines to a file only if they are not already there.
Extract URLs and endpoints from Android APK files.
Visual inspection of websites across a large number of hosts.
Find suspicious files across a large set of AWS S3 buckets.
An automated tool that checks for backup artifacts that may disclose a web application's source code.
asnmap expands a domain into candidate IP ranges, then hakoriginfinder compares each address against the public site and writes the matching origin host as a queryable output.
Facts on this page come from the live Trickest tool library.