I was thinking of ways to be more creative in Shodan when looking for origin IPs with the query ssl:example.com 200, instead of trying thousands of IPs. While exploring Shodan facets I saw http.waf, so I thought, why not try using it?
So I excluded those WAF values and explored the rest of the results, using the query ssl:target.com 200 -http.waf:"AWS Elastic Load Balancer (Amazon)" -http.waf:"Cloudflare (Cloudflare Inc.)", which left an acceptable number of results.
I tested them using wafw00f, which can be installed simply with the command:
pip3 install wafw00f
Then:
wafw00f https://target.com    # behind a WAF
wafw00f https://X.x.x.X       # without a WAF
Lastly, for the PoC I used a simple payload like <svg onload=alert(1)> to trigger the WAF.
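
From the origin owner's side, the same exposure shows up as requests that reach the origin from addresses outside the WAF's egress ranges. The following is an added example (not from the original post) that flags such requests in an access log; the log format, the WAF ranges and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumption: the WAF/CDN egress ranges allowed to reach the origin.
# Documentation ranges are used as placeholders; substitute your provider's published list.
WAF_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")]

# Constructed access-log format: remote_addr host "METHOD path PROTO" status
LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<host>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)

# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.23 target.com "GET /index.html HTTP/1.1" 200
203.0.113.77 192.0.2.10 "GET / HTTP/1.1" 200
203.0.113.77 target.com "GET /?q=%3Csvg%20onload%3Dalert(1)%3E HTTP/1.1" 200
2001:db8:100::5 target.com "GET /login HTTP/1.1" 200
not a log line
"""

def is_ip_literal(host):
    """True when the Host header is a bare IP, i.e. the client addressed the origin by IP."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def direct_origin_hits(log_text, waf_ranges=WAF_RANGES):
    """Return requests whose source address is outside every WAF egress range."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected format
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # remote_addr field is not an IP address
        if any(src.version == net.version and src in net for net in waf_ranges):
            continue  # arrived through the WAF, as intended
        hits.append({"src": str(src), "host": m["host"], "path": m["path"],
                     "by_ip": is_ip_literal(m["host"])})
    return hits

if __name__ == "__main__":
    for hit in direct_origin_hits(SAMPLE_LOG):
        print(hit)
```

Any hit means the origin accepts traffic that never passed the WAF; restricting inbound connections at the origin to the WAF's ranges closes that path.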