hakoriginfinder: Discovering Origin Hosts Behind Reverse Proxies

Summary

hakoriginfinder is a Go-based tool for uncovering the true origin host behind a reverse proxy, including cloud-based Web Application Firewalls (WAFs). It compares the HTTP responses from potential origin IP addresses against the response served through the proxy, using the Levenshtein algorithm. Security researchers and penetration testers use it to bypass WAFs and identify the underlying infrastructure.

Repository Info

Updated on March 26, 2026

Introduction

hakoriginfinder is a specialized tool developed by hakluke, aimed at identifying the actual origin server that sits behind a reverse proxy. This capability is particularly useful for security assessments, allowing testers to potentially bypass protective layers like WAFs and directly interact with the backend server.

The tool operates by first making a request to the target hostname or URL and storing its response. Subsequently, it probes a list of provided IP addresses on specified ports (defaulting to 80 and 443), setting the Host header to the original target. Each response from these IP addresses is then compared to the original response using the Levenshtein distance algorithm. A low Levenshtein score indicates high similarity, flagging a potential match for the origin host.
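
The comparison step described above, as an added example that is not hakoriginfinder's own code: a byte-wise Levenshtein distance and a threshold check, run offline on constructed response bodies. The names levenshtein and classify, the 192.0.2.x addresses and the "at or below the threshold" rule are assumptions; 5 is the default threshold this page gives for -l.

```go
package main

import "fmt"

func lower(a, b int) int {
	if a < b {
		return a
	}
	return b
}

// levenshtein returns the byte-wise edit distance between a and b,
// keeping only two rows of the dynamic-programming table in memory.
func levenshtein(a, b string) int {
	prev, curr := make([]int, len(b)+1), make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		curr[0] = i
		for j := 1; j <= len(b); j++ {
			cost := 1
			if a[i-1] == b[j-1] {
				cost = 0
			}
			curr[j] = lower(prev[j-1]+cost, lower(prev[j], curr[j-1])+1)
		}
		prev, curr = curr, prev
	}
	return prev[len(b)]
}

// classify assumes a candidate matches when its distance is <= threshold.
func classify(baseline, candidate string, threshold int) (string, int) {
	d := levenshtein(baseline, candidate)
	if d <= threshold {
		return "MATCH", d
	}
	return "NOMATCH", d
}

func main() {
	// Constructed bodies: the response via the proxy, then two direct responses.
	base := "<html><title>Shop</title><body>req-id: 1001</body></html>"
	same, d1 := classify(base, "<html><title>Shop</title><body>req-id: 1002</body></html>", 5)
	diff, d2 := classify(base, "<html><title>Welcome to nginx!</title></html>", 5)
	fmt.Println(same, "https://192.0.2.10:443/", d1)
	fmt.Println(diff, "http://192.0.2.11:80/", d2)
}
```

A MATCH for an address in your own range means that host serves the site without going through the proxy; restricting origin ingress to the proxy's address ranges removes that path.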

Installation

To install hakoriginfinder, you need to have Go installed on your system. Once Go is set up, you can install the tool using the following command:

go install github.com/hakluke/hakoriginfinder@latest

Examples

hakoriginfinder is designed for straightforward command-line usage, typically accepting a list of IP addresses via standard input and the target hostname via the -h option.

Here's a basic example demonstrating how to use it with prips to generate IP ranges:

prips 93.184.216.0/24 | hakoriginfinder -h https://example.com:443/foo

You can customize the tool's behavior with several options:

  • -l: Set the Levenshtein distance threshold. A lower number requires more similar matches. The default is 5.
  • -t: Specify the number of threads to use. The default is 32.
  • -h: Define the hostname. This option is mandatory.
  • -p: Set the ports to scan on the IP addresses. The default is 80,443.

Output Example

The output provides three columns: a match status ("MATCH" or "NOMATCH"), the URL being tested, and the Levenshtein score.

$ prips 1.1.1.0/24 | hakoriginfinder -h http://one.one.one.one:80/index.html -p 80,443,8080,8443
Redirect 301 to: https://one.one.one.one/index.html
Redirect 308 to: https://one.one.one.one/
NOMATCH http://1.1.1.31:443/ 56290
...
MATCH https://1.1.1.1:443/ 0
...
MATCH https://1.1.1.1:8443/ 0

Why Use hakoriginfinder?

hakoriginfinder is useful in security work for several reasons:

  • WAF Bypass: By identifying the true origin IP, security professionals can often bypass WAFs and other reverse proxies, allowing direct interaction with the backend server to discover vulnerabilities that would otherwise be hidden.
  • Infrastructure Discovery: It helps in mapping out an organization's network infrastructure, revealing hidden servers or misconfigurations.
  • Security Assessments: Integral for comprehensive penetration testing and vulnerability assessments, providing a deeper understanding of the target's attack surface.
  • Efficiency: Automates a complex task that would otherwise require manual and time-consuming efforts to compare server responses.

Links

For more details, contributions, or to report issues, visit the official GitHub repository: