Add waf_bypass module for WAF bypass detection #2994

Open
liquidsec wants to merge 15 commits into dev from add-waf-bypass-module

Conversation

@liquidsec
Contributor

Summary

Adds a new waf_bypass module that detects when WAF-protected web content is directly accessible by IP, bypassing the CDN/WAF layer. Requires #2992 (blasthttp integration).

How it works

  1. Detection — identifies WAF-protected domains by checking for CDN tags (cdn-cloudflare, cdn-imperva, etc.) on URL events
  2. Fingerprinting — captures a simhash fingerprint of the protected content through the CDN
  3. IP collection — gathers IP addresses from DNS resolution of related domains, ASN neighbor scanning, and IP neighbor enumeration
  4. Bypass testing — for each candidate IP, fetches the protected URL using resolve_ip to pin DNS to the candidate IP, bypassing the CDN
  5. Comparison — compares the bypassed response against the original CDN-proxied fingerprint using simhash similarity
  6. Verification — requires similarity above configurable threshold (default 0.9); redirects require exact match (1.0)

Features

  • Automatic WAF/CDN detection via BBOT's cloud tagging system
  • ASN-aware IP candidate discovery (checks IPs in the same ASN as the target)
  • IP neighbor scanning within configurable CIDR range
  • Filters out known cloud/CDN IPs to reduce false positives
  • Uses blasthttp resolve_ip for DNS pinning — no curl subprocess needed

Config options

  • similarity_threshold — minimum simhash similarity to report a bypass (default: 0.9)
  • search_ip_neighbors — enable IP neighbor scanning (default: true)
  • neighbor_cidr — CIDR prefix length for neighbor scanning (default: 24)

Preset

Includes waf-bypass.yml preset for easy activation.

Detects WAF bypasses by finding direct IP access to WAF-protected
content. Compares response similarity between CDN-proxied and
direct-IP requests using simhash. Uses blasthttp resolve_ip for
DNS pinning to target IPs.
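The detection, fingerprinting, candidate enumeration and verification steps listed in the summary above, as an added stand-alone example; this is not BBOT's or blasthttp's code. It assumes a `fetch(url, resolve_ip)` callable as a stand-in for the pinned-DNS fetch, uses word-bigram simhash over blake2b (the PR does not say which simhash features the module uses), implements the redirect "exact match" rule as a literal comparison of status and Location, and replaces the network with constructed responses on documentation addresses in 198.51.100.0/24; the excluded 198.51.100.128/25 is a constructed stand-in for a known CDN range.

```python
# Added example of the waf_bypass verification flow, not BBOT's or blasthttp's
# code. All network activity is replaced by constructed data so it runs offline.
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SIMILARITY_THRESHOLD = 0.9  # the PR's default similarity_threshold
NEIGHBOR_CIDR = 24          # the PR's default neighbor_cidr


@dataclass(frozen=True)
class Response:
    status: int
    body: str
    location: Optional[str] = None  # Location header, present on 3xx


def _shingles(text: str) -> list[str]:
    """Word-bigram features over visible text (tags stripped, lower-cased)."""
    words = re.findall(r"\w+", re.sub(r"<[^>]+>", " ", text).lower())
    return [f"{a} {b}" for a, b in zip(words, words[1:])]


def simhash(text: str, bits: int = 64) -> int:
    """64-bit simhash: every feature votes +1/-1 on each bit, the sign wins."""
    votes = [0] * bits
    for feat in _shingles(text):
        h = int.from_bytes(hashlib.blake2b(feat.encode(), digest_size=8).digest(), "big")
        for b in range(bits):
            votes[b] += 1 if (h >> b) & 1 else -1
    return sum(1 << b for b in range(bits) if votes[b] > 0)


def similarity(fp_a: int, fp_b: int, bits: int = 64) -> float:
    """1.0 for identical fingerprints, about 0.5 for unrelated content."""
    return 1.0 - bin(fp_a ^ fp_b).count("1") / bits


def fingerprint(resp: Response) -> int:
    # Fold the status code in so a 403 stub never fingerprints like a 200 page.
    return simhash(f"{resp.status} {resp.body}")


def is_bypass(cdn: Response, direct: Response, threshold: float = SIMILARITY_THRESHOLD) -> bool:
    """Summary's rule: similarity >= threshold for normal responses; a redirect must be
    reproduced exactly (same status and Location, i.e. similarity 1.0), because a
    redirect body is too small for simhash to say anything useful."""
    if 300 <= cdn.status < 400:
        return direct.status == cdn.status and direct.location == cdn.location
    return similarity(fingerprint(cdn), fingerprint(direct)) >= threshold


def ip_neighbors(ip: str, prefix: int = NEIGHBOR_CIDR, exclude: tuple[str, ...] = ()) -> list[str]:
    """Candidate IPs in the same /prefix as `ip`, minus known CDN/cloud ranges."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    excluded = [ipaddress.ip_network(n) for n in exclude]
    return [str(h) for h in net.hosts() if not any(h in x for x in excluded)]


def find_bypasses(url, cdn_resp, candidates, fetch, threshold=SIMILARITY_THRESHOLD):
    """IPs whose DNS-pinned response reproduces the CDN-proxied one."""
    hits = []
    for ip in candidates:
        direct = fetch(url, resolve_ip=ip)  # stand-in for the real pinned fetch
        if direct is not None and is_bypass(cdn_resp, direct, threshold):
            hits.append(ip)
    return hits


# --- constructed sample data (documentation addresses, not a real host) ---
LOGIN_PAGE = """<html><head><title>Example Corp portal</title></head><body>
<h1>Sign in to your account</h1><form action="/login" method="post">
<label>Username</label><input name="user"><label>Password</label>
<input name="pass" type="password"><button>Sign in</button></form>
<p>Forgot your password? Contact the service desk for a reset link.</p></body></html>"""
NGINX_DEFAULT = """<html><head><title>Welcome to nginx!</title></head><body>
<h1>Welcome to nginx!</h1><p>If you see this page, the nginx web server is
successfully installed and working. Further configuration is required.</p></body></html>"""

CDN_RESPONSE = Response(200, LOGIN_PAGE)            # served through the CDN/WAF
CANNED = {                                           # what each IP serves directly
    "198.51.100.37": Response(200, LOGIN_PAGE),      # the origin: real app exposed
    "198.51.100.38": Response(200, NGINX_DEFAULT),   # unrelated box in the same /24
    "198.51.100.39": Response(403, "<h1>Direct IP access is not allowed</h1>"),
}


def fake_fetch(url: str, resolve_ip: str) -> Optional[Response]:
    return CANNED.get(resolve_ip)  # None models refused/timed-out connections


def demo() -> list[str]:
    # 198.51.100.128/25 stands in for a known CDN range that must be skipped.
    cands = ip_neighbors("198.51.100.37", exclude=("198.51.100.128/25",))
    return find_bypasses("https://portal.example.com/login", CDN_RESPONSE, cands, fake_fetch)
    # -> ['198.51.100.37']
```

Only the fingerprint/compare/verify core is shown; the DNS resolution of related domains and the ASN-neighbor lookup that feed `candidates` in the real module are left out because they need network access. The comparison uses `>=` against the threshold, which is a choice made here; the summary says "above". Note that the exact-match rule for redirects is what stops a generic `302 /login` from any host in the /24 being reported as a bypass.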
@github-actions

github-actions Bot commented Mar 27, 2026

📊 Performance Benchmark Report

Comparing blasthttp-integration-clean (baseline) vs add-waf-bypass-module (current)

📈 Detailed Results (All Benchmarks)

📋 Complete results for all benchmarks - includes both significant and insignificant changes

| 🧪 Test Name | 📏 Base | 📏 Current | 📈 Change | 🎯 Status |
|---|---|---|---|---|
| Bloom Filter Dns Mutation Tracking Performance | 4.27ms | 4.21ms | -1.4% | |
| Bloom Filter Large Scale Dns Brute Force | 20.07ms | 17.72ms | -11.7% | 🟢🟢 🚀 |
| Large Closest Match Lookup | 356.82ms | 354.83ms | -0.6% | |
| Realistic Closest Match Workload | 189.52ms | 190.60ms | +0.6% | |
| Event Memory Medium Scan | 1784 B/event | 1782 B/event | -0.1% | |
| Event Memory Large Scan | 1768 B/event | 1768 B/event | +0.0% | |
| Event Validation Full Scan Startup Small Batch | 416.17ms | 419.62ms | +0.8% | |
| Event Validation Full Scan Startup Large Batch | 595.09ms | 603.99ms | +1.5% | |
| Make Event Autodetection Small | 31.28ms | 31.50ms | +0.7% | |
| Make Event Autodetection Large | 315.65ms | 316.67ms | +0.3% | |
| Make Event Explicit Types | 14.07ms | 14.05ms | -0.2% | |
| Excavate Single Thread Small | 4.097s | 4.098s | +0.0% | |
| Excavate Single Thread Large | 9.700s | 9.761s | +0.6% | |
| Excavate Parallel Tasks Small | 4.290s | 4.394s | +2.4% | |
| Excavate Parallel Tasks Large | 6.738s | 6.791s | +0.8% | |
| Is Ip Performance | 3.19ms | 3.23ms | +1.1% | |
| Make Ip Type Performance | 11.57ms | 11.78ms | +1.9% | |
| Mixed Ip Operations | 4.50ms | 4.52ms | +0.3% | |
| Memory Use Web Crawl | 698.6 MB | 686.0 MB | -1.8% | |
| Memory Use Subdomain Enum | 33.4 MB | 33.3 MB | -0.1% | |
| Memory Use Deep Chain | 7.8 MB | 7.8 MB | +0.1% | |
| Memory Use Parallel Chains | 21.9 MB | 21.5 MB | -1.8% | |
| Scan Throughput 100 | 4.662s | 4.613s | -1.0% | |
| Scan Throughput 1000 | 35.860s | 36.936s | +3.0% | |
| Typical Queue Shuffle | 63.14µs | 67.32µs | +6.6% | |
| Priority Queue Shuffle | 727.66µs | 731.54µs | +0.5% | |

🎯 Performance Summary

+ 1 improvement 🚀
  25 unchanged ✅

🔍 Significant Changes (>10%)

  • Bloom Filter Large Scale Dns Brute Force: 11.7% 🚀 faster

🐍 Python Version 3.11.15

@codecov

codecov Bot commented Mar 27, 2026

Codecov Report

❌ Patch coverage is 81.03448% with 44 lines in your changes missing coverage. Please review.
✅ Project coverage is 90%. Comparing base (6e6e8de) to head (ee82a33).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| bbot/modules/waf_bypass.py | 77% | 39 Missing ⚠️ |
| ...test_step_2/module_tests/test_module_waf_bypass.py | 93% | 5 Missing ⚠️ |
Additional details and impacted files
@@                     Coverage Diff                      @@
##           blasthttp-integration-clean   #2994    +/-   ##
============================================================
- Coverage                           90%     90%    -0%     
============================================================
  Files                              446     447     +1     
  Lines                            38377   38514   +137     
============================================================
+ Hits                             34313   34410    +97     
- Misses                            4064    4104    +40     


liquidsec changed the base branch from blasthttp-integration-clean to dev on May 12, 2026 18:09