Leak Server IP Address
- Checkout the DNS trail of the hostname. This can be done using Security Trails - The World's Largest Repository of historical DNS data
- DNS Lookups
- Options method Sometimes the OPTIONS HTTP methods leaks the IP address of the server behind the WAF.
- HTTP Headers
Try playing around with
X-Forwarded-Forand similar proxy headers to trigger a different response to the same page.