Add WAF filter

sherlock-project · Apr 8, 2024 · 21ac927 · 21ac927
1 parent 55c680f
commit 21ac927
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/sherlock/notify.py b/sherlock/notify.py
@@ -224,7 +224,7 @@ def update(self, result):
         elif result.status == QueryStatus.UNKNOWN:
             if self.print_all:
                 print(Style.BRIGHT + Fore.WHITE + "[" +
-                      Fore.RED + "-" +
+                      Fore.RED + "?" +
                       Fore.WHITE + "]" +
                       Fore.GREEN + f" {self.result.site_name}:" +
                       Fore.RED + f" {self.result.context}" +
@@ -238,6 +238,15 @@ def update(self, result):
                       Fore.WHITE + "]" +
                       Fore.GREEN + f" {self.result.site_name}:" +
                       Fore.YELLOW + f" {msg}")
+
+        elif result.status == QueryStatus.WAF:
+            if self.print_all:
+                print(Style.BRIGHT + Fore.WHITE + "[" +
+                      Fore.RED + "?" +
+                      Fore.WHITE + "]" +
+                      Fore.GREEN + f" {self.result.site_name}:" +
+                      Fore.RED + f" Blocked by WAF" +
+                      Fore.YELLOW + " (proxy recommended)")
 
         else:
             # It should be impossible to ever get here...

diff --git a/sherlock/result.py b/sherlock/result.py
@@ -14,6 +14,7 @@ class QueryStatus(Enum):
     AVAILABLE = "Available" # Username Not Detected
     UNKNOWN   = "Unknown"   # Error Occurred While Trying To Detect Username
     ILLEGAL   = "Illegal"   # Username Not Allowable For This Site
+    WAF       = "WAF"       # Request blocked by WAF (i.e. Cloudflare)
 
     def __str__(self):
         """Convert Object To String.

diff --git a/sherlock/sherlock.py b/sherlock/sherlock.py
@@ -378,9 +378,19 @@ def sherlock(
         query_status = QueryStatus.UNKNOWN
         error_context = None
 
-        if error_text is not None:
+        # As WAFs advance and evolve, they will occasionally block Sherlock and lead to false positives
+        # and negatives. Fingerprints should be added here to filter results that fail to bypass WAFs.
+        # Fingerprints should be highly targetted. Comment at the end of each fingerprint to indicate target and date.
+        WAFHitMsgs = [
+            '.loading-spinner{visibility:hidden}body.no-js .challenge-running{display:none}body.dark{background-color:#222;color:#d9d9d9}body.dark a{color:#fff}body.dark a:hover{color:#ee730a;text-decoration:underline}body.dark .lds-ring div{border-color:#999 transparent transparent}body.dark .font-red{color:#b20f03}body.dark .big-button,body.dark .pow-button{background-color:#4693ff;color:#1d1d1d}body.dark #challenge-success-text{background-image:url(data:image/svg+xml;base64,' # 2024-04-08 Cloudflare
+        ]
+
+        if error_text is not None and query_status is not QueryStatus.WAF:
             error_context = error_text
 
+        elif any(hitMsg in r.text for hitMsg in WAFHitMsgs):
+            query_status = QueryStatus.WAF
+
         elif error_type == "message":
             # error_flag True denotes no error found in the HTML
             # error_flag False denotes error found in the HTML