Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reduce false positives (those caused by WAFs and bot detection) #2069

Merged
merged 3 commits into from
May 4, 2024
Merged

Reduce false positives (those caused by WAFs and bot detection) #2069

merged 3 commits into from
May 4, 2024

Conversation

ppfeister
Copy link
Member

@ppfeister ppfeister commented Apr 8, 2024
edited

Discussions are taking place elsewhere about false positives and bot detection circumvention.

The Cloudflare bypass, even if implemented, will fail occasionally as Cloudflare updates their detection methods. Until the maintainer of whatever bypass mechanism is able to update their tool, Sherlock users will randomly see false positives.

In either case, this PR significantly reduces the number of false positives that appear as more and more sites switch to using WAFs that function like Cloudflare. If a known WAF block page is detected, the QueryStatus of WAF is applied rather than running the standard (and now useless) error checks. Results with the status of WAF are only displayed with --print-all and bear a status message indicating such.

The error message also indicates that a proxy (such as FlareSolverr) may help.

[-] Myspace: Not Found!
[-] NICommunityForum: Not Found!
[-] NationStates Nation: Blocked by bot detection (proxy may help)
[-] NationStates Region: Blocked by bot detection (proxy may help)
[-] Naver: Not Found!
[-] Needrom: Not Found!

Paired with #2068, the number of false positives presented to the user drop significantly.

Fixes #1878 (as the use of a proxy may allow Fiverr to function as desired, and it won't display false positives otherwise)

Update: This PR now also includes a fingerprint for PerimeterX -- the "press and hold" captcha service sometimes also used by sites like Fiverr

@ppfeister ppfeister mentioned this pull request Apr 8, 2024
Merged
@ppfeister ppfeister mentioned this pull request Apr 13, 2024
Open
@ppfeister ppfeister changed the title Suppress false positives due to WAF block pages (i.e. Cloudflare) Reduce false positives (those caused by WAFs and bot detection) Apr 19, 2024
@ppfeister ppfeister mentioned this pull request Apr 25, 2024
Open
2 tasks
ppfeister added a commit to ppfeister/sherlock that referenced this pull request Apr 25, 2024
@ppfeister
Re-add Instagram
760bc98 
Instagram has been added back to the site list using the old picuki probe. This service DOES use Cloudflare, but it will function perfectly fine until rate limited. Once rate limited, sherlock-project#2069 will suppress any false positives.
@ppfeister ppfeister mentioned this pull request Apr 25, 2024
Merged
ppfeister added a commit to ppfeister/sherlock that referenced this pull request Apr 25, 2024
@ppfeister
Add Untappd
7bf4be4 
Untappd is behind Cloudflare, but this doesn't seem to impact early requests. After being ratelimited, sherlock-project#2069 will suppress any possible WAF-induced false positives.
Closes sherlock-project#1780
@sdushantha
Copy link
Member

Again, I really appricate you putting so much work into this PR as well! 🙌

@sdushantha sdushantha merged commit 122082a into sherlock-project:master May 4, 2024
3 checks passed
@ppfeister ppfeister deleted the feature/antiwaf branch May 4, 2024 23:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Fiverr false positive
2 participants
@ppfeister @sdushantha