Reduce false positives (those caused by WAFs and bot detection) #2069

Merged (3 commits), May 4, 2024

@ppfeister (Member) commented Apr 8, 2024

Discussions are taking place elsewhere about false positives and bot detection circumvention.

The Cloudflare bypass, even if implemented, will fail occasionally as Cloudflare updates their detection methods. Until the maintainer of whatever bypass mechanism is able to update their tool, Sherlock users will randomly see false positives.

In either case, this PR significantly reduces the number of false positives that appear as more and more sites switch to using WAFs that function like Cloudflare. If a known WAF block page is detected, the QueryStatus of WAF is applied rather than running the standard (and now useless) error checks. Results with the status of WAF are only displayed with --print-all and bear a status message indicating such.

The error message also indicates that a proxy (such as FlareSolverr) may help.

```
[-] Myspace: Not Found!
[-] NICommunityForum: Not Found!
[-] NationStates Nation: Blocked by bot detection (proxy may help)
[-] NationStates Region: Blocked by bot detection (proxy may help)
[-] Naver: Not Found!
[-] Needrom: Not Found!
```

Paired with #2068, the number of false positives presented to the user drops significantly.

Fixes #1878 (as the use of a proxy may allow Fiverr to function as desired, and it won't display false positives otherwise)

Update: This PR now also includes a fingerprint for PerimeterX -- the "press and hold" captcha service sometimes also used by sites like Fiverr
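
The ordering this PR describes, as an added sketch that is not Sherlock's own code: known block-page fingerprints are checked before the site's normal error check, and a match yields `QueryStatus.WAF` instead of a hit. The fingerprint strings, the other enum members, the function names, the hit-line format and the sample pages are constructed for illustration.

```python
from enum import Enum


class QueryStatus(Enum):
    # WAF is the status named in the PR; the other members are assumed here.
    CLAIMED = "claimed"
    AVAILABLE = "available"
    WAF = "waf"


# Constructed placeholder markers, NOT the fingerprints shipped in the PR.
WAF_FINGERPRINTS = (
    "<!-- example-waf-challenge -->",
    "example-press-and-hold-captcha",
)


def classify(body, error_msg, check_waf=True):
    """Classify one probe response for a site using message-based detection.

    error_msg is the text the site shows when the username does not exist.
    """
    # Fingerprints run first: a block page never contains the site's own
    # "no such user" text, so the standard check would report a hit.
    if check_waf and any(fp in body for fp in WAF_FINGERPRINTS):
        return QueryStatus.WAF
    return QueryStatus.AVAILABLE if error_msg in body else QueryStatus.CLAIMED


def render(site, status, print_all=False):
    """Return the output line, or None when the result is hidden."""
    if status is QueryStatus.CLAIMED:
        return f"[+] {site}: claimed"  # simplified hit line (assumed format)
    if not print_all:
        return None  # WAF results are only shown with --print-all
    if status is QueryStatus.WAF:
        return f"[-] {site}: Blocked by bot detection (proxy may help)"
    return f"[-] {site}: Not Found!"


# Constructed sample bodies for a hypothetical site.
ERROR_MSG = "This user does not exist"
BLOCK_PAGE = "<html><!-- example-waf-challenge -->Checking your browser</html>"
MISSING_PAGE = "<html>This user does not exist</html>"
PROFILE_PAGE = "<html><h1>alice</h1></html>"

if __name__ == "__main__":
    for body in (BLOCK_PAGE, MISSING_PAGE, PROFILE_PAGE):
        print(render("ExampleSite", classify(body, ERROR_MSG), print_all=True))
```

With `check_waf=False` the block page is classified as `CLAIMED`, which is the false positive the PR suppresses.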

@ppfeister ppfeister mentioned this pull request Apr 13, 2024
@ppfeister ppfeister changed the title from "Suppress false positives due to WAF block pages (i.e. Cloudflare)" to "Reduce false positives (those caused by WAFs and bot detection)" Apr 19, 2024
@ppfeister ppfeister mentioned this pull request Apr 25, 2024
ppfeister added a commit to ppfeister/sherlock that referenced this pull request Apr 25, 2024
Instagram has been added back to the site list using the old picuki probe. This service DOES use Cloudflare, but it will function perfectly fine until rate limited. Once rate limited, sherlock-project#2069 will suppress any false positives.
ppfeister added a commit to ppfeister/sherlock that referenced this pull request Apr 25, 2024
Untappd is behind Cloudflare, but this doesn't seem to impact early requests. After being ratelimited, sherlock-project#2069 will suppress any possible WAF-induced false positives.
Closes sherlock-project#1780
@sdushantha (Member)

Again, I really appreciate you putting so much work into this PR as well! 🙌

@sdushantha sdushantha merged commit 122082a into sherlock-project:master May 4, 2024
3 checks passed
@ppfeister ppfeister deleted the feature/antiwaf branch May 4, 2024 23:28