Merge pull request #2069 from ppfeister/feature/antiwaf

Reduce false positives (those caused by WAFs and bot detection)
sherlock-project · May 4, 2024 · 122082a · 122082a
2 parents 71bdf63 + 5d5d807
commit 122082a
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 0 deletions.
diff --git a/sherlock/notify.py b/sherlock/notify.py
@@ -238,6 +238,15 @@ def update(self, result):
                       Fore.WHITE + "]" +
                       Fore.GREEN + f" {self.result.site_name}:" +
                       Fore.YELLOW + f" {msg}")
+
+        elif result.status == QueryStatus.WAF:
+            if self.print_all:
+                print(Style.BRIGHT + Fore.WHITE + "[" +
+                      Fore.RED + "-" +
+                      Fore.WHITE + "]" +
+                      Fore.GREEN + f" {self.result.site_name}:" +
+                      Fore.RED + " Blocked by bot detection" +
+                      Fore.YELLOW + " (proxy may help)")
 
         else:
             # It should be impossible to ever get here...

diff --git a/sherlock/result.py b/sherlock/result.py
@@ -14,6 +14,7 @@ class QueryStatus(Enum):
     AVAILABLE = "Available" # Username Not Detected
     UNKNOWN   = "Unknown"   # Error Occurred While Trying To Detect Username
     ILLEGAL   = "Illegal"   # Username Not Allowable For This Site
+    WAF       = "WAF"       # Request blocked by WAF (i.e. Cloudflare)
 
     def __str__(self):
         """Convert Object To String.

diff --git a/sherlock/sherlock.py b/sherlock/sherlock.py
@@ -377,9 +377,20 @@ def sherlock(
         query_status = QueryStatus.UNKNOWN
         error_context = None
 
+        # As WAFs advance and evolve, they will occasionally block Sherlock and lead to false positives
+        # and negatives. Fingerprints should be added here to filter results that fail to bypass WAFs.
+        # Fingerprints should be highly targetted. Comment at the end of each fingerprint to indicate target and date.
+        WAFHitMsgs = [
+            '.loading-spinner{visibility:hidden}body.no-js .challenge-running{display:none}body.dark{background-color:#222;color:#d9d9d9}body.dark a{color:#fff}body.dark a:hover{color:#ee730a;text-decoration:underline}body.dark .lds-ring div{border-color:#999 transparent transparent}body.dark .font-red{color:#b20f03}body.dark .big-button,body.dark .pow-button{background-color:#4693ff;color:#1d1d1d}body.dark #challenge-success-text{background-image:url(data:image/svg+xml;base64,', # 2024-04-08 Cloudflare
+            '{return l.onPageView}}),Object.defineProperty(r,"perimeterxIdentifiers",{enumerable:' # 2024-04-09 PerimeterX / Human Security
+        ]
+
         if error_text is not None:
             error_context = error_text
 
+        elif any(hitMsg in r.text for hitMsg in WAFHitMsgs):
+            query_status = QueryStatus.WAF
+
         elif error_type == "message":
             # error_flag True denotes no error found in the HTML
             # error_flag False denotes error found in the HTML