HTTP check gives false positives on some Cloudflare sites #7
Comments
Hello, Thanks for the report! Yeah, those are definitely false positives. The cgos.homair.com case would be fixed by removing the If you'd like to open a PR, that would be great! Thanks, Paul
I just tested out the fingerprints a little bit, and it seems like the "error code: 1001" case covers dangling pointers to CloudFlare:
So I think we should be good to remove both the "Cloudflare" and "Cloudflare Ray ID" signatures. Thanks, Paul
I was looking at https://support.cloudflare.com/hc/en-us/articles/360029779472-Troubleshooting-Cloudflare-1XXX-errors, and the "error code: 1001" and "error code: 1016" that we have look good. We might want to also add "error code: 1014" and "error code: 1018". Thoughts? Paul
Hello and thanks for your answers,
Hello, If you're still up for creating a PR to update the fingerprints, that would be great. Your conclusion on the error codes seems reasonable to me. Thanks, Paul
* Remove a few signatures that are too general, and may occur in the result
* Add the 1018 error code

Resolves #7
Hello, I was scanning a list of domains and checking every positive, and found some false positives.
Expected Behavior
Domains such as cgos.homair.com or cms.law should give negative results because they point to a live site.
Current Behavior
These domains give positive results because the HTTP body of their home page contains the string "Cloudflare", which is specified in the fingerprints.json file.
Possible Solution
Remove the "Cloudflare" fingerprint. This shouldn't impact any true positives.
Steps to Reproduce (for bugs)
echo "cms.law. 300 IN A 104.20.186.112" > dnszone-cms-law
SubdomainSleuth -resolver 1.1.1.1 -check http-fingerprint dnszone-cms-law
echo "cgos.homair.com. 146 IN A 104.26.1.192" > dnszone-cgos-homair-com
SubdomainSleuth -resolver 1.1.1.1 -check http-fingerprint dnszone-cgos-homair-com
Should I create a pull request?
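The signature change discussed in this thread can be checked against labelled response bodies before it is merged. The following is an added example, not code from the thread or from SubdomainSleuth: `Sample`, `Audit`, `corpus`, `oldSigs` and `newSigs` are hypothetical names, the bodies are constructed, and it does not read `fingerprints.json`, whose format is not shown on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// Sample is a constructed HTTP body plus the verdict assigned to it for this example.
type Sample struct {
	Name, Body string
	Dangling   bool
}

// Constructed bodies, not captured from any real site.
var corpus = []Sample{
	{"live-footer", "<html><body>Shop<footer>Protected by Cloudflare</footer></body></html>", false},
	{"live-rayid", "<html><body>Blog<!-- Cloudflare Ray ID: 0000000000000000 --></body></html>", false},
	{"dangling-1001", "error code: 1001", true},
	{"dangling-1016", "error code: 1016", true},
}

// Signature sets before and after the change discussed in the thread.
var oldSigs = []string{"Cloudflare", "Cloudflare Ray ID", "error code: 1001", "error code: 1016"}
var newSigs = []string{"error code: 1001", "error code: 1016", "error code: 1018"}

// Audit returns the live samples each signature wrongly flags, and the dangling samples nothing catches.
func Audit(sigs []string, samples []Sample) (fp map[string][]string, missed []string) {
	fp = map[string][]string{}
	for _, s := range samples {
		hit := false
		for _, sig := range sigs {
			if strings.Contains(s.Body, sig) {
				hit = true
				if !s.Dangling {
					fp[sig] = append(fp[sig], s.Name)
				}
			}
		}
		if s.Dangling && !hit {
			missed = append(missed, s.Name)
		}
	}
	return fp, missed
}

func main() {
	fmt.Println(Audit(oldSigs, corpus))
	fmt.Println(Audit(newSigs, corpus))
}
```

Adding every manually confirmed false positive and true positive to the corpus turns each future signature edit into a regression check for both kinds of error.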