Closed
Labels
- Done: Ready to merge
- false-positive: Nuclei template reporting invalid/unexpected result
Description
Template IDs or paths
- http/technologies/tech-detect.yaml
Environment
- OS: Ubuntu 22.04.4 LTS (Jammy Jellyfish)
- Nuclei: 3.3.1
- Go: go1.23.2 linux/amd64
Steps To Reproduce
./nuclei -t http/technologies/tech-detect.yaml -u https://nicochannel.jp -debug
Relevant dumped responses
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Security-Policy: default-src 'self'; base-uri 'self'; img-src * data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.google-analytics.com https://www.googletagmanager.com/ https://www.googleadservices.com/ https://googleads.g.doubleclick.net/ https://s.yimg.jp/ https://connect.facebook.net/ https://*.yahoo.co.jp/ https://maps.googleapis.com/ https://*.mul-pay.jp/ https://*.google.com https://global.localizecdn.com/ https://use.typekit.net/ https://cdnjs.cloudflare.com https://cdn.auth0.com https://ads.twitter.com https://imasdk.googleapis.com https://pagead2.googlesyndication.com https://static.ads-twitter.com https://s0.2mdn.net https://www.googletagservices.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com/; font-src 'self' data: https://fonts.gstatic.com https://use.typekit.net/; connect-src * data: blob: 'unsafe-inline'; frame-src https://*.google.com/ https://bid.g.doubleclick.net/ https://www.googletagmanager.com/ https://*.facebook.com/ https://www.youtube.com/ https://td.doubleclick.net/ https://imasdk.googleapis.com/; media-src * data: blob:; worker-src * data: blob:
Content-Type: text/html
Date: Mon, 04 Nov 2024 11:10:31 GMT
Etag: W/"b025cba8724fc42559460eba86b548ae"
Last-Modified: Thu, 24 Oct 2024 03:43:16 GMT
Server: AmazonS3
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Vary: Accept-Encoding
Via: 1.1 a8f6013ba1b931d50fd86c30fdcef17e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: zFgMv-KGpQISA4kSSYkxmGstZ4YpYZabcLPkd-wr9dTJ8XcJvpq6QQ==
X-Amz-Cf-Pop: CAI50-P1
X-Amz-Server-Side-Encryption: AES256
X-Amz-Version-Id: null
X-Cache: Miss from cloudfront
X-Frame-Options: DENY
<!DOCTYPE html>
<html lang="ja">
<head>
<!-- Google Tag Manager -->
<script type="text/javascript">
window.NicoGoogleTagManagerDataLayer = [];
var data = {};
data.user = (function () {
var user = {};
user.user_id = "null";
user.login_status = "not_login";
user.member_status = "null";
user.account_createdatetime = "null";
return user;
})();
data.content = (function () {
var content = {};
content.player_type = "null";
content.delivery = "null";
content.category = "null";
content.content_type = "null";
return content;
})();
window.NicoGoogleTagManagerDataLayer.push(data);
</script>
<script>
(function (w, d, s, l, i) {
w[l] = w[l] || [];
w[l].push({ "gtm.start": new Date().getTime(), event: "gtm.js" });
var f = d.getElementsByTagName(s)[0],
j = d.createElement(s),
dl = l != "dataLayer" ? "&l=" + l : "";
j.async = true;
j.src = "https://www.googletagmanager.com/gtm.js?id=" + i + dl;
f.parentNode.insertBefore(j, f);
})(
window,
document,
"script",
"NicoGoogleTagManagerDataLayer",
"GTM-KXT7G5G"
);
</script>
<!-- End Google Tag Manager -->
<meta charset="utf-8" />
<meta property="og:locale" content="ja_JP" />
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=0" />
<link rel="manifest" href="/manifest.json" />
<title>ニコニコチャンネルプラス Portal</title>
<meta name="description" content="ニコニコチャンネルプラスでお気に入りを探して応援!" />
<link rel="apple-touch-icon" href="/portal/images/apple-touch-icon.png" />
<link rel="icon" href="/portal/images/favicon.ico" />
<meta property="og:description" content="ニコニコチャンネルプラスでお気に入りを探して応援!" />
<meta property="og:image" content="https://nicochannel.jp/portal/images/ogp.png" />
<meta property="og:image:alt" content="ニコニコチャンネルプラス" />
<meta property="og:title" content="ニコニコチャンネルプラス" />
<meta property="og:type" content="website" />
<meta name="twitter:card" content="summary_large_image" />
<link rel="preconnect" href="https://fonts.gstatic.com" />
<link href="https://fonts.googleapis.com/css2?family=Noto+Serif+JP:wght@300;400;500;700&display=swap"
rel="stylesheet" />
<link href="https://fonts.googleapis.com/css2?family=Noto+Sans+JP:wght@300;400;500;700&display=swap"
rel="stylesheet" />
<link href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500;700&display=swap" rel="stylesheet" />
<script type="module" crossorigin src="/portal/assets/index-e16666fa.js"></script>
<link rel="stylesheet" href="/portal/assets/index-5ba682e2.css">
</head>
<body>
<noscript>You need to enable JavaScript to run this app.</noscript>
<div id="root"></div>
</body>
</html>
[tech-detect:google-font-api] [http] [info] https://nicochannel.jp
[tech-detect:cloudflare] [http] [info] https://nicochannel.jp
[tech-detect:google-tag-manager] [http] [info] https://nicochannel.jp
Anything else?
We've observed that this template is producing false positives when a CSP includes Cloudflare. Although Cloudflare may be present in the CSP, it doesn't necessarily mean that Cloudflare is being used as a primary technology. To address this, we recommend using the more accurate Cloudflare technology detection set from the Wappalyzer repo:
    - type: word
      name: cloudflare
      words:
        - "cloudflare"
      part: server
    - type: regex
      name: cloudflare
      regex:
        - ".*"
      part: cf_cache_status
    - type: regex
      name: cloudflare
      regex:
        - ".*"
      part: cf_ray
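The false positive reported above can be reproduced offline. This is an added example, not code from the issue or from the nuclei-templates project: it assumes the matcher that fired is a case-insensitive word match over all response headers, and compares it with the header-scoped checks proposed in the issue (`server`, `cf_cache_status`, `cf_ray`). The function names and the Cloudflare-fronted sample are constructed for illustration.

```python
# Constructed sample: abbreviated headers from the dumped response in the issue.
S3_CLOUDFRONT_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
                               "https://cdnjs.cloudflare.com https://cdn.auth0.com",
    "Server": "AmazonS3",
    "X-Cache": "Miss from cloudfront",
}

# Constructed sample: what a Cloudflare-fronted response typically carries.
CLOUDFLARE_HEADERS = {
    "Server": "cloudflare",
    "CF-Cache-Status": "DYNAMIC",
    "CF-Ray": "0000000000000000-XXX",  # placeholder value
}


def normalize(name: str) -> str:
    """Header name in the lowercase/underscore form used by the proposed matchers."""
    return name.lower().replace("-", "_")


def loose_match(headers: dict) -> bool:
    """Assumed current behaviour: the word 'cloudflare' anywhere in the headers."""
    blob = "\n".join(f"{k}: {v}" for k, v in headers.items()).lower()
    return "cloudflare" in blob


def hit_locations(headers: dict) -> list:
    """Triage helper: which headers actually contain the word."""
    return [k for k, v in headers.items() if "cloudflare" in v.lower()]


def scoped_match(headers: dict) -> list:
    """Proposed behaviour: only Server, CF-Cache-Status and CF-Ray count."""
    h = {normalize(k): v for k, v in headers.items()}
    reasons = []
    if "cloudflare" in h.get("server", "").lower():
        reasons.append("server")
    # Assumption: the '.*' regex acts as a presence check on these headers.
    reasons += [p for p in ("cf_cache_status", "cf_ray") if p in h]
    return reasons


if __name__ == "__main__":
    for label, hdrs in (("s3+cloudfront", S3_CLOUDFRONT_HEADERS),
                        ("cloudflare", CLOUDFLARE_HEADERS)):
        print(label, loose_match(hdrs), hit_locations(hdrs), scoped_match(hdrs))
```

`hit_locations` shows the only hit on the reported target is the CSP allow-list entry, which describes where scripts may load from, not what serves the site.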