Excessive False Positives in Path Traversal Detection

[bytes-Knight]

When running the tool against certain targets, the script generates an unusually high number of false positives related to path traversal findings.

Steps to Reproduce

Run the following command:

python3 gsec.py -t https://shopify.com

[gotr00t0day]

It depends on the WAF, certain endpoints will give you false positives, you will have to check these manually.

[bytes-Knight]

Thanks for the update. Since some of these WAF-triggered responses look like “path traversal” but aren’t actually returning filesystem content, adding a stricter regex filter for real /etc/passwd indicators would help cut down the noise.

A solid pattern you could integrate is something like:

^(root|daemon|bin):[x*]?:[0-9]{1,5}:[0-9]{1,5}:.*$

And for broader detection of actual passwd-style entries:

^[a-zA-Z0-9_-]+:[x*]?:[0-9]{1,5}:[0-9]{1,5}:[^:]*:[^:]*:[^:]*$

This lets the scanner validate true passwd-format lines, instead of treating generic WAF blocks as findings.

If you add this, the tool will stop screaming “Traversal!” every time a target returns a templated error page.