-
-
Notifications
You must be signed in to change notification settings - Fork 881
Lightfuzz Overhaul (False-positive reductions, False-negative reductions, many new techniques) #2967
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Lightfuzz Overhaul (False-positive reductions, False-negative reductions, many new techniques) #2967
Changes from all commits
Commits
Show all changes
59 commits
Select commit
Hold shift + click to select a range
50a079c
Add ECB mode detection and CBC bit-flipping detection to crypto submo…
liquidsec cd381f8
Reduce lightfuzz false positives: centralize WAF detection, blacklist…
liquidsec 2563c76
Skip parameter extraction from out-of-scope redirect targets
liquidsec 749a695
Fix lightfuzz false positives: crypto jitter stability, XSS context v…
liquidsec 40f6bb9
Remove duplicate get_waf_strings() definition
liquidsec abb1719
Skip Error Resolution for non-standard HTTP status codes (>511)
liquidsec 79349dd
Fix excavate redirect test to use e.url instead of e.data
liquidsec 9fc3837
Use YARA for WAF string detection instead of Python string-in loops
liquidsec ab42ab3
Fix test module refs: httpx → http for blasthttp migration
liquidsec f3be8cd
Compile serial error YARA rules in lightfuzz setup(), simplify sqli W…
liquidsec 11893a3
Merge branch 'blasthttp-integration-clean' into lightfuzz-improvement…
liquidsec 1b85374
Merge branch 'blasthttp-integration-clean' into lightfuzz-improvement…
liquidsec 52c0cc8
Reduce lightfuzz sqli false positives: url_extension filtering, confi…
liquidsec 70f04cf
Remove probe request descriptions from sqli findings
liquidsec 32ae4e5
Add Azure Application Gateway to WAF detection strings
liquidsec aee4fc8
Fix test assertions for sqli probe description removal and static URL…
liquidsec b4fb2b7
Lightfuzz FN-hunt round 1: sqli, path, cmdi
liquidsec b06096f
Lightfuzz FN-hunt round 2: xss context coverage
liquidsec 8724337
Lightfuzz FN-hunt round 3: ssti direct probes + FP guard
liquidsec c18daa5
Lightfuzz FN-hunt round 4: ssti velocity coverage
liquidsec 6a4f979
Lightfuzz FN-hunt round 5: serial pickle + skip_envelopes opt-in
liquidsec 14d9fdb
Lightfuzz FN-hunt round 6: serial Java URLDNS OOB
liquidsec f12cbed
Lightfuzz FN-hunt round 6 fixup: URLDNS flag fix + interactsh NPE
liquidsec cf5e7ac
Lightfuzz crypto: small cleanup
liquidsec 94e65ec
Lightfuzz FN-hunt round 7: esi remote-include OOB
liquidsec 766e70d
Lightfuzz path: simple non-recursive-strip probes
liquidsec 86cb595
Lightfuzz path: simple double-URL-encoding probes
liquidsec 550ff1f
Lightfuzz: extract register_interactsh_tag helper
liquidsec 18822eb
Merge branch 'blasthttp-integration-clean' into lightfuzz-improvement…
liquidsec 18deb6c
Lightfuzz xss/path: tighten URL-scheme + singledot detectors
liquidsec 6aa8e40
Merge remote-tracking branch 'origin/blasthttp-integration-clean' int…
liquidsec f6876ee
lightfuzz/sqli: junk-value control probe to suppress CDN cache-miss f…
liquidsec 9b2592d
excavate: prefer <option selected> over first option, fall back to fi…
liquidsec 3b04c69
Merge remote-tracking branch 'origin/blasthttp-integration-clean' int…
liquidsec 4190110
lightfuzz: emit canonical baseline responses as HTTP_RESPONSE events
liquidsec dadc97d
docs: frame lightfuzz as BBOT's DAST module
liquidsec 2bbc059
excavate: consolidate same-name params into same_param_values; loosen…
liquidsec 67bf00a
lightfuzz: keystream-reuse detection, from-lightfuzz tag, cookie refresh
liquidsec ef11c29
lightfuzz: declare HTTP_RESPONSE in produced_events
liquidsec 6061f4c
lightfuzz: baseline_probe submits the form properly
liquidsec b48d1e4
excavate: route form discovery through opening-tag YARA + bounded bod…
liquidsec fe63fe4
docs: document lightfuzz crypto's keystream-reuse / many-time-pad det…
liquidsec 20023d0
lightfuzz: coerce None to empty string in prepare_request wire serial…
liquidsec e208d3b
lightfuzz: dual baseline_probe (form-as-captured + populate-empty-as-…
liquidsec fe6c309
lightfuzz: host_url priming + coalesced connectivity_test; excavate: …
liquidsec 555df35
trim verbose comments/docstrings; fix web_parameters test against pos…
liquidsec d8bf489
lightfuzz/crypto: restrict keystream-reuse to hex inputs
liquidsec e97980c
lightfuzz/crypto: guard None probe responses and fix invalid confiden…
liquidsec 9d5c5d5
lightfuzz audit fixes: cache bound, cmdi guard, xss verify, defaults …
liquidsec ceb8cf6
lightfuzz/crypto: catch HttpCompareError in padding_oracle_execute
liquidsec 2cb2ad6
lightfuzz/path: add canary check to suppress search-field FPs
liquidsec 493043b
Merge remote-tracking branch 'origin/dev' into lightfuzz-improvements…
liquidsec 649143a
lightfuzz/reflected_parameters: merge probe into existing querystring
liquidsec 8a7a9d1
excavate: read response body via event.body in ParameterExtractor.pro…
liquidsec da49503
Merge branch 'dev' into lightfuzz-improvements-mar-26
liquidsec 6f47bdc
sqli: two-stage scaling-delay confirmation for time-based blind detec…
liquidsec e2aaa95
Merge pull request #3152 from blacklanternsecurity/sqli-fp-sliding-delay
liquidsec a8207fe
Merge dev, resolve conflicts in http/excavate/lightfuzz pydantic Conf…
liquidsec 75bf826
Fix keystream-reuse FP, cmdi octal bug, type mutation leak, connectiv…
liquidsec File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| """Build HTTP_RESPONSE event data dicts from blasthttp.Response objects. | ||
|
|
||
| Materializes hash and cert_info eagerly, so only call when about to emit an | ||
| HTTP_RESPONSE event (otherwise blasthttp.Response stays lazy). | ||
| """ | ||
|
|
||
| import re | ||
| from urllib.parse import urlparse | ||
|
|
||
|
|
||
| _TITLE_REGEX = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL) | ||
|
|
||
|
|
||
| def response_to_event_dict(response, url_input, method="GET"): | ||
| """Convert a blasthttp.Response into the dict format HTTP_RESPONSE events expect. | ||
|
|
||
| Args: | ||
| response: a blasthttp.Response (native 0.5+ object with .hash, .cert_info) | ||
| url_input: the original scan-target identifier (host:port or full URL) | ||
| method: HTTP method used to fetch the response | ||
|
|
||
| Returns: | ||
| dict with keys url, input, status_code, method, path, host, raw_header, | ||
| header, content_type, content_length, title, body, location, hash. Adds | ||
| cert_info when the response carried a TLS certificate. | ||
| """ | ||
| parsed = urlparse(response.url) | ||
| path = parsed.path or "/" | ||
|
|
||
| status_line = f"HTTP/1.1 {response.status} \r\n" | ||
| raw_header = f"{status_line}{response.raw_headers}\r\n\r\n" | ||
|
|
||
| header_dict = {} | ||
| for k, v in response.headers.items(): | ||
| key = k.lower().replace("-", "_") | ||
| if key in header_dict: | ||
| header_dict[key] += f", {v}" | ||
| else: | ||
| header_dict[key] = v | ||
|
|
||
| content_type = header_dict.get("content_type", "") | ||
| content_length = int(header_dict.get("content_length", len(response.body_bytes))) | ||
| location = header_dict.get("location", "") | ||
|
|
||
| body = response.body | ||
| title = "" | ||
| title_match = _TITLE_REGEX.search(body) | ||
| if title_match: | ||
| title = title_match.group(1).strip() | ||
|
|
||
| j = { | ||
| "url": response.url, | ||
| "input": url_input, | ||
| "status_code": response.status, | ||
| "method": method, | ||
| "path": path, | ||
| "host": parsed.hostname or "", | ||
| "raw_header": raw_header, | ||
| "header": header_dict, | ||
| "content_type": content_type, | ||
| "content_length": content_length, | ||
| "title": title, | ||
| "body": body, | ||
| "location": location, | ||
| "hash": { | ||
| "body_md5": response.hash.body_md5, | ||
| "body_mmh3": response.hash.body_mmh3, | ||
| "body_sha256": response.hash.body_sha256, | ||
| "header_md5": response.hash.header_md5, | ||
| "header_mmh3": response.hash.header_mmh3, | ||
| "header_sha256": response.hash.header_sha256, | ||
| }, | ||
| } | ||
|
|
||
| ci = response.cert_info | ||
| if ci is not None: | ||
| j["cert_info"] = { | ||
| "common_name": ci.common_name, | ||
| "sans": ci.sans, | ||
| "emails": ci.emails, | ||
| "issuer": ci.issuer, | ||
| "not_before": ci.not_before, | ||
| "not_after": ci.not_after, | ||
| "fingerprint_sha256": ci.fingerprint_sha256, | ||
| } | ||
|
|
||
| return j |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.