Skip to content

Tighten lightfuzz false positives#3223

Merged
liquidsec merged 1 commit into
devfrom
lightfuzz-fp-jun-26
Jun 25, 2026
Merged

Tighten lightfuzz false positives#3223
liquidsec merged 1 commit into
devfrom
lightfuzz-fp-jun-26

Conversation

@liquidsec

Copy link
Copy Markdown
Collaborator

Summary

  • Add OAMRequestContext_ to parameter_blacklist_prefixes (Oracle Access Manager infrastructure cookies)
  • Add XSRF-TOKEN to parameter_blacklist (missing CSRF token variant)
  • Reject Error Resolution baselines with status 403/429 in the serial submodule (transient WAF/rate-limit states produce unstable baselines)

Validated against a recent scan with 400 lightfuzz findings: these three changes catch 23 additional false positives on top of the 247 already eliminated by the nlbi_ blacklist prefix (b87e5ae).

- Add OAMRequestContext_ to parameter_blacklist_prefixes (Oracle Access Manager infrastructure cookies)
- Add XSRF-TOKEN to parameter_blacklist (missing CSRF token variant)
- Reject Error Resolution baselines with status 403/429 in serial submodule (transient WAF/rate-limit states produce unstable baselines)
@github-actions

Copy link
Copy Markdown
Contributor

🚀 Performance Benchmark Report

⚠️ No current benchmark data available

This might be because:

  • Benchmarks failed to run
  • No benchmark tests found
  • Dependencies missing

@codecov

codecov Bot commented Jun 19, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 33.33333% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 90%. Comparing base (ef65b09) to head (e66182d).

Files with missing lines Patch % Lines
bbot/modules/lightfuzz/submodules/serial.py 34% 2 Missing ⚠️
Additional details and impacted files
@@          Coverage Diff          @@
##             dev   #3223   +/-   ##
=====================================
+ Coverage     90%     90%   +1%     
=====================================
  Files        453     453           
  Lines      46101   46104    +3     
=====================================
+ Hits       41211   41219    +8     
+ Misses      4890    4885    -5     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@liquidsec liquidsec added the quick This is a small and/or trivial change label Jun 19, 2026
@ausmaster ausmaster self-requested a review June 25, 2026 19:45
@ausmaster ausmaster added this to the BBOT 3.0 - blazed_elijah milestone Jun 25, 2026
@liquidsec liquidsec merged commit e25792d into dev Jun 25, 2026
17 checks passed
@liquidsec liquidsec deleted the lightfuzz-fp-jun-26 branch June 25, 2026 19:50
@liquidsec liquidsec mentioned this pull request Jul 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

quick This is a small and/or trivial change

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants