Skip Error Resolution for non-standard HTTP status codes (>511)

liquidsec · liquidsec · commit abb171945960 · 2026-04-03T15:45:33.000-04:00
Prevents false positive deserialization findings against endpoints like
GlobalProtect that use non-standard status codes (e.g. 512).
diff --git a/bbot/modules/lightfuzz/submodules/serial.py b/bbot/modules/lightfuzz/submodules/serial.py
@@ -161,6 +161,17 @@ async def fuzz(self):
 
                 # if the status code changed to 200, and the response doesn't match our general error exclusions, we have a finding
                 self.debug(f"Potential finding detected for {payload_type}, needs confirmation")
+
+                baseline_status = payload_baseline.baseline.status_code
+                # Skip Error Resolution if baseline uses a non-standard HTTP status code (>511).
+                # Non-standard codes (e.g. 512 from GlobalProtect) are application-specific
+                # and don't reliably indicate an error state that deserialization could "resolve".
+                if baseline_status > 511:
+                    self.debug(
+                        f"Baseline status {baseline_status} is non-standard (>511), skipping Error Resolution for {payload_type}"
+                    )
+                    continue
+
                 if (
                     status_code == 200
                     and "code" in diff_reasons
diff --git a/bbot/test/test_step_2/module_tests/test_module_lightfuzz.py b/bbot/test/test_step_2/module_tests/test_module_lightfuzz.py
@@ -1385,6 +1385,38 @@ def check(self, module_test, events):
         )
 
 
+class Test_Lightfuzz_serial_errorresolution_nonstandard_status(Test_Lightfuzz_serial_errorresolution):
+    """A baseline with a non-standard status code (>511, e.g. GlobalProtect's 512)
+    should not produce an Error Resolution finding even if the probe returns 200."""
+
+    def request_handler(self, request):
+        dotnet_serial_error_resolved = (
+            "<html><body>Deserialization successful! Object type: System.String</body></html>"
+        )
+        post_params = request.form
+
+        if "TextBox1" not in post_params.keys():
+            return Response(self.dotnet_serial_html, status=200)
+
+        else:
+            if post_params["__VIEWSTATE"] != "/wEPDwULLTE5MTI4MzkxNjVkZNt7ICM+GixNryV6ucx+srzhXlwP":
+                # Non-standard status code (like GlobalProtect's 512)
+                return Response(self.dotnet_serial_error, status=512)
+            if post_params["TextBox1"] == "AAEAAAD/////AQAAAAAAAAAGAQAAAAdndXN0YXZvCw==":
+                return Response(dotnet_serial_error_resolved, status=200)
+            else:
+                return Response(self.dotnet_serial_error, status=512)
+
+    def check(self, module_test, events):
+        no_finding_emitted = True
+        for e in events:
+            if e.type == "FINDING" and "Error Resolution" in e.data.get("description", ""):
+                no_finding_emitted = False
+        assert no_finding_emitted, (
+            "False positive Error Resolution finding was emitted for non-standard baseline status code (>511)"
+        )
+
+
 # CMDi echo canary
 class Test_Lightfuzz_cmdi(ModuleTestBase):
     targets = ["http://127.0.0.1:8888"]
