
Lightfuzz false positive reduction + crypto submodule improvements #2967

Open
liquidsec wants to merge 12 commits into blasthttp-integration-clean from lightfuzz-improvements-mar-26

Conversation


@liquidsec liquidsec commented Mar 15, 2026

Summary

Systematic reduction of lightfuzz false positives across multiple submodules, plus new crypto detection capabilities.

False Positive Fixes

Serialization (serial.py)

  • Centralize WAF detection using shared get_waf_strings() helper instead of hardcoded strings
  • Skip Error Resolution when baseline status code is non-standard (>511), preventing false positives against endpoints like GlobalProtect that use custom status codes (e.g. 512)

XSS (xss.py)

  • Verify XSS probe matches appear in the correct HTML context (e.g. inside an attribute vs. bare HTML), not just anywhere in the response body

SQLi (sqli.py)

  • Suppress SQLi findings when a single-quote probe triggers a WAF 403 response, since the error-based detection is actually seeing WAF behavior, not a database error

Crypto (crypto.py)

  • Add endpoint stability pre-check to padding oracle and CBC bitflip tests — if the endpoint has natural timing jitter that exceeds the detection threshold, skip the test instead of producing a false positive
  • Remove overly generic "access denied" from crypto error strings

Path Traversal (path.py)

  • Use centralized WAF detection list instead of hardcoded strings

Excavate (excavate.py)

  • Skip parameter extraction from out-of-scope redirect targets, preventing lightfuzz from fuzzing parameters on third-party sites

Global / Config

  • Add get_waf_strings() helper to misc.py with 7 common WAF signatures, shared across submodules
  • Blacklist CSRF tokens and ASP.NET session cookies in defaults.yml to prevent fuzzing non-meaningful parameters
  • Blacklist PKCE (code_verifier, code_challenge) and Akamai Bot Manager (_abck, bm_sz) parameters

New Features

Crypto submodule

  • ECB mode detection via passive repeated-block analysis (zero HTTP requests)
  • CBC bit-flipping detection via active mutation of penultimate block positions (2 HTTP requests)

Misc

  • Fix modify_string() treating position=0 as falsy
  • Remove duplicate get_waf_strings() definition

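The false-positive gates described under Serialization, XSS, SQLi and Crypto, as an added example that is not BBOT's code. `Response`, `looks_like_waf`, `baseline_is_stable`, `probe_contexts` and `skip_reasons` are hypothetical names, the `WAF_STRINGS` list is constructed for this example (the project's `get_waf_strings()` has its own seven entries, not reproduced here), and the jitter measure (max minus min of a few baseline timings) is one reasonable choice, not necessarily the one the PR uses.

```python
from dataclasses import dataclass
from html.parser import HTMLParser

# Constructed signature list for this example only.
WAF_STRINGS = (
    "cloudflare",
    "akamai",
    "imperva",
    "incapsula",
    "request blocked",
    "web application firewall",
)


@dataclass
class Response:
    status: int
    body: str


def looks_like_waf(resp: Response) -> bool:
    """A 403 whose body carries a WAF signature is the WAF answering, not the app."""
    body = resp.body.lower()
    return resp.status == 403 and any(sig in body for sig in WAF_STRINGS)


def baseline_is_stable(timings: list[float], threshold: float) -> bool:
    """Pre-check for timing-based tests (padding oracle, CBC bit-flip): measure the
    unmodified request a few times. If natural jitter already reaches the threshold
    the test uses to call a delta "significant", the test cannot separate signal
    from noise and must be skipped rather than reported."""
    if len(timings) < 3:
        raise ValueError("need at least three baseline samples")
    return max(timings) - min(timings) < threshold


class _ProbeLocator(HTMLParser):
    """Record every HTML context in which the probe string is reflected."""

    def __init__(self, probe: str):
        super().__init__()
        self.probe = probe
        self.contexts: set[str] = set()
        self._in_raw_text = False  # inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._in_raw_text = True
        for _, value in attrs:
            if value and self.probe in value:
                self.contexts.add("attribute")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._in_raw_text = False

    def handle_data(self, data):
        if self.probe in data:
            self.contexts.add("script" if self._in_raw_text else "html")

    def handle_comment(self, data):
        if self.probe in data:
            self.contexts.add("comment")


def probe_contexts(body: str, probe: str) -> set[str]:
    """Contexts ("attribute", "html", "script", "comment") where `probe` lands.
    Use an alphanumeric canary as the probe: it cannot change how the page parses,
    so a substring hit in the raw body is only a finding if the canary sits in the
    context the check was designed for."""
    parser = _ProbeLocator(probe)
    parser.feed(body)
    parser.close()
    return parser.contexts


def skip_reasons(
    baseline: Response,
    probe: Response,
    baseline_timings: list[float],
    jitter_threshold: float,
) -> list[str]:
    """Collect every reason a finding should be suppressed; empty means proceed."""
    reasons = []
    if baseline.status > 511:
        reasons.append(f"baseline status {baseline.status} is outside the standard range")
    if looks_like_waf(probe):
        reasons.append("probe drew a WAF 403, not an application error")
    if not baseline_is_stable(baseline_timings, jitter_threshold):
        reasons.append("baseline timing jitter exceeds the detection threshold")
    return reasons
```

Note the ordering in `skip_reasons`: the status-code gate is evaluated on the baseline, before any probe is sent, so a host that answers 512 to everything never gets fuzzed for error-resolution behaviour at all.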
@liquidsec liquidsec marked this pull request as draft March 15, 2026 16:36

github-actions bot commented Mar 15, 2026

📊 Performance Benchmark Report

Comparing blasthttp-integration-clean (baseline) vs lightfuzz-improvements-mar-26 (current)

📈 Detailed Results (All Benchmarks)

📋 Complete results for all benchmarks - includes both significant and insignificant changes

| 🧪 Test Name | 📏 Base | 📏 Current | 📈 Change | 🎯 Status |
|---|---|---|---|---|
| Bloom Filter Dns Mutation Tracking Performance | 4.20ms | 4.25ms | +1.2% | |
| Bloom Filter Large Scale Dns Brute Force | 17.26ms | 17.80ms | +3.2% | |
| Large Closest Match Lookup | 350.57ms | 358.02ms | +2.1% | |
| Realistic Closest Match Workload | 189.60ms | 187.39ms | -1.2% | |
| Event Memory Medium Scan | 1778 B/event | 1780 B/event | +0.1% | |
| Event Memory Large Scan | 1765 B/event | 1765 B/event | -0.0% | |
| Event Validation Full Scan Startup Small Batch | 400.56ms | 407.53ms | +1.7% | |
| Event Validation Full Scan Startup Large Batch | 576.52ms | 578.82ms | +0.4% | |
| Make Event Autodetection Small | 31.06ms | 30.60ms | -1.5% | |
| Make Event Autodetection Large | 311.66ms | 310.83ms | -0.3% | |
| Make Event Explicit Types | 13.85ms | 13.77ms | -0.6% | |
| Excavate Single Thread Small | 3.861s | 3.906s | +1.2% | |
| Excavate Single Thread Large | 9.537s | 9.506s | -0.3% | |
| Excavate Parallel Tasks Small | 4.076s | 4.140s | +1.6% | |
| Excavate Parallel Tasks Large | 6.482s | 6.507s | +0.4% | |
| Is Ip Performance | 3.15ms | 3.14ms | -0.3% | |
| Make Ip Type Performance | 11.32ms | 11.49ms | +1.5% | |
| Mixed Ip Operations | 4.47ms | 4.51ms | +1.0% | |
| Memory Use Web Crawl | 145.5 MB | 151.0 MB | +3.7% | |
| Memory Use Subdomain Enum | 19.4 MB | 19.4 MB | +0.2% | |
| Scan Throughput 100 | 4.357s | 4.585s | +5.2% | |
| Scan Throughput 1000 | 34.647s | 37.143s | +7.2% | |
| Typical Queue Shuffle | 62.73µs | 67.60µs | +7.8% | |
| Priority Queue Shuffle | 717.22µs | 746.68µs | +4.1% | |

🎯 Performance Summary

No significant performance changes detected (all changes <10%)


🐍 Python Version 3.11.15

codecov bot commented Mar 15, 2026

Codecov Report

❌ Patch coverage is 91.95710% with 30 lines in your changes missing coverage. Please review.
✅ Project coverage is 91%. Comparing base (e7e61a9) to head (1b85374).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| bbot/modules/lightfuzz/submodules/crypto.py | 78% | 16 Missing ⚠️ |
| .../test_step_2/module_tests/test_module_lightfuzz.py | 95% | 13 Missing ⚠️ |
| bbot/modules/lightfuzz/submodules/xss.py | 97% | 1 Missing ⚠️ |
Additional details and impacted files
@@                     Coverage Diff                      @@
##           blasthttp-integration-clean   #2967    +/-   ##
============================================================
+ Coverage                           91%     91%    +1%     
============================================================
  Files                              443     443            
  Lines                            37927   38284   +357     
============================================================
+ Hits                             34316   34662   +346     
- Misses                            3611    3622    +11     


@liquidsec liquidsec changed the title Lightfuzz improvements mar 26 Lightfuzz false positive reduction + crypto submodule improvements Mar 25, 2026
@liquidsec liquidsec marked this pull request as ready for review March 26, 2026 17:42
…dule

- detect_ecb(): passive repeated-block analysis, zero HTTP requests
- cbc_bitflip(): active test mutating penultimate block positions, 2 HTTP requests
- Fix modify_string() treating position=0 as falsy

… CSRF tokens, remove generic error string

- Add get_waf_strings() helper to misc.py with 7 common WAF signatures
- Use centralized WAF list in path.py and serial.py instead of hardcoded strings
- Blacklist CSRF tokens and ASP.NET session cookies in defaults.yml
- Remove overly generic "access denied" from crypto error strings

…erification, SQLi WAF detection

- Add endpoint stability pre-check to padding oracle and CBC bitflip tests
- Verify XSS probe matches appear in the correct HTML context
- Suppress SQLi findings when single-quote probe triggers WAF 403
- Blacklist PKCE and Akamai Bot Manager parameters

Prevents false positive deserialization findings against endpoints like
GlobalProtect that use non-standard status codes (e.g. 512).

URL events are now DictHostEvent so e.data is a dict, not a string.
@liquidsec liquidsec force-pushed the lightfuzz-improvements-mar-26 branch from 3c54eca to ab42ab3 Compare April 3, 2026 19:48
@liquidsec liquidsec changed the base branch from 3.0 to blasthttp-integration-clean April 3, 2026 19:48