Lightfuzz false positive reduction + crypto submodule improvements#2967

Open: liquidsec wants to merge 14 commits into 3.0 from lightfuzz-improvements-mar-26

Conversation

@liquidsec liquidsec commented Mar 15, 2026

Summary

Systematic reduction of lightfuzz false positives across multiple submodules, plus new crypto detection capabilities.

False Positive Fixes

Serialization (serial.py)

  • Centralize WAF detection using shared get_waf_strings() helper instead of hardcoded strings
  • Skip Error Resolution when baseline status code is non-standard (>511), preventing false positives against endpoints like GlobalProtect that use custom status codes (e.g. 512)

XSS (xss.py)

  • Verify XSS probe matches appear in the correct HTML context (e.g. inside an attribute vs. bare HTML), not just anywhere in the response body

SQLi (sqli.py)

  • Suppress SQLi findings when a single-quote probe triggers a WAF 403 response, since the error-based detection is actually seeing WAF behavior, not a database error

Crypto (crypto.py)

  • Add endpoint stability pre-check to padding oracle and CBC bitflip tests — if the endpoint has natural timing jitter that exceeds the detection threshold, skip the test instead of producing a false positive
  • Remove overly generic "access denied" from crypto error strings

Path Traversal (path.py)

  • Use centralized WAF detection list instead of hardcoded strings

Excavate (excavate.py)

  • Skip parameter extraction from out-of-scope redirect targets, preventing lightfuzz from fuzzing parameters on third-party sites

Global / Config

  • Add get_waf_strings() helper to misc.py with 7 common WAF signatures, shared across submodules
  • Blacklist CSRF tokens and ASP.NET session cookies in defaults.yml to prevent fuzzing non-meaningful parameters
  • Blacklist PKCE (code_verifier, code_challenge) and Akamai Bot Manager (_abck, bm_sz) parameters

New Features

Crypto submodule

  • ECB mode detection via passive repeated-block analysis (zero HTTP requests)
  • CBC bit-flipping detection via active mutation of penultimate block positions (2 HTTP requests)

Misc

  • Fix modify_string() treating position=0 as falsy
  • Remove duplicate get_waf_strings() definition

…dule

- detect_ecb(): passive repeated-block analysis, zero HTTP requests
- cbc_bitflip(): active test mutating penultimate block positions, 2 HTTP requests
- Fix modify_string() treating position=0 as falsy

… CSRF tokens, remove generic error string

- Add get_waf_strings() helper to misc.py with 7 common WAF signatures
- Use centralized WAF list in path.py and serial.py instead of hardcoded strings
- Blacklist CSRF tokens and ASP.NET session cookies in defaults.yml
- Remove overly generic "access denied" from crypto error strings
@liquidsec liquidsec marked this pull request as draft March 15, 2026 16:36
github-actions bot commented Mar 15, 2026

📊 Performance Benchmark Report

Comparing 3.0 (baseline) vs lightfuzz-improvements-mar-26 (current)

📈 Detailed Results (All Benchmarks)

📋 Complete results for all benchmarks - includes both significant and insignificant changes

| Test Name | Base | Current | Change | Status |
|---|---|---|---|---|
| Bloom Filter Dns Mutation Tracking Performance | 4.31ms | 4.53ms | +5.1% | |
| Bloom Filter Large Scale Dns Brute Force | 18.36ms | 20.05ms | +9.2% | |
| Large Closest Match Lookup | 356.88ms | 341.45ms | -4.3% | |
| Realistic Closest Match Workload | 189.30ms | 194.76ms | +2.9% | |
| Event Memory Medium Scan | 1784 B/event | 1777 B/event | -0.4% | |
| Event Memory Large Scan | 1768 B/event | 1765 B/event | -0.2% | |
| Event Validation Full Scan Startup Small Batch | 412.25ms | 410.14ms | -0.5% | |
| Event Validation Full Scan Startup Large Batch | 593.49ms | 595.57ms | +0.4% | |
| Make Event Autodetection Small | 31.58ms | 31.60ms | +0.1% | |
| Make Event Autodetection Large | 319.42ms | 315.42ms | -1.3% | |
| Make Event Explicit Types | 14.11ms | 13.77ms | -2.4% | |
| Excavate Single Thread Small | 4.253s | 3.971s | -6.6% | |
| Excavate Single Thread Large | 9.958s | 9.502s | -4.6% | |
| Excavate Parallel Tasks Small | 4.280s | 4.127s | -3.6% | |
| Excavate Parallel Tasks Large | 7.370s | 7.192s | -2.4% | |
| Is Ip Performance | 3.21ms | 3.19ms | -0.5% | |
| Make Ip Type Performance | 11.43ms | 11.48ms | +0.4% | |
| Mixed Ip Operations | 4.53ms | 4.56ms | +0.6% | |
| Memory Use Web Crawl | 41.2 MB | 53.1 MB | +28.7% | 🔴🔴🔴 ⚠️ |
| Memory Use Subdomain Enum | 19.3 MB | 19.4 MB | +0.3% | |
| Scan Throughput 100 | 8.640s | 7.358s | -14.8% | 🟢🟢 🚀 |
| Scan Throughput 1000 | 46.504s | 41.202s | -11.4% | 🟢🟢 🚀 |
| Typical Queue Shuffle | 64.74µs | 64.61µs | -0.2% | |
| Priority Queue Shuffle | 727.95µs | 722.56µs | -0.7% | |

🎯 Performance Summary

+ 2 improvements 🚀
! 1 regression ⚠️
  21 unchanged ✅

🔍 Significant Changes (>10%)

  • Memory Use Web Crawl: 28.7% 🐌 more memory
  • Scan Throughput 100: 14.8% 🚀 faster
  • Scan Throughput 1000: 11.4% 🚀 faster

🐍 Python Version 3.11.15

codecov bot commented Mar 15, 2026

Codecov Report

❌ Patch coverage is 91.66667% with 31 lines in your changes missing coverage. Please review.
✅ Project coverage is 91%. Comparing base (edefefc) to head (3c54eca).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| bbot/modules/lightfuzz/submodules/crypto.py | 78% | 16 Missing ⚠️ |
| .../test_step_2/module_tests/test_module_lightfuzz.py | 95% | 13 Missing ⚠️ |
| bbot/modules/lightfuzz/submodules/sqli.py | 86% | 1 Missing ⚠️ |
| bbot/modules/lightfuzz/submodules/xss.py | 97% | 1 Missing ⚠️ |
Additional details and impacted files
@@          Coverage Diff           @@
##             3.0   #2967    +/-   ##
======================================
+ Coverage     91%     91%    +1%     
======================================
  Files        440     440            
  Lines      37330   37686   +356     
======================================
+ Hits       33809   34138   +329     
- Misses      3521    3548    +27     


…erification, SQLi WAF detection

- Add endpoint stability pre-check to padding oracle and CBC bitflip tests
- Verify XSS probe matches appear in the correct HTML context
- Suppress SQLi findings when single-quote probe triggers WAF 403
- Blacklist PKCE and Akamai Bot Manager parameters

Prevents false positive deserialization findings against endpoints like
GlobalProtect that use non-standard status codes (e.g. 512).
@liquidsec liquidsec changed the title Lightfuzz improvements mar 26 Lightfuzz false positive reduction + crypto submodule improvements Mar 25, 2026
@liquidsec liquidsec marked this pull request as ready for review March 26, 2026 17:42