Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reduce false positives with canary probe #2168

Merged
merged 7 commits into from
Jan 14, 2025
Merged

Reduce false positives with canary probe #2168

merged 7 commits into from
Jan 14, 2025

Conversation

liquidsec
Copy link
Collaborator

@liquidsec liquidsec commented Jan 13, 2025
edited
Loading

This PR significantly changes the behavior of the reflected params module. It now requires the check of a canary, along with the target parameter. This is to prevent situations where ALL parameters are reflected to the page. These scenarios are rarely interesting to an attacker.

This also adds the ability to test reflection in ALL parameter types - not just GET as before. Prior to this, all parameter types were tried as GET requests only.

Tests were added for all new functionality.

This PR meets the goals set by #2097, although the approach ended up being somewhat different.

@codecov Codecov
Copy link

codecov bot commented Jan 13, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 99.11504% with 1 line in your changes missing coverage. Please review.

Project coverage is 93%. Comparing base (f40bd13) to head (cba944a).
Report is 11 commits behind head on lightfuzz.

Files with missing lines Patch % Lines
bbot/modules/reflected_parameters.py 97% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           lightfuzz   #2168    +/-   ##
==========================================
+ Coverage         93%     93%    +1%     
==========================================
  Files            386     386            
  Lines          31250   31357   +107     
==========================================
+ Hits           28809   28929   +120     
+ Misses          2441    2428    -13

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@TheTechromancer TheTechromancer mentioned this pull request Jan 13, 2025
Open
@liquidsec liquidsec mentioned this pull request Jan 13, 2025
Closed
@liquidsec liquidsec merged commit 7c77b1c into lightfuzz Jan 14, 2025
14 checks passed
@liquidsec liquidsec deleted the lightfuzz-reflected-params-rework branch January 14, 2025 13:55
@liquidsec liquidsec removed the request for review from TheTechromancer January 14, 2025 13:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TheTechromancer TheTechromancer TheTechromancer approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@liquidsec @TheTechromancer