Comparing changes
Open a pull request
- 12 commits
- 4 files changed
- 3 contributors
Commits on Feb 4, 2026
-
Merge pull request #2 from devploit/devploit/scan-toggle-button
feat: add scan toggle button (v2.0.1)
-
fix: reduce false positives in path and param/header detection (v2.0.2)
- Add redirect detection: compare path redirects with catch-all redirect from random path probe - Add natural variance measurement: verify ambiguous signals with control request on dynamic sites - Improve soft-404 detection: filter paths with nearly identical content length (within 3%) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
-
Merge pull request #3 from devploit/devploit/fix-false-positives
fix: reduce false positives in detection (v2.0.2)
-
fix: require variance check for all detections without debug indicato…
…rs (v2.0.3) Previously, variance check was only triggered for similarity-based signals. Now it triggers for ANY detection that lacks debug indicators, preventing false positives on dynamic pages like login.microsoftonline.com. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
-
Merge pull request #4 from devploit/devploit/fix-false-positives
fix: require variance check for detections without debug indicators (v2.0.3)
-
fix: always re-analyze with variance, not just for highly dynamic sit…
…es (v2.0.4) Previously only re-analyzed if site had < 95% natural similarity. Now always re-analyzes with measured variance to catch subtler false positives. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
-
Merge pull request #5 from devploit/devploit/fix-false-positives
fix: always re-analyze with measured variance (v2.0.4)
-
fix: only skip paths that redirect to catch-all destination (v2.0.5)
Previously all redirecting paths were skipped. Now only paths that redirect to the SAME destination as the random probe are filtered. Other redirects (like /admin -> /admin/login) are followed and checked. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
-
Merge pull request #6 from devploit/devploit/fix-false-positives
fix: only skip paths with catch-all redirect (v2.0.5)
-
fix: include port in baseUrl for path checking (v2.0.6)
Changed urlObj.hostname to urlObj.host to include the port number. Without this, paths on localhost:9000 were being checked on localhost:80. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
-
fix: reduce false positives in path and param/header detection (v2.0.6)
Major changes to reduce false positives: - Redirect detection: compare with catch-all redirect from random path probe - Natural variance measurement for dynamic sites - Smart mode requires clear evidence (debug indicators or status changes) - Debug indicators must be NEW (not present in original response) - Fixed path detection on non-standard ports (use host instead of hostname) - Improved soft-404 detection with tighter content length comparison Added dynamic test server (test/server.py) that serves different content based on debug params/headers, mimicking real-world behavior. Updated README with new test server instructions and changelog. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
-
Merge pull request #7 from devploit/devploit/fix-false-positives
fix: reduce false positives in detection (v2.0.6)
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff devploit/scan-toggle-button...main