Skip to content

fix: reduce false positives in detection (v2.0.6)#7

Merged
devploit merged 2 commits intomainfrom
devploit/fix-false-positives
Feb 4, 2026
Merged

fix: reduce false positives in detection (v2.0.6)#7
devploit merged 2 commits intomainfrom
devploit/fix-false-positives

Conversation

@devploit
Copy link
Owner

@devploit devploit commented Feb 4, 2026

Summary

Major improvements to reduce false positives while maintaining detection accuracy:

  • Redirect detection: Paths that redirect to the same destination as random paths are filtered
  • Natural variance measurement: Dynamic sites are detected and handled appropriately
  • Smart mode improvements: Now requires clear evidence (debug indicators or status changes)
  • Debug indicator comparison: Only NEW indicators (not in original response) count
  • Port fix: Path detection now works correctly on non-standard ports (e.g., localhost:9000)
  • Soft-404 improvements: Tighter content length comparison (3% threshold)

New test server

Added test/server.py - a dynamic server that serves different content based on debug params/headers, mimicking real-world behavior where debug endpoints only expose sensitive data when triggered.

Test plan

  • No false positives on login.microsoftonline.com
  • Detects debug params/headers on test server
  • Detects sensitive paths on test server
  • Path detection works on non-standard ports

🤖 Generated with Claude Code

devploit and others added 2 commits February 4, 2026 20:19
@devploit @claude
fix: include port in baseUrl for path checking (v2.0.6)
2430682 
Changed urlObj.hostname to urlObj.host to include the port number.
Without this, paths on localhost:9000 were being checked on localhost:80.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@devploit @claude
fix: reduce false positives in path and param/header detection (v2.0.6)
5d7eaef 
Major changes to reduce false positives:
- Redirect detection: compare with catch-all redirect from random path probe
- Natural variance measurement for dynamic sites
- Smart mode requires clear evidence (debug indicators or status changes)
- Debug indicators must be NEW (not present in original response)
- Fixed path detection on non-standard ports (use host instead of hostname)
- Improved soft-404 detection with tighter content length comparison

Added dynamic test server (test/server.py) that serves different content
based on debug params/headers, mimicking real-world behavior.

Updated README with new test server instructions and changelog.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@devploit devploit merged commit 60dfc2f into main Feb 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@devploit