sqli: two-stage scaling-delay confirmation for time-based blind detection #3152

Merged
liquidsec merged 1 commit into lightfuzz-improvements-mar-26 from sqli-fp-sliding-delay
Jun 8, 2026

@liquidsec

Collaborator

Replaces single-delay 3x-confirmation with two-stage scaling-delay (delay_low=3s, delay_high=8s). Finding emitted only when measured delay scales with requested delay. Kills the jitter FP class where slow/WAF-fronted hosts produce false positives from random latency landing in the detection window.
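
The decision logic summarized in the description above, as an added example that is not BBOT's code: it works only on already-measured response times and compares a single-delay check with the two-stage scaling check. `TOLERANCE`, the function names and the sample timings are assumptions; only the 3s and 8s delays come from the PR.

```python
from statistics import median

DELAY_LOW = 3.0    # seconds, stage 1 (value from the PR description)
DELAY_HIGH = 8.0   # seconds, stage 2 (value from the PR description)
TOLERANCE = 1.5    # seconds; assumed detection window, not taken from the PR


def in_window(elapsed, baseline, requested, tolerance=TOLERANCE):
    """True if the latency added over baseline is close to the requested delay."""
    return abs((elapsed - baseline) - requested) <= tolerance


def single_delay_confirm(baseline_samples, elapsed_samples, requested=DELAY_LOW):
    """Simplified model of single-delay confirmation: every repeat must land in the window."""
    base = median(baseline_samples)
    return all(in_window(e, base, requested) for e in elapsed_samples)


def scaling_delay_confirm(baseline_samples, low_elapsed, high_elapsed):
    """Two-stage check: each stage must match its requested delay, and the gap
    between the stages must match DELAY_HIGH - DELAY_LOW."""
    base = median(baseline_samples)
    if not in_window(low_elapsed, base, DELAY_LOW):
        return False   # stage 1 failed, stage 2 is not needed
    if not in_window(high_elapsed, base, DELAY_HIGH):
        return False   # latency did not grow with the requested delay
    return abs((high_elapsed - low_elapsed) - (DELAY_HIGH - DELAY_LOW)) <= TOLERANCE


# Constructed timings in seconds (not measurements from any real host).
BASELINE = [0.4, 0.5, 0.6]
JITTERY = {"repeats": [3.6, 3.2, 3.4], "low": 3.6, "high": 3.4}  # random latency near 3s
CONSTANT = {"low": 8.4, "high": 8.6}   # fixed stall regardless of requested delay
SCALING = {"low": 3.5, "high": 8.6}    # added latency tracks the requested delay

if __name__ == "__main__":
    print("single-delay, jittery host:", single_delay_confirm(BASELINE, JITTERY["repeats"]))
    print("two-stage, jittery host:   ", scaling_delay_confirm(BASELINE, JITTERY["low"], JITTERY["high"]))
    print("two-stage, constant stall: ", scaling_delay_confirm(BASELINE, CONSTANT["low"], CONSTANT["high"]))
    print("two-stage, scaling delay:  ", scaling_delay_confirm(BASELINE, SCALING["low"], SCALING["high"]))
```
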

@github-actions

github-actions Bot commented Jun 7, 2026

Contributor

📊 Performance Benchmark Report

Comparing lightfuzz-improvements-mar-26 (baseline) vs sqli-fp-sliding-delay (current)

📈 Detailed Results (All Benchmarks)

📋 Complete results for all benchmarks - includes both significant and insignificant changes

| 🧪 Test Name | 📏 Base | 📏 Current | 📈 Change | 🎯 Status |
|---|---|---|---|---|
| Bloom Filter Dns Mutation Tracking Performance | 4.17ms | 4.18ms | +0.2% | |
| Bloom Filter Large Scale Dns Brute Force | 17.30ms | 17.81ms | +3.0% | |
| Large Closest Match Lookup | 337.25ms | 347.73ms | +3.1% | |
| Realistic Closest Match Workload | 188.18ms | 188.05ms | -0.1% | |
| Event Memory Medium Scan | 1394 B/event | 1395 B/event | +0.1% | |
| Event Memory Large Scan | 1519 B/event | 1519 B/event | +0.0% | |
| Event Validation Full Scan Startup Small Batch | 408.03ms | 413.28ms | +1.3% | |
| Event Validation Full Scan Startup Large Batch | 562.05ms | 579.20ms | +3.1% | |
| Make Event Autodetection Small | 24.90ms | 24.49ms | -1.6% | |
| Make Event Autodetection Large | 256.80ms | 256.78ms | -0.0% | |
| Make Event Explicit Types | 11.43ms | 10.98ms | -3.9% | |
| Excavate Single Thread Small | 3.699s | 3.647s | -1.4% | |
| Excavate Single Thread Large | 9.581s | 9.218s | -3.8% | |
| Excavate Parallel Tasks Small | 3.851s | 3.830s | -0.6% | |
| Excavate Parallel Tasks Large | 6.304s | 6.304s | +0.0% | |
| Intercept Throughput Small | 1.067s | 1.031s | -3.3% | |
| Intercept Throughput Medium | 1.049s | 1.041s | -0.8% | |
| Is Ip Performance | 2.23ms | 2.23ms | -0.3% | |
| Make Ip Type Performance | 219.67µs | 216.28µs | -1.5% | |
| Mixed Ip Operations | 2.32ms | 2.29ms | -1.2% | |
| Memory Use Web Crawl | 400.5 MB | 433.4 MB | +8.2% | |
| Memory Use Subdomain Enum | 29.2 MB | 29.2 MB | +0.0% | |
| Memory Use Deep Chain | 8.6 MB | 8.6 MB | -0.1% | |
| Memory Use Parallel Chains | 20.9 MB | 23.3 MB | +11.5% | 🟡🟡 ⚠️ |
| Scan Throughput 100 | 3.362s | 3.393s | +0.9% | |
| Scan Throughput 1000 | 23.626s | 25.147s | +6.4% | |
| Typical Queue Shuffle | 5.35µs | 5.37µs | +0.4% | |
| Priority Queue Shuffle | 26.01µs | 26.07µs | +0.2% | |

🎯 Performance Summary

! 1 regression ⚠️
  27 unchanged ✅

🔍 Significant Changes (>10%)

  • Memory Use Parallel Chains: 11.5% 🐌 more memory

🐍 Python Version 3.11.15

@codecov

codecov Bot commented Jun 7, 2026


Codecov Report

❌ Patch coverage is 85.39326% with 13 lines in your changes missing coverage. Please review.
✅ Project coverage is 90%. Comparing base (da49503) to head (6f47bdc).
⚠️ Report is 2 commits behind head on lightfuzz-improvements-mar-26.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| bbot/modules/lightfuzz/submodules/sqli.py | 80% | 12 Missing ⚠️ |
| .../test_step_2/module_tests/test_module_lightfuzz.py | 97% | 1 Missing ⚠️ |

Additional details and impacted files
@@                      Coverage Diff                      @@
##           lightfuzz-improvements-mar-26   #3152   +/-   ##
=============================================================
+ Coverage                             90%     90%   +1%     
=============================================================
  Files                                442     442           
  Lines                              40754   40814   +60     
=============================================================
+ Hits                               36566   36632   +66     
+ Misses                              4188    4182    -6     

@liquidsec liquidsec merged commit e2aaa95 into lightfuzz-improvements-mar-26 Jun 8, 2026
18 checks passed
@liquidsec liquidsec deleted the sqli-fp-sliding-delay branch June 8, 2026 13:19
@liquidsec liquidsec mentioned this pull request Jun 9, 2026
@ausmaster ausmaster added this to the BBOT 3.0 - blazed_elijah milestone Jun 15, 2026