Version 1.1.0#374

Open
liquidsec wants to merge 44 commits into main from dev

Conversation

@liquidsec liquidsec commented Mar 27, 2026

1.1.0 release

Tooling: Poetry → uv (#390)

  • [tool.poetry] → PEP 621 [project] + [dependency-groups].
  • Build backend: poetry-core + poetry-dynamic-versioning → hatchling.
  • Static version pinned in badsecrets/__version__.py (mirrors baddns; major/minor bumps trigger PyPI publish).
  • CI rewritten to astral-sh/setup-uv@v6 + uv sync / uv run / uv build.
  • uv.lock replaces poetry.lock.

HTTP: httpx → blasthttp (#391)

  • Replace httpx with blasthttp (Rust-backed async client). httpx and respx are dropped entirely.
  • base.py: rename the httpx_response= kwarg to http_response=. Carve now duck-types — works with anything exposing .text / .headers / .cookies. bbot's existing call surface (carve_all_modules(body=, headers=, cookies=, url=, …)) is unchanged.
  • probe_all_modules() accepts an optional http_client= so callers (CLI, bbot) can share a client.
  • Active modules (shiro_rememberme, ltpa_token, globalprotect) switch to blasthttp.BlastHTTP and accept http_client= for injection.
  • All four CLI scripts converted: cli.py, telerik_knownkey.py, blacklist3r.py, symfony_knownkey.py.
  • Tests: respx replaced by blasthttp.mock.BlasthttpMock; new tests/conftest.py exposes a bh_mock fixture that auto-patches each CLI script's BlastHTTP import.

Library: surface IdentifyOnly results from cookies and manual product mode (#393)

Closes the long-standing gap where badsecrets -u <laravel-protected-site> printed No secrets found :( even though the cookie was correctly identified — only the APP_KEY wasn't in the wordlist.

  • carve() cookies branch: adds an IdentifyOnly fallback gated on validate_carve, mirroring the headers/body branches.
  • check_all_modules() (the badsecrets <product> path) returns a list of dicts (each tagged SecretFound or IdentifyOnly), matching carve_all_modules()'s shape.
  • carve_all_modules() and check_all_modules() suppress every IdentifyOnly result whenever any SecretFound exists — actionable hits outrank recognition-only candidates.
  • Per-module IdentifyOnly dedup inside carve() and per-detecting_module dedup across CLI fetches: one LaravelSignedCookies IdentifyOnly per module per scan, not one per cookie per response.
  • Tightened identify_regex on the loose-base64 modules (laravel_signedcookies, ltpa_token, shiro_rememberme, peoplesoft_pstoken, telerik_hashkey, telerik_encryptionkey) to anchor on actual format prefixes and exclude eyJ-prefixed values from the encrypted-base64 patterns.
  • cli.py product-mode iterates the new list and dispatches SecretFound vs IdentifyOnly to the appropriate report. URL-mode unchanged.

Cleanup

  • Deprecate the blacklist3r CLI tool (#392, #394). Capabilities are now covered by the main viewstate modules; standalone tool was dead-weight maintenance burden.
  • Test fixes for Python 3.13+ stricter base64.b64decode: test_PBKDF2_crypt and test_PBKDF1_MS_crypt slice URL-encoded fixtures correctly (664f690, b28c38d).
  • Various dependabot bumps: cryptography, django, pytest, respx (later removed), pygments, poetry-core.

bbot compatibility

bbot only imports carve_all_modules, which already returned a list. No bbot-side changes required for this release.

dependabot Bot and others added 13 commits March 23, 2026 16:03
Bumps [pyjwt](https://github.com/jpadilla/pyjwt) from 2.11.0 to 2.12.1.
- [Release notes](https://github.com/jpadilla/pyjwt/releases)
- [Changelog](https://github.com/jpadilla/pyjwt/blob/master/CHANGELOG.rst)
- [Commits](jpadilla/pyjwt@2.11.0...2.12.1)

---
updated-dependencies:
- dependency-name: pyjwt
  dependency-version: 2.12.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pytest-cov](https://github.com/pytest-dev/pytest-cov) from 7.0.0 to 7.1.0.
- [Changelog](https://github.com/pytest-dev/pytest-cov/blob/master/CHANGELOG.rst)
- [Commits](pytest-dev/pytest-cov@v7.0.0...v7.1.0)

---
updated-dependencies:
- dependency-name: pytest-cov
  dependency-version: 7.1.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
…pytest-cov-7.1.0

Bump pytest-cov from 7.0.0 to 7.1.0
…pyjwt-2.12.1

Bump pyjwt from 2.11.0 to 2.12.1
Bumps [anyio](https://github.com/agronholm/anyio) from 4.12.1 to 4.13.0.
- [Release notes](https://github.com/agronholm/anyio/releases)
- [Commits](agronholm/anyio@4.12.1...4.13.0)

---
updated-dependencies:
- dependency-name: anyio
  dependency-version: 4.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [werkzeug](https://github.com/pallets/werkzeug) from 3.1.6 to 3.1.7.
- [Release notes](https://github.com/pallets/werkzeug/releases)
- [Changelog](https://github.com/pallets/werkzeug/blob/main/CHANGES.rst)
- [Commits](pallets/werkzeug@3.1.6...3.1.7)

---
updated-dependencies:
- dependency-name: werkzeug
  dependency-version: 3.1.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Added Dockerfile, and basic usage directions
…anyio-4.13.0

Bump anyio from 4.12.1 to 4.13.0
…werkzeug-3.1.7

Bump werkzeug from 3.1.6 to 3.1.7
This file was a stale poetry export that listed transitive deps
(like requests) no longer in pyproject.toml, causing Dependabot
to open PRs for phantom dependencies.
@liquidsec liquidsec changed the title Dev Version 1.1 Mar 27, 2026
dependabot Bot and others added 5 commits March 27, 2026 20:35
Bumps [cryptography](https://github.com/pyca/cryptography) from 46.0.5 to 46.0.6.
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](pyca/cryptography@46.0.5...46.0.6)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-version: 46.0.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…cryptography-46.0.6

Bump cryptography from 46.0.5 to 46.0.6
Added Dockerfile and brief usage instructions to README.md
Remove redundant mkdir, add --no-cache-dir to pip install,
strip trailing whitespace, and add .dockerignore to exclude
build artifacts and IDE files from the image.
codecov-commenter commented Mar 27, 2026

Codecov Report

❌ Patch coverage is 96.49123% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 99.70%. Comparing base (6a7aa49) to head (b13587a).

Files with missing lines Patch % Lines
badsecrets/examples/telerik_knownkey.py 91.83% 4 Missing ⚠️
badsecrets/__version__.py 0.00% 1 Missing ⚠️
badsecrets/base.py 97.91% 1 Missing ⚠️
Additional details and impacted files
@@             Coverage Diff             @@
##              main     #374      +/-   ##
===========================================
- Coverage   100.00%   99.70%   -0.30%     
===========================================
  Files           30       30              
  Lines         3084     3081       -3     
===========================================
- Hits          3084     3072      -12     
- Misses           0        9       +9     


dependabot Bot and others added 4 commits March 30, 2026 19:25
Bumps [pygments](https://github.com/pygments/pygments) from 2.19.2 to 2.20.0.
- [Release notes](https://github.com/pygments/pygments/releases)
- [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES)
- [Commits](pygments/pygments@2.19.2...2.20.0)

---
updated-dependencies:
- dependency-name: pygments
  dependency-version: 2.20.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [poetry](https://github.com/python-poetry/poetry) from 2.3.2 to 2.3.3.
- [Release notes](https://github.com/python-poetry/poetry/releases)
- [Changelog](https://github.com/python-poetry/poetry/blob/main/CHANGELOG.md)
- [Commits](python-poetry/poetry@2.3.2...2.3.3)

---
updated-dependencies:
- dependency-name: poetry
  dependency-version: 2.3.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…ry-2.3.3

Bump poetry from 2.3.2 to 2.3.3
github-actions Bot commented Apr 3, 2026

Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

0 out of 2 committers have signed the CLA.
@liquidsec
@vortexau

You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

liquidsec and others added 5 commits April 3, 2026 10:24
…ents-2.20.0

Bump pygments from 2.19.2 to 2.20.0
Bumps [django](https://github.com/django/django) from 5.2.12 to 5.2.13.
- [Commits](django/django@5.2.12...5.2.13)

---
updated-dependencies:
- dependency-name: django
  dependency-version: 5.2.13
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [respx](https://github.com/lundberg/respx) from 0.22.0 to 0.23.1.
- [Release notes](https://github.com/lundberg/respx/releases)
- [Changelog](https://github.com/lundberg/respx/blob/master/CHANGELOG.md)
- [Commits](lundberg/respx@0.22.0...0.23.1)

---
updated-dependencies:
- dependency-name: respx
  dependency-version: 0.23.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [pytest](https://github.com/pytest-dev/pytest) from 9.0.2 to 9.0.3.
- [Release notes](https://github.com/pytest-dev/pytest/releases)
- [Changelog](https://github.com/pytest-dev/pytest/blob/main/CHANGELOG.rst)
- [Commits](pytest-dev/pytest@9.0.2...9.0.3)

---
updated-dependencies:
- dependency-name: pytest
  dependency-version: 9.0.3
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
…django-5.2.13

Bump django from 5.2.12 to 5.2.13
…st-9.0.3

Bump pytest from 9.0.2 to 9.0.3
@liquidsec liquidsec (Collaborator, Author) commented

recheck

liquidsec and others added 16 commits May 1, 2026 12:35
…respx-0.23.1

Bump respx from 0.22.0 to 0.23.1
Python 3.13 made base64.b64decode strict about input length (rejects
length mod 4 == 1). The test sliced [:-44] on the URL-encoded string
to strip the 44-char hash, but the URL-encoded hash is longer than 44
chars (% escapes), so leftover hash bytes remained and produced an
invalid base64 length after unquote. Unquote first, then slice.
- Replace [tool.poetry] with PEP 621 [project] table
- Switch build backend from poetry-core/poetry-dynamic-versioning to hatchling
- Drop dynamic versioning; pin version in badsecrets/__version__.py (mirrors baddns)
- Add [dependency-groups].dev for dev deps
- Generate uv.lock; remove poetry.lock
- CI: replace poetry with astral-sh/setup-uv, uv sync, uv run, uv build
- Update CLI fallback message and matching test
…3.13+

Same root cause as the PBKDF2_crypt fix: [:-44] is applied to the
URL-encoded fixture, but %-escapes make the encoded hash longer than
44 chars, leaving leftover bytes in what's supposed to be the
encrypted portion. Python 3.13+ rejects the resulting base64 length;
earlier versions tolerated it.
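The two commit messages above (the PBKDF2_crypt and PBKDF1_MS_crypt fixes) describe the same slicing-order mistake. The following is an added example, not the badsecrets test fixtures or test code: it builds a constructed token (base64 ciphertext followed by a 44-character base64 MAC), URL-encodes it, and shows that `[:-44]` removes the whole MAC only when applied after `unquote`. The fixture bytes, `strip_mac`, `recover_ciphertext` and `leftover_mac_chars` are all constructed for this illustration.

```python
import base64
from urllib.parse import quote, unquote

MAC_B64_LEN = 44  # base64 of a 32-byte MAC, padding included

# Constructed fixture (not the badsecrets test data): 21 bytes of "ciphertext"
# (a multiple of 3, so its base64 needs no '=' padding) followed by a 32-byte
# "MAC" chosen so that its base64 form contains '+', '/' and '=', each of which
# %-escaping expands to three characters.
CIPHERTEXT = bytes(range(21))
MAC = bytes(range(248, 256)) * 4
CIPHER_B64 = base64.b64encode(CIPHERTEXT).decode()
MAC_B64 = base64.b64encode(MAC).decode()
TOKEN = CIPHER_B64 + MAC_B64
URL_TOKEN = quote(TOKEN, safe="")  # the shape of a URL-encoded test fixture


def strip_mac(url_encoded: str, unquote_first: bool) -> str:
    """Remove the trailing 44-char MAC from a URL-encoded token.

    unquote_first=True is the corrected order; False reproduces the old
    test's mistake of slicing the still-escaped string, where the escaped
    MAC is longer than 44 characters.
    """
    if unquote_first:
        return unquote(url_encoded)[:-MAC_B64_LEN]
    return unquote(url_encoded[:-MAC_B64_LEN])


def recover_ciphertext(url_encoded: str) -> bytes:
    """Correct order: unquote, slice off the MAC, then base64-decode."""
    return base64.b64decode(strip_mac(url_encoded, unquote_first=True), validate=True)


def leftover_mac_chars(url_encoded: str) -> str:
    """MAC characters that survive when slicing happens before unquote."""
    wrong = strip_mac(url_encoded, unquote_first=False)
    return wrong[len(CIPHER_B64):]


if __name__ == "__main__":
    print("escaped MAC length :", len(quote(MAC_B64, safe="")), "(more than 44)")
    print("unquote then slice :", strip_mac(URL_TOKEN, unquote_first=True))
    print("slice then unquote :", strip_mac(URL_TOKEN, unquote_first=False))
    print("leftover MAC chars :", leftover_mac_chars(URL_TOKEN))
```

With the wrong order the leftover MAC characters are appended to the ciphertext's base64, so the string handed to `base64.b64decode` is no longer the encoded ciphertext at all; whether a given Python version raises on its length or silently decodes garbage depends on how many characters were left behind, which is why the fix is to unquote first rather than to adjust the slice.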
Updates the requirements on [django](https://github.com/django/django) to permit the latest version.
- [Commits](django/django@4.1.2...5.2.14)

---
updated-dependencies:
- dependency-name: django
  dependency-version: 5.2.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…django-5.2.14

Update django requirement from <6.0.0,>=4.1.2 to >=5.2.14,<6.0.0
The cookies branch of carve() previously only emitted SecretFound, with no
IdentifyOnly fallback like the headers and body branches had. Likewise,
check_all_modules (the manual / 'badsecrets <product>' path) only ran
check_secret. As a result, recognizable cryptographic products with unknown
keys were silently dropped — most visibly Laravel cookies (carve_locations
is just ('cookies',)).

Both paths now mirror the headers/body symmetry:
- carve() cookies branch falls back to identify() when check_secret misses,
  gated on validate_carve.
- check_all_modules returns a list of dicts (now including IdentifyOnly hits),
  matching carve_all_modules's shape.
- carve_all_modules and check_all_modules suppress all IdentifyOnly results
  when any module produces a SecretFound — actionable hits outrank
  recognition-only candidates.
- cli.py product-mode iterates the new list and dispatches SecretFound vs
  IdentifyOnly to the appropriate report; URL-mode unaffected.

bbot is unaffected: it imports only carve_all_modules and consumes the list
return that already existed.
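The result policy this commit message (and the "Library" section of the PR description) lays out, as an added, simplified model that is not badsecrets' own code: two toy modules whose `identify_regex` values are constructed for the example (one anchored on the `eyJ` prefix that base64 gives `{"`, one for opaque base64 blobs with a negative lookahead that refuses `eyJ`-prefixed values), a constructed demo key list, and a `carve_cookies` that adds the IdentifyOnly fallback gated on `validate_carve`, dedups IdentifyOnly per detecting module, and drops every IdentifyOnly once any SecretFound exists. The MAC check (HMAC-SHA256 over `iv + value`) and the `make_cookie` helper are assumptions for the illustration, not the project's real modules or wordlists.

```python
import base64
import hashlib
import hmac
import json
import re

# Constructed demo key list for the example; not a real wordlist.
DEMO_KEYS = [b"not-the-right-key", b"constructed-demo-key"]

B64_BODY = r"[A-Za-z0-9+/]+={0,2}"


class JsonB64Cookie:
    """Toy module for a base64-wrapped JSON cookie with iv/value/mac fields.
    Anchored on 'eyJ', the base64 prefix that '{"' always produces."""
    name = "JsonB64Cookie"
    identify_regex = re.compile(r"eyJ" + B64_BODY)

    def identify(self, value: str) -> bool:
        return self.identify_regex.fullmatch(value) is not None

    def check_secret(self, value: str):
        """Return the demo key that verifies the MAC, or None if none does."""
        try:
            doc = json.loads(base64.b64decode(value, validate=True))
            iv, ct, mac = doc["iv"], doc["value"], doc["mac"]
        except (ValueError, KeyError, TypeError):
            return None
        if not all(isinstance(x, str) for x in (iv, ct, mac)):
            return None
        for key in DEMO_KEYS:
            expected = hmac.new(key, (iv + ct).encode(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, mac):
                return key.decode()
        return None


class RawB64Blob:
    """Toy module for an opaque encrypted base64 blob. The negative lookahead
    keeps it from also claiming eyJ-prefixed (JSON-shaped) values."""
    name = "RawB64Blob"
    identify_regex = re.compile(r"(?!eyJ)" + B64_BODY)

    def identify(self, value: str) -> bool:
        return len(value) >= 32 and self.identify_regex.fullmatch(value) is not None

    def check_secret(self, value: str):
        return None  # the toy has no keys to try for this product


MODULES = [JsonB64Cookie(), RawB64Blob()]


def carve_cookies(cookies: dict, validate_carve: bool = True) -> list:
    """Return a list of dicts, each tagged SecretFound or IdentifyOnly."""
    results = []
    identified_by = set()  # one IdentifyOnly per detecting module per scan
    for cookie_name, value in cookies.items():
        for mod in MODULES:
            if not mod.identify(value):
                continue
            secret = mod.check_secret(value)
            if secret is not None:
                results.append({"type": "SecretFound", "detecting_module": mod.name,
                                "cookie": cookie_name, "secret": secret})
            elif validate_carve and mod.name not in identified_by:
                # IdentifyOnly fallback: recognised product, key not in the list.
                identified_by.add(mod.name)
                results.append({"type": "IdentifyOnly", "detecting_module": mod.name,
                                "cookie": cookie_name})
    # Actionable hits outrank recognition-only candidates.
    if any(r["type"] == "SecretFound" for r in results):
        results = [r for r in results if r["type"] == "SecretFound"]
    return results


def make_cookie(key: bytes, iv: str = "aXY=", ct: str = "Y2lwaGVy") -> str:
    """Build a constructed JSON-in-base64 cookie whose MAC is keyed with `key`."""
    mac = hmac.new(key, (iv + ct).encode(), hashlib.sha256).hexdigest()
    doc = {"iv": iv, "value": ct, "mac": mac}
    return base64.b64encode(json.dumps(doc).encode()).decode()


RAW_BLOB = base64.b64encode(b"A" * 33).decode()  # constructed 44-char opaque value


if __name__ == "__main__":
    unknown = {"session": make_cookie(b"unknown-key"),
               "remember": make_cookie(b"another-unknown-key"),
               "blob": RAW_BLOB}
    print(carve_cookies(unknown))                        # two IdentifyOnly entries
    known = dict(unknown, admin=make_cookie(b"constructed-demo-key"))
    print(carve_cookies(known))                          # only the SecretFound remains
    print(carve_cookies(unknown, validate_carve=False))  # []
```

The second `session`-style cookie in `unknown` produces no extra IdentifyOnly entry because dedup is keyed on the detecting module, and the `blob` value is never claimed by the JSON module (wrong prefix) while the JSON cookies are never claimed by the blob module (the lookahead), which is the false-positive reduction the tightened regexes aim at.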
…yonly-fallback

surface IdentifyOnly results from cookies and manual product mode
@liquidsec liquidsec changed the title Version 1.1 Version 1.1.0 May 9, 2026