simple-waf-scanner 0.1.4

Production-ready OWASP Top 10:2025 aligned WAF bypass scanner with HTTP/2 support (CVE-2023-44487, CVE-2024-27983), 300+ payloads (XSS, SQLi, RCE, SSTI, XXE, SSRF, NoSQL, HTTP/2, AD FS), 11+ WAF fingerprints, and 7+ evasion techniques
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171

# HTTP/2 Quick Start Guide

## Overview

This scanner is now production-ready for HTTP/2 testing with full protocol support and comprehensive vulnerability detection.

## Quick Start

### 1. Basic HTTP/2 Scan

```bash
# Scan with HTTP/2 payloads
cargo run --release -- -t https://example.com -f payloads/http2-adfs-bypass.json
```

### 2. Production Scan (Recommended)

```bash
# Lower concurrency, add delay, save results
cargo run --release -- \
  -t https://production.example.com \
  -f payloads/http2-adfs-bypass.json \
  -c 5 \
  -d 200 \
  > http2-scan-results.txt
```

### 3. Test HTTP/2 Detection

```bash
# Run example to verify HTTP/2 support
cargo run --example http2_test
```

### 4. Verbose Logging

```bash
# See HTTP version detection and detailed logs
RUST_LOG=info cargo run --release -- -t https://example.com -f payloads/http2-adfs-bypass.json
```

## Key Features Enabled

✅ **HTTP/2 Prior Knowledge** - Direct HTTP/2 without upgrade  
✅ **Adaptive Flow Control** - Dynamic window management  
✅ **2MB Stream Window** - Optimized for performance  
✅ **4MB Connection Window** - Handles large transfers  
✅ **16KB Max Frame Size** - Efficient chunking  
✅ **Keep-Alive Pings** - 20s interval, 10s timeout  
✅ **Version Detection** - Automatic protocol logging  

## Production Checklist

Before scanning production systems:

- [ ] Obtain written authorization
- [ ] Use rate limiting (`-d 100` or higher)
- [ ] Limit concurrency (`-c 5-10`)
- [ ] Enable logging (`RUST_LOG=info`)
- [ ] Save results to file
- [ ] Monitor target system
- [ ] Have incident response ready

## HTTP/2 Vulnerabilities Tested

### Critical (Production Priority)
- ✓ CVE-2023-44487 - Rapid Reset DoS
- ✓ CVE-2024-27983 - CONTINUATION Flood
- ✓ HPACK Compression Bomb
- ✓ Flow Control Bypass

### High
- ✓ Request Smuggling
- ✓ Pseudo-Header Injection
- ✓ SETTINGS Frame Flood
- ✓ PRIORITY Frame Flood

### Medium
- ✓ Header Manipulation
- ✓ Method Override
- ✓ Stream Dependency Issues

## Examples

### Test Specific Vulnerability

```bash
# Test only Rapid Reset
cargo run --release -- -t https://example.com -f payloads/http2-adfs-bypass.json | grep "rapid-reset"
```

### Compliance Testing

```bash
# Full OWASP A02 testing (Security Misconfiguration)
cargo run --release -- -t https://example.com -f payloads/http2-adfs-bypass.json | grep "owasp-a02"
```

### High-Throughput Testing (Non-Production)

```bash
# Maximum speed (development/testing only)
cargo run --release -- -t https://test.example.com -f payloads/http2-adfs-bypass.json -c 50 -d 0
```

## Troubleshooting

### HTTP/1.1 Detected Instead of HTTP/2

**Symptom:** Log shows `HTTP/1.x detected`

**Solutions:**
- Verify target supports HTTP/2 (check headers: `curl -I --http2 https://example.com`)
- Some servers require ALPN negotiation
- Try different endpoints

### Connection Timeout

**Symptom:** Requests timing out

**Solutions:**
- Reduce concurrency: `-c 3`
- Add delay: `-d 500`
- Check firewall/rate limiting
- Increase timeout in code if needed

### Too Many Results

**Symptom:** Overwhelming number of findings

**Solutions:**
- Filter by severity: grep critical/high
- Test specific payloads
- Review false positives
- Adjust matchers in payload JSON

## Performance Tuning

| Scenario | Concurrency | Delay | Notes |
|----------|-------------|-------|-------|
| Production | 5-10 | 200-500ms | Safe, respectful |
| Staging | 10-20 | 100-200ms | Moderate load |
| Development | 20-50 | 50-100ms | Higher throughput |
| Lab/Testing | 50-100 | 0-50ms | Maximum speed |

## Next Steps

1. Review [HTTP2_PRODUCTION.md](HTTP2_PRODUCTION.md) for detailed documentation
2. Run example: `cargo run --example http2_test`
3. Test against your target with low settings first
4. Review findings and adjust based on results
5. Integrate into CI/CD pipeline if needed

## Support

- Documentation: `HTTP2_PRODUCTION.md`
- Examples: `examples/http2_test.rs`
- Payloads: `payloads/http2-adfs-bypass.json`
- Issues: Report bugs via GitHub

## Legal Notice

⚠️ **Always obtain authorization before testing.**

Unauthorized security testing is illegal and may result in:
- Criminal prosecution
- Civil liability
- Imprisonment
- Financial penalties

Use this tool responsibly and ethically.