simple-waf-scanner 0.1.6

Production-ready WAF scanner with OWASP Top 10:2025 Web & LLM support. 360+ payloads including LLM/GenAI testing (prompt injection, jailbreaks, system prompt leakage). HTTP/2, 11+ WAF fingerprints, 13 evasion techniques.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225

# HTTP/2 Production-Ready Configuration

This document outlines the HTTP/2 capabilities and production-ready features of the WAF scanner.

## HTTP/2 Support Overview

The scanner is now fully equipped with production-ready HTTP/2 support, including:

### ✅ Core HTTP/2 Features

1. **HTTP/2 Prior Knowledge**: Automatically uses HTTP/2 without protocol upgrade
2. **Adaptive Flow Control**: Dynamic window size adjustment for optimal performance
3. **Configurable Stream Windows**: 2MB initial stream window, 4MB connection window
4. **Frame Size Optimization**: 16KB maximum frame size for efficient data transfer
5. **Keep-Alive Management**: 20-second intervals with 10-second timeout
6. **HTTP Version Detection**: Automatic protocol version logging and detection

### 🔒 Security Test Categories

The scanner includes production-ready tests for critical HTTP/2 vulnerabilities:

#### Critical Vulnerabilities
- **CVE-2023-44487 (Rapid Reset)**: Tests for DoS via rapid RST_STREAM frames
- **CVE-2024-27983 (CONTINUATION Flood)**: Detects excessive CONTINUATION frame vulnerabilities
- **HPACK Compression Bomb**: Tests header compression memory exhaustion
- **Flow Control Bypass**: WINDOW_UPDATE integer overflow detection

#### High Severity Tests
- **Request Smuggling**: Protocol upgrade manipulation and connection header confusion
- **Pseudo-Header Injection**: Validation of :method, :path, :authority, :scheme headers
- **SETTINGS Frame Flood**: Rate-limiting checks for SETTINGS frames
- **PRIORITY Frame Flood**: CPU exhaustion via stream reprioritization

#### Medium Severity Tests
- **IIS Header Manipulation**: Method override (X-HTTP-Method-Override, X-Original-URL)
- **Stream Dependency Issues**: Priority tree manipulation tests

## Production Configuration

### Client Configuration

```rust
// Automatic configuration applied
ClientBuilder::new()
    .http2_prior_knowledge()                                    // Force HTTP/2
    .http2_adaptive_window(true)                                // Dynamic flow control
    .http2_initial_stream_window_size(Some(2 * 1024 * 1024))  // 2MB
    .http2_initial_connection_window_size(Some(4 * 1024 * 1024)) // 4MB
    .http2_max_frame_size(Some(16384))                         // 16KB
    .http2_keep_alive_interval(Some(Duration::from_secs(20)))  // Keep-alive
    .http2_keep_alive_timeout(Duration::from_secs(10))         // Timeout
    .http2_keep_alive_while_idle(true)                         // Idle keep-alive
```

### Performance Characteristics

- **Stream Multiplexing**: Concurrent request handling over single connection
- **Header Compression**: HPACK reduces overhead by ~40-60%
- **Server Push**: Compatible with HTTP/2 push promises
- **Flow Control**: Prevents buffer overflow and DoS conditions
- **Connection Reuse**: Reduces TLS handshake overhead

## Usage Examples

### Basic HTTP/2 Scan

```bash
# Scan target with HTTP/2 payloads
cargo run --release -- -t https://example.com -f payloads/http2-adfs-bypass.json

# Enable verbose logging to see HTTP version
RUST_LOG=info cargo run -- -t https://example.com -f payloads/http2-adfs-bypass.json
```

### Production Scanning

```bash
# Full scan with concurrency and delay
cargo run --release -- \
  -t https://production.example.com \
  -f payloads/http2-adfs-bypass.json \
  -c 10 \
  -d 100 \
  -o results.json

# Specific OWASP category testing
cargo run --release -- \
  -t https://example.com \
  -f payloads/http2-adfs-bypass.json \
  --filter-category http2-bypass
```

## Vulnerability Coverage

### OWASP Top 10:2025 Mapping

| Vulnerability | OWASP Category | Severity |
|---------------|----------------|----------|
| HTTP/2 Rapid Reset (CVE-2023-44487) | A02 - Security Misconfiguration | Critical |
| CONTINUATION Flood (CVE-2024-27983) | A02 - Security Misconfiguration | Critical |
| Request Smuggling | A01 - Broken Access Control | High |
| HPACK Compression Bomb | A02 - Security Misconfiguration | High |
| Pseudo-Header Injection | A05 - Injection | Medium |
| Header Manipulation | A02 - Security Misconfiguration | Medium |

### AD FS Specific Tests

The scanner includes 6+ AD FS-specific HTTP/2 tests:
- Authentication bypass (CVE-2025-21193)
- Token replay (CVE-2023-35348)
- Extranet lockout bypass (CVE-2019-1126)
- SSRF via txtBoxEmail (CVE-2018-16794)
- MFA bypass (CVE-2018-8340)

## Monitoring and Logging

### HTTP Version Detection

The scanner automatically logs HTTP protocol version:

```
[INFO] Target https://example.com is using HTTP version: HTTP/2
[INFO] ✓ HTTP/2 protocol detected - production-ready configuration active
```

### Finding Metadata

Each finding includes HTTP version information:

```json
{
  "payload_id": "http2-rapid-reset-cve-2023-44487",
  "severity": "critical",
  "http_version": "HTTP/2",
  "response_status": 200,
  "description": "Tests for HTTP/2 Rapid Reset vulnerability..."
}
```

## Best Practices

### Production Deployment

1. **Rate Limiting**: Use `-d` flag to add delays (100-500ms recommended)
2. **Concurrency**: Limit concurrent requests (`-c 5-10` for production)
3. **Monitoring**: Enable INFO logging to track HTTP version usage
4. **Filtering**: Test specific categories to reduce noise
5. **Output**: Always save results to JSON for analysis (`-o results.json`)

### Performance Tuning

```bash
# Low-impact scanning
cargo run --release -- -t https://example.com -c 5 -d 200

# High-throughput testing (non-production only)
cargo run --release -- -t https://test.example.com -c 50 -d 0

# Targeted testing
cargo run --release -- -t https://example.com \
  -f payloads/http2-adfs-bypass.json \
  --filter-severity critical
```

## Compliance and Standards

- **RFC 7540**: HTTP/2 Protocol Specification
- **RFC 7541**: HPACK Header Compression
- **OWASP Top 10:2025**: Security vulnerability mapping
- **CVE Database**: Real-world vulnerability coverage
- **CISA Alerts**: Includes critical infrastructure vulnerabilities

## Troubleshooting

### HTTP/1.1 Fallback

If target doesn't support HTTP/2:
```
[WARN] ⚠ HTTP/1.x detected - some HTTP/2 tests may not apply
```

The scanner will continue but HTTP/2-specific tests may not be effective.

### Connection Issues

```bash
# Increase timeout for slow servers
cargo run -- -t https://example.com --timeout 60

# Debug connection issues
RUST_LOG=debug cargo run -- -t https://example.com
```

### TLS/SSL Issues

```bash
# Scanner automatically accepts invalid certificates for testing
# This is intentional for security testing environments
RUST_LOG=warn cargo run -- -t https://self-signed.example.com
```

## Security Considerations

⚠️ **Warning**: This tool is for authorized security testing only.

- Always obtain proper authorization before scanning
- Production systems should use rate limiting (`-d` flag)
- Monitor target systems for impact during testing
- Review findings with security team before disclosure
- Follow responsible disclosure practices

## References

- [RFC 7540 - HTTP/2 Specification](https://tools.ietf.org/html/rfc7540)
- [OWASP Top 10:2025](https://owasp.org/Top10/2025/)
- [CVE-2023-44487 (Rapid Reset)](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
- [CVE-2024-27983 (CONTINUATION Flood)](https://nvd.nist.gov/vuln/detail/CVE-2024-27983)
- [CISA HTTP/2 Alert](https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487)

## Support

For issues or questions:
- GitHub Issues: [Report bugs and feature requests]
- Security Vulnerabilities: [Responsible disclosure process]
- Documentation: [Additional guides and examples]