wafrift-encoding 0.2.5

Payload encoding strategies and header obfuscation for WAF evasion.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288

//! HTTP header obfuscation for WAF bypass.
//!
//! WAFs inspect HTTP headers to detect malicious requests. This module
//! applies transformations that are valid per HTTP RFCs but confuse
//! WAF header parsers, causing them to misparse or skip inspection.
//!
//! # Techniques
//!
//! - **Case mixing** — `cOnTeNt-TyPe` instead of `Content-Type`
//! - **Whitespace tricks** — tabs, spaces around colons and values
//! - **Header folding** — obsolete but still parsed by many servers (RFC 7230 §3.2.4)
//! - **Duplicate headers** — first vs. last wins disagreement
//! - **Underscore substitution** — `Content_Type` accepted by some servers
//! - **Null byte injection** — `Content-Type\x00` truncates header name
//! - **`SPaced` header name** — `Content-Type ` trailing space before colon
//! - **Header value wrapping** — Value spread across multiple continuation lines
//! - **Comma-joined header values** — Multiple values in one header via comma

use std::fmt;

/// A header transformation technique.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash, serde::Serialize, serde::Deserialize)]
#[non_exhaustive]
pub enum HeaderTechnique {
    /// Random case mixing of header name.
    CaseMixing,
    /// Tab character instead of space after colon.
    TabSeparator,
    /// Extra whitespace around header value.
    WhitespacePadding,
    /// Obsolete header folding with continuation line (CRLF + whitespace).
    LineFolding,
    /// LF-only continuation line.
    LfOnlyLineFolding,
    /// Duplicate header with benign value first.
    DuplicateHeader,
    /// Underscore instead of hyphen in header name.
    UnderscoreSubstitution,
    /// Null byte injected into header name.
    NullByteInjection,
    /// Trailing space before colon in header name.
    TrailingSpace,
    /// Header value wrapped across multiple continuation lines.
    MultiLineFolding,
    /// LF-only multi-line folding.
    LfOnlyMultiLineFolding,
    /// Multiple values comma-joined in a single header.
    CommaJoin,
}

impl fmt::Display for HeaderTechnique {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::CaseMixing => f.write_str("case-mixing"),
            Self::TabSeparator => f.write_str("tab-separator"),
            Self::WhitespacePadding => f.write_str("whitespace-padding"),
            Self::LineFolding => f.write_str("line-folding"),
            Self::LfOnlyLineFolding => f.write_str("lf-only-line-folding"),
            Self::DuplicateHeader => f.write_str("duplicate-header"),
            Self::UnderscoreSubstitution => f.write_str("underscore-substitution"),
            Self::NullByteInjection => f.write_str("null-byte-injection"),
            Self::TrailingSpace => f.write_str("trailing-space"),
            Self::MultiLineFolding => f.write_str("multi-line-folding"),
            Self::LfOnlyMultiLineFolding => f.write_str("lf-only-multi-line-folding"),
            Self::CommaJoin => f.write_str("comma-join"),
        }
    }
}

/// Apply case mixing to a header name.
///
/// Produces `cOnTeNt-TyPe` style output. HTTP header names are defined
/// as case-insensitive (RFC 7230 §3.2), so servers accept any casing,
/// but some WAFs only match canonical `Content-Type`.
#[must_use]
pub fn case_mix(header_name: &str) -> String {
    crate::encoding::keyword::alternating_case(header_name, false)
}

/// Apply tab separator: `Header:\tvalue` instead of `Header: value`.
#[must_use]
pub fn tab_separator(header_name: &str, value: &str) -> String {
    format!("{header_name}:\t{value}")
}

/// Apply whitespace padding around the value.
#[must_use]
pub fn whitespace_pad(header_name: &str, value: &str) -> String {
    let pad_count = rand::random::<usize>() % 4 + 2; // 2–5 spaces
    let left = " ".repeat(pad_count);
    let right = " ".repeat(pad_count);
    format!("{header_name}:{left}{value}{right}")
}

fn char_boundary_near(s: &str, byte_idx: usize) -> usize {
    if byte_idx >= s.len() {
        return s.len();
    }
    let mut i = byte_idx;
    while i > 0 && !s.is_char_boundary(i) {
        i -= 1;
    }
    i
}

/// Apply obsolete line folding (RFC 7230 §3.2.4).
///
/// The header value is split across two lines with a continuation marker
/// (CRLF followed by a space or tab). This is obsolete but many servers
/// still accept it, while WAFs often do not reassemble folded headers.
#[must_use]
pub fn line_fold(header_name: &str, value: &str) -> String {
    line_fold_with_ending(header_name, value, "\r\n")
}

/// Apply LF-only line folding.
#[must_use]
pub fn lf_only_line_fold(header_name: &str, value: &str) -> String {
    line_fold_with_ending(header_name, value, "\n")
}

fn line_fold_with_ending(header_name: &str, value: &str, ending: &str) -> String {
    if value.len() < 4 {
        return format!("{header_name}: {value}");
    }
    let mid = char_boundary_near(value, value.len() / 2);
    format!(
        "{}: {}{ending}\t{}",
        header_name,
        &value[..mid],
        &value[mid..]
    )
}

/// Apply multi-line folding — value spread across 3+ continuation lines.
///
/// More aggressive than single fold — splits value into thirds.
/// Many WAFs only handle one continuation line.
#[must_use]
pub fn multi_line_fold(header_name: &str, value: &str) -> String {
    multi_line_fold_with_ending(header_name, value, "\r\n")
}

/// Apply LF-only multi-line folding.
#[must_use]
pub fn lf_only_multi_line_fold(header_name: &str, value: &str) -> String {
    multi_line_fold_with_ending(header_name, value, "\n")
}

fn multi_line_fold_with_ending(header_name: &str, value: &str, ending: &str) -> String {
    if value.len() < 6 {
        return format!("{header_name}: {value}");
    }
    let t1 = char_boundary_near(value, value.len() / 3);
    let t2 = char_boundary_near(value, value.len() * 2 / 3);
    format!(
        "{}: {}{ending} {}{ending}\t{}",
        header_name,
        &value[..t1],
        &value[t1..t2],
        &value[t2..]
    )
}

/// Generate a duplicate header pair: returns `(benign_line, real_line)`.
///
/// Some WAFs only inspect the first occurrence of a header, while many
/// servers use the last. By placing a benign value first and the real
/// value second, the WAF sees the benign header, the server sees the
/// real one.
#[must_use]
pub fn duplicate_header(
    header_name: &str,
    real_value: &str,
    benign_value: &str,
) -> (String, String) {
    (
        format!("{header_name}: {benign_value}"),
        format!("{header_name}: {real_value}"),
    )
}

/// Replace hyphens with underscores in the header name.
///
/// Some web servers (notably PHP with `$_SERVER`, and CGI) normalise
/// `Content_Type` → `Content-Type`. WAFs typically do not.
#[must_use]
pub fn underscore_substitute(header_name: &str) -> String {
    header_name.replace('-', "_")
}

/// Inject a null byte into the header name at the midpoint.
///
/// Some C-based WAF implementations (modSecurity, native nginx modules)
/// use null-terminated string operations internally. A null byte in the
/// header name causes the WAF to see a truncated name (e.g., `Content`
/// instead of `Content-Type\x00`), while the upstream server may parse
/// the full name.
#[must_use]
pub fn null_byte_inject(header_name: &str) -> String {
    if header_name.len() < 2 {
        return header_name.to_string();
    }
    let mid = char_boundary_near(header_name, header_name.len() / 2);
    format!("{}\x00{}", &header_name[..mid], &header_name[mid..])
}

/// Add a trailing space before the colon separator.
///
/// `Content-Type : value` — some parsers strip the space, making this
/// equivalent. WAFs that expect `Name:` or `Name: ` without extra space
/// in the header name field may fail to match.
#[must_use]
pub fn trailing_space(header_name: &str, value: &str) -> String {
    format!("{header_name} : {value}")
}

/// Comma-join multiple values into a single header.
///
/// Per RFC 7230 §3.2.6, a recipient may combine multiple header fields
/// with the same name into one `field-value` separated by commas.
/// `Header: benign, malicious` is semantically equivalent to two
/// separate `Header: benign` and `Header: malicious` lines. WAFs that
/// split on the first comma may only inspect `benign`.
#[must_use]
pub fn comma_join(header_name: &str, real_value: &str, benign_value: &str) -> String {
    format!("{header_name}: {benign_value}, {real_value}")
}

/// Apply all header obfuscation techniques to a header name/value pair.
///
/// Returns a vector of `(technique, obfuscated_header_line)` pairs.
/// For `DuplicateHeader`, the two lines are joined with CRLF.
#[must_use]
pub fn all_obfuscations(header_name: &str, value: &str) -> Vec<(HeaderTechnique, String)> {
    let benign = "safe_value";
    vec![
        (
            HeaderTechnique::CaseMixing,
            format!("{}: {}", case_mix(header_name), value),
        ),
        (
            HeaderTechnique::TabSeparator,
            tab_separator(header_name, value),
        ),
        (
            HeaderTechnique::WhitespacePadding,
            whitespace_pad(header_name, value),
        ),
        (HeaderTechnique::LineFolding, line_fold(header_name, value)),
        (
            HeaderTechnique::LfOnlyLineFolding,
            lf_only_line_fold(header_name, value),
        ),
        (HeaderTechnique::DuplicateHeader, {
            let (a, b) = duplicate_header(header_name, value, benign);
            format!("{a}\r\n{b}")
        }),
        (
            HeaderTechnique::UnderscoreSubstitution,
            format!("{}: {}", underscore_substitute(header_name), value),
        ),
        (
            HeaderTechnique::NullByteInjection,
            format!("{}: {}", null_byte_inject(header_name), value),
        ),
        (
            HeaderTechnique::TrailingSpace,
            trailing_space(header_name, value),
        ),
        (
            HeaderTechnique::MultiLineFolding,
            multi_line_fold(header_name, value),
        ),
        (
            HeaderTechnique::LfOnlyMultiLineFolding,
            lf_only_multi_line_fold(header_name, value),
        ),
        (
            HeaderTechnique::CommaJoin,
            comma_join(header_name, value, benign),
        ),
    ]
}

#[cfg(test)]
#[path = "header_tests.rs"]
mod tests;