
1//! wafrift-evolution — Genetic algorithm, MCTS, differential analysis, and WAF-aware advisor.
2//!
3//! The adaptive feedback loop: detect WAF → analyze differential responses →
4//! evolve technique populations → recommend optimal evasion strategies.
5//!
//! Key modules:
//! - [`evolution`]    — genetic algorithm (crossover, mutation, fitness)
//! - [`ast_mcts`]     — MCTS over the technique action space
//! - [`differential`] — differential response analysis (surface divergences)
//! - [`advisor`]      — WAF-class-aware technique recommender
//! - [`body_padding`] — inspection-window evasion (pad JSON/form past WAF scan cap)
//! - [`dilution`]     — ensemble dilution for ML-WAF evasion
//! - [`intelligence`] — cross-scan intelligence aggregation
//! - [`lineage`]      — technique lineage tracking across generations
//! - [`search`]       — novelty search + MAP-Elites algorithm
//! - [`custom_rules`] — operator-supplied TOML evasion rules
//!
//! Supporting modules (described at their `pub mod` declarations below):
//! - [`encoding_lattice`]   — encoding-stack lattice search over encoder compositions
//! - [`edge_pop_coverage`]  — cross-region CF edge-POP coverage map
//! - [`rule_alphabet`]      — per-rule L\* alphabet inference
//! - [`rule_corpus`]        — persistent per-rule bypass corpus
//! - [`hunt_corpus_bridge`] — oracle-verdict → `rule_corpus` write adapter
//! - [`min_bypass_set`]     — greedy set-cover minimum bypass set
//! - [`h1_dedup`]           — submission-dedup fingerprint
//! - [`coverage_feedback`], [`types`] — see the module docs
17//!
18//! # Examples
19//!
//! Inflate a JSON request body past a WAF's inspection-window cap.
//! Body-inspection limits differ by vendor, product tier and
//! configuration: the 8 KB (Cloudflare, Akamai) and 16 KB (AWS WAF)
//! figures this crate was written against are defaults, not
//! invariants, so confirm the target's effective cap before sizing
//! the pad. `body_padding::pad` produces a structure-preserving
//! payload that still parses on the origin while pushing the attack
//! tokens past the inspection ceiling; the `9000` below is sized for
//! an 8 KB cap:
25//!
26//! ```
27//! use wafrift_evolution::body_padding::{PadOutcome, pad};
28//!
29//! let body = br#"{"q":"' OR 1=1 --"}"#;
30//! let outcome = pad(body, "application/json", 9000);
31//! match outcome {
32//!     PadOutcome::Padded { bytes, added } => {
33//!         assert!(added >= 9000, "padded by at least 9000 bytes");
34//!         assert!(bytes.len() > body.len() + 8000);
35//!         // Still parses as valid JSON — origin sees the same payload.
36//!         let s = std::str::from_utf8(&bytes).unwrap();
37//!         assert!(s.contains("' OR 1=1 --"), "attack payload preserved");
38//!     }
39//!     other => panic!("expected Padded, got {other:?}"),
40//! }
41//! ```
42//!
43//! Opaque content types (binary blobs) are left alone — padding
44//! would corrupt them:
45//!
46//! ```
47//! use wafrift_evolution::body_padding::{PadOutcome, pad};
48//!
49//! let outcome = pad(&[0u8; 64], "application/octet-stream", 9000);
50//! assert_eq!(outcome, PadOutcome::SkippedOpaque);
51//! ```
52
/// WAF-class-aware technique recommender.
pub mod advisor;
/// MCTS (Monte Carlo tree search) over the technique action space.
pub mod ast_mcts;
/// Inspection-window evasion: pad JSON/form bodies past a WAF's scan cap
/// while keeping the body parseable at the origin (see the crate-level
/// example). Opaque/binary content types are skipped rather than padded.
pub mod body_padding;
/// Not described in the crate-level docs; see the module's own docs.
pub mod coverage_feedback;
/// Operator-supplied TOML evasion rules.
/// NOTE(review): these are treated as operator-authored configuration.
/// If rule files can ever arrive from a less-trusted source (shared
/// corpus, download, PR), the loader should validate them — confirm.
pub mod custom_rules;
/// Differential response analysis (surfaces divergences between probes).
pub mod differential;
/// Ensemble dilution for ML-WAF evasion.
pub mod dilution;
/// Cross-region CF edge-POP coverage map. Tracks
/// `(egress_label, target_host) → seen-POPs` so the hunt loop can
/// bias rotation toward egresses that haven't yet hit a given POP,
/// detect anycast pinning early, and report total POP coverage.
pub mod edge_pop_coverage;
/// Encoding-stack lattice search — enumerate compositions of N
/// encoders to find chains that defeat a target WAF rule. The
/// systematic-search engine the hunt loop uses to fill the
/// (rule × class) cells of the corpus.
pub mod encoding_lattice;
/// Genetic algorithm over technique populations (crossover, mutation,
/// fitness).
pub mod evolution;
/// HackerOne submission-dedup fingerprint. Stable hash of
/// (rule_id, encoding-chain-shape, payload-skeleton) so the
/// submission queue rejects bypasses already filed in the public
/// CumulusFire archive.
pub mod h1_dedup;
/// Single-call adapter from oracle verdicts → rule_corpus writes.
/// Hunt / bench / model-evade route every probe result through one
/// fn so corpus-key changes propagate without per-consumer churn.
pub mod hunt_corpus_bridge;
/// Cross-scan intelligence aggregation.
pub mod intelligence;
/// Technique lineage tracking across generations.
pub mod lineage;
/// Minimum Bypass Set computer — greedy set-cover on bypassing payloads.
/// Computes the smallest subset that collectively exercises every WAF rule
/// class reachable by the full input. Used to produce forensically minimal
/// payload sets for security reports.
pub mod min_bypass_set;
/// Per-rule L\* alphabet inference. Picks the bytes most
/// discriminative for a given CF rule from its observed corpus
/// (blocks vs bypasses) so the L\* learner explores tight,
/// rule-scoped symbolic automata instead of a generic alphabet.
pub mod rule_alphabet;
/// Persistent per-rule bypass corpus — accumulates rule-level bypass records
/// across hunt rounds and surfaces them to the genome-registry submission gate.
pub mod rule_corpus;
/// Novelty search + MAP-Elites algorithm.
pub mod search;
/// Not described in the crate-level docs; presumably the shared types
/// used across modules — see the module's own docs.
pub mod types;

// Crate-private; not part of the public API. Presumably the guarded I/O
// used by the persistent-corpus modules — confirm in the module itself.
mod safe_io;