wafrift-grammar 0.2.16

Grammar-aware payload mutation engine — SQL, XSS, CMD, LDAP, SSRF, path traversal, SSTI.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

//! Apache Cassandra / CQL injection grammar-aware mutation.

/// Detect Cassandra CQL injection signals.
#[must_use]
pub fn detect_type(payload: &str) -> bool {
    let lower = payload.to_ascii_lowercase();
    lower.contains("cassandra")
        || lower.contains("consistency ")
        || lower.contains("token(")
        || lower.contains("allow filtering")
        || lower.contains("using ttl")
        || (lower.contains("select") && lower.contains("from") && lower.contains("json"))
}

/// Generate Cassandra mutation variants.
#[must_use]
pub fn mutate(payload: &str) -> Vec<String> {
    if !detect_type(payload) {
        return Vec::new();
    }
    let mut results = Vec::new();
    let lower = payload.to_ascii_lowercase();

    // JSON output format bypass
    if lower.contains("select") {
        results.push(format!("{payload} JSON"));
        results.push(payload.replace("SELECT ", "SELECT JSON "));
    }

    // Consistency level manipulation
    results.push(format!("CONSISTENCY ALL; {payload}"));
    results.push(format!("CONSISTENCY ONE; {payload}"));

    // Token-based partition key bypass
    if lower.contains("where") {
        results.push(payload.replace("WHERE ", "WHERE token(") + ") > 0");
    }

    // Time-to-live / timestamp injection
    if lower.contains("insert") || lower.contains("update") {
        results.push(format!("{payload} USING TTL 86400"));
    }

    results
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn detects_cassandra_signals() {
        assert!(detect_type("SELECT JSON * FROM users"));
        assert!(detect_type("CONSISTENCY ONE"));
        assert!(detect_type("SELECT * FROM users USING TTL 86400"));
    }

    #[test]
    fn generates_json_variants() {
        let mutations = mutate("SELECT JSON * FROM users");
        assert!(mutations.iter().any(|m| m.contains("JSON")));
    }

    #[test]
    fn rejects_non_cassandra() {
        assert!(!detect_type("hello world"));
        assert!(mutate("' OR 1=1--").is_empty());
    }

    #[test]
    fn consistency_variants_generated() {
        let mutations = mutate("SELECT * FROM users USING TTL");
        assert!(mutations.iter().any(|m| m.contains("CONSISTENCY")));
    }

    #[test]
    fn ttl_variant_for_insert() {
        let mutations = mutate("INSERT INTO users (id) VALUES (1) USING TTL");
        assert!(mutations.iter().any(|m| m.contains("USING TTL")));
    }

    #[test]
    fn token_variant_for_where() {
        let mutations = mutate("SELECT JSON * FROM users WHERE id = 1");
        assert!(mutations.iter().any(|m| m.contains("token(")));
    }

    #[test]
    fn empty_payload_returns_empty() {
        assert!(mutate("").is_empty());
    }
}