§redstr
A comprehensive string obfuscation and transformation library for security testing, penetration testing, and red/blue/purple team operations.
§Overview
redstr provides 60+ transformation functions organized into categories:
- Case Transformations: Modify capitalization patterns for filter bypass
- Encoding: Base64, URL encoding, hex encoding with various formats
- Unicode: Homoglyphs, zalgo text, Unicode variations for IDN spoofing
- Injection Testing: SQL, XSS, command injection, path traversal patterns
- Obfuscation: Leetspeak, ROT13, character doubling, JavaScript obfuscation
- Phishing: Domain typosquatting, email obfuscation, URL patterns
- Bot Detection: User-agent strings, TLS fingerprinting, header variations
- Web Security: JWT manipulation, GraphQL obfuscation, API endpoint testing
- Shell: PowerShell and Bash command obfuscation
§Features
- Zero Dependencies: Uses only the Rust standard library (optional serde support)
- Security-Focused: Designed specifically for offensive and defensive security
- Production-Ready: Well-tested with comprehensive test coverage
- Builder Pattern: Chain multiple transformations with TransformBuilder
§Quick Start
```rust
use redstr::{randomize_capitalization, leetspeak, homoglyph_substitution};

// Random capitalization for filter bypass
let result = randomize_capitalization("Hello World");
// Output: "HeLlO wOrLd" (varies each run)

// Leetspeak for content filter evasion
let obfuscated = leetspeak("password");
// Output: "p@55w0rd" or "p4$$w0rd"

// Homoglyph substitution for phishing tests
let spoofed = homoglyph_substitution("admin@example.com");
// Output: "аdmіn@еxаmple.com" (Cyrillic characters)
```
§Use Cases by Team
§Red Team / Offensive Security
- WAF bypass with case variations and encoding
- XSS payload obfuscation
- SQL injection with comment insertion
- Phishing domain generation
- Command injection testing
§Blue Team / Defensive Security
- Test security control effectiveness
- Validate input sanitization
- Test filter and detection systems
- Verify Unicode handling
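
A detection-side counterpart to the Quick Start outputs, added here as an example (it is not part of redstr or its documentation): using only the standard library, it flags Cyrillic code points mixed into Latin text and folds homoglyph, case and leetspeak variants back to a canonical form for comparison. The lookup tables, function names and sample strings are constructed for illustration and cover only a handful of characters.

```rust
// Added example (not redstr code). Tables are constructed and deliberately small.
const CONFUSABLES: &[(char, char)] = &[
    ('\u{0430}', 'a'), ('\u{0435}', 'e'), ('\u{0456}', 'i'), ('\u{043E}', 'o'),
    ('\u{0440}', 'p'), ('\u{0441}', 'c'), ('\u{0445}', 'x'),
];
const LEET: &[(char, char)] = &[('@', 'a'), ('4', 'a'), ('5', 's'), ('$', 's'), ('0', 'o')];

fn map_char(table: &[(char, char)], c: char) -> char {
    table.iter().find(|(k, _)| *k == c).map_or(c, |(_, v)| *v)
}

/// (char index, code point) of each Cyrillic-block character in a string that
/// also contains ASCII letters; empty when the string is not mixed-script.
pub fn mixed_script_hits(input: &str) -> Vec<(usize, char)> {
    if !input.chars().any(|c| c.is_ascii_alphabetic()) {
        return Vec::new();
    }
    input.chars().enumerate()
        .filter(|(_, c)| ('\u{0400}'..='\u{04FF}').contains(c))
        .collect()
}

/// Folds known homoglyphs to ASCII and lowercases: use for addresses and domains.
pub fn skeleton(input: &str) -> String {
    input.chars().map(|c| map_char(CONFUSABLES, c).to_ascii_lowercase()).collect()
}

/// Additionally folds leetspeak: use for blocklist words, not for addresses,
/// because '@' is folded to 'a'.
pub fn fold_leet(input: &str) -> String {
    skeleton(input).chars().map(|c| map_char(LEET, c)).collect()
}

/// True when `input` contains mixed scripts and collapses to `protected`.
pub fn is_spoof_of(input: &str, protected: &str) -> bool {
    !mixed_script_hits(input).is_empty() && skeleton(input) == protected
}

fn main() {
    // Constructed sample shaped like the Quick Start's homoglyph output.
    let spoofed = "\u{0430}dm\u{0456}n@\u{0435}x\u{0430}mple.com";
    println!("hits: {:?}", mixed_script_hits(spoofed));
    println!("skeleton: {}", skeleton(spoofed));
    println!("spoof: {}", is_spoof_of(spoofed, "admin@example.com"));
    println!("leet: {} {}", fold_leet("p@55w0rd"), fold_leet("P4$$w0rd"));
}
```

A production check would replace the constructed tables with the full Unicode confusables data and apply normalization before comparison.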
§Purple Team / Security Testing
- Collaborative red/blue exercises
- Security tool validation
- Baseline security testing
§Transformation Categories
See individual function documentation for detailed use cases and examples.
§Structs
- TransformBuilder - Creates a transformer builder for chaining multiple transformations.
§Functions
- accept_language_variation - Generates browser-like Accept-Language header variations.
- advanced_domain_spoof - Generates advanced domain typosquatting with multiple techniques.
- alternate_case - Alternates between uppercase and lowercase for each alphabetic character.
- api_endpoint_variation - Generates API endpoint variations for Caido and API security testing.
- base64_encode - Encodes text to Base64.
- bash_obfuscate - Generates bash command obfuscation for Linux penetration testing.
- canvas_fingerprint_variation - Generates canvas fingerprint variations for Cloudflare bot detection evasion.
- case_swap - Swaps case randomly for WAF and filter bypass testing.
- cloudflare_challenge_response - Generates Cloudflare challenge response patterns.
- cloudflare_challenge_variation - Generates Cloudflare challenge response variations.
- cloudflare_turnstile_variation - Generates Cloudflare Turnstile challenge variations.
- command_injection - Generates command injection variations for OS command injection testing.
- couchdb_injection - Generates CouchDB injection patterns for NoSQL injection testing.
- domain_typosquat - Generates domain typosquatting variations for phishing detection testing.
- double_characters - Randomly doubles some characters in the string.
- dynamodb_obfuscate - Generates DynamoDB query obfuscation patterns for NoSQL injection testing.
- email_obfuscation - Obfuscates email addresses for phishing and social engineering testing.
- env_var_obfuscate - Obfuscates environment variable references for shell command evasion.
- file_path_obfuscate - Generates file path obfuscation for path traversal and file inclusion testing.
- font_fingerprint_consistency - Generates font fingerprint consistency variations for Cloudflare bot detection evasion.
- graphql_introspection_bypass - Generates GraphQL introspection bypass patterns for security testing.
- graphql_obfuscate - Generates GraphQL query obfuscation for API security testing.
- graphql_variable_injection - Generates GraphQL variable injection patterns for GraphQL injection testing.
- hex_encode - Encodes text to hexadecimal representation (lowercase).
- hex_encode_mixed - Encodes text with mixed hexadecimal formats (0x, \x, %, &#x).
- homoglyph_substitution - Substitutes characters with similar-looking homoglyphs.
- html_entity_encode - Encodes text using various HTML entity formats.
- html_form_action_variation - Generates HTML form action URL variations for form submission bypass testing.
- html_form_field_obfuscate - Generates HTML form field name obfuscation for form bypass testing.
- html_input_attribute_variation - Generates HTML input field attribute variations for input validation testing.
- html_input_type_variation - Generates HTML input type attribute variations for input validation bypass testing.
- html_input_value_obfuscate - Generates HTML input value attribute obfuscation for XSS and injection testing.
- http2_header_order - Generates HTTP/2 header order variations for Cloudflare bot detection evasion.
- http_header_variation - Generates HTTP header value variations for Caido and web security testing.
- inverse_case - Inverts the case of all alphabetic characters.
- js_string_concat - Applies JavaScript string concatenation obfuscation.
- jwt_algorithm_confusion - Generates JWT algorithm confusion patterns for JWT security testing.
- jwt_header_manipulation - Generates JWT header manipulation patterns for JWT security testing.
- jwt_payload_obfuscate - Generates JWT payload obfuscation patterns for JWT security testing.
- jwt_signature_bypass - Generates JWT signature bypass patterns for JWT security testing.
- leetspeak - Converts text to leetspeak by replacing letters with similar-looking numbers/symbols.
- mixed_encoding - Encodes characters using mixed encoding formats (HTML entities, Unicode escapes).
- mongodb_injection - Generates MongoDB injection patterns for NoSQL injection testing.
- nosql_operator_injection - Generates NoSQL operator injection patterns for NoSQL injection testing.
- null_byte_injection - Inserts null byte representations for testing null byte vulnerabilities.
- path_traversal - Generates path traversal patterns for directory traversal testing.
- powershell_obfuscate - Generates PowerShell command obfuscation for Windows penetration testing.
- random_user_agent - Generates a random user-agent string from a curated list of common browsers.
- randomize_capitalization - Applies random capitalization to each letter in the input string.
- reverse_string - Reverses the input string.
- rot13 - Applies ROT13 cipher to the input.
- session_token_variation - Generates session token variations for authentication bypass testing.
- space_variants - Replaces regular spaces with various Unicode space characters.
- sql_comment_injection - Inserts SQL comment patterns for SQL injection testing.
- ssti_framework_variation - Generates framework-specific SSTI variations for template injection testing.
- ssti_injection - Generates Server-Side Template Injection (SSTI) patterns for template injection testing.
- ssti_syntax_obfuscate - Generates template syntax obfuscation for SSTI testing.
- tls_fingerprint_variation - Generates TLS fingerprint variations for Cloudflare bot detection evasion.
- tls_handshake_pattern - Generates TLS handshake pattern variations for Cloudflare bot detection evasion.
- to_camel_case - Converts a string to camelCase.
- to_kebab_case - Converts a string to kebab-case.
- to_snake_case - Converts a string to snake_case.
- unicode_normalize_variants - Generates unicode normalization variations (NFD, NFC, NFKC, NFKD concepts).
- unicode_variations - Replaces characters with random Unicode variations.
- url_encode - Encodes text with URL/percent encoding (RFC 3986).
- url_shortening_pattern - Generates URL shortening patterns for phishing campaigns.
- vowel_swap - Randomly swaps vowels with other vowels.
- webgl_fingerprint_obfuscate - Obfuscates WebGL fingerprint data for Cloudflare bot detection evasion.
- whitespace_padding - Adds random whitespace padding to bypass simple filters.
- xss_tag_variations - Generates XSS tag variations for testing XSS filters.
- zalgo_text - Adds zalgo combining characters to create corrupted-looking text.