Crate wafrift_core

Expand description

wafrift-core — Façade crate re-exporting all WAF Rift modules.

This crate is a convenience umbrella. Each module lives in its own focused crate; this crate re-exports them all under a single namespace so existing consumers (wafrift-cli, wafrift-transport, integration tests) can continue using wafrift_core::*.

§Examples

Use the umbrella to drive a payload through three subsystems without depending on each subcrate by name:

use wafrift_core::{encoding, grammar};

// Classify, mutate, encode — three lego-blocks, one façade.
let p = "' OR 1=1 --";
assert_eq!(grammar::classify(p), grammar::PayloadType::Sql);

let mutations = grammar::mutate(p, 3);
assert!(!mutations.is_empty());

let encoded = encoding::encode(p, encoding::Strategy::UrlEncode).unwrap();
assert!(encoded.contains("%27"));

Use the re-exported types to build a request without naming wafrift_types:

use wafrift_core::{Method, Request};

let r = Request::get("https://example.com").header("X-Test", "1");
assert_eq!(r.method(), &Method::Get);
assert_eq!(r.headers().len(), 1);

§Crate structure

§Re-exported crates

Crate	Re-exported as	Purpose
`wafrift-types`	(crate root via `*`)	Core types: Request, Technique, EvasionResult
`wafrift-encoding`	`encoding`, `header`	Payload encoding + header obfuscation
`wafrift-grammar`	`grammar`	Grammar-aware payload mutations
`wafrift-content-type`	`content_type`	WAFFLED Content-Type switching
`wafrift-smuggling`	`smuggling`, `h2_evasion`	HTTP smuggling + HTTP/2 frame-level evasion
`wafrift-fingerprint`	`fingerprint`, `tls_fingerprint`	Browser + TLS JA3/JA4 fingerprint profiles
`wafrift-detect`	`waf_detect`, `response_fingerprint`	WAF detection (HTTP headers, DNS CNAME, BGP ASN)
`wafrift-evolution`	`evolution`, `advisor`, `differential`, `custom_rules`, `intelligence`	Genetic algorithm + MCTS + advisor
`wafrift-oracle`	`oracle`	Payload validity oracles (SQL, XSS, SSTI, …)
`wafrift-strategy`	`host_state`, `strategy`	Evasion pipeline + gene bank + adaptive host state
`wafrift-transport`	`transport`	Evasion-aware HTTP client + stealth profiles
`proxywire`	`pool`	Canonical proxy substrate (routing, rotation, auth)
`wafrift-recon`	`recon`	Origin discovery via CT logs + DNS history

§NOT re-exported by this crate

These crates are part of the workspace but are not included in wafrift-core to avoid the associated heavy dependencies (wasmtime, ed25519-dalek, etc.) in consumers that don’t need them. Use the sub-crates directly:

wafrift-wafmodel — L* WAF decompiler + offline SFA bypass mining
wafrift-genome-registry — ed25519 genome signing + trust-list management
wafrift-plugin-api — TOML + WASM external tamper SDK
wafrift-graphql — GraphQL-specific evasion payloads
wafrift-grpc-evasion — gRPC opaque-payload bypass
wafrift-captchaforge-bridge — headless Chromium challenge solver

Re-exports§

pub use wafrift_content_type as content_type;
pub use wafrift_http3_evasion as http3_evasion;
pub use wafrift_oracle as oracle;
pub use proxywire as pool;
pub use wafrift_transport as transport;
pub use wafrift_recon as recon;

Modules§

advisor: WAF-aware strategy advisor.
bogon: Canonical bogon / non-public IP classification for the workspace.
calibration: WAF calibration — detect whether a target has a WAF at all.
canary: Per-probe correlation token shared by every wafrift evasion module that emits wire-format payloads.
config: Evasion configuration — knobs for the strategy engine.
custom_rules: Community-configurable WAF detection and evasion rules.
differential: WAF rule differential analysis — reverse-engineer what a WAF blocks.
discovery
encoding: Payload encoding strategies — transform payloads to bypass WAF keyword detection.
entropy: Information-theoretic primitives shared across the workspace.
escalation: Escalation levels — how aggressively we need to evade.
evolution: Feedback-driven evolutionary evasion engine.
explanation
fingerprint: Compatibility facade for shared browser HTTP fingerprint profiles.
format
gene_bank_io: Canonical schema for the operator’s per-host gene-bank persistence file (default path: ~/.wafrift/gene-bank.json).
grammar: Grammar-aware payload mutation engine.
h2_evasion: HTTP/2 frame-level evasion and downgrade techniques.
hash: Pure, deterministic, dependency-free hashing primitives shared across the workspace.
header: HTTP header obfuscation for WAF bypass.
host_state: Per-host evasion state — tracks what works and what doesn’t.
injection_context
intelligence: Intelligence loop — connects differential analysis, evolution, and strategy.
loaders: Shared file-discovery primitives for .toml rule directories.
oob
pick: Random selection from a static pool — workspace-wide primitive.
probe: Workspace-wide SmuggleProbe trait — uniform interface for the seven (and growing) probe families wafrift emits.
probe_aggregator: Single aggregator that pulls every wafrift smuggle probe under one operator-iterable interface.
request: HTTP method and request types — the foundation layer all wafrift crates depend on.
response_fingerprint: Response fingerprinting for silent-block detection.
result: Evasion result — a transformed request with metadata.
session
smuggling: HTTP request smuggling payloads for WAF bypass.
strategy: Evasion strategy engine — the pipeline that wires ALL modules.
technique: Evasion technique identifiers.
tls_fingerprint: Compatibility facade for shared TLS ClientHello fingerprint profiles.
utf7: UTF-7 (RFC 2152) codec — a foundational, self-contained primitive.
verdict: WAF response verdict taxonomy.
waf_class: WAF classification by architectural backing — governs which evasion sub-engines are activated for a given target.
waf_detect: WAF detection from response headers and body.

Structs§

EvasionConfig: Evasion configuration.
EvasionResult: A transformed request ready to send.
HostState: Per-host evasion state — tracks what works and what doesn’t.
Request: A request that wafrift can transform.

Enums§

BlockReason: Extracted block reason from a WAF response.
CalibrationResult: Result of WAF calibration check.
ConnectionBehavior: Connection behavior anomalies that influence verdict classification.
EscalationLevel: How aggressively we need to evade.
Method: HTTP method — enforced at the type level instead of a bare String.
Signal: A classification signal that contributed to a verdict.
Technique: An evasion technique that was applied.
Verdict: WAF response verdict — the output of the response oracle.
WafClass: High-level WAF architectural class.

Constants§

BLOCK_SCAN_BODY_WINDOW: Workspace-canonical body-scan window size (bytes) used by every WAF-block classifier that reads the response body.
DEFAULT_EGRESS_CHALLENGE_THRESHOLD: Default egress-pool “burn threshold” — the number of challenge / rate-limit verdicts on a single egress identity before that egress rotates into cooldown. Pre-R63 the literal 3 was open-coded at 7 production sites (cli config defaults, scan/raw_runner, hunt_cmd, import_curl, model_evade_cmd, and main.rs clap defaults). Anchoring here makes the value tunable in one place and prevents the silent divergence where one site updates and others don’t.
DEFAULT_EGRESS_COOLDOWN_SECS: Default egress-pool cooldown duration in seconds after threshold strikes. Pre-R63 the literal 300 was hardcoded at 6 sites including wafrift_transport::egress_pool’s builder’s unwrap_or fallback — meaning a CLI default and a builder default could silently disagree.
DEFAULT_MAX_REDIRECTS: Default redirect chain depth allowed when wafrift acts as an HTTP client. Mirrors curl’s default to minimise practitioner surprise.
DEFAULT_REQUEST_TIMEOUT_SECS: Default per-request HTTP timeout (seconds). Used by every reqwest client builder in the workspace unless the caller explicitly opts into a different value (e.g. bench-waf --timeout-secs).
DEFAULT_SMUGGLE_BODY_DIVERGENCE_THRESHOLD: Default body-length divergence threshold for the fire-mode classifier. 5% delta = body-diverged signal. Tuned to avoid noise from server-timestamp headers while catching real per-route page-shape divergence.
DEFAULT_SMUGGLE_COMPOSED_CAP: Default cap on emitted composed artifacts in smuggle-cross-product / smuggle-chain. The cartesian product grows polynomially — 64 is the empirical sweet spot between coverage and operator-readable output volume.
DEFAULT_SMUGGLE_FIRE_DELAY_MS: Default inter-request delay (ms) in sequential fire mode. Rate-limit-friendly default; operators raise/lower per target.
DEFAULT_SMUGGLE_FIRE_PARALLEL: Default concurrent in-flight smuggle-fire probes. 1 = sequential (respects --delay-ms); >1 = parallel.
DEFAULT_SMUGGLE_FIRE_TIMEOUT_SECS: Default per-request HTTP timeout (seconds) for smuggle-fire subcommands. 10s matches the scan-path convention.
FNV_OFFSET_64: FNV-1a 64-bit offset basis (RFC reference value).
FNV_PRIME_64: FNV-1a 64-bit prime (RFC reference value).
HOST_STATES_CAP: Workspace-canonical cap on the in-memory per-host evasion/state map shared by wafrift-transport’s EvasionClient and the scan-path clients. The cap prevents a long-running session scanning thousands of distinct hostnames from growing the map unboundedly.
HOST_TECHNIQUE_HINTS_CAP: Workspace-canonical cap on the prioritized_techniques and avoided_techniques hint lists stored in a wafrift_strategy::HostState (a downstream crate, so this is a plain code span, not an intra-doc link).
MAX_RESPONSE_BODY_BYTES: Workspace-canonical ceiling on the largest HTTP response / decoded body wafrift holds in memory at once. ONE source of truth for the three sites that each previously defined their own 64 * 1024 * 1024 and were kept in sync only by a comment (§7 DEDUPLICATION — “two = a future drift bug”):
REGEX_NFA_SIZE_LIMIT: Workspace-canonical compiled NFA byte-size limit for RegexBuilder::size_limit and RegexSetBuilder::size_limit.

Functions§

binary_shannon: Binary Shannon entropy of a Bernoulli with parameter p, in bits.
fnv1a_64: Hash a byte slice with FNV-1a-64 in a single call.
fnv1a_64_extend: Streaming variant — fold bytes into the running h in place. Equivalent to *h = bytes.iter().fold(*h, fnv1a_64_step) but preserves the existing call site shape from evolution::h1_dedup.
fnv1a_64_step: Single-byte step of FNV-1a-64. Exposed for streaming callers (e.g. evolution::h1_dedup’s incremental fingerprint over a tokenised request, where each segment is fed independently).
glob_match: Tiny ASCII glob matcher: * matches any byte run (including empty), ? matches exactly one byte, everything else is a case-insensitive literal. The match is anchored at both ends (full-string).
glob_match_bytes: Byte-slice core of glob_match. Exported for crates that already hold &[u8] and want to avoid the UTF-8 round-trip.
ip_addr_is_bogon: True if this IP should be blocked when private/upstream lab access is disallowed.
shannon: General Shannon entropy over a discrete distribution probs, in bits. H(p_1, …, p_n) = -Σ p_i · log2(p_i), with the convention 0 · log 0 = 0 (the mathematical limit).