HTTP header obfuscation for WAF bypass.
WAFs inspect HTTP headers to detect malicious requests. This module applies transformations to header lines that a WAF's parser and the origin server's parser are likely to handle differently. Some of them are permitted by the HTTP RFCs (field names are case-insensitive; optional whitespace may surround the value); others are deprecated or outright prohibited (obsolete line folding, whitespace between the field name and the colon, NUL bytes) and only work because many origin parsers are lenient. The bypass is a parsing differential: the WAF misparses the header or skips inspection of it while the backend still applies it. Note that RFC 7230 has been obsoleted by RFC 9110/9112 (the folding rules are now RFC 9112 §5.2), and a WAF that rejects malformed field lines with a 400 instead of failing open is not affected by the prohibited forms.
§Techniques
- Case mixing — `cOnTeNt-TyPe` instead of `Content-Type`; field names are case-insensitive, so this only defeats signatures that compare names case-sensitively
- Whitespace tricks — tabs, spaces around colons and values
- Header folding — obsolete line folding (RFC 7230 §3.2.4, now RFC 9112 §5.2), which servers are supposed to reject or unfold to spaces but many still accept
- Duplicate headers — WAF and backend may disagree on whether the first or the last occurrence wins
- Underscore substitution — `Content_Type` accepted by some servers (CGI-style backends map both spellings to `HTTP_CONTENT_TYPE`; nginx drops underscored headers unless `underscores_in_headers` is enabled)
- Null byte injection — `Content-Type\x00` truncates the header name in C-string based parsers; not valid in any RFC grammar
- Spaced header name — `Content-Type ` with a trailing space before the colon; the RFC requires a 400 here, lenient parsers trim it
- Header value wrapping — value spread across multiple continuation lines
- Comma-joined header values — multiple values in one header via comma
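As an added illustration, not part of this module and not its API (the function names below are hypothetical stand-ins), the following builds a few of the encodings listed above and runs each through a strict RFC-shaped parser and a lenient origin-style parser, to show exactly where the two disagree and which forms therefore give a WAF bypass only if the inspector fails open:

```rust
// Added example, not the module's own code. Parsers and helper names are
// illustrative; the lenient parser models common origin behaviour (obs-fold
// unfolding, whitespace trimming, NUL truncation, CGI '_' -> '-' mapping).

/// RFC 7230 §3.2.6 token characters: the only bytes allowed in a field name.
fn is_tchar(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"!#$%&'*+-.^_`|~".contains(&b)
}

/// Alternate case letter by letter, giving the `cOnTeNt-TyPe` pattern.
/// Names are case-insensitive, so only a case-sensitive signature is affected.
pub fn mix_case(name: &str) -> String {
    let mut letters = 0usize;
    name.chars()
        .map(|c| {
            if !c.is_ascii_alphabetic() {
                return c;
            }
            letters += 1;
            if letters % 2 == 1 { c.to_ascii_lowercase() } else { c.to_ascii_uppercase() }
        })
        .collect()
}

/// Spread the value over obs-fold continuation lines (RFC 7230 §3.2.4):
/// every line after the first starts with a single space.
pub fn fold_value(name: &str, value: &str) -> String {
    let mut parts = value.split_whitespace();
    let mut line = match parts.next() {
        Some(first) => format!("{}: {}", name, first),
        None => format!("{}:", name),
    };
    for part in parts {
        line.push_str("\r\n ");
        line.push_str(part);
    }
    line
}

/// Whitespace between name and colon. RFC 7230 §3.2.4 says a server MUST
/// reject this with 400; lenient parsers trim it instead.
pub fn space_before_colon(name: &str, value: &str) -> String {
    format!("{} : {}", name, value)
}

/// Underscore for hyphen: valid token characters, so a compliant parser sees a
/// different header; CGI-style backends map both to HTTP_CONTENT_TYPE.
pub fn underscore_name(name: &str, value: &str) -> String {
    format!("{}: {}", name.replace('-', "_"), value)
}

/// Tab instead of space after the colon: plain OWS, accepted by everyone.
pub fn tab_after_colon(name: &str, value: &str) -> String {
    format!("{}:\t{}", name, value)
}

/// Strict parse of one field line: token name, no whitespace before the colon,
/// no obs-fold, no NUL. Returns (lowercased name, trimmed value).
pub fn parse_strict(line: &str) -> Option<(String, String)> {
    if line.contains("\r\n") || line.contains('\0') {
        return None;
    }
    let (name, value) = line.split_once(':')?;
    if name.is_empty() || !name.bytes().all(is_tchar) {
        return None;
    }
    let value = value.trim_matches(|c: char| c == ' ' || c == '\t').to_string();
    Some((name.to_ascii_lowercase(), value))
}

/// Lenient parse as many origins do it: unfold obs-fold to a space, trim the
/// name, stop it at the first NUL (C-string behaviour), map '_' to '-' (CGI),
/// collapse whitespace inside the value.
pub fn parse_lenient(line: &str) -> Option<(String, String)> {
    let unfolded = line.replace("\r\n ", " ").replace("\r\n\t", " ");
    let (raw_name, raw_value) = unfolded.split_once(':')?;
    let name = raw_name
        .split('\0')
        .next()
        .unwrap_or("")
        .trim()
        .replace('_', "-")
        .to_ascii_lowercase();
    if name.is_empty() {
        return None;
    }
    let value = raw_value.split_whitespace().collect::<Vec<_>>().join(" ");
    Some((name, value))
}

/// The bypass condition: the strict inspector cannot attribute the line to
/// `target` but the lenient origin can. Only matters if the inspector fails
/// open; one that fails closed answers 400 to the same line.
pub fn inspection_skipped(line: &str, target: &str) -> bool {
    let target = target.to_ascii_lowercase();
    let strict_sees = parse_strict(line).map_or(false, |(n, _)| n == target);
    let lenient_sees = parse_lenient(line).map_or(false, |(n, _)| n == target);
    lenient_sees && !strict_sees
}

fn main() {
    // Constructed sample header; any name/value pair works.
    let (name, value) = ("Content-Type", "text/html; charset=utf-8");
    let variants = [
        ("case mixing", format!("{}: {}", mix_case(name), value)),
        ("obs-fold", fold_value(name, value)),
        ("space before colon", space_before_colon(name, value)),
        ("underscore name", underscore_name(name, value)),
        ("tab after colon", tab_after_colon(name, value)),
    ];
    for (label, line) in &variants {
        println!(
            "{:<20} {:?}\n{:<20} strict={:?} lenient={:?} skipped={}",
            label, line, "", parse_strict(line), parse_lenient(line),
            inspection_skipped(line, name)
        );
    }
}
```

Run it with `rustc` or as a single-file `cargo` binary. Two outcomes are worth noting: case mixing and the tab separator produce no differential at all against a parser that follows the RFC, so they only matter against naive string matching; the obs-fold, space-before-colon and underscore forms are invisible to the strict parser while the lenient one still yields `content-type`, which is the gap the module exploits. The defensive check is the inverse: confirm the WAF returns 400 for the strict-parser failures rather than forwarding the request.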
Enums§
- HeaderTechnique - A header transformation technique.
Functions§
- all_obfuscations - Apply all header obfuscation techniques to a header name/value pair.
- case_mix - Apply case mixing to a header name.
- comma_join - Comma-join multiple values into a single header.
- duplicate_header - Generate a duplicate header pair: returns `(benign_line, real_line)`.
- lf_only_line_fold - Apply LF-only line folding (bare LF instead of CRLF before the continuation line).
- lf_only_multi_line_fold - Apply LF-only multi-line folding.
- line_fold - Apply obsolete line folding (RFC 7230 §3.2.4).
- multi_line_fold - Apply multi-line folding — value spread across 3+ continuation lines.
- null_byte_inject - Inject a null byte into the header name at the midpoint.
- tab_separator - Apply tab separator: `Header:\tvalue` instead of `Header: value`.
- trailing_space - Add a trailing space before the colon separator.
- underscore_substitute - Replace hyphens with underscores in the header name.
- whitespace_pad - Apply whitespace padding around the value.