Skip to main content

json_unicode_alnum

Function json_unicode_alnum 

Source
pub fn json_unicode_alnum(payload: &str) -> String
Expand description

Partial JSON Unicode escape — encodes ASCII alphanumeric chars as \uXXXX while leaving structural punctuation (quotes, operators, whitespace) bare.

Bypass mechanism: Keyword fingerprint rules (UNION, SELECT, alert, script, eval, …) match against the byte sequence. Splitting the keyword across Unicode escapes defeats them — the origin’s JSON parser / JS engine re-materializes the keyword at the application layer, but the WAF sees UNION in the wire bytes and finds no UNION. Distinct from unicode_encode which escapes EVERY char (high \u density flags some heuristic WAFs); this leaves the SQL/HTML/JS structural skeleton visible, so the payload still looks like data.

Idempotent: pre-existing \uXXXX sequences in the input are detected and passed through verbatim — second-pass tampering does not re-escape an already-escaped char.

Context: ONLY safe when the target parser performs JSON-style / JavaScript-style Unicode decoding. Inert against raw HTTP parameters (you’ll send literal backslash-u bytes).