wafrift_encoding/encoding/mod.rs
//! Payload encoding strategies — transform payloads to bypass WAF keyword detection.
//!
//! Each strategy changes HOW the payload looks without changing WHAT it does.
//! The server decodes the payload back to its original form, but the WAF
//! fails to match it against its rules.
//!
//! # Scope
//!
//! Every module here is a **WAF-evasion primitive**: it transforms a payload
//! so the WAF's keyword / regex / signature matcher misses it while the
//! origin's normalizer / parser still recovers the original. Modules whose
//! attack target is the origin application (template engines, deserializers,
//! databases, etc) do NOT belong in `wafrift` — those are sibling Santh
//! tools.
//!
//! # Module structure
//!
//! | Module | Responsibility |
//! |--------|---------------|
//! | [`strategy`] | `Strategy` enum and `encode()` dispatcher |
//! | [`url`] | URL, double-URL, and triple-URL encoding |
//! | [`unicode`] | Unicode `\uXXXX`, `%uXXXX`, JSON, and HTML entity encoding |
//! | [`keyword`] | Case alternation, whitespace/comment insertion, SQL obfuscation |
//! | [`structural`] | Null byte, overlong UTF-8, chunked split, HPP, compression |
//! | [`layered`] | Multi-strategy chaining and aggressiveness scoring |
//! | [`invisible`] | Plan 9 tag chars, variation selectors, ligatures, soft hyphens |
//! | [`path_norm`] | RFC 3986 §5.2.4 differential path-normalization variants |
//! | [`request_line`] | Method / version / URI-form tricks (WAF↔origin parser disagreement) |
//! | [`race`] | Single-packet attack frame builders (Kettle BH23) |
//! | [`method_override`] | `X-HTTP-Method-Override` / `_method` framework re-interpret tricks |
//! | [`cache_poison`] | `X-Forwarded-*` + web cache deception + Vary confusion |

/// HTTP cache poisoning payloads: X-Forwarded-Host/Scheme/Port,
/// X-Original-URL, X-Host (Akamai), Forwarded (RFC 7239),
/// X-Backend-Host, loopback-trust headers, web cache deception
/// paths (5 extensions × null-byte / semicolon / traversal forms),
/// cache key normalization variants, Vary header confusion, status
/// code poisoning, HTTP/2 :authority split.
pub mod cache_poison;
/// Invisible-character & tag-character encoders (Plan 9 tag chars,
/// variation selectors, stylistic ligatures, enclosed alphanumerics,
/// soft hyphens, word joiners). Looks identical, normalizes identical,
/// byte stream is unrecognizable.
pub mod invisible;
/// Keyword manipulation strategies (case, whitespace, comments).
pub mod keyword;
/// Multi-strategy layering and aggressiveness scoring.
pub mod layered;
/// HTTP method-override confusion: framework re-interprets the
/// request method from `X-HTTP-Method-Override` header (3 name
/// variants), `_method` form field / query / multipart, chunked
/// trailer, or header+form disagreement. Wire method shown to WAF
/// is POST; framework executes DELETE/PUT/PATCH/etc.
pub mod method_override;
/// Path-normalization differential encoders (dot-segment variants,
/// percent-encoded slash/dot, double-encoded, Tomcat semicolon,
/// IIS backslash, fullwidth slash, overlong UTF-8 dot). Each variant
/// is RFC 3986 §5.2.4-equivalent to the same target — but most WAFs
/// don't run that exact algorithm.
pub mod path_norm;
/// Single-packet race-condition primitives (Kettle BH23 "Smashing the
/// State Machine"): HTTP/1.1 pipelined coalesce + HTTP/2 last-byte-sync
/// frame builders. Builds wire bytes only; the transport layer
/// handles the TCP_NODELAY-off + writev coalesce.
pub mod race;
/// HTTP request-line differential tricks: exotic methods (WebDAV,
/// CalDAV, cache-private), method case/whitespace tricks, version
/// strings (HTTP/0.9, HTTP/1.99, HTTP/2.0-on-h1-wire), absolute-form
/// URI (RFC 7230 §5.3.2), asterisk-form, authority-form.
pub mod request_line;
/// Strategy enum and encode() dispatcher.
pub mod strategy;
/// Structural encoding strategies (null byte, overlong UTF-8, chunked, HPP).
pub mod structural;
/// Unicode and HTML entity encoding strategies.
pub mod unicode;
/// URL-based encoding strategies (single, double, triple).
pub mod url;

#[cfg(test)]
mod tests;

// Re-export everything for backwards compatibility (LAW 2).
pub use crate::error::EncodeError;
pub use layered::{aggressiveness, encode_layered, layered_combinations};
pub use strategy::{Strategy, all_strategies, encode};
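
The `url` and `path_norm` descriptions above rest on the inspecting layer and the origin disagreeing about decoding and RFC 3986 §5.2.4 dot-segment removal. The following is an added example from the inspecting side, not wafrift code: it canonicalizes a request path before any rule is matched and rejects input it cannot canonicalize. `canonical_path`, `MAX_DECODE_ROUNDS` and the sample paths are hypothetical and constructed for illustration; it assumes an origin-form path and takes the most permissive view (every `%XX` is decoded).

```rust
// Added example, not wafrift code; all names here are hypothetical.
const MAX_DECODE_ROUNDS: usize = 4; // enough to unwind triple encoding and confirm stability

fn hex(b: u8) -> Option<u8> { (b as char).to_digit(16).map(|d| d as u8) }

/// One percent-decoding pass over raw bytes; malformed escapes stay literal.
fn percent_decode_once(input: &[u8]) -> Vec<u8> {
    let mut out: Vec<u8> = Vec::with_capacity(input.len());
    let mut i = 0;
    while i < input.len() {
        if input[i] == b'%' && i + 2 < input.len() {
            if let (Some(h), Some(l)) = (hex(input[i + 1]), hex(input[i + 2])) {
                out.push(h * 16 + l);
                i += 3;
                continue;
            }
        }
        out.push(input[i]);
        i += 1;
    }
    out
}

/// RFC 3986 §5.2.4 remove_dot_segments for a path that starts with '/'.
fn remove_dot_segments(path: &str) -> String {
    let mut out: Vec<&str> = Vec::new();
    let mut trailing = false;
    for seg in path.split('/').skip(1) {
        trailing = seg == "." || seg == "..";
        if seg == ".." { out.pop(); } else if seg != "." { out.push(seg); }
    }
    let joined = format!("/{}", out.join("/"));
    if trailing && !joined.ends_with('/') { joined + "/" } else { joined }
}

/// Decode to a fixed point, then normalize. `None` means reject rather than guess.
pub fn canonical_path(raw: &str) -> Option<String> {
    let mut cur = raw.as_bytes().to_vec();
    for _ in 0..MAX_DECODE_ROUNDS {
        let next = percent_decode_once(&cur);
        if next == cur {
            // Invalid UTF-8 (overlong forms included), NUL, or non-origin-form: reject.
            let s = String::from_utf8(cur).ok()?;
            return (s.starts_with('/') && !s.contains('\0')).then(|| remove_dot_segments(&s));
        }
        cur = next;
    }
    None // still changing after the bound: more layers than any origin should accept
}

fn main() {
    for p in ["/static/%252e%252e/admin", "/a/%c0%ae%c0%ae/b"] { // constructed samples
        println!("{} -> {:?}", p, canonical_path(p));
    }
}
```

Rules should then be matched against the returned string; a `None` result is itself a signal worth logging and blocking, because it marks input the inspector and the origin may not parse the same way.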