Module encoding

Payload encoding strategies — transform payloads to bypass WAF keyword detection.

Each strategy changes HOW the payload looks without changing WHAT it does. The server decodes the payload back to its original form, but the WAF fails to match it against its rules.

§Scope

Every module here is a WAF-evasion primitive: it transforms a payload so the WAF’s keyword / regex / signature matcher misses it while the origin’s normalizer / parser still recovers the original. Modules whose attack target is the origin application (template engines, deserializers, databases, etc.) do NOT belong in wafrift; those are sibling Santh tools.
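
The parser disagreement described above, seen from the defending side, as an added Rust example (not wafrift's code; the function names, the `MAX_LAYERS` cap, the alerting policy and the sample inputs are assumptions made for illustration). An inspection layer percent-decodes to a fixed point before matching and treats more than one encoding layer as a signal of its own; it covers only the URL-encoding family.

```rust
// Added defender-side example; not wafrift code. All names here are hypothetical.
const MAX_LAYERS: usize = 8; // assumed cap so hostile input cannot force unbounded work

fn hex_val(b: u8) -> Option<u8> {
    (b as char).to_digit(16).map(|d| d as u8)
}

/// Remove exactly one layer of percent-encoding; malformed escapes stay literal.
fn percent_decode_once(input: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(input.len());
    let mut i = 0;
    while i < input.len() {
        let hi = input.get(i + 1).copied().and_then(hex_val);
        let lo = input.get(i + 2).copied().and_then(hex_val);
        match (input[i], hi, lo) {
            (b'%', Some(h), Some(l)) => { out.push((h << 4) | l); i += 3; }
            (b, _, _) => { out.push(b); i += 1; }
        }
    }
    out
}

/// Decode until the bytes stop changing; returns (canonical form, layers removed).
fn canonicalize(input: &[u8]) -> (Vec<u8>, usize) {
    let mut cur = input.to_vec();
    for layers in 0..MAX_LAYERS {
        let next = percent_decode_once(&cur);
        if next == cur { return (cur, layers); }
        cur = next;
    }
    (cur, MAX_LAYERS) // still changing at the cap: treat as hostile
}

/// Returns (rule matched on canonical form, layers removed, flagged as layered).
fn inspect(raw: &str, keyword: &str) -> (bool, usize, bool) {
    let (canon, layers) = canonicalize(raw.as_bytes());
    let hay = String::from_utf8_lossy(&canon).to_lowercase();
    // Assumed policy: more than one encoding layer is itself worth an alert.
    (hay.contains(&keyword.to_lowercase()), layers, layers > 1)
}

fn main() {
    // Constructed sample inputs: the same parameter with 0 to 3 encoding layers.
    for raw in &["q=select", "q=%73elect", "q=%2573elect", "q=%252573elect", "q=100%"] {
        let naive = raw.contains("select"); // what a raw substring matcher sees
        println!("{:<16} naive={:<5} inspect={:?}", raw, naive, inspect(raw, "select"));
    }
}
```

A matcher that looks only at the raw bytes sees the keyword in the first sample alone, while the canonicalizing check matches all four encoded forms and reports the layer count.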

§Module structure

| Module | Responsibility |
|---|---|
| strategy | Strategy enum and encode() dispatcher |
| url | URL, double-URL, and triple-URL encoding |
| unicode | Unicode \uXXXX, %uXXXX, JSON, and HTML entity encoding |
| keyword | Case alternation, whitespace/comment insertion, SQL obfuscation |
| structural | Null byte, overlong UTF-8, chunked split, HPP, compression |
| layered | Multi-strategy chaining and aggressiveness scoring |
| invisible | Plan 9 tag chars, variation selectors, ligatures, soft hyphens |
| path_norm | RFC 3986 §5.2.4 differential path-normalization variants |
| request_line | Method / version / URI-form tricks (WAF↔origin parser disagreement) |
| race | Single-packet attack frame builders (Kettle BH23) |
| method_override | X-HTTP-Method-Override / _method framework re-interpret tricks |
| cache_poison | X-Forwarded-* + web cache deception + Vary confusion |

§Re-exports

pub use crate::error::EncodeError;
pub use layered::aggressiveness;
pub use layered::encode_layered;
pub use layered::layered_combinations;
pub use strategy::Strategy;
pub use strategy::all_strategies;
pub use strategy::encode;

§Modules

cache_poison
HTTP cache poisoning payloads: X-Forwarded-Host/Scheme/Port, X-Original-URL, X-Host (Akamai), Forwarded (RFC 7239), X-Backend-Host, loopback-trust headers, web cache deception paths (5 extensions × null-byte / semicolon / traversal forms), cache key normalization variants, Vary header confusion, status code poisoning, HTTP/2 :authority split.
invisible
Invisible-character & tag-character encoders (Plan 9 tag chars, variation selectors, stylistic ligatures, enclosed alphanumerics, soft hyphens, word joiners). Looks identical, normalizes identical, byte stream is unrecognizable.
keyword
Keyword manipulation encoding strategies (case, whitespace, comments).
layered
Multi-strategy encoding chains and aggressiveness scoring.
method_override
HTTP method-override confusion: framework re-interprets the request method from X-HTTP-Method-Override header (3 name variants), _method form field / query / multipart, chunked trailer, or header+form disagreement. Wire method shown to WAF is POST; framework executes DELETE/PUT/PATCH/etc.
path_norm
Path-normalization differential encoders (dot-segment variants, percent-encoded slash/dot, double-encoded, Tomcat semicolon, IIS backslash, fullwidth slash, overlong UTF-8 dot). Each variant is RFC 3986 §5.2.4-equivalent to the same target, but most WAFs don’t run that exact algorithm.
race
Single-packet race-condition primitives (Kettle BH23 “Smashing the State Machine”): HTTP/1.1 pipelined coalesce + HTTP/2 last-byte-sync frame builders. Builds wire bytes only; the transport layer handles the TCP_NODELAY-off + writev coalesce.
request_line
HTTP request-line differential encoders: exotic methods (WebDAV, CalDAV, cache-private), method case/whitespace tricks, version strings (HTTP/0.9, HTTP/1.99, HTTP/2.0-on-h1-wire), absolute-form URI (RFC 7230 §5.3.2), asterisk-form, authority-form.
strategy
Strategy enum and main encode() dispatcher.
structural
Structural encoding strategies: byte-level and framing manipulations (null byte, overlong UTF-8, chunked, HPP).
unicode
Unicode and HTML entity encoding strategies.
url
URL-based encoding strategies (single, double, triple).