pub fn json_unicode_alnum(payload: &str) -> String
Partial JSON Unicode escape — encodes ASCII alphanumeric chars as
\uXXXX while leaving structural punctuation (quotes, operators,
whitespace) bare.
Bypass mechanism: Keyword fingerprint rules (UNION, SELECT, alert,
script, eval, …) match against the byte sequence. Splitting the
keyword across Unicode escapes defeats them — the origin’s JSON
parser / JS engine re-materializes the keyword at the application
layer, but the WAF sees only the \uXXXX escapes for UNION in the wire
bytes and finds no literal UNION. Distinct from unicode_encode which
escapes EVERY char (high \u density flags some heuristic WAFs);
this leaves the SQL/HTML/JS structural skeleton visible, so the
payload still looks like data.
Idempotent: pre-existing \uXXXX sequences in the input are
detected and passed through verbatim — second-pass tampering does
not re-escape an already-escaped char.
Context: ONLY safe when the target parser performs JSON-style / JavaScript-style Unicode decoding. Inert against raw HTTP parameters (you’ll send literal backslash-u bytes).
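The defensive counterpart to the mechanism described above, as an added example that is not part of this crate: a WAF-side canonicalization step that decodes \uXXXX escapes before keyword rules run and counts escapes that decode to ASCII alphanumerics. The names `Normalized`, `normalize_json_escapes` and `hidden_keywords` are hypothetical, the sample body is constructed, and surrogate pairs are deliberately left undecoded.

```rust
pub struct Normalized {
    pub text: String,
    pub escaped_alnum: usize, // escapes that decoded to ASCII [A-Za-z0-9]
}

/// Decode \uXXXX escapes as a JSON parser would. Surrogate halves and
/// malformed escapes stay as written; other escapes (\\, \n) are copied whole.
pub fn normalize_json_escapes(input: &str) -> Normalized {
    let c: Vec<char> = input.chars().collect();
    let (mut text, mut escaped_alnum, mut i) = (String::new(), 0usize, 0usize);
    while i < c.len() {
        if c[i] == '\\' && i + 1 < c.len() {
            let is_u = c[i + 1] == 'u';
            if is_u && i + 5 < c.len() && c[i + 2..i + 6].iter().all(|h| h.is_ascii_hexdigit()) {
                let hex: String = c[i + 2..i + 6].iter().collect();
                if let Some(ch) = u32::from_str_radix(&hex, 16).ok().and_then(char::from_u32) {
                    escaped_alnum += ch.is_ascii_alphanumeric() as usize;
                    text.push(ch);
                    i += 6;
                    continue;
                }
            } else if !is_u {
                // Copy "\\" and friends as a pair so "\\u0041" is not decoded.
                text.push(c[i]);
                text.push(c[i + 1]);
                i += 2;
                continue;
            }
        }
        text.push(c[i]);
        i += 1;
    }
    Normalized { text, escaped_alnum }
}

/// Uppercase keywords that appear only after normalization.
pub fn hidden_keywords<'a>(body: &str, keywords: &[&'a str]) -> Vec<&'a str> {
    let raw = body.to_ascii_uppercase();
    let norm = normalize_json_escapes(body).text.to_ascii_uppercase();
    keywords.iter().copied().filter(|k| norm.contains(*k) && !raw.contains(*k)).collect()
}

fn main() {
    // Constructed sample body: keyword letters escaped, punctuation bare.
    let body = r#"{"q":"1 \u0055\u004e\u0049\u004f\u004e 2"}"#;
    let n = normalize_json_escapes(body);
    println!("{} escaped alnum, normalized: {}", n.escaped_alnum, n.text);
    println!("hidden: {:?}", hidden_keywords(body, &["UNION", "SELECT"]));
}
```

Common JSON serializers do not escape ASCII letters or digits, so a nonzero `escaped_alnum` is a useful anomaly signal even when no keyword rule fires.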