Path-prefix mutations — restructure the URI path so the WAF’s prefix-match ACL sees a different shape than the origin parser eventually serves.
§Why this is a distinct module from crate::url_mutate
url_mutate operates on path SEGMENT bytes and on QUERY VALUE
bytes. The mutations here operate on path STRUCTURE — they change
how the path is delimited, not what’s inside it. Lumping them into
UrlStrategy would force a value-byte mutator and a path-shape
mutator into one enum and produce category errors at the call
sites that build attack pipelines.
§What’s here
§PathPrefixStrategy::DoubleSlash — CVE-2025-29914 (Coraza WAF < 3.3.3)
Coraza historically used Go’s net/url Parse(), which treats a URI
starting with // as protocol-relative: //admin is parsed as
Host = "admin", Path = "". A Coraza ACL of the form
SecRule REQUEST_URI "@beginsWith /admin" does not fire, because
REQUEST_URI was populated from the parsed Path field, which is
empty. The HTTP origin behind Coraza (nginx, Caddy, Envoy) re-parses
the raw request line, normalises //admin back to /admin, and
serves the protected resource. Confirmed CVSS 5.4; fixed in
Coraza 3.3.3. Every unpatched Coraza deployment with any
prefix-match ACL is bypassed by a one-character path edit.
§PathPrefixStrategy::TripleSlash
Stretches DoubleSlash further — some normalisers collapse /// →
/ only after the first decode, so an origin that decodes once and
a WAF that decodes zero times see different forms. Useful when a
WAF normalises // but not ///.
§PathPrefixStrategy::SlashDot / SlashDotSlash
/./admin and /.//admin. RFC 3986 §5.2.4 says these resolve to
/admin after segment normalisation. WAFs that match the raw
REQUEST_URI literal miss them; origins that apply RFC normalisation
(Apache, IIS, most reverse proxies) serve the protected path.
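The parser disagreement described above for DoubleSlash, TripleSlash and SlashDot/SlashDotSlash, shown from the defender's side as an added Go example (not this crate's code and not Coraza's): `MatchesNaive` reproduces the pre-fix check, a prefix test against the Path that `url.Parse` returns, and `MatchesNormalized` is one possible hardened check that never treats the request-target as an authority and matches only after RFC 3986 dot-segment removal and slash collapsing. The `ACLPrefix` value and all function names are constructed for the example; the normaliser is a generic one written here, not the actual Coraza 3.3.3 patch.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ACLPrefix stands in for the page's `@beginsWith /admin` rule
// (constructed example value, not a Coraza default).
const ACLPrefix = "/admin"

// ParseAsCorazaDid mirrors the pre-3.3.3 behaviour the page describes:
// the request-target is handed to url.Parse, which reads a leading "//"
// as an authority, so "//admin" yields Host "admin" and an empty Path.
func ParseAsCorazaDid(rawURI string) (host, p string) {
	u, err := url.Parse(rawURI)
	if err != nil {
		// url.Parse rejects some inputs (e.g. control bytes); fall back to
		// the raw string so the caller still has something to log.
		return "", rawURI
	}
	return u.Host, u.Path
}

// MatchesNaive is the vulnerable check: a prefix test on url.Parse's Path.
func MatchesNaive(rawURI string) bool {
	_, p := ParseAsCorazaDid(rawURI)
	return strings.HasPrefix(p, ACLPrefix)
}

// NormalizeRequestPath is the defender-side step (written for this
// example, not Coraza's code). It strips query and fragment, forces a
// leading slash so the target can never be read as an authority, and
// then applies RFC 3986 dot-segment removal plus repeated-slash
// collapsing via path.Clean, so the ACL sees the same shape the
// origin will eventually serve.
func NormalizeRequestPath(rawURI string) string {
	if i := strings.IndexAny(rawURI, "?#"); i >= 0 {
		rawURI = rawURI[:i]
	}
	if !strings.HasPrefix(rawURI, "/") {
		rawURI = "/" + rawURI
	}
	return path.Clean(rawURI)
}

// MatchesNormalized is the ACL check applied to the normalised path.
func MatchesNormalized(rawURI string) bool {
	return strings.HasPrefix(NormalizeRequestPath(rawURI), ACLPrefix)
}

func main() {
	// Constructed request-targets covering each variant named on the page.
	for _, raw := range []string{"/admin", "//admin", "///admin", "/./admin", "/.//admin"} {
		host, p := ParseAsCorazaDid(raw)
		fmt.Printf("%-9s url.Parse: host=%q path=%q  naive=%-5v normalized=%v\n",
			raw, host, p, MatchesNaive(raw), MatchesNormalized(raw))
	}
}
```

Two caveats on the design. `path.Clean` does not percent-decode, so in a real WAF this step has to run after the same number of decode passes the origin performs, otherwise the TripleSlash decode-count mismatch described above reappears one layer down. And the normalised path is only for the ACL decision; the bytes forwarded to the origin should stay untouched so that logging still records what the client actually sent.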
§Reachability
Exposed through mutate_url_with_prefix(). The strategy engine
drives this via a new Technique::PathPrefix(...) arm; the
parser-diff path family probes each variant in turn against the
authorised target.
Pass 21 R62 — frontier technique #4 per the 2025 research scan.
Enums§
Functions§
- mutate_path_prefix - Apply a path-prefix mutation to a path-and-query string. Returns the mutated form and the technique label.