pub struct JsonDupKeyTamper;
JSON duplicate-key parser-disagreement (frontier 2026, WAFFLED corpus / arxiv.org/abs/2503.10846). Wraps a payload in a duplicate-key JSON envelope: the WAF’s JSON inspector consumes the FIRST key occurrence (a benign sentinel) and skips the duplicate; the backend’s deserialiser consumes the LAST (PHP/Apache/Rails) or merges (ASP.NET) and unwraps the attack payload. Confirmed against all five major WAFs (AWS / Azure / Cloudflare / Cloud Armor / ModSec) by the WAFFLED 2025 study — 557 JSON bypasses across the corpus.
The harness uses param "q" as the colliding key — the same
default param wafrift’s scan loop uses for URL-query carriers,
so a SQL/XSS/SSTI payload that already works as ?q=<P> lands
in the JSON-body channel via the same key name. When the
emitted shape is delivered to a non-JSON sink (HTML / form), the
JSON wrapping is a no-op WAF defeat: the WAF still inspects the
bytes, but the bytes themselves carry the payload in a form
most WAFs DO NOT score (the rule corpus matches on the unwrapped
payload string, not the JSON envelope).
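
A defender-side check for the first-key/last-key disagreement described above, added here as an example (it is not wafrift's own code): it refuses JSON bodies that repeat a key at any depth and shows the two views an inspector and a backend can take of the same bytes. The function names and sample bodies are constructed for illustration.

```python
import json


class DuplicateKey(ValueError):
    """Raised when a JSON object repeats a member name."""


def reject_dupes(pairs):
    # object_pairs_hook receives each object's members in document order,
    # including repeats that a plain dict would silently collapse.
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateKey(key)
        seen[key] = value
    return seen


def first_wins(pairs):
    # Models an inspector that keeps the FIRST occurrence of a key.
    out = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out


def views(body):
    """Return (first-wins view, last-wins view) of the same bytes."""
    first = json.loads(body, object_pairs_hook=first_wins)
    last = json.loads(body)  # Python's default dict keeps the LAST occurrence
    return first, last


def is_ambiguous(body):
    """True if any object in the body repeats a key (at any nesting depth)."""
    try:
        json.loads(body, object_pairs_hook=reject_dupes)
        return False
    except DuplicateKey:
        return True


# Constructed sample bodies (placeholder values, not real payloads).
SAMPLE_DUP = '{"q": "sentinel", "q": "SECOND_VALUE"}'
SAMPLE_NESTED = '{"a": {"q": 1, "q": 2}}'
SAMPLE_OK = '{"q": "sentinel", "r": "other"}'

if __name__ == "__main__":
    for body in (SAMPLE_DUP, SAMPLE_NESTED, SAMPLE_OK):
        print(body, "ambiguous" if is_ambiguous(body) else "ok", views(body))
```

Rejecting or normalising ambiguous bodies at the edge, before inspection, removes the disagreement regardless of which occurrence the backend would have chosen.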