pub struct ZeroWidthInjectTamper;Expand description
Zero-width Unicode injection tamper.
Inserts zero-width characters (U+200B ZERO-WIDTH SPACE,
U+200C ZERO-WIDTH NON-JOINER, U+200D ZERO-WIDTH JOINER,
U+180E MONGOLIAN VOWEL SEPARATOR) between every alphabetic
character of the payload. Renders identically to the
original in most consumers (terminals, log viewers, the SQL
engine after .replace('\u{200B}', "")) but defeats WAF
regex patterns that scan for literal keywords like SELECT.
U+FEFF (ZWNBSP / BOM) was historically in the rotation but caused PostgreSQL + many DB connectors to 500 the entire query as “invalid byte sequence” mid-literal — defeating the bypass. Replaced with U+180E which is universally tolerated.
Frontier research (Black Hat 2025, “Zero-Width WAF Bypass”): most commercial WAFs do NOT strip zero-width chars before pattern matching, but downstream parsers (MySQL, Postgres, browser HTML parser, JavaScript) all treat them as non-significant. This is a wide-open bypass vector.