
Module body_padding

Body-size inspection bypass.

Cloud WAFs only inspect the leading N bytes of a request body: Cloudflare Pro 8 KB, Cloudflare Enterprise 128 KB, AWS WAF 8/16/64 KB depending on tier, Akamai 8 KB by default. If we prepend ≥ N bytes of inert junk in front of the real payload, the WAF rule engine never sees the malicious bytes — they’re past its inspection window — and the origin still parses the body correctly.

This module produces structurally valid padded bodies for the four content-types we routinely inject into:

  • application/json — wrap the original in an object with a leading junk field: {"_w":"<N bytes>","payload":<original>}.
  • application/x-www-form-urlencoded — prepend _w=<N bytes>& to the original body.
  • multipart/form-data — prepend a junk part with the same boundary, before the real parts.
  • any other content-type (raw text, XML, etc.) — fall back to a _w query-style prefix only if the body is empty; otherwise refuse and return the original. Padding inside an opaque body would corrupt it; honesty over false victory.

The junk is alphabetic ASCII (A-Z cycled). It carries no SQL, XSS, or shell metacharacters, so the WAF won’t flag the padding itself even if it does inspect a partial slice.
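From the detection side, as an added example that is not wafrift's own code: a check that recognises the three padded shapes listed above and reports how long the inert prefix is, so an origin-side filter or log review can flag a body whose leading bytes are filler rather than relying on a bounded inspection window alone. The value of PAD_KEY and the window sizes are assumed from the description above.

```rust
// Added example, not wafrift's code: recognise the padded body shapes described
// above and report the inert prefix length, for origin-side filtering or log review.
const PAD_KEY: &str = "_w"; // assumed value; the module's PAD_KEY is not quoted here
/// Inspection-window sizes quoted in the module description, in bytes.
pub const KNOWN_WINDOWS: [usize; 4] = [8 * 1024, 16 * 1024, 64 * 1024, 128 * 1024];

fn find(hay: &[u8], needle: &[u8]) -> Option<usize> {
    hay.windows(needle.len()).position(|w| w == needle)
}
/// Length of the run of ASCII letters starting at `bytes[start..]`.
fn alpha_run(bytes: &[u8], start: usize) -> usize {
    let start = start.min(bytes.len());
    bytes[start..].iter().take_while(|b| b.is_ascii_alphabetic()).count()
}

/// Length of a leading alphabetic filler stored under PAD_KEY, or None when the
/// body does not open with one of the three padded shapes described above.
pub fn padded_prefix_len(content_type: &str, body: &[u8]) -> Option<usize> {
    // Media type only; parameters such as boundary= or charset= are ignored.
    let ct = content_type.split(';').next().unwrap_or("").trim().to_ascii_lowercase();
    let run = match ct.as_str() {
        // {"_w":"AAAA...","payload":<original>}
        "application/json" => {
            let head = format!("{{\"{}\":\"", PAD_KEY);
            if !body.starts_with(head.as_bytes()) { return None; }
            alpha_run(body, head.len())
        }
        // _w=AAAA...&<original>
        "application/x-www-form-urlencoded" => {
            let head = format!("{}=", PAD_KEY);
            if !body.starts_with(head.as_bytes()) { return None; }
            alpha_run(body, head.len())
        }
        // --boundary CRLF headers naming "_w" CRLF CRLF AAAA... CRLF --boundary ...
        "multipart/form-data" => {
            if !body.starts_with(b"--") { return None; }
            let hdr_end = find(body, b"\r\n\r\n")?;
            find(&body[..hdr_end], format!("name=\"{}\"", PAD_KEY).as_bytes())?;
            alpha_run(body, hdr_end + 4)
        }
        _ => return None, // opaque bodies are not padded by the module
    };
    if run == 0 { None } else { Some(run) }
}

/// Documented inspection windows that a filler of `run` bytes reaches or exceeds.
pub fn windows_exceeded(run: usize) -> Vec<usize> {
    KNOWN_WINDOWS.iter().copied().filter(|&w| run >= w).collect()
}
```

A non-empty result on a request that the rule engine passed is the signal worth logging: the engine's verdict covered filler, not the payload.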

Enums

PadOutcome
Result of a padding attempt.

Constants

MAX_USEFUL_PAD
Hard cap on padding size to prevent OOM from accidental requested_bytes = usize::MAX (deliberate abuse or arithmetic underflow upstream). 8 MiB is well above any documented cloud-WAF inspection window (Cloudflare Enterprise tops out at 128 KiB).
MIN_USEFUL_PAD
Smallest padding worth applying. Anything below this won’t reliably push a real payload past a WAF’s inspection window.
PAD_KEY
Marker prefix for the padding field/key. Stable across calls so a post-hoc test can verify the padding was applied.

Functions

known_threshold_values
Set of all numeric thresholds used by known_thresholds, for clap value-validation in the proxy.
known_thresholds
List of well-known WAF inspection thresholds (bytes). Useful for callers picking a sane requested_bytes default.
looks_padded
Reverse check: does body look like it carries a wafrift-padded prefix? Used in tests and diagnostic logging.
pad
Pad body with at least requested_bytes of inert filler, choosing a structure-preserving strategy based on content_type.