Crate wafrift_oracle

Expand description

Payload oracles — semantic validation across injection types.

The oracle system ensures that evasion transforms preserve exploit semantics. Each oracle understands the structural invariants of a specific injection type and rejects transforms that would render the payload inert.

§Architecture

PayloadOracle (trait)
├── SqlOracle       — SQL AST parsing via sqlparser
├── XssOracle       — HTML tag/event/exec structure validation
├── SstiOracle      — Template delimiter and expression validation
├── CmdiOracle      — Shell separator + command validation
├── PathOracle      — Directory traversal sequence validation
├── LdapOracle      — LDAP filter syntax validation
└── SsrfOracle      — URL structure and host validation

§Usage

use wafrift_oracle::traits::PayloadOracle;
use wafrift_oracle::xss::XssOracle;

let oracle = XssOracle;
assert!(oracle.is_semantically_valid(
    "<script>alert(1)</script>",
    "<ScRiPt>alert(1)</sCrIpT>",
));

Pick the right oracle dynamically from the classified payload type — every grammar in wafrift-grammar has a matching oracle:

use wafrift_grammar::PayloadType;
use wafrift_oracle::oracle_for;

let oracle = oracle_for(PayloadType::Sql).unwrap();
assert_eq!(oracle.name(), "SQL");
assert!(oracle.is_semantically_valid("1 OR 1=1 --", "1 OR 1=1 --"));
// Mutilated payload that no longer parses as SQL: rejected.
assert!(!oracle.is_semantically_valid("1 OR 1=1 --", "1 O R 1=1 --"));

Reject SSRF mutations that lose the loopback target (a transformation engine can call this before emitting a variant):

use wafrift_oracle::ssrf::SsrfOracle;
use wafrift_oracle::traits::PayloadOracle;

let oracle = SsrfOracle;
// Same target, different on-the-wire encoding — kept.
assert!(oracle.is_semantically_valid("http://127.0.0.1/", "http://127.1/"));
// Pivot to a public host — semantics lost, rejected.
assert!(!oracle.is_semantically_valid("http://127.0.0.1/", "http://example.com/"));

Modules§

calibration: Per-target calibration session. Per-target calibration session.
cmdi: Command injection oracle. Command injection payload oracle.
ldap: LDAP injection oracle. LDAP injection payload oracle.
oob
path: Path traversal oracle. Path traversal payload oracle.
response_oracle: WAF response oracle. WAF response oracle.
signal_body_marker: Body-marker signal extractor. Body-marker signal extractor.
signal_connection: Connection-behavior signal extractor. Connection-behavior signal extractor.
signal_h2_goaway: H2 GOAWAY signal extractor. HTTP/2 GOAWAY frame signal extractor.
signal_headers: Response header signal extractor. WAF header signal classification.
signal_response_time: Response-time signal extractor. Response-time anomaly signal extractor.
signal_status_code: Status-code signal extractor. Status-code signal extractor.
sql: SQL AST oracle. SQL AST Oracle.
ssrf: SSRF (Server-Side Request Forgery) oracle. SSRF (Server-Side Request Forgery) payload oracle.
ssti: SSTI (Server-Side Template Injection) oracle. SSTI (Server-Side Template Injection) payload oracle.
traits: Oracle trait definition. Payload oracle trait — validates that evasion transforms preserve semantic meaning.
xss: XSS (Cross-Site Scripting) oracle. XSS payload oracle — validates that HTML/JS execution semantics survive transforms.

Structs§

SqlOracle: SQL oracle adapter that implements the PayloadOracle trait.

Functions§

oracle_for: Select the appropriate oracle for a given payload type.