wafrift-proxy — forward HTTP proxy with per-host adaptive WAF evasion.
Slots between any intercepting proxy (Burp / Caido / mitmproxy) and the upstream target. On every forwarded request the proxy applies the full wafrift evasion pipeline (encoding + content-type switching + fingerprint rotation + body padding) and records bypasses to the per-WAF gene bank.
Key modules:
- intercept — HTTP CONNECT tunnel handler (MITM TLS interception)
- mitm — TLS certificate minting + impersonation via BoringSSL (optional)
- upstream — Upstream forwarding with evasion pipeline applied
- upstream_policy — Scope / skip rules (--only-host, --skip-path, …)
- rate_limit — Token-bucket rate limiter (per upstream host)
- tui — ratatui live dashboard (Flow / Overview / Hosts tabs)
- scope — Glob-based scope evaluation
- hop_by_hop — Hop-by-hop header stripping per RFC 7230 §6.1
The binary entry point lives in main.rs; this lib module exposes
the building blocks downstream consumers (the bench harness,
integration tests, third-party Rust code that embeds the proxy) need.
Modules
- hop_by_hop: Hop-by-hop headers (RFC 7230 §6.1) must not be blindly forwarded through proxies.
- intercept: Operator-driven intercept queue: pause every forward, surface it in the TUI, let the operator release / kill before upstream sees anything.
- mitm: MITM (Man-in-the-Middle) functionality for HTTPS interception.
- rate_limit: Per-host token-bucket rate limiter.
- scope: Per-request scope filtering for the proxy.
- tui: Terminal dashboard for wafrift-proxy.
- upstream: Unified upstream HTTP client for wafrift-proxy.
- upstream_policy: Upstream destination policy: literal-IP bogons and DNS SSRF-style checks.
Functions
- extract_host_from_header: Extract the host from a Host header, handling IPv6 bracket notation and bare IPv6 literals.
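
The Host forms that description names (bracketed IPv6, bare IPv6 literals, optional port), parsed into one normalized value that a scope or destination-policy check can compare against. This is an added example, not the crate's own code: `host_from_header` and `valid_port` are hypothetical names, and the rejection rules and sample values are assumptions made for the example.

```rust
use std::net::Ipv6Addr;

/// Hypothetical helper, not the crate's `extract_host_from_header`:
/// returns the normalized host from a Host header value, or None if malformed.
fn host_from_header(value: &str) -> Option<String> {
    let v = value.trim();
    // Whitespace, '/' and '@' never belong in a Host value; reject early so a
    // scope check is never handed "allowed.example@other.example".
    if v.is_empty() || v.contains(|c: char| c.is_whitespace() || c == '/' || c == '@') {
        return None;
    }
    // Bracketed IPv6: "[::1]" or "[::1]:8443".
    if let Some(rest) = v.strip_prefix('[') {
        let (addr, tail) = rest.split_once(']')?;
        let ip: Ipv6Addr = addr.parse().ok()?;
        if !tail.is_empty() && !valid_port(tail.strip_prefix(':')?) {
            return None;
        }
        return Some(ip.to_string()); // compressed, lowercase text form
    }
    // Bare IPv6 literal (more than one ':'). A trailing port cannot be told
    // apart from the last group, so the whole value is treated as the address.
    if v.matches(':').count() > 1 {
        return v.parse::<Ipv6Addr>().ok().map(|ip| ip.to_string());
    }
    // Reg-name or IPv4, optionally followed by ":port".
    let host = match v.split_once(':') {
        Some((h, p)) if valid_port(p) => h,
        Some(_) => return None,
        None => v,
    };
    if host.is_empty() { None } else { Some(host.to_ascii_lowercase()) }
}

/// Digits only (u16's FromStr would also accept a leading '+').
fn valid_port(p: &str) -> bool {
    p.bytes().all(|b| b.is_ascii_digit()) && p.parse::<u16>().is_ok()
}

fn main() {
    // Constructed sample header values.
    for h in ["Example.com:8080", "[2001:DB8::1]:443", "::1", "[::1]8443"] {
        println!("{:?} -> {:?}", h, host_from_header(h));
    }
}
```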