
wafrift_wafmodel/
lib.rs

1//! # wafrift-wafmodel — the WAF decompiler
2//!
3//! Stop searching a black box. **Reconstruct the WAF's decision
4//! boundary as an executable symbolic automaton**, then turn evasion
5//! from search into deduction:
6//!
7//! - **P1 — Decompile.** Active-learn the WAF (the [`learn`] module)
8//!   over a [`WafOracle`] into an [`Sfa`], spending the minimum
9//!   membership-query budget. Emit it as a provenance-stamped artifact.
10//! - **P1 — Mine.** Intersect the learned pass-language with an attack
11//!   grammar *offline* to harvest minimal-edit bypasses with no further
12//!   live queries.
13//! - **P2 — Solve.** Compose the learned WAF view with the pipeline's
14//!   normalization transducers and solve for inputs that survive every
15//!   stage (the double-decode trick, rediscovered — not hard-coded).
16//! - **P3 — Dominate.** The same model drives constrained adversarial
17//!   evasion of ML-WAFs *and* provable hole-closure for defenders.
18//!
19//! Everything here is zero-config and pure-Rust: no GPU, no external
20//! Coraza, no network required for the core. Acceleration (vyre/GPU,
21//! live HTTP oracles) is strictly additive.
22//!
23//! The crate is built bottom-up; each module is landed complete (no
24//! stubs) before the next depends on it. This file only declares
25//! modules that are fully implemented.
26
27#![forbid(unsafe_code)]
28
/// Returns the bundled Tier-B ruleset, derived from OWASP CRS (XSS 941 +
/// SQLi 942), as raw TOML text.
///
/// The text is embedded with `include_str!`, so `wafrift audit`/`harden`
/// work zero-config with no files to fetch at runtime. Because the rules
/// are compiled in, they are a snapshot taken at build time: they change
/// only when the crate is rebuilt against an updated `core.toml`.
///
/// Parse the returned text with [`SimRegexWaf::from_toml`].
#[must_use]
pub fn default_crs_ruleset() -> &'static str {
    // Resolved relative to this source file at compile time.
    const EMBEDDED_RULESET: &str = include_str!("../rules/crs/core.toml");
    EMBEDDED_RULESET
}
36
37pub mod artifact;
38pub mod booster;
39pub mod canon;
40pub mod ensemble_dilution;
41pub mod equiv_bridge;
42pub mod equiv_query;
43pub mod error;
44pub mod filter_profile;
45pub mod harden;
46pub mod learn;
47pub mod mine;
48pub mod mlwaf;
49pub mod normalize;
50pub mod oracle;
51pub mod origin_probe;
52pub mod outcome;
53pub mod sfa;
54pub mod solve;
55pub mod transduce;
56
57pub use artifact::{LearnedModel, Provenance};
58pub use booster::WafBoosterScorer;
59pub use canon::{CanonView, Channel, Segment, canonicalize};
60pub use ensemble_dilution::RuleGroup;
61pub use equiv_bridge::{norm_mismatch_members, sink_for_tag, solution_member};
62pub use equiv_query::{ChainedEq, PacBound, SampledEq, UcbBanditEq, WMethodEq};
63pub use error::{Result, WafModelError};
64pub use filter_profile::{
65    DecodeGap, FilterProfile, TokenFinding, TokenProbe, Verdict, battery_from_toml, characterize,
66    default_battery as default_filter_battery, probe_decode_gaps,
67};
68pub use harden::{ClosureReport, synthesize_closure};
69pub use learn::{
70    Alphabet, BoundedExhaustiveEq, EquivalenceOracle, LearnReport, kv_learn, l_star,
71    l_star_budgeted, passive_learn,
72};
73pub use mine::{attack_grammar, mine_bypasses, minimal_bypass, waf_diff};
74pub use mlwaf::{MlEvasion, MlWaf, evade_ml};
75pub use normalize::{Transform, apply_chain};
76pub use oracle::{ChannelSet, FnOracle, Rule, SimRegexWaf, WafOracle};
77pub use origin_probe::{
78    FnReflector, OriginScan, ReflectionOracle, detect_origin_normalization, scan_origin,
79};
80pub use outcome::Outcome;
81pub use sfa::{BytePred, Sfa, StateId};
82pub use solve::{Solution, solve_bypass};
83pub use transduce::{Pipeline, Stage, json_unescape, url_decode_once};