32
Attack Scripts
12
Attack Phases
5
Protocols Tested
142
Proxy Unit Tests
Why we attack our own proxy
pqcrypta-proxy is our open-source Rust reverse proxy sitting in front of every request to pqcrypta.com. It handles HTTP/1.1, HTTP/2, HTTP/3 (QUIC), and WebTransport while running a custom WAF, JA3/JA4 TLS fingerprinting, rate limiting, circuit breaker, and GeoIP. We built this red-team suite to continuously verify that none of those defences can be bypassed. Every script targets a real attack class. Results go into our security review cycle.
- ✓ WAF bypass & advanced evasion
- ✓ HTTP request smuggling across all protocol versions
- ✓ Timing oracle & side-channel analysis
- ✓ Auth, session & privilege escalation
- ✓ SSRF with IPv6 & DNS rebinding
- ✓ Cryptographic API fuzzing (31 algorithms)
- ✓ AI / LLM prompt injection & context bleed
- ✓ XXE, SSTI, file upload, gRPC/Protobuf
- ✓ Container escape & CI/CD pipeline exposure
- ✓ Supply chain & dependency confusion
- ✓ Data privacy & PII leakage
- ✓ Race conditions with 50-concurrent requests
pqcrypta-proxy โ open source on GitHub
Rust ยท MIT/Apache-2.0 ยท HTTP/3 ยท QUIC ยท WebTransport ยท PQC TLS (X25519MLKEM768) ยท JA3/JA4 fingerprinting ยท WAF ยท Rate limiting ยท Circuit breaker
Proxy defences under test
- ▶ WAF security blocklist + bot blocklist
- ▶ JA3/JA4 TLS fingerprint classification
- ▶ Rate limiting per IP / per route
- ▶ Circuit breaker (open/half-open/closed)
- ▶ GeoIP + IP blocklist
- ▶ CSP headers (nonce-based, no unsafe-inline)
- ▶ HSTS + security header suite
- ▶ X25519MLKEM768 hybrid PQC key exchange
Suite infrastructure
- Language
- Bash (POSIX-compatible)
- Config
config.shโ one file, all targets & ports- Required tools
- bash, curl, python3, openssl, nc, dig, jq
- Optional tools
- hey, websocat, grpcurl, testssl.sh, nikto
- Output
- Per-script .out files + summary.tsv
- Exit codes
- 0=pass ยท 1=warn/finding ยท 2=error ยท 3=scope fail
- Timing stats
- 50 samples ยท Python statistics ยท 3ฯ threshold
- Race tool
- hey -n 50 -c 50 (fallback: curl &)
- Portable
- Works against any pqcrypta-proxy deployment
Authorized testing only. The suite targets whatever hosts are set in
config.sh.
scope_guard.sh enforces the allowlist โ out-of-scope targets are refused in non-interactive mode.
Do not run against systems you do not own or have explicit written authorization to test.
All 32 Attack Scripts
Click any phase filter to narrow the view. Each card links to the script source.
Filter by phase:
01 ยท Phase 1
Tests common WAF evasion: encoding tricks, chunked payloads, case variants, Unicode normalisation, split-path bypass, and obfuscated SQL/XSS patterns.
HTTP/1.1
HTTP/2
HTTP/3
14 ยท Phase 2
Fingerprinting, information disclosure, directory enumeration, server headers, error message leakage, and technology stack identification.
HTTP/1.1
HTTP/2
12 ยท Phase 2
Second-order evasion: multi-level encoding, null bytes, chunked TE smuggling, Unicode homographs, JSON parameter pollution.
HTTP/1.1
HTTP/2
HTTP/3
02 ยท Phase 3
Probes fake user-agents, missing browser headers, headless markers, and IPv6 XFF spoofing to test bot-detection logic.
HTTP/1.1
HTTP/2
03 ยท Phase 3
Host header injection, X-Forwarded-For spoofing, request smuggling via header manipulation, and IPv6 address variants.
HTTP/1.1
HTTP/2
07 ยท Phase 4
Full protocol coverage: CL.TE and TE.CL via raw TCP (port 80), HTTP/1.1 over TLS, H2 TE rejection (RFC 9113 ยง8.2.2), TE.TE obfuscation (5 variants), H2 Rapid Reset (CVE-2023-44487), and WebTransport port probe.
HTTP/1.1
HTTP/2
HTTP/3
WebTransport
06 ยท Phase 4
Cipher suite strength, protocol version negotiation (TLS 1.0โ1.3), certificate validity, OCSP stapling, HSTS enforcement, and X25519MLKEM768 hybrid PQC key exchange detection.
HTTP/1.1
HTTP/2
HTTP/3
13 ยท Phase 4
WebSocket upgrade security, unauthenticated upgrade, invalid Bearer token, token-in-query-string bypass, upgrade against /admin/, and RFC 8441 HTTP/2 WebSocket.
HTTP/1.1
HTTP/2
WebSocket
WebTransport
08 ยท Phase 5
Weaponising the proxy against internal services via URL parameters, Referer, and redirect chains. Covers IPv4, IPv6 (::1, fd00:ec2::254), AWS/GCP metadata, and DNS rebinding.
HTTP/1.1
HTTP/2
HTTP/3
09 ยท Phase 5
Web cache poisoning via unkeyed headers (X-Forwarded-Host, X-Original-URL), and cache deception via path traversal and extension manipulation.
HTTP/1.1
HTTP/2
05 ยท Phase 5
API key bypass, JWT algorithm confusion (RS256โHS256, none), missing auth on endpoints, key enumeration timing, and permission escalation attempts.
HTTP/1.1
HTTP/2
10 ยท Phase 5
Malformed inputs to all 31 encryption algorithms: empty payloads, oversized data, wrong key formats, type confusion, boundary conditions, and corrupt ciphertext.
HTTP/1.1
HTTP/2
11 ยท Phase 5
50-sample statistical analysis (3ฯ threshold) for padding oracle, API-key oracle, login timing, and WAF timing side-channels. --local flag for 3 ms floor vs 15 ms remote.
HTTP/1.1
HTTP/2
04 ยท Phase 5
Burst requests against all API endpoints to trigger throttling, 429 response validation, and per-route limit verification.
HTTP/1.1
HTTP/2
HTTP/3
15 ยท Phase 6
Session fixation, token replay, brute-force lockout, cookie security flags (Secure, HttpOnly, SameSite), and session invalidation after logout.
HTTP/1.1
HTTP/2
19 ยท Phase 6
OTP brute-force, OTP replay attack, backup code enumeration, MFA step-skip via partial tokens, 2FA endpoint discovery.
HTTP/1.1
HTTP/2
20 ยท Phase 6
Horizontal and vertical privilege escalation, IDOR via numeric/UUID IDs, admin-endpoint access from unprivileged sessions, path-based access control bypass.
HTTP/1.1
HTTP/2
16 ยท Phase 7
Race conditions via hey (50-concurrent), type confusion, integer overflow in API fields, negative-value inputs, and duplicate-request replay.
HTTP/1.1
HTTP/2
17 ยท Phase 7
CSP header parsing and scoring, unsafe-inline/unsafe-eval detection, missing directives, Subresource Integrity checks, and script gadget enumeration.
HTTP/1.1
HTTP/2
23 ยท Phase 7
DOM XSS sinks, postMessage origin validation, localStorage secret leakage, prototype pollution gadgets, and third-party script integrity.
HTTP/1.1
HTTP/2
21 ยท Phase 8
npm/crates.io namespace squatting probes, SBOM disclosure, lockfile exposure, dependency confusion attack surface enumeration.
HTTP/1.1
22 ยท Phase 8
Cloud metadata endpoint SSRF (169.254.169.254 + IPv6), IAM credential exposure, misconfigured S3/GCS buckets, internal port scan via redirect chains.
HTTP/1.1
HTTP/2
18 ยท Phase 8
Retry storms, partial connection failures, cache desync scenarios, configuration staleness under load, and circuit-breaker trigger verification.
HTTP/1.1
HTTP/2
24 ยท Phase 9
Sensitive path enumeration (logs, exports, backups), response body scanning for PII patterns (email, SSN, credit card), and error-message information leakage.
HTTP/1.1
HTTP/2
25 ยท Phase 10
Docker daemon port exposure, Kubernetes API unauthenticated access, kubelet probes, etcd exposure, container escape path traversal, and SSRF to metadata services.
HTTP/1.1
HTTP/2
26 ยท Phase 10
CI config file exposure (Makefile, Taskfile.yml, Jenkinsfile, .travis.yml), build artifact disclosure, webhook forgery, GitHub Actions secret enumeration.
HTTP/1.1
HTTP/2
27 ยท Phase 10
DB port exposure scan, admin interface enumeration (phpMyAdmin, Adminer), NoSQL injection (MongoDB operator injection), backup file disclosure, and SQL timing inference.
HTTP/1.1
HTTP/2
28 ยท Phase 11
Prompt injection against the wizard chatbot, jailbreaks, system-prompt extraction, cross-session context bleed (IDOR on /history), SSE stream poisoning.
HTTP/1.1
HTTP/2
29 ยท Phase 12
XML External Entity via application/xml and text/xml endpoints, SSRF via XXE (metadata, INTERNAL_API_PORT, config.php, /proc/self/environ), SVG XXE, content-type confusion, Billion Laughs DoS probe.
HTTP/1.1
HTTP/2
30 ยท Phase 12
15 engine probe pairs (Jinja2, Twig, Smarty, Blade, Pebble, Velocity, Mako, ERB) via GET params, JSON POST, form POST, and HTTP headers.
HTTP/1.1
HTTP/2
31 ยท Phase 12
PHP shell disguised as .pdf, double extension (.php.pdf), null-byte bypass, JPEG polyglot, MIME confusion, SVG XSS, SVG XXE, HTML stored XSS, path traversal filename, zip bomb, CRLF in Content-Disposition.
HTTP/1.1
HTTP/2
32 ยท Phase 12
Port scan for 14 gRPC ports, content-type detection, server reflection enumeration, malformed protobuf frame fuzzing (6 cases), gRPC-Web gateway probes, metadata auth bypass.
HTTP/1.1
HTTP/2
Phase Map
The suite is ordered so reconnaissance and low-noise tests run first, escalating to destructive/noisy tests last.
| Phase | Category | Scripts | Focus |
|---|---|---|---|
| Phase 1 | Reconnaissance | 01 | Low-noise information gathering before any active probing |
| Phase 2 | WAF Bypass | 14 12 | Direct and encoded attack payloads against the WAF ruleset |
| Phase 3 | Bot Detection & Headers | 02 03 | Identity spoofing, header manipulation, IPv6 bypass paths |
| Phase 4 | Protocol & Transport | 07 06 13 | HTTP smuggling across all versions, TLS, WebSocket, WebTransport |
| Phase 5 | API & Injection | 08 09 05 10 11 04 | SSRF, cache poison, auth bypass, crypto fuzzing, timing, rate limit |
| Phase 6 | Auth & Session | 15 19 20 | Authentication hardening, session security, MFA bypass, RBAC |
| Phase 7 | Business Logic & Client | 16 17 23 | Race conditions, type confusion, CSP analysis, DOM security |
| Phase 8 | Infrastructure | 21 22 18 | Supply chain, cloud metadata, resilience under chaos |
| Phase 9 | Data Privacy | 24 | PII leakage, sensitive file exposure, error message disclosure |
| Phase 10 | Platform Security | 25 26 27 | Container escape, CI/CD pipeline, database & storage exposure |
| Phase 11 | AI / LLM | 28 | Prompt injection, jailbreaks, cross-session bleed, SSE poisoning |
| Phase 12 | Advanced Injection | 29 30 31 32 | XXE, SSTI, file upload polyglots, gRPC/Protobuf fuzzing |
Protocol Coverage
pqcrypta-proxy supports every major HTTP transport. The pentest suite validates each one independently so a defence bypass in one version is not hidden by another.
HTTP/1.1
HTTP/2
HTTP/3
QUIC
WebTransport
WebSocket
HTTP/1.1
- ✓ All WAF bypass scripts use
--http1.1explicitly - ✓ CL.TE and TE.CL smuggling via raw
ncon port 80 - ✓ CL.TE and TE.CL over TLS (curl
--http1.1) - ✓ TE.TE obfuscation: 5 variants + tab-separated
- ✓ Baseline for all timing oracle comparisons
HTTP/2
- ✓ TE header rejection per RFC 9113 ยง8.2.2 (should return 400)
- ✓ H2 Rapid Reset / Continuation Flood probe (CVE-2023-44487)
- ✓ RFC 8441 WebSocket over HTTP/2 upgrade
- ✓ H2โH1 downgrade detection (proxy must sanitise TE)
- ✓ All API auth, timing, and SSRF tests run against HTTP/2
HTTP/3 / QUIC
- ✓
curl --http3with Alt-Svc fallback detection - ✓ Rate-limit tests repeat against HTTP/3 endpoint
- ✓ WAF bypass payloads sent over QUIC transport
- ✓ TLS script verifies ALPN negotiation for h3
WebTransport (:4433)
- ✓ TCP reachability probe on port 4433
- ✓ HTTP/3 QUIC frame probe against the WebTransport endpoint
- ✓ WebSocket upgrade test with RFC 8441 HTTP/2 path
- ✓ Auth bypass via unauthenticated upgrade
HTTP/3 availability: If the test runner's curl build lacks HTTP/3 support,
scripts fall back gracefully to HTTP/2 and log the limitation. The proxy's QUIC endpoint
(
${API_HOST}:${QUIC_PORT} in config.sh) also advertises Alt-Svc so browsers auto-upgrade.
Running the Suite
All scripts live in scripts/. Run the whole suite via run_all.sh
or target individual scripts or phases.
Configuration
All target-specific values live in a single config.sh. Edit it once to point the suite at any pqcrypta-proxy deployment โ no changes needed inside the individual scripts.
# Key settings in config.sh โ override any value with an env var or edit the file
TARGET="https://your-proxy.example.com" # web app URL
API_TARGET="https://api.your-proxy.example.com" # API server URL
INTERNAL_API_PORT=3003 # backend API port (SSRF probes)
PROXY_ADMIN_PORT=8082 # proxy metrics port
QUIC_PORT=4433 # QUIC / WebTransport port
PROJECT_NAME="yourproject" # S3 bucket names, npm probes
GITHUB_REPO="YourOrg/your-proxy-repo" # CI/CD checks
CHAT_BASE="${API_TARGET}/chatbot" # AI/LLM endpoint
BRUTE_CREDS=("admin:admin" "admin:${PROJECT_NAME}" ...) # auth tests
Every setting can be overridden at run-time without editing the file:
TARGET=https://staging.example.com API_TARGET=https://api.staging.example.com ./run_all.sh
Quick start
# 1. Clone or copy the suite
git clone https://github.com/PQCrypta/pqcrypta-proxy
cp -r pentests/ /opt/pqc-pentest && cd /opt/pqc-pentest
# 2. Edit config.sh with your target endpoints
vi config.sh
# 3. Verify required tools are present
./preflight.sh
# 4. Full run (all 32 scripts)
./run_all.sh
# Skip slow tests (TLS deep-scan, resilience/chaos)
./run_all.sh --skip-slow
# Tighter timing thresholds for local/LAN targets (3 ms floor vs 15 ms)
./run_all.sh --local
# Single phase only
./run_all.sh --phase 5
# Combine flags
./run_all.sh --local --skip-slow --phase 12
Run a single script
# Config auto-sources relative to the script location โ no absolute path needed
bash scripts/07_advanced_smuggling.sh
bash scripts/11_timing_oracle.sh --local
# Or override a single value for one run
QUIC_PORT=443 bash scripts/07_advanced_smuggling.sh
Output & results
results/
โโโ run_20260522_153000/
โโโ 01_waf_bypass.out
โโโ 07_advanced_smuggling.out
โโโ ...
โโโ summary.tsv # phase TAB script TAB name TAB status TAB findings TAB warns TAB duration_s
Exit codes
- 0
- All scripts passed โ no findings, no warnings
- 1
- At least one
[WARN]or[VULN]finding - 2
- One or more scripts failed with an error
- 3
- Preflight check failed or scope guard refused the target
Required tools
bash requiredShell runtime โ 5.0+
curl requiredHTTP/1.1, HTTP/2 + HTTP/3 support recommended
python3 requiredTiming statistics (statistics.mean / pstdev)
openssl requiredTLS/certificate inspection
nc requiredRaw TCP smuggling probes
dig requiredDNS / IPv6 AAAA lookups
jq requiredJSON response parsing
hey optionalRace-condition tests (50-concurrent) โ
go install github.com/rakyll/hey@latestwebsocat optionalWebSocket tests โ
cargo install websocatgrpcurl optionalgRPC reflection enumeration โ
go install github.com/fullstorydev/grpcurl/cmd/grpcurl@latesttestssl.shoptionalExtended TLS scan (script 06)
nikto optionalSupplemental web scan (script 14)
Timing oracle methodology
Script 11 uses a rigorous statistical approach to avoid false positives over internet-latency jitter:
- ✓ 50 samples per group (configurable)
- ✓ Python
statistics.mean+pstdevper group - ✓ Alert threshold: 3ฯ above baseline mean
- ✓ Minimum floor: 15 ms (remote) ยท 3 ms (--local)
- ✓ Tests: API key oracle ยท admin login ยท decrypt padding ยท WAF timing
Scope & Rules of Engagement
Scope is defined entirely in config.sh โ set TARGET and API_TARGET
to your pqcrypta-proxy deployment. scope_guard.sh resolves the target IP on every run
and refuses to continue in non-interactive mode if the resolved IP was not expected.
Setting your scope in config.sh
# Point the suite at your deployment
TARGET="https://proxy.yourdomain.com"
API_TARGET="https://api.yourdomain.com"
# scope_guard.sh auto-builds ALLOWED_TARGETS from TARGET + API_TARGET.
# To hard-lock a specific IP (e.g., staging server):
# ALLOWED_TARGETS=("https://proxy.yourdomain.com")
# ...and scope_guard.sh resolves + cross-checks at run time.
✔ In scope (PQCrypta production example)
- https://pqcrypta.com โ public web application (PHP + Vite frontend)
- https://api.pqcrypta.com โ REST API server (Rust,
INTERNAL_API_PORT=3003) - https://api.pqcrypta.com:
QUIC_PORT=4433 โ QUIC / WebTransport endpoint
✘ Always out of scope
- Any host or IP not configured in
config.sh - Third-party services (payment processors, CDN, DNS providers, package registries)
- Infrastructure not owned by the target organisation
- DoS / denial-of-service attacks against production systems
scope_guard.sh resolves TARGET to an IP on each run and compares it
against the expected allowed list. Non-interactive mode exits with code 3 if the IP is not matched โ
this prevents accidental runs against wrong environments (e.g., after a DNS change or misconfigured config.sh).
Pentest bypass IP (pqcrypta-proxy feature)
pqcrypta-proxy supports a pentest_bypass_ips list in its config (e.g.
/etc/pqcrypta/proxy-config.toml). Add your pentest runner IP here so
rate-limiting and auto-block do not interfere with the test run:
[proxy]
# IPs exempt from rate-limit and auto-block โ WAF still runs
pentest_bypass_ips = ["YOUR.RUNNER.IP.HERE"]
- ✓ Rate-limiting and auto-block are disabled for listed IPs
- ▶ WAF rules still execute โ attack payloads still return 403
- ▶ Allows testing WAF detection without being locked out mid-run
- ▶ Script 04 (rate limiting) requires a non-bypassed IP to test the limiter itself
gRPC coverage gap
Script 32 probes for accidentally-exposed gRPC surfaces. The public surface is REST-only. The following require internal network access and are not covered externally:
- ▶ Full method enumeration against known service definitions
- ▶ Authenticated gRPC calls with valid credentials
- ▶ Streaming RPC abuse (bidirectional)
- ▶ Protobuf deserialization of known message schemas
All gRPC ports returned [CLOSED] in external port scan โ no exposed gRPC surface detected.
About pqcrypta-proxy
pqcrypta-proxy is the open-source Rust reverse proxy that handles every request to pqcrypta.com. It was designed from the ground up for post-quantum security and protocol completeness.
github.com/PQCrypta/pqcrypta-proxy
Open source ยท MIT / Apache-2.0 ยท Contributions welcome
Protocol support
- ✓ HTTP/1.1 โ persistent connections
- ✓ HTTP/2 โ full multiplexing
- ✓ HTTP/3 โ QUIC transport (UDP)
- ✓ WebTransport over HTTP/3
- ✓ WebSocket (RFC 6455 + RFC 8441 H2)
- ✓ ACME / Let's Encrypt automation
- ✓ OCSP stapling
- ✓ mTLS client certificates
Security layer
- ✓ X25519MLKEM768 hybrid PQC key exchange
- ✓ JA3 TLS fingerprinting
- ✓ JA4 TLS fingerprinting
- ✓ WAF security + bot blocklist
- ✓ Rate limiting per-IP, per-route
- ✓ Circuit breaker pattern
- ✓ GeoIP filtering
- ✓ 0-RTT replay protection
Observability
- ✓ OpenTelemetry distributed tracing
- ✓ W3C TraceContext propagation
- ✓ Structured audit logging
- ✓ Per-route metrics
- ✓ Health check endpoints
- ✓ WAF blocked-request tracking
Traffic management
- ✓ Weighted load balancing
- ✓ Canary deployments
- ✓ Traffic shadowing / mirroring
- ✓ RFC 9111 response cache
- ✓ Brotli / Zstd / Gzip compression
- ✓ Hop-by-hop header stripping
Test coverage
109
Unit Tests
10
Integration Tests
11
Config Tests
142
Total Passing
# Build and test pqcrypta-proxy locally
git clone https://github.com/PQCrypta/pqcrypta-proxy
cd pqcrypta-proxy
cargo test
cargo clippy
cargo build --release
Related pages
- pqcproxy/
- Full technical documentation โ architecture, configuration, PQC details, all 142 tests
- proxy-plane/
- Real-time proxy metrics dashboard โ RPS, latency, circuit breaker state, WAF blocks
- security-systems/
- Live security monitoring โ WAF events, blocked IPs, SLO tracking