{"id":51063562,"url":"https://github.com/toxy4ny/cortisol","last_synced_at":"2026-06-23T04:30:26.635Z","repository":{"id":330336725,"uuid":"1122454796","full_name":"toxy4ny/cortisol","owner":"toxy4ny","description":"WAF Bypass \u0026 Normalization Stress Tester (for Red Teams)","archived":false,"fork":false,"pushed_at":"2025-12-25T09:39:20.000Z","size":70,"stargazers_count":8,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-12-26T09:43:41.770Z","etag":null,"topics":["cybersecurity","cybersecurity-tools","education","redteam","redteam-tools","redteaming","tools","waf","waf-bypass"],"latest_commit_sha":null,"homepage":"","language":"Zig","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/toxy4ny.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-24T19:05:46.000Z","updated_at":"2025-12-26T08:03:50.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/toxy4ny/cortisol","commit_stats":null,"previous_names":["toxy4ny/cortisol"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/toxy4ny/cortisol","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toxy4ny%2Fcortisol","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toxy4ny%2Fcortisol/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toxy4ny%2Fcortisol/releases","manifests_url":"https://rep
os.ecosyste.ms/api/v1/hosts/GitHub/repositories/toxy4ny%2Fcortisol/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/toxy4ny","download_url":"https://codeload.github.com/toxy4ny/cortisol/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/toxy4ny%2Fcortisol/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34675970,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-23T02:00:07.161Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity","cybersecurity-tools","education","redteam","redteam-tools","redteaming","tools","waf","waf-bypass"],"created_at":"2026-06-23T04:30:24.134Z","updated_at":"2026-06-23T04:30:26.620Z","avatar_url":"https://github.com/toxy4ny.png","language":"Zig","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🧪 cortisol — WAF Bypass \u0026 Normalization Stress Tester (for Red Teams)\n\n\u003e **Lab Mode Only** — Never test without explicit written permission.\n\n`cortisol` is a lightweight, offensive security CLI tool designed to **stress-test web application firewalls (WAFs)** by exploiting inconsistencies in URL normalization logic. 
It helps red teams and penetration testers identify potential bypasses for common protections against **SQLi, XSS, SSRF, and Path Traversal** — especially when WAFs decode payloads **only once**, while the backend decodes them **multiple times**.\n\nInspired by real-world bug bounty findings like:\n\n```\n/api/v1/%2e%2e/%2e%2e/config?id=1%252bUNION%252bSELECT%252bsecrets--\n```\n\n`cortisol` automates the generation and testing of **multi-encoded payloads** to detect behavioral differences in WAF vs. application responses.\n\n---\n\n## 🔍 How It Works: The Normalization Bypass Theory\n\nMany WAFs apply security rules **after a single URL-decoding step**, while the web server (e.g., Apache, Nginx, Tomcat) and the application behind it may **decode more than once** before the value is actually used in a query, a file path, or a page.\n\nThis mismatch creates an opportunity:\n\n| Encoding Level | WAF Sees (after one decode) | Backend Decodes To | Result                     |\n|----------------|-----------------------------|--------------------|----------------------------|\n| Raw            | `'`                         | `'`                | Blocked (if WAF active)    |\n| Single (%27)   | `%27` → `'`                 | `'`                | Blocked (the WAF decodes once too) |\n| **Double (%2527)** | `%2527` → `%27`         | `%27` → `'`        | ✅ **WAF bypass possible!** |\n\nThe double-encoded value only works if something behind the WAF decodes a second time; against a backend that decodes exactly once, the parameter simply arrives as the harmless literal `%27`.\n\nCommon bypass techniques include:\n- Double/triple URL encoding (`%252f` → `%2f` → `/`)\n- Mixed case (`%2f` vs `%2F`), against case-sensitive signatures\n- Path obfuscation (`..%2f`, `....//`, `%2e%2e/`)\n- UTF-8 overlong sequences (e.g., `%c0%af`), against decoders that accept invalid UTF-8\n\n`cortisol` systematically tests these variants and highlights responses that **differ from a benign baseline**, indicating a potential bypass.\n\n---\n\n## 🚀 Features\n\n- 🔍 **Auto WAF Detection** — identifies Cloudflare, AWS WAF, Sucuri, Imperva, ModSecurity, Akamai, and more via HTTP headers.\n- 🧬 **Multi-Encoding Payloads** — raw, single, double, and triple URL encoding for each vector.\n- 📊 **Smart Diff Analysis** — compares status codes and 
response sizes against a clean request.\n- 🎯 **Attack Templates** — built-in payloads for:\n  - SQL Injection (`sqli`)\n  - Local File Inclusion (`lfi`)\n  - Server-Side Request Forgery (`ssrf`)\n  - Cross-Site Scripting (`xss`)\n- 🖥️ **Beautiful CLI** — ASCII banner + colorized output via `rich`.\n- 📁 **JSONL Logging** — machine-readable results for integration with SIEM or custom pipelines.\n\n---\n\n## ⚠️ Ethical Use Only\n\n\u003e **`cortisol` is for authorized penetration testing and bug bounty programs ONLY.**  \n\u003e Never scan systems without explicit written consent. Misuse may violate laws like the CFAA or GDPR.\n\nThis tool runs in **lab mode** by default (no consent checks), intended for controlled environments like:\n- Internal red team exercises\n- CTFs and training labs (e.g., `testfire.net`)\n- Client engagements **with signed scope**\n\n---\n\n## 🛠️ Installation\n\n```bash\ngit clone https://github.com/toxy4ny/cortisol.git\ncd cortisol\npip install -r requirements.txt\n```\n\nOr install directly:\n```bash\npip install requests click rich\n```\n\n\u003e ✅ Works on **Parrot OS, Kali, Ubuntu 24.04, and Athena OS**.\n\n---\n\n## ▶️ Usage Examples\n\n### Basic XSS Test\n```bash\npython3 cortisol.py -t https://target.com/search -p q -a xss\n```\n\n### SQLi Fuzzing with Output Logging\n```bash\npython3 cortisol.py \\\n  --target https://api.client.local/user \\\n  --param id \\\n  --attack sqli \\\n  --output ./logs/cortisol-sqli-20251225.jsonl\n```\n\n### Verbose Mode (show full URLs)\n```bash\npython3 cortisol.py -t https://testfire.net/index.jsp -p content -a xss -v\n```\n\n---\n\n## 📤 Sample Output\n\n```\nWAF Bypass \u0026 Normalization Stress Tester\nLab Mode — Use only in authorized environments\n\nTarget: https://testfire.net/index.jsp\nParam: content\nAttack: XSS\n\n🔍 Probing for WAF...\n🛡️  Detected WAF: Unknown or No WAF Detected\n\n┏━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━┳━━━━━━━━┳━━━━━━┳━━━━━━━┓\n┃ Vector                   ┃ Encoding ┃ Status 
┃ Size ┃ Diff? ┃\n┡━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━╇━━━━━━━━╇━━━━━━╇━━━━━━━┩\n│ \u003cscript\u003ealert(1)\u003c/scr... │   raw    │  200   │ 6889 │  ✅   │\n│ %253Cscript%253Ealert... │  double  │  200   │ 6992 │  ✅   │\n└──────────────────────────┴──────────┴────────┴──────┴───────┘\n```\n\n✅ = status code or body size differs from the benign baseline → **potential bypass**, not a confirmed vulnerability. A reflected payload changes the body size even when nothing is exploitable, so confirm each ✅ manually (e.g., check that the fully decoded payload appears in the response or alters the query).\n\n---\n\n## 📂 Output Format (JSONL)\n\nEach line in the log file is a JSON object:\n\n```json\n{\n  \"timestamp\": 1712345678.123,\n  \"target\": \"https://target.com/api\",\n  \"param\": \"id\",\n  \"attack\": \"sqli\",\n  \"payload\": \"1%2527%2520UNION...\",\n  \"encoding\": \"double\",\n  \"status\": 200,\n  \"size\": 4096,\n  \"diff\": true,\n  \"detected_waf\": \"Cloudflare\"\n}\n```\n\nPerfect for ingestion into **Supabase**, **Elasticsearch**, or custom analytics dashboards.\n\n---\n\n## 🧪 Lab Testing Tip\n\nUse **IBM’s Testfire** (a legal, vulnerable web app) for safe practice:\n\n```bash\npython3 cortisol.py -t https://testfire.net/index.jsp -p content -a xss\n```\n\n\u003e 💡 Note: `testfire.net` has no WAF, so all payloads reflect directly — ideal for validating tool behavior.\n\n---\n\n## 🔮 Future Roadmap\n\n- [ ] Reflected XSS confirmation (HTML parsing)\n- [ ] Path traversal fuzzing (`/api/%2e%2e/config`)\n- [ ] Integration with **Nikki AI** for RAG-powered attack suggestions\n- [ ] Consent scope validation (for production engagements)\n- [ ] Dockerized version\n\n---\n\n## 🤝 Contribution\n\nBug reports, WAF signatures, and new bypass techniques welcome!  
\nThis tool is built **by red teamers, for red teamers**.\n\n\u003e 🔒 Remember: With great power comes great responsibility.\n\n---\n\n## 📜 License\n\nMIT — for educational and authorized security testing only.\n\n---\n\n\u003e **Author**: toxy4ny / Hackteam.Red  \n\u003e **GitHub**: [github.com/toxy4ny/cortisol](https://github.com/toxy4ny/cortisol)  \n\u003e **Inspired by**: Real-world bug bounty writeups \u0026 WAFW00F logic\n\n---\n\n*Use wisely. Test legally. Break responsibly.*\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftoxy4ny%2Fcortisol","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftoxy4ny%2Fcortisol","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftoxy4ny%2Fcortisol/lists"}
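The normalization mismatch the README describes, as an added example that is not code from the cortisol project (Python, since the tool is invoked as `python3 cortisol.py`): a toy WAF that URL-decodes a value once and then matches signature rules, in front of a backend that decodes until the value stops changing, plus a cortisol-style status/size diff against a benign baseline. The rules in `WAF_RULES`, the reflecting `PAGE` template, the `BLOCK_PAGE` body and the helpers `find_bypasses`/`run_vectors` are all constructed for this illustration and are assumptions, not the tool's own logic.

```python
"""Normalization-mismatch simulator (added example, not cortisol's own code).

Models the README's theory: a WAF that URL-decodes a value ONCE before
matching its rules, in front of a backend that decodes until the value
stops changing. Payloads encoded two or more times pass the WAF yet
arrive at the backend fully decoded.
"""
import re
from urllib.parse import quote, unquote

# Constructed signature rules for the toy WAF (assumption: one decode pass, then match).
WAF_RULES = [
    re.compile(r"union\s+select", re.I),  # SQLi
    re.compile(r"<script", re.I),         # XSS
    re.compile(r"\.\./"),                 # path traversal
]
ENCODINGS = ("raw", "single", "double", "triple")

# Constructed responses of the simulated WAF/app pair.
BLOCK_PAGE = "<h1>403 Forbidden</h1>"
PAGE = "<html><body>Results for: {q}</body></html>"


def encode_levels(payload: str) -> dict:
    """Return the payload URL-encoded 0, 1, 2 and 3 times, keyed by level name."""
    levels, current = {}, payload
    for name in ENCODINGS:
        levels[name] = current
        current = quote(current, safe="")  # safe="" also turns '%' into '%25'
    return levels


def backend_normalize(value: str, max_passes: int = 5) -> str:
    """Decode repeatedly until a fixed point (models stacked decoders behind the WAF)."""
    for _ in range(max_passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def dangerous(value: str) -> bool:
    """True if any signature matches the value as given (no decoding here)."""
    return any(rule.search(value) for rule in WAF_RULES)


def waf_blocks(value: str) -> bool:
    """The toy WAF decodes exactly once, then matches its rules."""
    return dangerous(unquote(value))


def simulate_request(value: str) -> tuple:
    """(status, body size): 403 if the WAF fires, else the app reflects the decoded value."""
    if waf_blocks(value):
        return 403, len(BLOCK_PAGE)
    return 200, len(PAGE.format(q=backend_normalize(value)))


def differs_from_baseline(baseline: tuple, observed: tuple, size_tolerance: int = 0) -> bool:
    """cortisol-style diff: status changed, or body size moved beyond the tolerance."""
    (b_status, b_size), (o_status, o_size) = baseline, observed
    return b_status != o_status or abs(b_size - o_size) > size_tolerance


def find_bypasses(payload: str) -> list:
    """Encoding levels that pass the WAF yet reach the backend as the attack string."""
    return [
        level for level, encoded in encode_levels(payload).items()
        if not waf_blocks(encoded) and dangerous(backend_normalize(encoded))
    ]


def run_vectors(payload: str, benign: str = "test") -> dict:
    """Per level: status, size, diff-vs-baseline, and (white-box) whether it really bypassed."""
    baseline = simulate_request(benign)
    results = {}
    for level, encoded in encode_levels(payload).items():
        status, size = simulate_request(encoded)
        results[level] = {
            "status": status,
            "size": size,
            "diff": differs_from_baseline(baseline, (status, size)),
            "bypass": status != 403 and dangerous(backend_normalize(encoded)),
        }
    return results


if __name__ == "__main__":
    for payload in ("' UNION SELECT secrets--", "<script>alert(1)</script>", "../../etc/passwd"):
        print(payload, "->", find_bypasses(payload))
        for level, r in run_vectors(payload).items():
            print(f"  {level:7} status={r['status']} size={r['size']} "
                  f"diff={r['diff']} bypass={r['bypass']}")
```

Running it shows the README's table in action: raw and single-encoded vectors get a 403 because the WAF's single decode already exposes the signature, while double and triple encoding pass and are normalized to the attack string by the backend. Note that the `diff` column is true for every level (a 403 or a longer reflected body both differ from the baseline), which is why a ✅ from the tool is a lead to confirm rather than a finding; the `bypass` column uses knowledge of the backend's normalization that a black-box tester does not have.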