Red team string transformation library for offensive security operations, penetration testing, and evasion techniques.
A comprehensive Rust library providing 60+ string obfuscation and transformation functions for red team, blue team, and purple team security operations. Perfect for building security tools like Caido and Burp Suite extensions, phishing frameworks, WAF bypass testing, and bot detection evasion.
- Red Team: WAF bypass, XSS/SQL injection evasion, phishing domain generation, payload obfuscation
- Blue Team: Security control testing, filter validation, detection system testing
- Purple Team: Collaborative testing, baseline establishment, continuous improvement
π View Detailed Use Cases - Comprehensive security testing scenarios
- 60+ transformation functions - Encoding, obfuscation, injection testing, web security
- Zero dependencies - Core library uses only Rust's standard library
- Builder pattern API - Chain transformations with
TransformBuilder - Multi-language support - Rust, JavaScript, Python, Go via HTTP API
- CLI tool - Optional command-line interface
- Production-ready - Performance optimized, well-documented, thoroughly tested
Core source of truth: crates/redstr/src. The historical repository-root src/ layout is legacy and no longer used.
π Performance Benchmarks | π§ API Reference
- For Tool Developers: Integrate into Caido, Burp Suite, or custom security tools
- For Pen Testers: Generate payload variations, bypass filters, test input validation
- For Researchers: Test detection engines, research evasion techniques
Advantages:
- Native Rust performance with type-safe API
- Zero required dependencies - easy to audit
- 60+ functions covering modern security techniques
Add this to your Cargo.toml:
[dependencies]
redstr = "*"[dependencies]
redstr = { version = "*", features = ["serde"] }API Server (Recommended for all languages):
# Install the HTTP API server
cargo install redstr-server
# Or use Docker
docker pull arvid-berndtsson/redstr-serverSee API Server Documentation for usage examples in JavaScript, Python, Go, Ruby, and more.
Available Packages:
- npm:
npm install redstr(JavaScript/TypeScript) - PyPI:
pip install redstr(Python)
Coming Soon:
- π Homebrew:
brew install redstr(macOS/Linux) - π Go Module:
go get github.com/arvid-berndtsson/redstr-go - π Raycast Extension: Quick launcher integration
Track progress in our roadmap.
use redstr::{
randomize_capitalization, leetspeak, homoglyph_substitution,
base64_encode, random_user_agent, domain_typosquat
};
fn main() {
// Random capitalization
let result = randomize_capitalization("Hello World");
println!("{}", result); // "HeLlO wOrLd"
// Leetspeak for filter testing
let obfuscated = leetspeak("password");
println!("{}", obfuscated); // "p@55w0rd"
// Homoglyph substitution for phishing tests
let spoofed = homoglyph_substitution("admin@example.com");
println!("{}", spoofed); // "Π°dmΡn@Π΅xΠ°mple.com" (Cyrillic)
// Random user agent for bot evasion
let ua = random_user_agent();
}Chain multiple transformations:
use redstr::TransformBuilder;
// Complex payload generation
let payload = TransformBuilder::new("SELECT * FROM users")
.case_swap()
.base64()
.build();π View More Examples | π§ API Reference
use redstr::{random_user_agent, domain_typosquat, TransformBuilder};
// Web security testing - randomize requests
let ua = random_user_agent();
// Phishing detection - generate domain variations
let suspicious = domain_typosquat("paypal.com");
// WAF bypass - chain transformations
let payload = TransformBuilder::new("SELECT * FROM users")
.case_swap()
.url_encode()
.build();π Detailed Integration Examples - Caido, Burp Suite, EvilJinx, and more
An optional CLI is available for quick testing:
# Install with CLI feature
cargo install redstr --features cli
# Usage
redstr [options] [mode] <text...>
redstr [options] random-user-agent
redstr leetspeak "password" # β "p@55w0rd"
redstr base64 "hello" # β "aGVsbG8="Useful options:
--list-modeslists all available modes--jsonoutputs{ mode, input, output }--seed <u64>enables deterministic output forrandomandcase-swap
π Complete CLI Reference - All transformation modes and examples
All functions accept &str and return String. Key functions include:
Encoding: base64_encode, url_encode, hex_encode, html_entity_encode
Obfuscation: leetspeak, homoglyph_substitution, case_swap, unicode_variations
Injection Testing: sql_comment_injection, xss_tag_variations, path_traversal
Web Security: random_user_agent, domain_typosquat, js_string_concat
Case Conversion: to_camel_case, to_snake_case, to_kebab_case
π Complete API Reference - All 60+ functions with examples
Zero required dependencies - Core library uses only Rust's standard library.
Optional: serde feature for serialization support.
# Build library
cargo build --release
# Build with CLI
cargo build --release --features cli
# Run tests
cargo testOfficial integrations (separate repositories):
- redstr-server - HTTP API server
- redstr-burp - Burp Suite extension
- redstr-caido - Caido plugin
- redstr-eviljinx - EvilJinx integration
- redstr-owasp-zap - OWASP ZAP add-on
Building your own integration? See Integration Guidelines
Contributions are welcome! This library is designed for the security community. Whether you're adding new transformation functions, improving documentation, or reporting issues, your input helps make security testing more effective.
See CONTRIBUTING.md for development guidelines and docs/INTEGRATION_GUIDELINES.md for integration guidance.
- API Reference - Complete function reference
- CLI Reference - Command-line tool documentation
- Use Cases - Security testing scenarios
- Integration Examples - Tool integration patterns
- docs.rs/redstr - Full library documentation
- crates/redstr/examples/ - Code examples
This library is intended for authorized security testing, research, and defensive security purposes only. Users are responsible for ensuring they have proper authorization before using these techniques on systems they do not own or have explicit permission to test.
This project is licensed under the MIT License. See the LICENSE file for details.