woodpecker-appstore

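ghost-bits-encoder is a helper plugin for Woodpecker. Built around the Ghost Bits / Unicode high-bit wrapping idea, it provides general-purpose encoding and decoding, JSON-related encoding, URL-related encoding, and several special-purpose helpers.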

50% credibility
Found May 21, 2026 at 43 stars.
AI Analysis
Java
AI Summary

This is a security testing plugin for the Woodpecker framework that helps penetration testers create disguised versions of text inputs. It transforms ordinary-looking text into Unicode characters from different writing systems (Chinese, Greek, Arabic, etc.) that appear harmless to security filters but get interpreted as the original text by Java applications. The tool includes specialized encoders for testing JSON parsers, web servers, and various Java frameworks, making it useful for legitimate security assessments but also capable of being used for malicious WAF bypass attempts.

How It Works

1. You discover a security testing tool
   You hear about a tool that helps security testers create different versions of text to test how applications handle tricky inputs.

2. You install the plugin in Woodpecker
   You add this helper to your security testing toolkit, which gives you a collection of encoding tools in one convenient place.

3. You encode sensitive text into harmless-looking characters
   You type in something like '../..' and the tool transforms it into mysterious-looking Chinese or Greek characters that look completely different but mean the same thing.

4. You get multiple variations to try
   Each time you encode, you receive five different versions using different writing systems, giving you options to see which one works best.

5. You choose your testing approach
   - JSON testing: For testing JSON parsers, you encode only the text inside quotes while keeping the structure intact.
   - URL testing: For testing web servers, you create encoded URLs that look different but get interpreted correctly.
   - Hidden payloads: For testing how applications handle special data, you hide Base64 or binary content inside safe-looking characters.

You successfully test application security
   You find which encodings slip past protections and which ones get caught, helping you understand real-world security gaps.

AI-Generated Review

What is ghost-bits-encoder?

Ghost-bits-encoder is a plugin for the Woodpecker security testing framework that provides encoding utilities to bypass Web Application Firewalls. It works by mapping the low 8 bits of text into visible Unicode characters that look harmless to WAFs but are restored to the original payload when Java's type system truncates the high bytes. The plugin offers 11 different encoding modes targeting specific scenarios: basic encode/decode, JSON manipulation for FastJSON and Jackson, URL encoding variants for Jetty, and specialized helpers for Base64, CRLF injection, and BCEL payloads.
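A defender-side check for the truncation behaviour described above, as an added example that is not code from the plugin or from Woodpecker: it re-runs a filter's denylist over the string that a `(byte)` narrowing cast would produce. The class name, the denylist and the sample strings are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;

public class NarrowingCheck {
    enum Verdict { ALLOW, BLOCK, BLOCK_AFTER_NARROWING }

    // Constructed denylist (assumption): stands in for patterns the filter already blocks.
    private static final List<String> BLOCKED = List.of("../", "\r\n");

    // The text a consumer sees if it casts each char to byte: only the low
    // 8 bits of every UTF-16 code unit survive.
    static String narrowedView(String input) {
        byte[] low = new byte[input.length()];
        for (int i = 0; i < input.length(); i++) {
            low[i] = (byte) input.charAt(i);
        }
        return new String(low, StandardCharsets.ISO_8859_1);
    }

    static boolean matchesBlocked(String s) {
        return BLOCKED.stream().anyMatch(s::contains);
    }

    // Inspect the input as received and as it would look after narrowing.
    static Verdict inspect(String input) {
        if (matchesBlocked(input)) {
            return Verdict.BLOCK;
        }
        boolean hasHighUnits = input.chars().anyMatch(c -> c > 0xFF);
        if (hasHighUnits && matchesBlocked(narrowedView(input))) {
            return Verdict.BLOCK_AFTER_NARROWING;
        }
        return Verdict.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed samples; the third carries "../" in the low bytes of CJK code units.
        String[] samples = {
            "reports/summary.txt",
            "\u6587\u6863.txt",
            "\u4E2E\u4E2E\u4E2Fconf",
            "../conf"
        };
        for (String s : samples) {
            System.out.println(inspect(s) + "  " + s);
        }
    }
}
```

Ordinary non-Latin text passes unless its low bytes happen to spell a blocked pattern, so logging `BLOCK_AFTER_NARROWING` separately from `BLOCK` makes false positives measurable.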

Why is it gaining traction?

The tool is built around a specific Java casting behavior that many WAFs fail to account for. Instead of a one-size-fits-all encoder, it provides targeted variants for different parsing points in the Java ecosystem. Each encoding tab generates random output from different Unicode blocks, giving testers multiple variants to try against the same target. The inclusion of specific helpers for FastJSON and Jackson deserialization attacks makes it valuable for security researchers working on known vulnerability classes.

Who should use this?

Security testers working with Java backends who need to craft WAF bypass payloads will get the most value from this tool. It is particularly useful when testing FastJSON or Jackson deserialization endpoints, Jetty-based URL routing, or any application that passes user input through Java's character truncation. The CRLF and BCEL helpers serve narrow but real use cases in SMTP and classloader exploitation research.

Verdict

This is a specialized tool for a specific niche, and it does the job well for what it targets. The 0.5% credibility score reflects that this is a small, single-vendor project with limited community validation. At 43 stars, the adoption is minimal, and the documentation, while complete, lacks real-world test case documentation. If you work with Java security testing regularly, it belongs in your toolkit. For general-purpose encoding needs, look elsewhere.
