search

Rust 101

A comprehensive series on learning Rust through building a real-world Web Application Firewall scanner.

hashtag
Series Overview

When I decided to build a WAF bypass testing tool, I chose Rust for its performance, safety, and excellent async capabilities. This series documents my journey from Rust novice to shipping a production security tool published on crates.io.

All examples in this series come from my open-source project: simple-waf-scannerarrow-up-right - a tool that performs WAF detection and bypass testing with 280+ payloads, concurrent scanning, and OWASP Top 10:2025 alignment.

hashtag
Why This Series?

Most Rust tutorials use toy examples. This series teaches Rust through building actual production software that:

  • Handles real-world HTTP requests and responses

  • Manages concurrent operations safely

  • Processes JSON payloads and structured data

  • Implements proper error handling

  • Ships as both a CLI tool and library

hashtag
What We'll Build

By following this series, you'll understand the Rust code behind a security tool that:

  • Detects WAFs: Identifies 11+ popular WAF solutions (Cloudflare, AWS WAF, Akamai, etc.)

  • Tests Evasion Techniques: 7+ bypass methods with encoding, obfuscation, and mutation

  • Concurrent Scanning: Async/await with Tokio for fast parallel requests

  • Structured Payloads: JSON-based payload system with 280+ attack vectors

  • CLI & Library: Both command-line tool and reusable library

  • Published Crate: Available on crates.io for others to use

hashtag
Series Structure

hashtag
Part 1: Getting Started with Rust - Setting Up and Basic Types

  • Installing Rust toolchain

  • Project structure with Cargo

  • Basic types and data structures

  • Working with strings and collections

  • Pattern matching and enums

From my project: Configuration structs, payload structures, severity enums

hashtag
Part 2: Ownership, Borrowing, and Lifetimes - Rust's Memory Safety

  • Ownership rules and move semantics

  • Borrowing and references

  • Lifetimes and their annotations

  • Common ownership patterns

  • Smart pointers (Box, Rc, Arc)

From my project: Sharing HTTP client across tasks, payload data management

hashtag
Part 3: Error Handling and Result Types - Robust Production Code

  • Result and Option types

  • Error propagation with ? operator

  • Custom error types

  • Error handling patterns

  • Logging and debugging

From my project: HTTP request errors, JSON parsing failures, validation errors

hashtag
Part 4: Async Programming with Tokio - Concurrent Execution

  • Understanding async/await

  • The Tokio runtime

  • Futures and spawning tasks

  • Concurrent request handling

  • Rate limiting and delays

From my project: Parallel payload testing, concurrent HTTP requests, async main

hashtag
Part 5: HTTP Clients and Real-World Integration

  • Making HTTP requests with reqwest

  • Parsing responses and headers

  • JSON serialization/deserialization

  • Building a CLI with clap

  • Publishing to crates.io

From my project: WAF detection logic, payload testing, CLI implementation

hashtag
Prerequisites

  • Basic programming knowledge (any language)

  • Familiarity with command line

  • Understanding of HTTP basics

  • Interest in systems programming

hashtag
Tools You'll Need

hashtag
Key Dependencies We'll Explore

From the project's Cargo.toml:

  • tokio: Async runtime for concurrent operations

  • reqwest: HTTP client for making requests

  • serde: Serialization/deserialization framework

  • serde_json: JSON handling

  • clap: Command-line argument parsing

  • colored: Terminal output formatting

hashtag
Learning Philosophy

This series follows a production-first approach:

  1. Real code, real challenges: Learn from actual code that ships

  2. Incremental understanding: Start simple, build complexity

  3. Practical examples: Every concept tied to working features

  4. Error-driven learning: Common mistakes and how to fix them

  5. Best practices: Production-ready patterns from day one

hashtag
What Makes This Project Good for Learning?

The WAF scanner demonstrates core Rust concepts:

Memory Safety

  • No garbage collection overhead

  • Zero-cost abstractions

  • Safe concurrent access to shared data

Type Safety

  • Strong typing prevents bugs

  • Enums for representing states

  • Pattern matching for exhaustive handling

Performance

  • Concurrent HTTP requests

  • Efficient string handling

  • Minimal runtime overhead

Developer Experience

  • Cargo for package management

  • Excellent error messages

  • Great documentation tools

hashtag
Project Stats

The complete project features:

  • 280+ security payloads

  • 11+ WAF fingerprints

  • 7+ evasion techniques

  • Concurrent scanning support

  • JSON output for automation

  • Published on crates.io

hashtag
Getting Help

While working through this series:

hashtag
Next Steps

Start with Part 1: Getting Started with Rust to set up your environment and understand the project structure.

This series documents my journey building a production security tool in Rust. Every code example is from real, working software that's actively maintained and used.

PreviousPart 7: Real-World Applications and Use CasesNextPart 1: Getting Started with Rust - Setting Up and Basic Types

Last updated