1-SEC
Deep Dive9 min read

Normalization Pipelines: The Secret to Stopping Sophisticated Injection Attacks

Attackers use encoding and double-obfuscation to bypass WAFs. Learn how 1-SEC's 8-phase normalization pipeline peels back the layers to reveal the hidden threat.

1S

WAF Logic Engineer

Injection ProtectionNormalization PipelineWAF bypassobfuscationsecurity architecturedeep diveinjection detection

Why Traditional WAFs Fail

A traditional firewall looks for strings like `SELECT * FROM`. An attacker knows this, so they send `%53%45%4C%45%43%54` (URL encoded), or worse, they use Unicode homoglyphs that look like English letters but aren't. If your security tool only sees the encoded version, the attack sails through.

Inside the 1-SEC Normalizer

Before we even check for threats, we "normalize" every piece of input through 8 distinct phases.

Phase 1-3: Decoding & De-obfuscation

We handle URL encoding, Base64, and Hex encoding recursively. If an attacker triple-encodes a payload, 1-SEC peels it all back until the raw intent is revealed.

Phase 4-6: Canonicalization

We resolve weird pathing like `../../` and handle null-byte injections. We also normalize Unicode to ensure that a "fake" 'a' (like the Cyrillic 'а') is treated as its Latin equivalent for detection purposes.

Phase 7-8: Structural Analysis

Finally, we strip non-functional whitespace and comments that are specifically designed to break regex patterns. By the time the input reaches our detection engine, it is "naked," and the attack is obvious.

Continue Reading

Architecture

Drop-In Security: How a Single Binary Replaces Your Entire Security Stack

Learn how 1-SEC's single-binary architecture consolidates 16 security modules into one executable. No containers, no dependencies, no configuration required — just download and run.

Architecture

Why We Built Our Security Event Bus on NATS JetStream

The technical story behind 1-SEC's embedded event bus. Why we chose NATS JetStream over Kafka, RabbitMQ, and Redis for a security-focused event streaming architecture.

Application Security

SQL Injection in 2026: Why the Oldest Web Vulnerability Is Still Dangerous

SQLi was first documented in 1998. Nearly three decades later, it remains a top-5 web application vulnerability. Here's why it persists and how modern open source tools detect it.

← Browse all 84 articles

Try 1-SEC Today

Open source, single binary, 16 security modules. Download and run in under 60 seconds.

View on GitHubRead the Docs