{"id":1160,"date":"2023-11-24T07:00:49","date_gmt":"2023-11-24T06:00:49","guid":{"rendered":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/"},"modified":"2026-03-25T15:27:18","modified_gmt":"2026-03-25T14:27:18","slug":"fuzzing-smugglers-a-dive-into-attacking-wafs-2","status":"publish","type":"post","link":"https:\/\/blog.kybervandals.com\/fuzzing-smugglers-attacking-wafs\/","title":{"rendered":"Fuzzing Smugglers \/ A dive into attacking WAFs"},"content":{"rendered":"

TL;DR:<\/h3>\n\n
\n
\n
\n

Utilizing a blend of header smuggling and header fuzzing, sophisticated HTTP attack techniques can effectively deliver DDoS payloads, either by evading detection by Web Application Firewalls (WAFs) or by targeting WAF-encoders themselves.<\/strong><\/h2>\n<\/div>\n<\/div>\n<\/div>\n\n

Long Version<\/h3>\n\n

During our DDoS-Tests we are constantly looking for new attack-vectors to be used in more sophisticated scenarios, aka RedTeamings. Last year we wrote about „Stack-Attacks“<\/a>, and with this article we want to dive into this realms again and presenting an interesting attack-vector that targets the stack between the edge of a network and applications, this time: the WAF.<\/p>\n

Many companies are using WAFs to protect their webservices and at minimum a ruleset that protects against OWASP Top 10 attacks. Any WAF we have looked at implements some sort of de-obfuscation to find attacking payloads that are decoded as Unicode, Hex, B64 etc. De-Obfuscation is usually done by internal decoders, and this decoding can be „expensive“, in terms of processing power.<\/p>\n

And „expensive“ operations on the target_side is what we want as an attacker, since this behavior might lead to a successful DDoS.<\/p>\n

Sooooo … with that knowledge above and our play instinct been activated, we build a traffic-generator-prototype that could:<\/p>\n

load different payloads like shellshock<\/a>, sqlinjections, xxe-attacks or custom stringsencode the payload with different encoders (HEX, Unicode, HTMLEntities, URLEncode, Base64 and a handfull more)add the encoded payload to different parts of the request (headers, POST-payload, URLs)use any HTTP-Request-Methods and Content-Types randomly, like GET\/POST\/POST_JSON\/HEAD\/OPTIONSadd variable amount of custom headers from a list of possible request-headers<\/a> and add either garbage or the encoded payload as value for the header<\/p>\n

That generator ended up to be basically a big fuzzing-tool for webrequests to see what happens if you throw garbage onto WAFs. <\/p>\n

And, oh boi, that thing makes fun.<\/p>\n

With that yet very brutal method we were able to achieve different things, depending on the used WAF-Technology:<\/p>\n

reach backend-servers we did not expected (similar to request-smuggeling)overloading WAF-payload-encoders and thus disabling them effectivelygetting the attack successfully delivered through the WAF<\/p>\n

These are some findings that are interesting:<\/p>\n

crafting POSTS usually never forced a Response-Status 412\/417POST-Requests(and rarely HEAD\/TRACE\/OPTIONS) can be the better attackvector, if the method is not blocked during attack-preparation we could measure a significant timedelay when we enforced errors on the WAF (503), resulting in roughly twice the requesttime than with all other requests, leading to the conclusion, that this particular request is kind of „more expensive“ on the WAF, a good indicator for a usable attackvector. Later on in the real attackscemario we simply deep-fried the WAF the more header you fake, the more blocks by WAF, but also more forced errors on the backend\/WAF and lesser successfull requests<\/p>\n

Below you will find screenshots of the behavior of different WAFs\/Providers, and since we are in talks with vendors to test and fix their problems, we will not name them here (yet), but besides 2 of the big names, we found ways to sneak past WAFs or attack the WAF directly nearly everywhere, both in cloud and OnPrem-Appliances.<\/p>\n

Screenshot 1: forcing HTTP-Errors 502 (Backend) and 503 (WAF) during a test<\/p>\n\n

the following output shows Target 1 with GET\/POST-request, protectecd by a WAF with forced errors and Target 2, our own Testsite, not protected by a WAF, thus no HTTP Errors 403\/401<\/p>\n\n

\n
\n
<\/div>\n
<\/div>\n
<\/div>\n<\/div>\n<\/div>\n

Conclusion<\/h3>\n\n

There is a growing interest in abusing HTTP-Requests for any kind of malicious activities, as @deadvolvo<\/a> had shown in his recent research, released in the articles „From Akamai to F5 to NTLM… with love.“<\/a> and „HTTP is dead… Long live HTTP?!“<\/a>.<\/p>\n

Using a naive approach, we found a couple of ways to abuse WAF-decoders or bypass WAFs to deliver payload to backends, that can be usefull in a DDoS-Attack.<\/p>\n

In realworl-tests, the blueteams had a hard time to mitigate the attack when delivered by a normal-sized botnet.<\/p>\n

We will explore this attackvector in more detail for the next RedTeaming engagements<\/p>\n\n

References and further inspirations:<\/h3>\n

<\/h3>\n\n

also readteaming https:\/\/twitter.com\/deadvolvo\/status\/1717633057044193768<\/a> https:\/\/blog.malicious.group\/from-akamai-to-f5-to-ntlm\/<\/a>https:\/\/offzone.moscow\/upload\/iblock\/11a\/sagouc86idiapdb8f29w41yaupqv6fwv.pdf<\/a>
https:\/\/rafa.hashnode.dev\/exploiting-http-parsers-inconsistencies<\/a>https:\/\/github.com\/Kludex\/python-multipart\/security\/advisories\/GHSA-2jv5-9r88-3w3p<\/a><\/p>","protected":false},"excerpt":{"rendered":"

TL;DR: Utilizing a blend of header smuggling and header fuzzing, sophisticated HTTP attack techniques can effectively deliver DDoS payloads, either by evading detection by Web Application Firewalls (WAFs) or by targeting WAF-encoders themselves. Long Version During our DDoS-Tests we are constantly looking for new attack-vectors to be used in more sophisticated scenarios, aka RedTeamings. Last […]<\/p>","protected":false},"author":2,"featured_media":1161,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"https:\/\/blog.kybervandals.com\/fuzzing-smugglers-attacking-wafs\/","_links_to_target":"_blank"},"categories":[1],"tags":[],"class_list":["post-1160","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-allgemein"],"yoast_head":"\nFuzzing Smugglers \/ A dive into attacking WAFs - avydos.com<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/avydos.com\/en\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Fuzzing Smugglers \/ A dive into attacking WAFs - avydos.com\" \/>\n<meta property=\"og:description\" content=\"TL;DR: Utilizing a blend of header smuggling and header fuzzing, sophisticated HTTP attack techniques can effectively deliver DDoS payloads, either by evading detection by Web Application Firewalls (WAFs) or by targeting WAF-encoders themselves. Long Version During our DDoS-Tests we are constantly looking for new attack-vectors to be used in more sophisticated scenarios, aka RedTeamings. Last […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/avydos.com\/en\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/\" \/>\n<meta property=\"og:site_name\" content=\"avydos.com\" \/>\n<meta property=\"article:published_time\" content=\"2023-11-24T06:00:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-03-25T14:27:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/header-ZDLhFi-1024x391.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"391\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Monja Janneck\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Monja Janneck\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/\"},\"author\":{\"name\":\"Monja Janneck\",\"@id\":\"https:\/\/avydos.com\/#\/schema\/person\/cb5e49332c0c6f21c98f578e0a2b1393\"},\"headline\":\"Fuzzing Smugglers \/ A dive into attacking WAFs\",\"datePublished\":\"2023-11-24T06:00:49+00:00\",\"dateModified\":\"2026-03-25T14:27:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/\"},\"wordCount\":706,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/avydos.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/header-ZDLhFi.png\",\"articleSection\":[\"Allgemein\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/\",\"url\":\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/\",\"name\":\"Fuzzing Smugglers \/ A dive into attacking WAFs - avydos.com\",\"isPartOf\":{\"@id\":\"https:\/\/avydos.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/header-ZDLhFi.png\",\"datePublished\":\"2023-11-24T06:00:49+00:00\",\"dateModified\":\"2026-03-25T14:27:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#primaryimage\",\"url\":\"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/header-ZDLhFi.png\",\"contentUrl\":\"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/header-ZDLhFi.png\",\"width\":2000,\"height\":763},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\/\/avydos.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Fuzzing Smugglers \/ A dive into attacking WAFs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/avydos.com\/#website\",\"url\":\"https:\/\/avydos.com\/\",\"name\":\"avydos.com\",\"description\":\"Avydos ist ein DDoS-Stresstest-Selftesting-Service f\u00fcr Security Engineers: DDoS-Bedrohungssimulationen selbstst\u00e4ndig testen unter realen Angriffs-Bedingungen.\",\"publisher\":{\"@id\":\"https:\/\/avydos.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/avydos.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/avydos.com\/#organization\",\"name\":\"Avydos by zeroBS GmbH\",\"alternateName\":\"Avydos by zeroBS GmbH\",\"url\":\"https:\/\/avydos.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/avydos.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/android-chrome-256x256-1.png\",\"contentUrl\":\"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/android-chrome-256x256-1.png\",\"width\":256,\"height\":256,\"caption\":\"Avydos by zeroBS GmbH\"},\"image\":{\"@id\":\"https:\/\/avydos.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/avydos.com\/#\/schema\/person\/cb5e49332c0c6f21c98f578e0a2b1393\",\"name\":\"Monja Janneck\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/avydos.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/84f7b27e05b2e57cd9d3dcd5d52bc93ecaf7b931e6bd21fb45d5f4166ac106ce?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/84f7b27e05b2e57cd9d3dcd5d52bc93ecaf7b931e6bd21fb45d5f4166ac106ce?s=96&d=mm&r=g\",\"caption\":\"Monja Janneck\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Fuzzing Smugglers \/ A dive into attacking WAFs - avydos.com","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/avydos.com\/en\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/","og_locale":"en_GB","og_type":"article","og_title":"Fuzzing Smugglers \/ A dive into attacking WAFs - avydos.com","og_description":"TL;DR: Utilizing a blend of header smuggling and header fuzzing, sophisticated HTTP attack techniques can effectively deliver DDoS payloads, either by evading detection by Web Application Firewalls (WAFs) or by targeting WAF-encoders themselves. Long Version During our DDoS-Tests we are constantly looking for new attack-vectors to be used in more sophisticated scenarios, aka RedTeamings. Last […]","og_url":"https:\/\/avydos.com\/en\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/","og_site_name":"avydos.com","article_published_time":"2023-11-24T06:00:49+00:00","article_modified_time":"2026-03-25T14:27:18+00:00","og_image":[{"width":1024,"height":391,"url":"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/header-ZDLhFi-1024x391.png","type":"image\/png"}],"author":"Monja Janneck","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Monja Janneck","Estimated reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#article","isPartOf":{"@id":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/"},"author":{"name":"Monja Janneck","@id":"https:\/\/avydos.com\/#\/schema\/person\/cb5e49332c0c6f21c98f578e0a2b1393"},"headline":"Fuzzing Smugglers \/ A dive into attacking WAFs","datePublished":"2023-11-24T06:00:49+00:00","dateModified":"2026-03-25T14:27:18+00:00","mainEntityOfPage":{"@id":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/"},"wordCount":706,"commentCount":0,"publisher":{"@id":"https:\/\/avydos.com\/#organization"},"image":{"@id":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#primaryimage"},"thumbnailUrl":"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/header-ZDLhFi.png","articleSection":["Allgemein"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/","url":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/","name":"Fuzzing Smugglers \/ A dive into attacking WAFs - avydos.com","isPartOf":{"@id":"https:\/\/avydos.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#primaryimage"},"image":{"@id":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#primaryimage"},"thumbnailUrl":"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/header-ZDLhFi.png","datePublished":"2023-11-24T06:00:49+00:00","dateModified":"2026-03-25T14:27:18+00:00","breadcrumb":{"@id":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#primaryimage","url":"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/header-ZDLhFi.png","contentUrl":"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/header-ZDLhFi.png","width":2000,"height":763},{"@type":"BreadcrumbList","@id":"https:\/\/avydos.com\/fuzzing-smugglers-a-dive-into-attacking-wafs-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/avydos.com\/"},{"@type":"ListItem","position":2,"name":"Fuzzing Smugglers \/ A dive into attacking WAFs"}]},{"@type":"WebSite","@id":"https:\/\/avydos.com\/#website","url":"https:\/\/avydos.com\/","name":"avydos.com","description":"Avydos is a DDoS stress test self-testing service for security engineers: test DDoS threat simulations independently under real attack conditions.","publisher":{"@id":"https:\/\/avydos.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/avydos.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/avydos.com\/#organization","name":"Avydos by zeroBS GmbH","alternateName":"Avydos by zeroBS GmbH","url":"https:\/\/avydos.com\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/avydos.com\/#\/schema\/logo\/image\/","url":"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/android-chrome-256x256-1.png","contentUrl":"https:\/\/avydos.com\/wp-content\/uploads\/2023\/11\/android-chrome-256x256-1.png","width":256,"height":256,"caption":"Avydos by zeroBS GmbH"},"image":{"@id":"https:\/\/avydos.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/avydos.com\/#\/schema\/person\/cb5e49332c0c6f21c98f578e0a2b1393","name":"Monja Janneck","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/avydos.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/84f7b27e05b2e57cd9d3dcd5d52bc93ecaf7b931e6bd21fb45d5f4166ac106ce?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/84f7b27e05b2e57cd9d3dcd5d52bc93ecaf7b931e6bd21fb45d5f4166ac106ce?s=96&d=mm&r=g","caption":"Monja Janneck"}}]}},"_links":{"self":[{"href":"https:\/\/avydos.com\/en\/wp-json\/wp\/v2\/posts\/1160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/avydos.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/avydos.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/avydos.com\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/avydos.com\/en\/wp-json\/wp\/v2\/comments?post=1160"}],"version-history":[{"count":1,"href":"https:\/\/avydos.com\/en\/wp-json\/wp\/v2\/posts\/1160\/revisions"}],"predecessor-version":[{"id":1487,"href":"https:\/\/avydos.com\/en\/wp-json\/wp\/v2\/posts\/1160\/revisions\/1487"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/avydos.com\/en\/wp-json\/wp\/v2\/media\/1161"}],"wp:attachment":[{"href":"https:\/\/avydos.com\/en\/wp-json\/wp\/v2\/media?parent=1160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/avydos.com\/en\/wp-json\/wp\/v2\/categories?post=1160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/avydos.com\/en\/wp-json\/wp\/v2\/tags?post=1160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}