@qball-inc/the-bulwark 1.0.0

package/skills/bug-magnet-data/data/strings/injection.yaml

@@ -0,0 +1,208 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls:
+    - "https://owasp.org/www-project-web-security-testing-guide/v42/6-Appendix/C-Fuzz_Vectors"
+
+category: strings
+subcategory: injection
+tier: T1
+severity: security
+
+bugs_caught:
+  - "SQL injection"
+  - "Cross-site scripting (XSS)"
+  - "Command injection"
+  - "Path traversal"
+
+values:
+  # SQL Injection - Safe for automation
+  sql_basic:
+    value: "' OR '1'='1"
+    bugs_caught:
+      - "SQL injection via string concatenation"
+    safe_for_automation: true
+    context_required: "Raw SQL queries"
+
+  sql_comment:
+    value: "' OR 1=1--"
+    bugs_caught:
+      - "SQL injection with comment"
+    safe_for_automation: true
+    context_required: "Raw SQL queries"
+
+  sql_union:
+    value: "' UNION SELECT NULL--"
+    bugs_caught:
+      - "SQL injection UNION attack"
+    safe_for_automation: true
+    context_required: "Raw SQL queries"
+
+  sql_stacked:
+    value: "'; SELECT 1--"
+    bugs_caught:
+      - "Stacked query injection"
+    safe_for_automation: true
+    context_required: "Raw SQL queries"
+
+  # SQL Injection - Destructive (manual only)
+  sql_drop:
+    value: "'; DROP TABLE users--"
+    bugs_caught:
+      - "SQL injection allowing data destruction"
+    safe_for_automation: false
+    manual_only: true
+    context_required: "Raw SQL queries"
+
+  sql_truncate:
+    value: "'; TRUNCATE TABLE users--"
+    bugs_caught:
+      - "SQL injection data deletion"
+    safe_for_automation: false
+    manual_only: true
+    context_required: "Raw SQL queries"
+
+  # XSS - Safe patterns
+  xss_script_tag:
+    value: "<script>alert('XSS')</script>"
+    bugs_caught:
+      - "Reflected XSS"
+      - "Unescaped output"
+    safe_for_automation: true
+    context_required: "HTML rendering"
+
+  xss_img_onerror:
+    value: "<img src=x onerror=alert('XSS')>"
+    bugs_caught:
+      - "Event handler XSS"
+    safe_for_automation: true
+    context_required: "HTML rendering"
+
+  xss_svg:
+    value: "<svg onload=alert('XSS')>"
+    bugs_caught:
+      - "SVG-based XSS"
+    safe_for_automation: true
+    context_required: "HTML rendering"
+
+  xss_href_javascript:
+    value: "javascript:alert('XSS')"
+    bugs_caught:
+      - "JavaScript protocol XSS"
+    safe_for_automation: true
+    context_required: "URL handling"
+
+  xss_data_uri:
+    value: "data:text/html,<script>alert('XSS')</script>"
+    bugs_caught:
+      - "Data URI XSS"
+    safe_for_automation: true
+    context_required: "URL handling"
+
+  xss_encoded:
+    value: "&lt;script&gt;alert('XSS')&lt;/script&gt;"
+    bugs_caught:
+      - "Double encoding XSS"
+    safe_for_automation: true
+    context_required: "HTML rendering"
+
+  # Command Injection - Safe for detection
+  cmd_semicolon:
+    value: "; echo vulnerable"
+    bugs_caught:
+      - "Command injection via semicolon"
+    safe_for_automation: true
+    context_required: "Shell execution"
+
+  cmd_pipe:
+    value: "| echo vulnerable"
+    bugs_caught:
+      - "Command injection via pipe"
+    safe_for_automation: true
+    context_required: "Shell execution"
+
+  cmd_backtick:
+    value: "`echo vulnerable`"
+    bugs_caught:
+      - "Command substitution injection"
+    safe_for_automation: true
+    context_required: "Shell execution"
+
+  cmd_dollar:
+    value: "$(echo vulnerable)"
+    bugs_caught:
+      - "Command substitution injection"
+    safe_for_automation: true
+    context_required: "Shell execution"
+
+  cmd_newline:
+    value: "foo\necho vulnerable"
+    bugs_caught:
+      - "Newline command injection"
+    safe_for_automation: true
+    context_required: "Shell execution"
+
+  # Command Injection - Destructive (manual only)
+  cmd_rm:
+    value: "; rm -rf /"
+    bugs_caught:
+      - "Destructive command injection"
+    safe_for_automation: false
+    manual_only: true
+    context_required: "Shell execution"
+
+  # Path Traversal
+  path_traversal_basic:
+    value: "../../../etc/passwd"
+    bugs_caught:
+      - "Path traversal"
+      - "Directory escape"
+    safe_for_automation: true
+
+  path_traversal_encoded:
+    value: "..%2F..%2F..%2Fetc%2Fpasswd"
+    bugs_caught:
+      - "URL-encoded path traversal"
+    safe_for_automation: true
+
+  path_traversal_double:
+    value: "....//....//etc/passwd"
+    bugs_caught:
+      - "Double-encoded path traversal"
+    safe_for_automation: true
+
+  path_traversal_null:
+    value: "../../../etc/passwd%00.jpg"
+    bugs_caught:
+      - "Null byte path traversal"
+    safe_for_automation: true
+
+  # LDAP Injection
+  ldap_wildcard:
+    value: "*"
+    bugs_caught:
+      - "LDAP wildcard injection"
+    safe_for_automation: true
+    context_required: "LDAP queries"
+
+  ldap_escape:
+    value: "*)(&"
+    bugs_caught:
+      - "LDAP filter injection"
+    safe_for_automation: true
+    context_required: "LDAP queries"
+
+  # XML/XXE
+  xml_entity:
+    value: "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
+    bugs_caught:
+      - "XML external entity injection"
+    safe_for_automation: true
+    context_required: "XML parsing"
+
+  xml_billion_laughs:
+    value: "<!DOCTYPE lolz [<!ENTITY lol \"lol\">]>"
+    bugs_caught:
+      - "XML entity expansion DoS"
+    safe_for_automation: true
+    context_required: "XML parsing"

package/skills/bug-magnet-data/data/strings/special-chars.yaml

@@ -0,0 +1,190 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls: []
+
+category: strings
+subcategory: special-chars
+tier: T1
+
+bugs_caught:
+  - "Escape sequence handling"
+  - "Quote nesting failures"
+  - "Control character issues"
+  - "Delimiter confusion"
+
+values:
+  single_quote:
+    value: "'"
+    bugs_caught:
+      - "SQL injection setup"
+      - "Quote escaping failures"
+    safe_for_automation: true
+
+  double_quote:
+    value: "\""
+    bugs_caught:
+      - "JSON parsing issues"
+      - "Quote escaping failures"
+    safe_for_automation: true
+
+  backtick:
+    value: "`"
+    bugs_caught:
+      - "Template literal issues"
+      - "Shell command injection"
+    safe_for_automation: true
+
+  backslash:
+    value: "\\"
+    bugs_caught:
+      - "Escape sequence handling"
+      - "Path handling on Windows"
+    safe_for_automation: true
+
+  forward_slash:
+    value: "/"
+    bugs_caught:
+      - "Path delimiter handling"
+      - "URL parsing"
+    safe_for_automation: true
+
+  newline:
+    value: "\n"
+    bugs_caught:
+      - "Newline handling"
+      - "Log injection"
+    safe_for_automation: true
+
+  carriage_return:
+    value: "\r"
+    bugs_caught:
+      - "CR handling"
+      - "HTTP response splitting"
+    safe_for_automation: true
+
+  crlf:
+    value: "\r\n"
+    bugs_caught:
+      - "Windows line ending handling"
+      - "HTTP header injection"
+    safe_for_automation: true
+
+  tab:
+    value: "\t"
+    bugs_caught:
+      - "Tab character handling"
+      - "TSV parsing"
+    safe_for_automation: true
+
+  mixed_quotes:
+    value: "He said \"it's fine\""
+    bugs_caught:
+      - "Nested quote handling"
+      - "Escaping in context"
+    safe_for_automation: true
+
+  curly_braces:
+    value: "{}"
+    bugs_caught:
+      - "Template placeholder handling"
+      - "JSON structure confusion"
+    safe_for_automation: true
+
+  square_brackets:
+    value: "[]"
+    bugs_caught:
+      - "Array notation confusion"
+      - "Regex character class"
+    safe_for_automation: true
+
+  parentheses:
+    value: "()"
+    bugs_caught:
+      - "Function call parsing"
+      - "Regex grouping"
+    safe_for_automation: true
+
+  angle_brackets:
+    value: "<>"
+    bugs_caught:
+      - "HTML/XML parsing"
+      - "Comparison operator confusion"
+    safe_for_automation: true
+
+  ampersand:
+    value: "&"
+    bugs_caught:
+      - "HTML entity handling"
+      - "URL parameter delimiter"
+    safe_for_automation: true
+
+  pipe:
+    value: "|"
+    bugs_caught:
+      - "Command chaining"
+      - "Delimiter confusion"
+    safe_for_automation: true
+
+  semicolon:
+    value: ";"
+    bugs_caught:
+      - "Command termination"
+      - "CSV parsing"
+    safe_for_automation: true
+
+  dollar_sign:
+    value: "$"
+    bugs_caught:
+      - "Variable expansion"
+      - "Currency handling"
+    safe_for_automation: true
+
+  at_sign:
+    value: "@"
+    bugs_caught:
+      - "Email parsing"
+      - "Mention handling"
+    safe_for_automation: true
+
+  hash:
+    value: "#"
+    bugs_caught:
+      - "Comment handling"
+      - "Anchor/fragment parsing"
+    safe_for_automation: true
+
+  percent:
+    value: "%"
+    bugs_caught:
+      - "URL encoding"
+      - "Format string"
+    safe_for_automation: true
+
+  asterisk:
+    value: "*"
+    bugs_caught:
+      - "Wildcard handling"
+      - "Regex quantifier"
+    safe_for_automation: true
+
+  control_char_bell:
+    value: "\x07"
+    bugs_caught:
+      - "Bell character handling"
+      - "Terminal escape"
+    safe_for_automation: true
+
+  control_char_backspace:
+    value: "\x08"
+    bugs_caught:
+      - "Backspace handling"
+      - "Log spoofing"
+    safe_for_automation: true
+
+  control_char_escape:
+    value: "\x1B"
+    bugs_caught:
+      - "ANSI escape sequences"
+      - "Terminal injection"
+    safe_for_automation: true

package/skills/bug-magnet-data/data/strings/unicode.yaml

@@ -0,0 +1,139 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls:
+    - "https://github.com/minimaxir/big-list-of-naughty-strings"
+
+category: strings
+subcategory: unicode
+tier: T1
+
+bugs_caught:
+  - "Multi-byte character handling"
+  - "Normalization mismatches"
+  - "String length calculation errors"
+  - "Display vs storage length mismatch"
+
+values:
+  null_character:
+    value: "hello\x00world"
+    bugs_caught:
+      - "C-string termination confusion"
+      - "Null byte injection"
+    safe_for_automation: true
+
+  zero_width_space:
+    value: "hello\u200Bworld"
+    bugs_caught:
+      - "Invisible character handling"
+      - "String comparison failures"
+    safe_for_automation: true
+
+  zero_width_joiner:
+    value: "hello\u200Dworld"
+    bugs_caught:
+      - "Zero-width joiner handling"
+    safe_for_automation: true
+
+  zero_width_non_joiner:
+    value: "hello\u200Cworld"
+    bugs_caught:
+      - "Zero-width non-joiner handling"
+    safe_for_automation: true
+
+  rtl_override:
+    value: "hello\u202Eworld"
+    bugs_caught:
+      - "RTL override injection"
+      - "Display spoofing"
+    safe_for_automation: true
+
+  bom_utf8:
+    value: "\uFEFFhello"
+    bugs_caught:
+      - "BOM handling"
+      - "Invisible prefix issues"
+    safe_for_automation: true
+
+  emoji_basic:
+    value: "hello 😀 world"
+    bugs_caught:
+      - "Emoji character handling"
+      - "Length calculation (1 emoji = multiple bytes)"
+    safe_for_automation: true
+
+  emoji_zwj_sequence:
+    value: "👨‍👩‍👧‍👦"
+    bugs_caught:
+      - "Complex emoji handling"
+      - "Grapheme cluster length"
+    safe_for_automation: true
+    note: "Family emoji - single grapheme, multiple codepoints"
+
+  emoji_skin_tone:
+    value: "👋🏽"
+    bugs_caught:
+      - "Skin tone modifier handling"
+    safe_for_automation: true
+
+  combining_characters:
+    value: "é"
+    bugs_caught:
+      - "Combining diacritical marks"
+      - "Normalization differences (NFC vs NFD)"
+    safe_for_automation: true
+    note: "e + combining acute accent"
+
+  lookalike_cyrillic_a:
+    value: "pаypal"
+    bugs_caught:
+      - "Homoglyph attacks"
+      - "Visual spoofing"
+    safe_for_automation: true
+    note: "Contains Cyrillic 'а' not Latin 'a'"
+
+  mixed_scripts:
+    value: "Tωτ@ℓ"
+    bugs_caught:
+      - "Mixed script detection"
+      - "Security filtering bypass"
+    safe_for_automation: true
+
+  fullwidth_chars:
+    value: "ｈｅｌｌｏ"
+    bugs_caught:
+      - "Fullwidth vs halfwidth handling"
+    safe_for_automation: true
+
+  superscript_digits:
+    value: "10²"
+    bugs_caught:
+      - "Superscript number handling"
+      - "Numeric parsing"
+    safe_for_automation: true
+
+  mathematical_symbols:
+    value: "x∈ℝ"
+    bugs_caught:
+      - "Mathematical symbol handling"
+    safe_for_automation: true
+
+  cjk_characters:
+    value: "你好世界"
+    bugs_caught:
+      - "CJK character handling"
+      - "Multi-byte length"
+    safe_for_automation: true
+
+  arabic_text:
+    value: "مرحبا"
+    bugs_caught:
+      - "RTL text handling"
+      - "Arabic character support"
+    safe_for_automation: true
+
+  hebrew_text:
+    value: "שלום"
+    bugs_caught:
+      - "Hebrew RTL handling"
+    safe_for_automation: true

package/skills/bug-magnet-data/references/external-lists.md

@@ -0,0 +1,115 @@
+# External Edge Case Lists
+
+Reference URLs to maintained external sources. These are not embedded to avoid staleness.
+
+---
+
+## Big List of Naughty Strings (BLNS)
+
+**URL**: https://github.com/minimaxir/big-list-of-naughty-strings
+
+**Description**: A comprehensive list of strings that have a high probability of causing issues when used as user input. Created by Max Woolf, this is one of the most widely-used edge case string collections.
+
+**Categories covered**:
+- Reserved strings
+- Numeric strings
+- Special characters
+- Unicode edge cases
+- Emoji
+- Regional indicators
+- Script injection
+- SQL injection
+- XSS patterns
+- Server code injection
+
+**Format**: Text file with one string per line
+
+**License**: MIT
+
+**Last verified**: 2026-02-01
+
+---
+
+## OWASP Fuzz Vectors
+
+**URL**: https://owasp.org/www-project-web-security-testing-guide/v42/6-Appendix/C-Fuzz_Vectors
+
+**Description**: OWASP-maintained collection of fuzz testing vectors organized by vulnerability category. Part of the Web Security Testing Guide.
+
+**Categories covered**:
+- SQL Injection
+- LDAP Injection
+- XPath Injection
+- XML Injection
+- Command Injection
+- Cross-Site Scripting (XSS)
+- Format String Attacks
+- Buffer Overflow patterns
+- Integer Overflow patterns
+
+**Format**: Web page with categorized examples
+
+**License**: CC BY-SA 4.0
+
+**Last verified**: 2026-02-01
+
+---
+
+## SecLists
+
+**URL**: https://github.com/danielmiessler/SecLists
+
+**Description**: A collection of multiple types of lists used during security assessments. While primarily for penetration testing, contains valuable edge case data.
+
+**Relevant directories**:
+- `Fuzzing/` - General fuzzing payloads
+- `Payloads/` - Injection payloads
+- `Pattern-Matching/` - Detection patterns
+
+**Note**: This is a large repository. Reference specific files rather than the entire repo.
+
+**License**: MIT
+
+**Last verified**: 2026-02-01
+
+---
+
+## Unicode Confusables
+
+**URL**: https://www.unicode.org/Public/security/latest/confusables.txt
+
+**Description**: Official Unicode Consortium list of visually confusable characters. Essential for homoglyph attack testing.
+
+**Use cases**:
+- Username spoofing detection
+- Domain squatting detection
+- Visual similarity checks
+
+**Format**: Text file with mappings
+
+**License**: Unicode License
+
+**Last verified**: 2026-02-01
+
+---
+
+## Usage Guidelines
+
+1. **Don't embed copies**: These lists are maintained externally. Reference the URLs.
+
+2. **Check for updates**: External lists are updated periodically. The `last verified` date indicates when we confirmed the URL was valid.
+
+3. **Curate subsets**: The bug-magnet-data YAML files contain curated subsets of these lists, not full copies.
+
+4. **Attribution**: When using patterns from these sources, the data files include `source_urls` in metadata.
+
+---
+
+## Suggesting New Sources
+
+If you discover a valuable edge case source:
+
+1. Verify it's actively maintained
+2. Check licensing allows reference/citation
+3. Identify which categories it covers
+4. Add to this file with URL, description, and verification date