@waftester/cli 2.8.0

package/LICENSE

@@ -0,0 +1,80 @@
+Business Source License 1.1
+
+Parameters
+
+Licensor:             WAFtester
+Licensed Work:        WAFtester
+                      The Licensed Work is (c) 2026 WAFtester
+Additional Use Grant: You may use the Licensed Work for any purpose,
+                      except you may not use it to provide a commercial
+                      WAF testing, security scanning, or vulnerability
+                      assessment service to third parties.
+Change Date:          January 31, 2030
+Change License:       Apache License, Version 2.0
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative
+works, redistribute, and make non-production use of the Licensed Work. The
+Licensor may make an Additional Use Grant, above, permitting limited
+production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly
+available distribution of a specific version of the Licensed Work under this
+License, whichever comes first, the Licensor hereby grants you rights under
+the terms of the Change License, and the rights granted in the paragraph
+above terminate.
+
+If your use of the Licensed Work does not comply with the requirements
+currently in effect as described in this License, you must purchase a
+commercial license from the Licensor, its affiliated entities, or authorized
+resellers, or you must refrain from using the Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works
+of the Licensed Work, are subject to this License. This License applies
+separately for each version of the Licensed Work and the Change Date may vary
+for each version of the Licensed Work released by Licensor.
+
+You must conspicuously display this License on each original or modified copy
+of the Licensed Work. If you receive the Licensed Work in original or
+modified form from a third party, the terms and conditions set forth in this
+License apply to your use of that work.
+
+Any use of the Licensed Work in violation of this License will automatically
+terminate your rights under this License for the current and all other
+versions of the Licensed Work.
+
+This License does not grant you any right in any trademark or logo of
+Licensor or its affiliates (provided that you may use a trademark or logo of
+Licensor as expressly required by this License).
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON
+AN "AS IS" BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS,
+EXPRESS OR IMPLIED, INCLUDING (WITHOUT LIMITATION) WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, AND
+TITLE.
+
+MariaDB hereby grants you permission to use this License's text to license
+your works, and to refer to it using the trademark "Business Source License",
+as long as you comply with the Covenants of Licensor below.
+
+Covenants of Licensor
+
+In consideration of the right to use this License's text and the "Business
+Source License" name and trademark, Licensor covenants to MariaDB, and to all
+other recipients of the licensed work to be provided by Licensor:
+
+1. To specify as the Change License the GPL Version 2.0 or any later version,
+   or a license that is compatible with GPL Version 2.0 or a later version,
+   where "compatible" means that software provided under the Change License can
+   be included in a program with software provided under GPL Version 2.0 or a
+   later version. Licensor may specify additional Change Licenses without
+   limitation.
+
+2. To either: (a) specify an additional grant of rights to use that does not
+   impose any additional restriction on the right granted in this License, as
+   the Additional Use Grant; or (b) insert the text "None".
+
+3. To specify a Change Date.
+
+4. Not to modify this License in any other way.

package/LICENSE-COMMUNITY

@@ -0,0 +1,28 @@
+MIT License
+
+Copyright (c) 2026 WAFtester
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+---
+
+This license applies to the community payloads located in:
+  payloads/community/
+
+The core WAFtester software is licensed under BSL 1.1 (see LICENSE file).

package/README.md

@@ -0,0 +1,121 @@
+# @waftester/cli
+
+[![npm](https://img.shields.io/npm/v/@waftester/cli)](https://npmjs.com/package/@waftester/cli)
+[![downloads](https://img.shields.io/npm/dw/@waftester/cli)](https://npmjs.com/package/@waftester/cli)
+[![license](https://img.shields.io/npm/l/@waftester/cli)](https://github.com/waftester/waftester/blob/main/LICENSE)
+
+The most comprehensive WAF testing CLI & MCP server. Detect, fingerprint, and bypass Web Application Firewalls with 2,800+ payloads and quantitative security metrics.
+
+## Quick Start
+
+```bash
+# Run without installing
+npx -y @waftester/cli scan --target https://example.com
+
+# Or install globally
+npm install -g @waftester/cli
+waf-tester scan --target https://example.com
+```
+
+## MCP Server Setup
+
+WAFtester includes a built-in [Model Context Protocol](https://modelcontextprotocol.io/) server for AI-powered security testing from Claude Desktop, VS Code, Cursor, and other MCP clients.
+
+### Claude Desktop
+
+Add to `claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "waf-tester": {
+      "command": "npx",
+      "args": ["-y", "@waftester/cli", "mcp"]
+    }
+  }
+}
+```
+
+### VS Code
+
+Add to `.vscode/mcp.json` in your workspace:
+
+```json
+{
+  "servers": {
+    "waf-tester": {
+      "command": "npx",
+      "args": ["-y", "@waftester/cli", "mcp"]
+    }
+  }
+}
+```
+
+### Cursor
+
+Add to Cursor MCP settings:
+
+```json
+{
+  "mcpServers": {
+    "waf-tester": {
+      "command": "npx",
+      "args": ["-y", "@waftester/cli", "mcp"]
+    }
+  }
+}
+```
+
+## CLI Usage
+
+```bash
+# Full automated assessment
+waf-tester auto -u https://target.com --smart
+
+# WAF vendor detection
+waf-tester vendor -u https://target.com
+
+# XSS payload testing
+waf-tester run -u https://target.com -category xss
+
+# Bypass discovery with tamper chains
+waf-tester bypass -u https://target.com --smart --tamper-auto
+
+# Version check
+waf-tester version
+```
+
+## Platform Support
+
+| Platform | Architecture | Package |
+|---|---|---|
+| macOS | x64 (Intel) | `@waftester/darwin-x64` |
+| macOS | arm64 (Apple Silicon) | `@waftester/darwin-arm64` |
+| Linux | x64 | `@waftester/linux-x64` |
+| Linux | arm64 | `@waftester/linux-arm64` |
+| Windows | x64 | `@waftester/win32-x64` |
+| Windows | arm64 | `@waftester/win32-arm64` |
+
+ARM64 platforms with x64 emulation (Rosetta 2, Windows WoW) are supported as fallback.
+
+## Environment Variables
+
+| Variable | Description |
+|---|---|
+| `WAF_TESTER_BINARY_PATH` | Override binary path (skip platform resolution) |
+| `WAF_TESTER_PAYLOAD_DIR` | Override bundled payload directory |
+| `WAF_TESTER_TEMPLATE_DIR` | Override bundled template directory |
+
+## License
+
+[Business Source License 1.1](https://github.com/waftester/waftester/blob/main/LICENSE) — converts to open source after the change date. See [LICENSE](https://github.com/waftester/waftester/blob/main/LICENSE) for full terms.
+
+Community payloads are licensed under [MIT](https://github.com/waftester/waftester/blob/main/LICENSE-COMMUNITY).
+
+## Links
+
+- [GitHub](https://github.com/waftester/waftester)
+- [Documentation](https://github.com/waftester/waftester/blob/main/docs/EXAMPLES.md)
+- [Installation Guide](https://github.com/waftester/waftester/blob/main/docs/INSTALLATION.md)
+- [Changelog](https://github.com/waftester/waftester/blob/main/CHANGELOG.md)
+- [Issues](https://github.com/waftester/waftester/issues)

package/bin/cli.js

@@ -0,0 +1,152 @@
+#!/usr/bin/env node
+
+"use strict";
+
+// — Runtime Node.js version check (engines field is advisory only) —
+const major = parseInt(process.versions.node.split(".")[0], 10);
+if (major < 16) {
+  console.error(
+    `WAFtester requires Node.js >= 16 (found ${process.version}).`
+  );
+  process.exit(1);
+}
+
+const { execFileSync } = require("child_process");
+const { existsSync } = require("fs");
+const path = require("path");
+
+const PLATFORMS = {
+  "darwin-x64": "@waftester/darwin-x64",
+  "darwin-arm64": "@waftester/darwin-arm64",
+  "linux-x64": "@waftester/linux-x64",
+  "linux-arm64": "@waftester/linux-arm64",
+  "win32-x64": "@waftester/win32-x64",
+  "win32-arm64": "@waftester/win32-arm64",
+};
+
+// ARM64 → x64 emulation fallback (Rosetta 2 / Windows ARM emulation)
+const EMULATION_FALLBACK = {
+  "darwin-arm64": "@waftester/darwin-x64",
+  "win32-arm64": "@waftester/win32-x64",
+};
+
+function resolvePkgBinary(packageName) {
+  const binaryName =
+    process.platform === "win32" ? "waf-tester.exe" : "waf-tester";
+  const pkgJsonPath = require.resolve(`${packageName}/package.json`);
+
+  // Yarn PnP: detect if resolved path is inside a .zip archive
+  if (pkgJsonPath.includes(".zip/")) {
+    console.error(
+      `WAFtester: binary resolved inside a zip archive (Yarn PnP).\n` +
+        `Set preferUnplugged: true for ${packageName} in .yarnrc.yml,\n` +
+        `or run: yarn unplug ${packageName}`
+    );
+    process.exit(1);
+  }
+
+  return path.join(path.dirname(pkgJsonPath), "bin", binaryName);
+}
+
+function getBinaryPath() {
+  // 1. Environment variable override (for development/debugging)
+  const envPath = process.env.WAF_TESTER_BINARY_PATH;
+  if (envPath) {
+    if (!existsSync(envPath)) {
+      console.error(
+        `WAFtester: WAF_TESTER_BINARY_PATH does not exist: ${envPath}\n` +
+          `Unset WAF_TESTER_BINARY_PATH to use the bundled binary.`
+      );
+      process.exit(1);
+    }
+    return envPath;
+  }
+
+  const platformKey = `${process.platform}-${process.arch}`;
+
+  // 2. Exact platform match
+  const packageName = PLATFORMS[platformKey];
+  if (packageName) {
+    try {
+      return resolvePkgBinary(packageName);
+    } catch {
+      // Fall through to emulation fallback
+    }
+  }
+
+  // 3. Emulation fallback (ARM64 → x64 via Rosetta 2 / WoW)
+  const fallbackPkg = EMULATION_FALLBACK[platformKey];
+  if (fallbackPkg) {
+    try {
+      const fallbackPath = resolvePkgBinary(fallbackPkg);
+      console.error(
+        `WAFtester: native binary for ${platformKey} not found.\n` +
+          `Falling back to x64 binary under emulation.`
+      );
+      return fallbackPath;
+    } catch {
+      // Fall through to error
+    }
+  }
+
+  // 4. Unsupported or missing — actionable error message
+  if (!packageName) {
+    console.error(
+      `WAFtester: unsupported platform ${platformKey}\n` +
+        `Supported: ${Object.keys(PLATFORMS).join(", ")}\n` +
+        `Install from source: ` +
+        `go install github.com/waftester/waftester/cmd/cli@latest`
+    );
+  } else {
+    console.error(
+      `WAFtester: ${packageName} is not installed.\n\n` +
+        `Try reinstalling:\n` +
+        `  npm install @waftester/cli\n\n` +
+        `If --no-optional was used:\n` +
+        `  npm install @waftester/cli --include=optional\n\n` +
+        `Or install from source:\n` +
+        `  go install github.com/waftester/waftester/cmd/cli@latest`
+    );
+  }
+  process.exit(1);
+}
+
+// — Set payload/template directories (user env vars take precedence) —
+const cliDir = path.resolve(__dirname, "..");
+if (!process.env.WAF_TESTER_PAYLOAD_DIR) {
+  process.env.WAF_TESTER_PAYLOAD_DIR = path.join(cliDir, "payloads");
+}
+if (!process.env.WAF_TESTER_TEMPLATE_DIR) {
+  process.env.WAF_TESTER_TEMPLATE_DIR = path.join(
+    cliDir,
+    "templates",
+    "nuclei"
+  );
+}
+
+// — Execute the Go binary (esbuild + Turbo pattern) —
+// execFileSync inherits stdio and throws on non-zero exit.
+// The thrown error's .status property contains the exit code.
+try {
+  execFileSync(getBinaryPath(), process.argv.slice(2), {
+    stdio: "inherit",
+    env: process.env,
+  });
+} catch (e) {
+  // execFileSync throws for non-zero exit OR spawn failure.
+  // Forward the child's exit code if available.
+  if (e && e.status != null) {
+    process.exit(e.status);
+  }
+  // Spawn failure (ENOENT, EACCES, etc.)
+  if (e && e.code === "ENOENT") {
+    console.error(`WAFtester: binary not found.`);
+    console.error(`Try reinstalling: npm install @waftester/cli`);
+  } else if (e && e.code === "EACCES") {
+    console.error(`WAFtester: permission denied.`);
+    console.error(`Try: chmod +x <binary path>`);
+  } else {
+    console.error(`WAFtester: ${(e && e.message) || e}`);
+  }
+  process.exit(1);
+}

package/package.json

@@ -0,0 +1,52 @@
+{
+  "name": "@waftester/cli",
+  "version": "2.8.0",
+  "description": "WAFtester — the most comprehensive WAF testing CLI & MCP server",
+  "license": "BUSL-1.1",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/waftester/waftester.git"
+  },
+  "homepage": "https://github.com/waftester/waftester",
+  "bugs": "https://github.com/waftester/waftester/issues",
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
+  "keywords": [
+    "waf",
+    "security",
+    "testing",
+    "firewall",
+    "mcp",
+    "web-application-firewall",
+    "penetration-testing",
+    "owasp",
+    "sqli",
+    "xss",
+    "security-scanner",
+    "model-context-protocol",
+    "ai-security"
+  ],
+  "bin": {
+    "waf-tester": "bin/cli.js"
+  },
+  "files": [
+    "bin/",
+    "payloads/",
+    "templates/",
+    "LICENSE",
+    "LICENSE-COMMUNITY"
+  ],
+  "engines": {
+    "node": ">=16"
+  },
+  "optionalDependencies": {
+    "@waftester/darwin-x64": "2.8.0",
+    "@waftester/darwin-arm64": "2.8.0",
+    "@waftester/linux-x64": "2.8.0",
+    "@waftester/linux-arm64": "2.8.0",
+    "@waftester/win32-x64": "2.8.0",
+    "@waftester/win32-arm64": "2.8.0"
+  }
+}

package/payloads/community/README.md

@@ -0,0 +1,45 @@
+# Community Payloads
+
+Free, open-source attack payloads for WAF testing. Licensed under MIT.
+
+## Categories
+
+| Category | Description | Files |
+|----------|-------------|-------|
+| `auth/` | Authentication bypass payloads | JWT, OAuth, session attacks |
+| `injection/` | SQL, NoSQL, Command injection | SQLi, CMDi, LDAP |
+| `traversal/` | Path traversal attacks | LFI, directory traversal |
+| `xss/` | Cross-site scripting | Reflected, stored, DOM XSS |
+
+## Usage
+
+```bash
+# Run all community payloads
+waftester -u https://example.com -payloads community
+
+# Run specific category
+waftester -u https://example.com -payloads community/xss
+```
+
+## Contributing
+
+We welcome payload contributions! See [CONTRIBUTING.md](../../CONTRIBUTING.md) for guidelines.
+
+### Payload Format
+
+```json
+{
+  "id": "unique-id",
+  "name": "Human readable name",
+  "category": "xss|sqli|injection|traversal|auth",
+  "payload": "actual attack string",
+  "encoding": "none|url|base64|html",
+  "expected_block": true,
+  "cwe": "CWE-79",
+  "severity": "high|medium|low"
+}
+```
+
+## License
+
+MIT - See [LICENSE-COMMUNITY](../../LICENSE-COMMUNITY)

package/payloads/community/ai/ml-poisoning.json

@@ -0,0 +1,173 @@
+[
+  {
+      "id": "AI-ML-001",
+      "payload": "/api/assets?metadata={\"description\":\"<script>alert(1)</script>\"}",
+      "tags": [
+        "ml-poisoning",
+        "xss",
+        "metadata",
+        "quick",
+        "high"
+    ],
+      "expected_block": false,
+      "severity_hint": "High",
+      "notes": "XSS in ML-generated image description",
+      "category": "AI"
+  },
+  {
+      "id": "AI-ML-002",
+      "payload": "/api/assets/upload",
+      "method": "POST",
+      "body": "adversarial_image_with_misclassification_pattern.jpg",
+      "tags": [
+        "ml-poisoning",
+        "adversarial",
+        "classification",
+        "medium"
+    ],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "Adversarial image to poison ML classification",
+      "category": "AI"
+  },
+  {
+      "id": "AI-ML-003",
+      "payload": "/api/search/metadata?q=../../etc/passwd",
+      "tags": [
+        "ml-poisoning",
+        "path-traversal",
+        "high"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Path traversal in ML metadata search",
+      "category": "AI"
+  },
+  {
+      "id": "AI-ML-004",
+      "payload": "/api/assets?faces=[{\"name\":\"<img src=x onerror=alert(1)>\"}]",
+      "tags": [
+        "ml-poisoning",
+        "xss",
+        "face-recognition",
+        "quick",
+        "high"
+    ],
+      "expected_block": false,
+      "severity_hint": "High",
+      "notes": "XSS in face recognition metadata",
+      "category": "AI"
+  },
+  {
+      "id": "AI-ML-005",
+      "payload": "/api/assets?objects=[\"' OR '1'='1\"]",
+      "tags": [
+        "ml-poisoning",
+        "sqli",
+        "object-detection",
+        "high"
+    ],
+      "expected_block": false,
+      "severity_hint": "High",
+      "notes": "SQLi in object detection metadata",
+      "category": "AI"
+  },
+  {
+      "id": "AI-ML-006",
+      "payload": "/api/assets?description={{constructor.constructor('return process')().mainModule.require('child_process').execSync('id')}}",
+      "tags": [
+        "ml-poisoning",
+        "rce",
+        "ssti",
+        "critical"
+    ],
+      "expected_block": false,
+      "severity_hint": "Critical",
+      "notes": "SSTI/RCE in ML description field",
+      "category": "AI"
+  },
+  {
+      "id": "AI-ML-007",
+      "payload": "/api/assets?tags=[\"tag1\",\"tag2\",\"tag3\",...x10000]",
+      "tags": [
+        "ml-poisoning",
+        "dos",
+        "resource-exhaustion",
+        "quick",
+        "medium"
+    ],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "DoS via excessive ML tags",
+      "category": "AI"
+  },
+  {
+      "id": "AI-ML-008",
+      "payload": "/api/search/smart?q=UNION SELECT password FROM users--",
+      "tags": [
+        "ml-poisoning",
+        "sqli",
+        "smart-search",
+        "critical"
+    ],
+      "expected_block": false,
+      "severity_hint": "Critical",
+      "notes": "SQLi in AI-powered smart search",
+      "category": "AI"
+  },
+  {
+      "id": "AI-ML-009",
+      "payload": "/api/assets?location={\"latitude\":\"'; DROP TABLE assets;--\",\"longitude\":0}",
+      "tags": [
+        "ml-poisoning",
+        "sqli",
+        "geolocation",
+        "high"
+    ],
+      "expected_block": false,
+      "severity_hint": "High",
+      "notes": "SQLi in ML geolocation metadata",
+      "category": "AI"
+  },
+  {
+      "id": "AI-ML-010",
+      "payload": "/api/assets?ocr_text=javascript:alert(document.domain)",
+      "tags": [
+        "ml-poisoning",
+        "xss",
+        "ocr",
+        "quick",
+        "high"
+    ],
+      "expected_block": false,
+      "severity_hint": "High",
+      "notes": "XSS in OCR extracted text",
+      "category": "AI"
+  },
+  {
+      "id": "AI-ML-011",
+      "payload": "/api/search/clip?embedding=[0.1,0.2,...,NaN,...,0.5]",
+      "tags": [
+        "ml-poisoning",
+        "model-confusion",
+        "medium"
+    ],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "NaN injection in CLIP embedding search",
+      "category": "AI"
+  },
+  {
+      "id": "AI-ML-012",
+      "payload": "/api/assets?ml_metadata={\"confidence\":-1.5}",
+      "tags": [
+        "ml-poisoning",
+        "invalid-data",
+        "low"
+    ],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Negative confidence score injection",
+      "category": "AI"
+  }
+]