npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/fuzz/special-chars.json ADDED Viewed

@@ -0,0 +1,740 @@
+[
+  {
+      "id": "FUZZ-CHAR-001",
+      "payload": "%00",
+      "tags": ["null-byte", "injection", "quick"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Null byte injection",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-CHAR-002",
+      "payload": "%0a",
+      "tags": ["newline", "crlf"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Line feed injection",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-CHAR-003",
+      "payload": "%0d",
+      "tags": ["carriage-return", "crlf"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Carriage return injection",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-CHAR-004",
+      "payload": "%0d%0a",
+      "tags": ["crlf", "header-injection"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "CRLF sequence",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-CHAR-005",
+      "payload": "%7f",
+      "tags": ["del", "control-char"],
+      "expected_block": true,
+      "severity_hint": "Low",
+      "notes": "DEL control character",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-CHAR-006",
+      "payload": "%ff",
+      "tags": ["high-byte", "binary"],
+      "expected_block": true,
+      "severity_hint": "Low",
+      "notes": "High byte injection",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-CHAR-007",
+      "payload": "\\t",
+      "tags": ["tab", "whitespace"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Tab character",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-CHAR-008",
+      "payload": "\\n",
+      "tags": ["newline", "escape"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Escaped newline",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-CHAR-009",
+      "payload": "\\r",
+      "tags": ["carriage-return", "escape"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Escaped carriage return",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-CHAR-010",
+      "payload": "\\0",
+      "tags": ["null", "escape"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Escaped null",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-001",
+      "payload": "<>\"'%;)(&+",
+      "tags": ["metachar", "mixed", "quick"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Mixed metacharacters",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-002",
+      "payload": "!@#$%^&*()",
+      "tags": ["metachar", "special"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Common special characters",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-003",
+      "payload": "|",
+      "tags": ["pipe", "command"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Pipe character",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-004",
+      "payload": "||",
+      "tags": ["double-pipe", "or"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Double pipe OR",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-005",
+      "payload": "&",
+      "tags": ["ampersand", "command"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Ampersand character",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-006",
+      "payload": "&&",
+      "tags": ["double-ampersand", "and"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Double ampersand AND",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-007",
+      "payload": ";",
+      "tags": ["semicolon", "command"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Semicolon command separator",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-008",
+      "payload": "`",
+      "tags": ["backtick", "command"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Backtick command substitution",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-009",
+      "payload": "$(",
+      "tags": ["command-sub", "bash"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Command substitution",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-010",
+      "payload": "${",
+      "tags": ["variable", "expansion"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Variable expansion",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-011",
+      "payload": "#",
+      "tags": ["comment", "shell"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Shell comment",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-012",
+      "payload": "--",
+      "tags": ["comment", "sql"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "SQL comment",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-013",
+      "payload": "/**/",
+      "tags": ["comment", "multi-line"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Multi-line comment",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-014",
+      "payload": "//",
+      "tags": ["comment", "single-line"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Single-line comment",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-META-015",
+      "payload": "\\",
+      "tags": ["backslash", "escape"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Backslash escape",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-FORMAT-001",
+      "payload": "%s%s%s%s%s",
+      "tags": ["format-string", "string", "quick"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "String format specifiers",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-FORMAT-002",
+      "payload": "%x%x%x%x%x",
+      "tags": ["format-string", "hex"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Hex format specifiers",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-FORMAT-003",
+      "payload": "%n%n%n%n%n",
+      "tags": ["format-string", "write"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Write format specifiers",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-FORMAT-004",
+      "payload": "%p%p%p%p%p",
+      "tags": ["format-string", "pointer"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Pointer format specifiers",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-FORMAT-005",
+      "payload": "%d%d%d%d%d",
+      "tags": ["format-string", "integer"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Integer format specifiers",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-FORMAT-006",
+      "payload": "%08x.%08x.%08x.%08x",
+      "tags": ["format-string", "padded"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Padded hex format",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-FORMAT-007",
+      "payload": "AAAA%08x.%08x.%08x.%08x",
+      "tags": ["format-string", "marker"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Format string with marker",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOUNDARY-001",
+      "payload": "-1",
+      "tags": ["integer", "negative"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Negative integer",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOUNDARY-002",
+      "payload": "0",
+      "tags": ["integer", "zero"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Zero value",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOUNDARY-003",
+      "payload": "2147483647",
+      "tags": ["integer", "max-int32"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Max 32-bit signed integer",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOUNDARY-004",
+      "payload": "2147483648",
+      "tags": ["integer", "overflow"],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "Integer overflow",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOUNDARY-005",
+      "payload": "-2147483648",
+      "tags": ["integer", "min-int32"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Min 32-bit signed integer",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOUNDARY-006",
+      "payload": "-2147483649",
+      "tags": ["integer", "underflow"],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "Integer underflow",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOUNDARY-007",
+      "payload": "9999999999999999999999999999",
+      "tags": ["integer", "large"],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "Very large integer",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOUNDARY-008",
+      "payload": "0xFFFFFFFF",
+      "tags": ["integer", "hex-max"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Hex max uint32",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOUNDARY-009",
+      "payload": "1e308",
+      "tags": ["float", "large"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Large float exponent",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOUNDARY-010",
+      "payload": "1e-308",
+      "tags": ["float", "small"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Small float exponent",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-NULL-001",
+      "payload": "NULL",
+      "tags": ["null", "string"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "NULL string",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-NULL-002",
+      "payload": "null",
+      "tags": ["null", "lowercase"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "null string",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-NULL-003",
+      "payload": "(null)",
+      "tags": ["null", "pointer"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Null pointer representation",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-NULL-004",
+      "payload": "nil",
+      "tags": ["null", "ruby"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Ruby nil value",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-NULL-005",
+      "payload": "None",
+      "tags": ["null", "python"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Python None value",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-NULL-006",
+      "payload": "undefined",
+      "tags": ["null", "javascript"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "JavaScript undefined",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-NULL-007",
+      "payload": "NaN",
+      "tags": ["nan", "number"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Not a Number",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-NULL-008",
+      "payload": "Infinity",
+      "tags": ["infinity", "number"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Infinity value",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOOL-001",
+      "payload": "true",
+      "tags": ["boolean", "true"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Boolean true",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOOL-002",
+      "payload": "false",
+      "tags": ["boolean", "false"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Boolean false",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOOL-003",
+      "payload": "TRUE",
+      "tags": ["boolean", "uppercase"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Uppercase TRUE",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOOL-004",
+      "payload": "FALSE",
+      "tags": ["boolean", "uppercase"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Uppercase FALSE",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOOL-005",
+      "payload": "1",
+      "tags": ["boolean", "numeric-true"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Numeric true",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-BOOL-006",
+      "payload": "0",
+      "tags": ["boolean", "numeric-false"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Numeric false",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-LONG-001",
+      "payload": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+      "tags": ["buffer", "long-string", "quick"],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "100 A's buffer test",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-LONG-002",
+      "payload": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+      "tags": ["buffer", "1k-string"],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "1000 character string",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-LONG-003",
+      "payload": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
+      "tags": ["buffer", "10k-string"],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "1000 character string (reduced from 10k for JSON compatibility)",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-UNICODE-001",
+      "payload": "Ā",
+      "tags": ["unicode", "latin-ext"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Latin extended A",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-UNICODE-002",
+      "payload": "中文",
+      "tags": ["unicode", "cjk"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Chinese characters",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-UNICODE-003",
+      "payload": "العربية",
+      "tags": ["unicode", "arabic", "rtl"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Arabic RTL text",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-UNICODE-004",
+      "payload": "𝕳𝖊𝖑𝖑𝖔",
+      "tags": ["unicode", "gothic"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Gothic mathematical symbols",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-UNICODE-005",
+      "payload": "🔥💉🐛",
+      "tags": ["unicode", "emoji"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Emoji characters",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-UNICODE-006",
+      "payload": "‮RLO",
+      "tags": ["unicode", "bidi", "override"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Right-to-Left Override",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-UNICODE-007",
+      "payload": "‭LRO",
+      "tags": ["unicode", "bidi", "override"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Left-to-Right Override",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-UNICODE-008",
+      "payload": "",
+      "tags": ["unicode", "soft-hyphen"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Soft hyphen (invisible)",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-UNICODE-009",
+      "payload": "",
+      "tags": ["unicode", "zwsp"],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "Zero-width space",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-UNICODE-010",
+      "payload": "‌",
+      "tags": ["unicode", "zwnj"],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "Zero-width non-joiner",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-EMPTY-001",
+      "payload": "",
+      "tags": ["empty", "string"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Empty string",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-EMPTY-002",
+      "payload": "   ",
+      "tags": ["whitespace", "only"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Whitespace only",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-EMPTY-003",
+      "payload": "\\t\\n\\r",
+      "tags": ["whitespace", "control"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Control characters only",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-JSON-001",
+      "payload": "{}",
+      "tags": ["json", "empty-object"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Empty JSON object",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-JSON-002",
+      "payload": "[]",
+      "tags": ["json", "empty-array"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Empty JSON array",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-JSON-003",
+      "payload": "{\"__proto__\": {}}",
+      "tags": ["json", "prototype-pollution"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Prototype pollution attempt",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-JSON-004",
+      "payload": "{\"constructor\": {\"prototype\": {}}}",
+      "tags": ["json", "prototype-pollution"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Constructor prototype pollution",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-JSON-005",
+      "payload": "{\"a\": {\"b\": {\"c\": {\"d\": {\"e\": {}}}}}}",
+      "tags": ["json", "deep-nesting"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Deeply nested JSON",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-XML-001",
+      "payload": "<?xml version=\"1.0\"?>",
+      "tags": ["xml", "declaration"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "XML declaration",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-XML-002",
+      "payload": "<!DOCTYPE test>",
+      "tags": ["xml", "doctype"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "DOCTYPE declaration",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-XML-003",
+      "payload": "<![CDATA[]]>",
+      "tags": ["xml", "cdata"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Empty CDATA section",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-XML-004",
+      "payload": "<!---->",
+      "tags": ["xml", "comment"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Empty XML comment",
+      "category": "Fuzz"
+  },
+  {
+      "id": "FUZZ-XML-005",
+      "payload": "&amp;&lt;&gt;&quot;&apos;",
+      "tags": ["xml", "entities"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "XML entities",
+      "category": "Fuzz"
+  }
+]