npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/injection/xpath.json ADDED Viewed

@@ -0,0 +1,357 @@
+[
+  {
+      "id": "INJ-XPATH-320",
+      "payload": "' or '1'='1",
+      "tags": [
+        "basic",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath classic boolean bypass - always true",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-321",
+      "payload": "' or 1=1 or '1'='1",
+      "tags": [
+        "basic"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath double boolean injection",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-322",
+      "payload": "admin' or '1'='1' and '1'='1",
+      "tags": [
+        "basic",
+        "auth-bypass"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath authentication bypass with AND",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-323",
+      "payload": "'] | //password | a['a'='a",
+      "tags": [
+        "union",
+        "node-extraction"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath node injection - extract all password nodes",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-324",
+      "payload": "'] | //user[username='admin' and password='*'] | a['a'='a",
+      "tags": [
+        "enumeration"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath user enumeration with wildcard",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-325",
+      "payload": "count(//user)>0",
+      "tags": [
+        "blind",
+        "boolean"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath blind boolean - check if users exist",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-326",
+      "payload": "string-length(//user[1]/password)>5",
+      "tags": [
+        "blind",
+        "length"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath blind - extract password length",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-327",
+      "payload": "substring(//user[1]/password,1,1)='a'",
+      "tags": [
+        "blind",
+        "extraction"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath blind - character-by-character extraction",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-328",
+      "payload": "//user[contains(username,'admin')]",
+      "tags": [
+        "enumeration"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath contains() function - username enumeration",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-329",
+      "payload": "//user[starts-with(password,'pass')]",
+      "tags": [
+        "enumeration",
+        "prefix"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath starts-with() - password prefix guessing",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-330",
+      "payload": "'] | //* | a['a'='a",
+      "tags": [
+        "wildcard",
+        "enumeration"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath wildcard - extract all nodes",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-331",
+      "payload": "' and count(parent::*[position()=1])>0 and '1'='1",
+      "tags": [
+        "structure-discovery"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "XPath parent node discovery",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-332",
+      "payload": "'] | //user[@role='admin'] | a['a'='a",
+      "tags": [
+        "attribute",
+        "privilege"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath attribute injection - extract admin users",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-333",
+      "payload": "' or name()='username' or '1'='1",
+      "tags": [
+        "node-name"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath name() function - node name discovery",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-334",
+      "payload": "'] | //user[position()=1] | a['a'='a",
+      "tags": [
+        "position",
+        "enumeration"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath position() - extract first user",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-335",
+      "payload": "' or string-length(name(/*[1]))>0 or 'a'='b",
+      "tags": ["blind", "extraction"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Blind XPath - root element name length",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-336",
+      "payload": "' or substring(name(/*[1]),1,1)='a' or 'a'='b",
+      "tags": ["blind", "char-extraction"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Blind XPath - character by character extraction",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-337",
+      "payload": "' or count(//*[contains(.,'password')])>0 or 'a'='b",
+      "tags": ["blind", "password-search"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Blind XPath - search for password nodes",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-338",
+      "payload": "admin']/parent::*/child::password | a[a='",
+      "tags": ["axis", "traversal"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath axis navigation - parent/child traversal",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-339",
+      "payload": "']/ancestor::*[1] | a['a'='a",
+      "tags": ["axis", "ancestor"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath ancestor axis injection",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-340",
+      "payload": "']/following-sibling::* | a['a'='a",
+      "tags": ["axis", "sibling"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath following-sibling axis",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-341",
+      "payload": "' or normalize-space(//secret)!='' or 'a'='b",
+      "tags": ["function", "secret-extraction"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath normalize-space for secret extraction",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-342",
+      "payload": "' or boolean(//config[contains(@type,'admin')]) or 'a'='b",
+      "tags": ["function", "config-access"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath boolean config enumeration",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-343",
+      "payload": "' or number(//user[1]/id)>0 or 'a'='b",
+      "tags": ["function", "numeric"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath number function injection",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-344",
+      "payload": "' or starts-with(//user[1]/name,'a') or 'a'='b",
+      "tags": ["function", "string-match"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath starts-with for enumeration",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-345",
+      "payload": "' or translate(//password,'abcdefghijklmnopqrstuvwxyz','ABCDEFGHIJKLMNOPQRSTUVWXYZ')!='' or 'a'='b",
+      "tags": ["function", "obfuscation"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath translate function for password extraction",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-346",
+      "payload": "%27%20or%20%271%27%3d%271",
+      "tags": ["url-encoded", "bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "URL-encoded XPath injection",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-347",
+      "payload": "&#x27; or &#x27;1&#x27;=&#x27;1",
+      "tags": ["html-encoded", "bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "HTML entity encoded XPath injection",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-348",
+      "payload": "' or document('')//* or 'a'='b",
+      "tags": ["document-function", "advanced"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath document() function injection",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-349",
+      "payload": "']/descendant::*[local-name()='password'] | a['a'='a",
+      "tags": ["local-name", "namespace-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath local-name() namespace bypass",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-350",
+      "payload": "' or namespace-uri(/*[1])!='' or 'a'='b",
+      "tags": ["namespace-uri", "enumeration"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "XPath namespace-uri enumeration",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-351",
+      "payload": "' or ceiling(//price)>100 or 'a'='b",
+      "tags": ["math-function", "data-extraction"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "XPath ceiling function injection",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-352",
+      "payload": "' or concat(//user[1]/name,':',//user[1]/password)!='' or 'a'='b",
+      "tags": ["concat", "credential-extraction"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath concat for credential extraction",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-353",
+      "payload": "' or last()>0 or 'a'='b",
+      "tags": ["last-function", "count"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "XPath last() function injection",
+      "category": "Injection"
+  },
+  {
+      "id": "INJ-XPATH-354",
+      "payload": "admin'[not(contains(.,'\")) or 'a'='a",
+      "tags": ["not-function", "bypass"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath not() function bypass",
+      "category": "Injection"
+  }
+]