npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/protocol/http2-attacks.json ADDED Viewed

@@ -0,0 +1,382 @@
+[
+  {
+      "id": "PROTO-HTTP2-001",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme https\r\n:method POST",
+      "tags": [
+        "pseudo-header",
+        "duplicate-method",
+        "quick",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Duplicate :method pseudo-header (violates HTTP/2 spec)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-002",
+      "payload": ":path /admin\r\n:method GET\r\n:authority example.com\r\n:scheme https",
+      "tags": [
+        "pseudo-header",
+        "reordering",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Pseudo-headers not in required order (:method should be first)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-003",
+      "payload": ":method GET\r\n:path /\r\nhost: example.com\r\n:authority example.com\r\n:scheme https",
+      "tags": [
+        "pseudo-header",
+        "after-regular",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Pseudo-header after regular header (violates HTTP/2 spec)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-004",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme https\r\n:custom-header value",
+      "tags": [
+        "pseudo-header",
+        "custom"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Custom pseudo-header (only defined pseudo-headers are allowed)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-005",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\nhost: different.com\r\n:scheme https",
+      "tags": [
+        "host-mismatch",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Host header conflicts with :authority pseudo-header",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-006",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme https\r\nConnection: keep-alive",
+      "tags": [
+        "forbidden-header",
+        "connection"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Connection header forbidden in HTTP/2",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-007",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme https\r\nTransfer-Encoding: chunked",
+      "tags": [
+        "forbidden-header",
+        "te"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Transfer-Encoding forbidden in HTTP/2",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-008",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme https\r\nUpgrade: h2c",
+      "tags": [
+        "forbidden-header",
+        "upgrade"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Upgrade header forbidden in HTTP/2",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-009",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme https\r\nKeep-Alive: timeout=5",
+      "tags": [
+        "forbidden-header",
+        "keep-alive"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Keep-Alive header forbidden in HTTP/2",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-010",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme https\r\nProxy-Connection: keep-alive",
+      "tags": [
+        "forbidden-header",
+        "proxy-connection"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Proxy-Connection header forbidden in HTTP/2",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-011",
+      "payload": ":method CONNECT\r\n:authority example.com:443",
+      "tags": [
+        "connect-method",
+        "tunnel"
+    ],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "Valid CONNECT method for tunneling (no :path or :scheme required)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-012",
+      "payload": ":method CONNECT\r\n:path /\r\n:authority example.com:443\r\n:scheme https",
+      "tags": [
+        "connect-method",
+        "invalid-pseudo"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "CONNECT with :path and :scheme (forbidden for CONNECT)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-013",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme https\r\nTE: trailers",
+      "tags": [
+        "te-trailers"
+    ],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "TE: trailers is allowed in HTTP/2 (only trailers value)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-014",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme https\r\nTE: gzip",
+      "tags": [
+        "te-invalid"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "TE header with value other than trailers (forbidden in HTTP/2)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-015",
+      "payload": ":method GET\r\n:path /\r\n:authority \r\n:scheme https",
+      "tags": [
+        "empty-authority"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Empty :authority pseudo-header",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-016",
+      "payload": ":method GET\r\n:path \r\n:authority example.com\r\n:scheme https",
+      "tags": [
+        "empty-path"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Empty :path pseudo-header",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-017",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme ",
+      "tags": [
+        "empty-scheme"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Empty :scheme pseudo-header",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-018",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme ftp",
+      "tags": [
+        "invalid-scheme"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Invalid scheme (should be http or https)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-019",
+      "payload": ":method GET\r\n:path /../etc/passwd\r\n:authority example.com\r\n:scheme https",
+      "tags": [
+        "path-traversal",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Path traversal attempt in :path pseudo-header",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-020",
+      "payload": ":method GET\r\n:path /\\..\\..\\windows\\system32\r\n:authority example.com\r\n:scheme https",
+      "tags": [
+        "path-traversal",
+        "windows"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Windows path traversal in :path pseudo-header",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-021",
+      "payload": ":method GET\r\n:path //etc/passwd\r\n:authority example.com\r\n:scheme https",
+      "tags": [
+        "double-slash"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Double slash path anomaly",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-022",
+      "payload": ":method GET\r\n:path /admin\r\n:authority 127.0.0.1\r\n:scheme https",
+      "tags": [
+        "localhost-authority"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Localhost in :authority (potential SSRF)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-023",
+      "payload": ":method GET\r\n:path /\r\n:authority 169.254.169.254\r\n:scheme http",
+      "tags": [
+        "imds-authority",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "AWS IMDS IP in :authority (SSRF attempt)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-024",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com\r\n:scheme https\r\nContent-Length: 0",
+      "tags": [
+        "cl-with-get"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Content-Length on GET request in HTTP/2",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-025",
+      "payload": ":method POST\r\n:path /\r\n:authority example.com\r\n:scheme https\r\nContent-Length: 10\r\nContent-Length: 20",
+      "tags": [
+        "duplicate-cl"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Duplicate Content-Length headers in HTTP/2",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-026",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com:80\r\n:scheme https",
+      "tags": [
+        "port-scheme-mismatch"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Port 80 with https scheme (port/scheme mismatch)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-027",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com:443\r\n:scheme http",
+      "tags": [
+        "port-scheme-mismatch"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Port 443 with http scheme (port/scheme mismatch)",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-028",
+      "payload": ":method GET\r\n:path /\r\n:authority example.com@attacker.com\r\n:scheme https",
+      "tags": [
+        "authority-injection"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Credential injection in :authority pseudo-header",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-029",
+      "payload": "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n",
+      "tags": [
+        "connection-preface",
+        "downgrade"
+    ],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Valid HTTP/2 connection preface",
+      "destructive": false,
+      "category": "Protocol"
+  },
+  {
+      "id": "PROTO-HTTP2-030",
+      "payload": "PRI * HTTP/2.0\r\n\r\nXX\r\n\r\n",
+      "tags": [
+        "invalid-preface"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Invalid HTTP/2 connection preface (XX instead of SM)",
+      "destructive": false,
+      "category": "Protocol"
+  }
+]