npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/auth/login-bypass.json ADDED Viewed

@@ -0,0 +1,623 @@
+[
+  {
+      "id": "AUTH-LOGIN-001",
+      "payload": "' or 1=1--",
+      "tags": ["sqli", "login-bypass", "quick", "critical"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Classic SQL injection login bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-002",
+      "payload": "' or 1=1#",
+      "tags": ["sqli", "login-bypass", "mysql"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "MySQL comment login bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-003",
+      "payload": "' or 1=1/*",
+      "tags": ["sqli", "login-bypass", "multiline"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Multi-line comment login bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-004",
+      "payload": "admin'--",
+      "tags": ["sqli", "login-bypass", "admin"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Admin username SQL injection",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-005",
+      "payload": "admin' #",
+      "tags": ["sqli", "login-bypass", "admin"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Admin with MySQL comment",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-006",
+      "payload": "admin'/*",
+      "tags": ["sqli", "login-bypass", "admin"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Admin with multiline comment",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-007",
+      "payload": "' or ''='",
+      "tags": ["sqli", "login-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Empty string comparison bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-008",
+      "payload": "' or 'x'='x",
+      "tags": ["sqli", "login-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "String equality bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-009",
+      "payload": "\" or \"x\"=\"x",
+      "tags": ["sqli", "login-bypass", "double-quote"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Double quote string bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-010",
+      "payload": "') or ('x'='x",
+      "tags": ["sqli", "login-bypass", "parenthesis"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Parenthesis escaped bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-011",
+      "payload": "\" or 1=1--",
+      "tags": ["sqli", "login-bypass", "double-quote"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Double quote SQL bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-012",
+      "payload": "admin\" or \"1\"=\"1",
+      "tags": ["sqli", "login-bypass", "admin"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Admin double quote bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-013",
+      "payload": "1234 ' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055",
+      "tags": ["sqli", "union", "md5-hash"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "UNION based login bypass with MD5 hash",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-014",
+      "payload": "' UNION SELECT 1,@@version--",
+      "tags": ["sqli", "union", "version"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "UNION select version info",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-015",
+      "payload": "' UNION ALL SELECT NULL,NULL--",
+      "tags": ["sqli", "union", "null"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "UNION null column enumeration",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-016",
+      "payload": "admin') or ('1'='1",
+      "tags": ["sqli", "login-bypass", "parenthesis"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Admin with parenthesis bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-017",
+      "payload": "admin\") or (\"1\"=\"1",
+      "tags": ["sqli", "login-bypass", "double-quote"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Admin double quote parenthesis",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-018",
+      "payload": "' or a=a--",
+      "tags": ["sqli", "login-bypass", "alpha"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Alpha comparison bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-019",
+      "payload": "\" or \"a\"=\"a",
+      "tags": ["sqli", "login-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Double quote alpha bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LOGIN-020",
+      "payload": "' or 0=0 #",
+      "tags": ["sqli", "login-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Zero comparison bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-NOSQL-001",
+      "payload": "{\"$ne\": 1}",
+      "tags": ["nosql", "mongodb", "login-bypass", "quick"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "MongoDB not-equal bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-NOSQL-002",
+      "payload": "{\"$gt\": \"\"}",
+      "tags": ["nosql", "mongodb", "login-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "MongoDB greater-than bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-NOSQL-003",
+      "payload": "{\"$regex\": \".*\"}",
+      "tags": ["nosql", "mongodb", "regex"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "MongoDB regex match-all",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-NOSQL-004",
+      "payload": "{\"$where\": \"1==1\"}",
+      "tags": ["nosql", "mongodb", "where"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "MongoDB where clause bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-NOSQL-005",
+      "payload": "true, $where: '1 == 1'",
+      "tags": ["nosql", "mongodb", "where"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "MongoDB where injection",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-NOSQL-006",
+      "payload": "', $or: [ {}, { 'a':'a' } ], $comment:'successful MongoDB injection'",
+      "tags": ["nosql", "mongodb", "or"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "MongoDB or injection",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-NOSQL-007",
+      "payload": "' || 'a'=='a",
+      "tags": ["nosql", "login-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "NoSQL OR bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-NOSQL-008",
+      "payload": "' && this.password.match(/.*/)//+%00",
+      "tags": ["nosql", "mongodb", "regex-match"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "MongoDB password regex bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LDAP-001",
+      "payload": "*)(uid=*))(|(uid=*",
+      "tags": ["ldap", "injection", "login-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "LDAP injection login bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LDAP-002",
+      "payload": "*(|(objectclass=*))",
+      "tags": ["ldap", "injection", "wildcard"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "LDAP wildcard filter bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LDAP-003",
+      "payload": "*(|(uid=*))",
+      "tags": ["ldap", "injection"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "LDAP UID wildcard",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LDAP-004",
+      "payload": "*)(objectClass=*",
+      "tags": ["ldap", "injection", "objectclass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "LDAP objectClass injection",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-LDAP-005",
+      "payload": "x*)(&(|(objectclass=",
+      "tags": ["ldap", "injection", "complex"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Complex LDAP injection",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-XPATH-001",
+      "payload": "' or '1'='1",
+      "tags": ["xpath", "injection", "login-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath injection login bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-XPATH-002",
+      "payload": "' or ''='",
+      "tags": ["xpath", "injection"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath empty string bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-XPATH-003",
+      "payload": "x' or name()='username' or 'x'='y",
+      "tags": ["xpath", "injection", "name-function"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XPath name function bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-XPATH-004",
+      "payload": "//*",
+      "tags": ["xpath", "injection", "wildcard"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath wildcard select all",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-XPATH-005",
+      "payload": "count(/child::node())",
+      "tags": ["xpath", "injection", "function"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "XPath count function injection",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-ENC-001",
+      "payload": "%27%20or%201%3D1--",
+      "tags": ["encoded", "login-bypass", "url-encoded"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "URL encoded SQL bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-ENC-002",
+      "payload": "%27%20or%20%271%27%3D%271",
+      "tags": ["encoded", "login-bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Fully URL encoded bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-ENC-003",
+      "payload": "%bf' Or 1=1 -- 2",
+      "tags": ["encoded", "gbk", "multibyte"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "GBK multibyte encoding bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-ENC-004",
+      "payload": "%bf%27 Or 1=1 -- 2",
+      "tags": ["encoded", "gbk"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "GBK quote encoding bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-ENC-005",
+      "payload": "%c0%27 Or 1=1 -- 2",
+      "tags": ["encoded", "utf8", "overlong"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "UTF-8 overlong encoding bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-ENUM-001",
+      "payload": "admin",
+      "tags": ["enumeration", "username", "common"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Common admin username",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-ENUM-002",
+      "payload": "administrator",
+      "tags": ["enumeration", "username", "common"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Administrator username",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-ENUM-003",
+      "payload": "root",
+      "tags": ["enumeration", "username", "common"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Root username",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-ENUM-004",
+      "payload": "test",
+      "tags": ["enumeration", "username", "common"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Test username",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-ENUM-005",
+      "payload": "guest",
+      "tags": ["enumeration", "username", "common"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Guest username",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-DEFAULT-001",
+      "payload": "admin:admin",
+      "tags": ["default-creds", "admin"],
+      "expected_block": false,
+      "severity_hint": "Critical",
+      "notes": "Default admin credentials",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-DEFAULT-002",
+      "payload": "admin:password",
+      "tags": ["default-creds", "admin"],
+      "expected_block": false,
+      "severity_hint": "Critical",
+      "notes": "Common admin password",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-DEFAULT-003",
+      "payload": "root:root",
+      "tags": ["default-creds", "root"],
+      "expected_block": false,
+      "severity_hint": "Critical",
+      "notes": "Default root credentials",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-DEFAULT-004",
+      "payload": "admin:123456",
+      "tags": ["default-creds", "weak"],
+      "expected_block": false,
+      "severity_hint": "Critical",
+      "notes": "Common weak password",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-DEFAULT-005",
+      "payload": "user:user",
+      "tags": ["default-creds", "user"],
+      "expected_block": false,
+      "severity_hint": "High",
+      "notes": "Default user credentials",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-MAGIC-001",
+      "payload": "ffifdyop",
+      "tags": ["magic-hash", "md5", "php"],
+      "expected_block": false,
+      "severity_hint": "Critical",
+      "notes": "MD5 magic hash (0e...) bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-MAGIC-002",
+      "payload": "240610708",
+      "tags": ["magic-hash", "md5", "php"],
+      "expected_block": false,
+      "severity_hint": "High",
+      "notes": "MD5 hash equals 0e462097431906509019562988736854",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-TYPE-001",
+      "payload": "password[]=",
+      "tags": ["type-juggling", "php", "array"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "PHP array type juggling",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-TYPE-002",
+      "payload": "password[0]=x",
+      "tags": ["type-juggling", "php", "array"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "PHP array index injection",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-TYPE-003",
+      "payload": "{\"password\": true}",
+      "tags": ["type-juggling", "json", "boolean"],
+      "expected_block": false,
+      "severity_hint": "High",
+      "notes": "JSON boolean type juggling",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-TYPE-004",
+      "payload": "{\"password\": 0}",
+      "tags": ["type-juggling", "json", "number"],
+      "expected_block": false,
+      "severity_hint": "High",
+      "notes": "JSON number type juggling",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-NULL-001",
+      "payload": "admin\\x00",
+      "tags": ["null-byte", "truncation"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Null byte username truncation",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-NULL-002",
+      "payload": "admin%00",
+      "tags": ["null-byte", "encoded"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "URL encoded null byte",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-NULL-003",
+      "payload": "admin\\0",
+      "tags": ["null-byte", "escape"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Escaped null byte",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-UNICODE-001",
+      "payload": "ąďmín",
+      "tags": ["unicode", "normalization", "admin"],
+      "expected_block": false,
+      "severity_hint": "High",
+      "notes": "Unicode lookalike admin",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-UNICODE-002",
+      "payload": "ⒶⒹⓂⒾⓃ",
+      "tags": ["unicode", "circled", "admin"],
+      "expected_block": false,
+      "severity_hint": "High",
+      "notes": "Circled letter admin",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-CASE-001",
+      "payload": "ADMIN",
+      "tags": ["case", "uppercase"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Uppercase admin attempt",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-CASE-002",
+      "payload": "Admin",
+      "tags": ["case", "mixed"],
+      "expected_block": false,
+      "severity_hint": "Low",
+      "notes": "Mixed case admin",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-SPACE-001",
+      "payload": "admin ",
+      "tags": ["whitespace", "trailing"],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "Trailing space bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-SPACE-002",
+      "payload": " admin",
+      "tags": ["whitespace", "leading"],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "Leading space bypass",
+      "category": "Auth"
+  },
+  {
+      "id": "AUTH-SPACE-003",
+      "payload": "admin\\t",
+      "tags": ["whitespace", "tab"],
+      "expected_block": false,
+      "severity_hint": "Medium",
+      "notes": "Tab character bypass",
+      "category": "Auth"
+  }
+]