npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/services/immich.json ADDED Viewed

@@ -0,0 +1,423 @@
+[
+  {
+    "id": "SVC-IMMICH-001",
+    "payload": "/api/assets/../../admin/config",
+    "tags": ["asset", "traversal", "admin-access", "quick", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Asset path traversal to admin config endpoint",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets/"
+  },
+  {
+    "id": "SVC-IMMICH-002",
+    "payload": "/api/assets/..%2f..%2fuser%2fme",
+    "tags": ["asset", "traversal", "encoded", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Asset path traversal with URL encoding to user endpoint",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets/"
+  },
+  {
+    "id": "SVC-IMMICH-003",
+    "payload": "/api/assets/../../../etc/passwd",
+    "tags": ["asset", "traversal", "file-read", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Asset path traversal attempting system file read",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets/"
+  },
+  {
+    "id": "SVC-IMMICH-004",
+    "payload": "/api/assets/test%00.jpg",
+    "tags": ["asset", "null-byte", "quick", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Asset ID with null byte injection",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets/"
+  },
+  {
+    "id": "SVC-IMMICH-005",
+    "payload": "/api/assets/../albums/shared",
+    "tags": ["asset", "traversal", "idor", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Asset traversal to shared albums (IDOR)",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets/"
+  },
+  {
+    "id": "SVC-IMMICH-006",
+    "payload": "/api/assets",
+    "method": "DELETE",
+    "body": "{\"ids\":[\"*\"]}",
+    "tags": ["bulk", "injection", "data-destruction", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Bulk delete with wildcard injection",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets"
+  },
+  {
+    "id": "SVC-IMMICH-007",
+    "payload": "/api/assets",
+    "method": "DELETE",
+    "body": "{\"ids\":[\"1 OR 1=1\"]}",
+    "tags": ["bulk", "sqli", "data-destruction", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Bulk delete with SQL injection in ID array",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets"
+  },
+  {
+    "id": "SVC-IMMICH-008",
+    "payload": "/api/assets",
+    "method": "PUT",
+    "body": "{\"ids\":[\"../../admin/assets\"]}",
+    "tags": ["bulk", "traversal", "privilege-escalation", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Bulk update with path traversal in ID array",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets"
+  },
+  {
+    "id": "SVC-IMMICH-009",
+    "payload": "/api/assets",
+    "method": "POST",
+    "body": "{\"ids\":[\"1\",\"2\",\"3\",\"...\"], \"repeat\": 10000}",
+    "tags": ["bulk", "dos", "resource-exhaustion", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Bulk operation with excessive ID count (DoS)",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets"
+  },
+  {
+    "id": "SVC-IMMICH-010",
+    "payload": "/api/assets",
+    "method": "PUT",
+    "body": "{\"ids\":[\"%00null\",\"../user2\"]}",
+    "tags": ["bulk", "null-byte", "traversal", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Bulk update with null byte and traversal in IDs",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets"
+  },
+  {
+    "id": "SVC-IMMICH-011",
+    "payload": "/api/assets/1/metadata",
+    "method": "PUT",
+    "body": "{\"exifData\":{\"UserComment\":\"<script>alert(1)</script>\"}}",
+    "tags": ["metadata", "xss", "stored", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Metadata injection with XSS in EXIF field",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets/{id}/metadata"
+  },
+  {
+    "id": "SVC-IMMICH-012",
+    "payload": "/api/assets/1/metadata",
+    "method": "PUT",
+    "body": "{\"exifData\":{\"GPSLatitude\":\"../../config\"}}",
+    "tags": ["metadata", "traversal", "injection", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Metadata injection with path traversal in GPS field",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets/{id}/metadata"
+  },
+  {
+    "id": "SVC-IMMICH-013",
+    "payload": "/api/assets/1/metadata",
+    "method": "PUT",
+    "body": "{\"customKey\":\"' OR '1'='1\"}",
+    "tags": ["metadata", "sqli", "injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Metadata injection with SQL injection in custom key",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets/{id}/metadata"
+  },
+  {
+    "id": "SVC-IMMICH-014",
+    "payload": "/api/assets/1/metadata",
+    "method": "PUT",
+    "body": "{\"description\":\"{{constructor.constructor('return process.env')()}}\"}",
+    "tags": ["metadata", "ssti", "info-disclosure", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Metadata injection with SSTI attempting env leak",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets/{id}/metadata"
+  },
+  {
+    "id": "SVC-IMMICH-015",
+    "payload": "/api/assets/1/metadata",
+    "method": "PUT",
+    "body": "{\"tags\":[\"$where\",\"this.password\"]}",
+    "tags": ["metadata", "nosqli", "injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Metadata injection with NoSQL injection in tags",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/assets/{id}/metadata"
+  },
+  {
+    "id": "SVC-IMMICH-016",
+    "payload": "/api/devices",
+    "tags": ["device", "enumeration", "info-disclosure", "quick", "medium"],
+    "expected_block": false,
+    "severity_hint": "Medium",
+    "notes": "Device enumeration (should require auth)",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/devices"
+  },
+  {
+    "id": "SVC-IMMICH-017",
+    "payload": "/api/devices/1",
+    "tags": ["device", "idor", "info-disclosure", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Device access via sequential ID (IDOR)",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/devices/{id}"
+  },
+  {
+    "id": "SVC-IMMICH-018",
+    "payload": "/api/devices/../admin/devices",
+    "tags": ["device", "traversal", "admin-access", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Device traversal to admin devices endpoint",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/devices"
+  },
+  {
+    "id": "SVC-IMMICH-019",
+    "payload": "/api/devices/test%2f..%2fadmin",
+    "tags": ["device", "traversal", "encoded", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Device enumeration with URL-encoded traversal",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/devices/{id}"
+  },
+  {
+    "id": "SVC-IMMICH-020",
+    "payload": "/api/devices/00000000-0000-0000-0000-000000000001",
+    "tags": ["device", "enumeration", "predictable-id", "medium"],
+    "expected_block": false,
+    "severity_hint": "Medium",
+    "notes": "Device access via predictable UUID",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/devices/{id}"
+  },
+  {
+    "id": "SVC-IMMICH-021",
+    "payload": "/api/face",
+    "method": "PUT",
+    "body": "{\"id\":\"../../admin/face\",\"data\":\"malicious_vector\"}",
+    "tags": ["ml", "poisoning", "traversal", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Face data poisoning with path traversal in ID",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/face"
+  },
+  {
+    "id": "SVC-IMMICH-022",
+    "payload": "/api/face",
+    "method": "PUT",
+    "body": "{\"id\":\"<img src=x onerror=alert(1)>\",\"embedding\":[0.1,0.2]}",
+    "tags": ["ml", "xss", "stored", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Face data poisoning with XSS in face ID",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/face"
+  },
+  {
+    "id": "SVC-IMMICH-023",
+    "payload": "/api/face",
+    "method": "PUT",
+    "body": "{\"personId\":\"../../../user-admin/person-1\",\"faceId\":\"1\"}",
+    "tags": ["ml", "traversal", "privilege-escalation", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Face person reassignment with path traversal",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/face"
+  },
+  {
+    "id": "SVC-IMMICH-024",
+    "payload": "/api/face",
+    "method": "POST",
+    "body": "{\"embedding\":[999,999,999], \"personId\":\"admin\"}",
+    "tags": ["ml", "poisoning", "cross-user", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Face embedding poisoning targeting admin user",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/face"
+  },
+  {
+    "id": "SVC-IMMICH-025",
+    "payload": "/api/face",
+    "method": "PUT",
+    "body": "{\"data\":{\"name\":\"{{7*7}}\",\"embedding\":[1,2,3]}}",
+    "tags": ["ml", "ssti", "injection", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Face data with SSTI in name field",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/face"
+  },
+  {
+    "id": "SVC-IMMICH-026",
+    "payload": "/api/people/1/reassign",
+    "method": "POST",
+    "body": "{\"targetPersonId\":\"../../admin-person\"}",
+    "tags": ["person", "traversal", "face-hijacking", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Person reassignment with admin face hijacking",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/people/{id}/reassign"
+  },
+  {
+    "id": "SVC-IMMICH-027",
+    "payload": "/api/people/1/merge",
+    "method": "POST",
+    "body": "{\"ids\":[\"../admin/person-1\",\"2\"]}",
+    "tags": ["person", "traversal", "privilege-escalation", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Person merge with path traversal in face ID",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/people/{id}/merge"
+  },
+  {
+    "id": "SVC-IMMICH-028",
+    "payload": "/api/people/reassign",
+    "method": "POST",
+    "body": "{\"faceId\":\"1\",\"personId\":\"admin\"}",
+    "tags": ["person", "unauthorized", "face-hijacking", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Unauthorized person reassignment to admin",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/people/reassign"
+  },
+  {
+    "id": "SVC-IMMICH-029",
+    "payload": "/api/search/metadata?query=' OR '1'='1",
+    "tags": ["search", "sqli", "quick", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Search with SQL injection in query",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/search/metadata"
+  },
+  {
+    "id": "SVC-IMMICH-030",
+    "payload": "/api/search/metadata?query=../../config",
+    "tags": ["search", "traversal", "info-disclosure", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Search with path traversal in query",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/search/metadata"
+  },
+  {
+    "id": "SVC-IMMICH-031",
+    "payload": "/api/search/smart?query=<script>alert(1)</script>",
+    "tags": ["search", "xss", "reflected", "high"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Smart search with reflected XSS",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/search/smart"
+  },
+  {
+    "id": "SVC-IMMICH-032",
+    "payload": "/api/search/person?name=*)(&(userPassword=*)",
+    "tags": ["search", "ldapi", "injection", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Person search with LDAP injection",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/search/person"
+  },
+  {
+    "id": "SVC-IMMICH-033",
+    "payload": "/api/oauth/callback?code=malicious&state=../../admin/login",
+    "tags": ["oauth", "callback-manipulation", "quick", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OAuth callback with traversal in state parameter",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/oauth/callback"
+  },
+  {
+    "id": "SVC-IMMICH-034",
+    "payload": "/api/oauth/authorize?redirect_uri=https://evil.com",
+    "tags": ["oauth", "open-redirect", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OAuth authorize with open redirect",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/oauth/authorize"
+  },
+  {
+    "id": "SVC-IMMICH-035",
+    "payload": "/api/oauth/mobile/redirect?url=javascript:alert(1)",
+    "tags": ["oauth", "xss", "javascript-protocol", "critical"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OAuth mobile redirect with javascript: protocol",
+    "category": "Service-Specific",
+    "service": "immich",
+    "endpoint": "/api/oauth/mobile/redirect"
+  }
+]