npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/ssrf/dns-rebinding.json ADDED Viewed

@@ -0,0 +1,503 @@
+[
+  {
+      "id": "SSRF-DNS-001",
+      "payload": "http://127.0.0.1.nip.io/",
+      "tags": [
+        "dns-rebinding",
+        "nip.io",
+        "quick",
+        "critical"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "nip.io DNS rebinding to localhost",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-002",
+      "payload": "http://169.254.169.254.nip.io/latest/meta-data/",
+      "tags": [
+        "dns-rebinding",
+        "nip.io",
+        "aws-imds",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "nip.io DNS rebinding to AWS IMDS",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-003",
+      "payload": "http://127.0.0.1.xip.io/",
+      "tags": [
+        "dns-rebinding",
+        "xip.io",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "xip.io DNS rebinding to localhost",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-004",
+      "payload": "http://169.254.169.254.xip.io/latest/meta-data/",
+      "tags": [
+        "dns-rebinding",
+        "xip.io",
+        "aws-imds"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "xip.io DNS rebinding to AWS IMDS",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-005",
+      "payload": "http://localtest.me/",
+      "tags": [
+        "dns-rebinding",
+        "localtest",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "localtest.me DNS rebinding (resolves to 127.0.0.1)",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-006",
+      "payload": "http://localhost.localdomain/",
+      "tags": [
+        "dns-rebinding",
+        "localhost-variant"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "localhost.localdomain variant",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-007",
+      "payload": "http://spoofed.burpcollaborator.net/",
+      "tags": [
+        "dns-rebinding",
+        "burp-collaborator"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Burp Collaborator DNS rebinding pattern",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-008",
+      "payload": "http://10.0.0.1.nip.io/",
+      "tags": [
+        "dns-rebinding",
+        "nip.io",
+        "private-network",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "nip.io DNS rebinding to RFC1918 10.x network",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-009",
+      "payload": "http://192.168.1.1.nip.io/",
+      "tags": [
+        "dns-rebinding",
+        "nip.io",
+        "private-network"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "nip.io DNS rebinding to RFC1918 192.168.x network",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-010",
+      "payload": "http://172.16.0.1.nip.io/",
+      "tags": [
+        "dns-rebinding",
+        "nip.io",
+        "private-network"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "nip.io DNS rebinding to RFC1918 172.16.x network",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-011",
+      "payload": "http://0x7f000001/",
+      "tags": [
+        "ip-obfuscation",
+        "hex",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Hexadecimal IP representation of 127.0.0.1",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-012",
+      "payload": "http://2130706433/",
+      "tags": [
+        "ip-obfuscation",
+        "decimal",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Decimal IP representation of 127.0.0.1",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-013",
+      "payload": "http://0177.0000.0000.0001/",
+      "tags": [
+        "ip-obfuscation",
+        "octal"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Octal IP representation of 127.0.0.1",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-014",
+      "payload": "http://127.1/",
+      "tags": [
+        "ip-obfuscation",
+        "shorthand",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Shorthand IP notation for 127.0.0.1",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-015",
+      "payload": "http://0/",
+      "tags": [
+        "ip-obfuscation",
+        "zero",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IP address 0 (can resolve to localhost)",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-016",
+      "payload": "http://[::1]/",
+      "tags": [
+        "ipv6",
+        "localhost",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IPv6 localhost address",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-017",
+      "payload": "http://[::ffff:127.0.0.1]/",
+      "tags": [
+        "ipv6",
+        "ipv4-mapped",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IPv4-mapped IPv6 address for 127.0.0.1",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-018",
+      "payload": "http://[0:0:0:0:0:ffff:169.254.169.254]/",
+      "tags": [
+        "ipv6",
+        "ipv4-mapped",
+        "aws-imds"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IPv4-mapped IPv6 for AWS IMDS",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-019",
+      "payload": "http://[::ffff:a9fe:a9fe]/",
+      "tags": [
+        "ipv6",
+        "ipv4-mapped",
+        "aws-imds"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IPv4-mapped IPv6 hex notation for AWS IMDS",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-020",
+      "payload": "http://make-127.0.0.1-rr.1u.ms/",
+      "tags": [
+        "dns-rebinding",
+        "custom-service"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Custom DNS rebinding service pattern",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-021",
+      "payload": "http://127.0.0.1.nip.io:8080/admin",
+      "tags": [
+        "dns-rebinding",
+        "nip.io",
+        "alt-port"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "nip.io DNS rebinding with alternative port",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-022",
+      "payload": "http://169.254.169.254.xip.io:80/metadata",
+      "tags": [
+        "dns-rebinding",
+        "xip.io",
+        "metadata"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "xip.io DNS rebinding to metadata endpoint",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-023",
+      "payload": "http://127.0.0.1.sslip.io/",
+      "tags": [
+        "dns-rebinding",
+        "sslip.io"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "sslip.io DNS rebinding to localhost",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-024",
+      "payload": "http://127.0.0.1.trafficpeak.stream/",
+      "tags": [
+        "dns-rebinding",
+        "custom-service"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Alternative DNS rebinding service",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-025",
+      "payload": "http://customer1.app.localhost.run/",
+      "tags": [
+        "dns-rebinding",
+        "subdomain-bypass"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Subdomain-based localhost bypass attempt",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-026",
+      "payload": "http://make-1.2.3.4-rebind-169.254-169.254-rr.1u.ms/",
+      "tags": ["dns-rebinding", "1u.ms", "rr"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "1u.ms DNS rebinding round-robin to AWS IMDS",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-027",
+      "payload": "http://make-127-0-0-1-rebind-169-254-169-254.1u.ms/",
+      "tags": ["dns-rebinding", "1u.ms", "localhost-rebind"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "1u.ms DNS rebinding localhost to metadata",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-028",
+      "payload": "http://0.0.0.0/",
+      "tags": ["dns-rebinding", "all-interfaces", "bypass"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "0.0.0.0 all-interfaces bypass",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-029",
+      "payload": "http://0.0.0.0:80/",
+      "tags": ["dns-rebinding", "all-interfaces", "port"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "0.0.0.0 with explicit port",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-030",
+      "payload": "http://0.0.0.0.nip.io/",
+      "tags": ["dns-rebinding", "nip.io", "all-interfaces"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "nip.io 0.0.0.0 all-interfaces bypass",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-031",
+      "payload": "http://a]@127.0.0.1/",
+      "tags": ["dns-rebinding", "url-parsing", "bracket"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "URL parser confusion with bracket",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-032",
+      "payload": "http://localhost#@evil.com/",
+      "tags": ["dns-rebinding", "url-parsing", "fragment"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "URL parser confusion with fragment and @",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-033",
+      "payload": "http://127.0.0.1%0d%0a.evil.com/",
+      "tags": ["dns-rebinding", "crlf", "injection"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "CRLF injection in hostname",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-034",
+      "payload": "http://127.0.0.1\\@evil.com/",
+      "tags": ["dns-rebinding", "backslash", "url-parsing"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Backslash URL parsing confusion",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-035",
+      "payload": "http://127.0.0.1%00.evil.com/",
+      "tags": ["dns-rebinding", "null-byte", "truncation"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Null byte hostname truncation",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-036",
+      "payload": "http://[::]",
+      "tags": ["dns-rebinding", "ipv6", "localhost"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IPv6 localhost shorthand",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-037",
+      "payload": "http://[::1]",
+      "tags": ["dns-rebinding", "ipv6", "loopback"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IPv6 loopback address",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-038",
+      "payload": "http://[0:0:0:0:0:0:0:1]/",
+      "tags": ["dns-rebinding", "ipv6", "full-loopback"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IPv6 full loopback notation",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-039",
+      "payload": "http://[0:0:0:0:0:ffff:127.0.0.1]/",
+      "tags": ["dns-rebinding", "ipv6", "mapped-ipv4"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IPv6 mapped IPv4 localhost",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-040",
+      "payload": "http://[::ffff:127.0.0.1]/",
+      "tags": ["dns-rebinding", "ipv6", "mapped-short"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IPv6 mapped IPv4 localhost short form",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-041",
+      "payload": "http://[::ffff:169.254.169.254]/",
+      "tags": ["dns-rebinding", "ipv6", "mapped-imds"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "IPv6 mapped AWS IMDS",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-042",
+      "payload": "http://127.1/",
+      "tags": ["dns-rebinding", "shorthand", "localhost"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Shorthand localhost IP",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-043",
+      "payload": "http://127.0.1/",
+      "tags": ["dns-rebinding", "shorthand", "three-octet"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Three-octet localhost shorthand",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-044",
+      "payload": "http://127.127.127.127/",
+      "tags": ["dns-rebinding", "loopback-range"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Alternative loopback address",
+      "category": "SSRF"
+  },
+  {
+      "id": "SSRF-DNS-045",
+      "payload": "http://myservice.localhost/",
+      "tags": ["dns-rebinding", "localhost-subdomain"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Subdomain of localhost bypass",
+      "category": "SSRF"
+  }
+]