@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (141) hide show
  1. package/LICENSE +80 -0
  2. package/LICENSE-COMMUNITY +28 -0
  3. package/README.md +121 -0
  4. package/bin/cli.js +152 -0
  5. package/package.json +52 -0
  6. package/payloads/community/README.md +45 -0
  7. package/payloads/community/ai/ml-poisoning.json +173 -0
  8. package/payloads/community/ai/prompt-injection.json +247 -0
  9. package/payloads/community/ai/workflow-abuse.json +222 -0
  10. package/payloads/community/auth/jwt.json +855 -0
  11. package/payloads/community/auth/login-bypass.json +623 -0
  12. package/payloads/community/auth/mfa.json +402 -0
  13. package/payloads/community/auth/oauth.json +421 -0
  14. package/payloads/community/auth/open-redirect.json +1028 -0
  15. package/payloads/community/auth/session.json +404 -0
  16. package/payloads/community/cache/deception.json +402 -0
  17. package/payloads/community/cache/poisoning.json +403 -0
  18. package/payloads/community/deserialization/gadget.json +375 -0
  19. package/payloads/community/deserialization/prototype.json +370 -0
  20. package/payloads/community/fuzz/content-type.json +397 -0
  21. package/payloads/community/fuzz/headers.json +401 -0
  22. package/payloads/community/fuzz/methods.json +397 -0
  23. package/payloads/community/fuzz/obfuscation.json +362 -0
  24. package/payloads/community/fuzz/special-chars.json +740 -0
  25. package/payloads/community/fuzz/waf-bypass.json +452 -0
  26. package/payloads/community/graphql/batching-abuse.json +271 -0
  27. package/payloads/community/graphql/depth-limit.json +271 -0
  28. package/payloads/community/graphql/introspection.json +267 -0
  29. package/payloads/community/injection/crlf.json +569 -0
  30. package/payloads/community/injection/ldap.json +357 -0
  31. package/payloads/community/injection/nosqli.json +529 -0
  32. package/payloads/community/injection/oscmd.json +662 -0
  33. package/payloads/community/injection/rce-polyglots.json +452 -0
  34. package/payloads/community/injection/sqli.json +681 -0
  35. package/payloads/community/injection/ssti.json +584 -0
  36. package/payloads/community/injection/upload-attacks.json +632 -0
  37. package/payloads/community/injection/xpath.json +357 -0
  38. package/payloads/community/injection/xxe.json +716 -0
  39. package/payloads/community/logic/forced-browsing.json +405 -0
  40. package/payloads/community/logic/idor.json +1026 -0
  41. package/payloads/community/logic/privilege.json +337 -0
  42. package/payloads/community/media/exif-injection.json +225 -0
  43. package/payloads/community/media/metadata-poison.json +239 -0
  44. package/payloads/community/protocol/http-smuggling.json +798 -0
  45. package/payloads/community/protocol/http2-attacks.json +382 -0
  46. package/payloads/community/protocol/websocket-abuse.json +375 -0
  47. package/payloads/community/rate-limit/burst-simulation.json +286 -0
  48. package/payloads/community/rate-limit/bypass-attempts.json +326 -0
  49. package/payloads/community/rate-limit/zone-tests.json +332 -0
  50. package/payloads/community/services/authentik.json +415 -0
  51. package/payloads/community/services/immich.json +423 -0
  52. package/payloads/community/services/n8n.json +366 -0
  53. package/payloads/community/sqli-basic.json +182 -0
  54. package/payloads/community/ssrf/cloud-metadata.json +999 -0
  55. package/payloads/community/ssrf/dns-rebinding.json +503 -0
  56. package/payloads/community/ssrf/internal-networks.json +627 -0
  57. package/payloads/community/ssrf/protocol-smuggling.json +350 -0
  58. package/payloads/community/ssti/multi-language-templates.json +191 -0
  59. package/payloads/community/ssti/python-templates.json +200 -0
  60. package/payloads/community/traversal/basic.json +675 -0
  61. package/payloads/community/traversal/cloud-credentials.json +107 -0
  62. package/payloads/community/traversal/config-files.json +193 -0
  63. package/payloads/community/traversal/encoding.json +558 -0
  64. package/payloads/community/traversal/null-byte.json +105 -0
  65. package/payloads/community/traversal/symlink.json +93 -0
  66. package/payloads/community/traversal/unicode.json +134 -0
  67. package/payloads/community/traversal/unix-advanced.json +195 -0
  68. package/payloads/community/traversal/windows-advanced.json +195 -0
  69. package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
  70. package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
  71. package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
  72. package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
  73. package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
  74. package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
  75. package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
  76. package/payloads/community/waf-bypass/unicode-charset.json +152 -0
  77. package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
  78. package/payloads/community/waf-validation/README.md +172 -0
  79. package/payloads/community/waf-validation/bypass-techniques.json +272 -0
  80. package/payloads/community/waf-validation/custom-rules.json +952 -0
  81. package/payloads/community/waf-validation/evasion-techniques.json +272 -0
  82. package/payloads/community/waf-validation/modsecurity-core.json +151 -0
  83. package/payloads/community/waf-validation/owasp-top10.json +236 -0
  84. package/payloads/community/waf-validation/regression-tests.json +227 -0
  85. package/payloads/community/xss/csp-bypass.json +431 -0
  86. package/payloads/community/xss/dom.json +389 -0
  87. package/payloads/community/xss/filter-bypass.json +1242 -0
  88. package/payloads/community/xss/mutation.json +263 -0
  89. package/payloads/community/xss/polyglots.json +371 -0
  90. package/payloads/community/xss/reflected.json +187 -0
  91. package/payloads/community/xss/stored.json +330 -0
  92. package/payloads/crlf-injection.json +182 -0
  93. package/payloads/ids-map.json +155 -0
  94. package/payloads/ldap-injection.json +182 -0
  95. package/payloads/nosql-injection.json +227 -0
  96. package/payloads/prototype-pollution.json +182 -0
  97. package/payloads/request-smuggling.json +182 -0
  98. package/payloads/version.json +28 -0
  99. package/payloads/xss-advanced.json +227 -0
  100. package/templates/README.md +221 -0
  101. package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
  102. package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
  103. package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
  104. package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
  105. package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
  106. package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
  107. package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
  108. package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
  109. package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
  110. package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
  111. package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
  112. package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
  113. package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
  114. package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
  115. package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
  116. package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
  117. package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
  118. package/templates/output/asff.tmpl +61 -0
  119. package/templates/output/csv.tmpl +4 -0
  120. package/templates/output/junit.tmpl +34 -0
  121. package/templates/output/markdown-report.tmpl +92 -0
  122. package/templates/output/slack-notification.tmpl +95 -0
  123. package/templates/output/text-summary.tmpl +56 -0
  124. package/templates/overrides/api-only.yaml +130 -0
  125. package/templates/overrides/crs-tuning.yaml +204 -0
  126. package/templates/overrides/false-positive-suppression.yaml +159 -0
  127. package/templates/policies/owasp-top10.yaml +152 -0
  128. package/templates/policies/pci-dss.yaml +124 -0
  129. package/templates/policies/permissive.yaml +40 -0
  130. package/templates/policies/standard.yaml +57 -0
  131. package/templates/policies/strict.yaml +72 -0
  132. package/templates/report-configs/compliance.yaml +173 -0
  133. package/templates/report-configs/dark.yaml +136 -0
  134. package/templates/report-configs/enterprise.yaml +175 -0
  135. package/templates/report-configs/minimal.yaml +84 -0
  136. package/templates/report-configs/print.yaml +139 -0
  137. package/templates/workflows/api-scan.yaml +132 -0
  138. package/templates/workflows/ci-gate.yaml +129 -0
  139. package/templates/workflows/full-scan.yaml +133 -0
  140. package/templates/workflows/quick-probe.yaml +80 -0
  141. package/templates/workflows/waf-detection.yaml +89 -0
package/payloads/community/traversal/symlink.json ADDED
@@ -0,0 +1,93 @@
1
+ [
2
+ {
3
+ "id": "TRV-SYM-001",
4
+ "payload": "../../../tmp/symlink-to-etc/passwd",
5
+ "tags": [
6
+ "symlink",
7
+ "unix"
8
+ ],
9
+ "expected_block": true,
10
+ "severity_hint": "Critical",
11
+ "notes": "Symlink traversal through /tmp",
12
+ "category": "Traversal"
13
+ },
14
+ {
15
+ "id": "TRV-SYM-002",
16
+ "payload": "../../../proc/self/root/etc/passwd",
17
+ "tags": [
18
+ "symlink",
19
+ "proc",
20
+ "unix",
21
+ "quick"
22
+ ],
23
+ "expected_block": true,
24
+ "severity_hint": "Critical",
25
+ "notes": "Symlink via /proc/self/root recursion",
26
+ "category": "Traversal"
27
+ },
28
+ {
29
+ "id": "TRV-SYM-003",
30
+ "payload": "../../../var/www/uploads/../../../etc/passwd",
31
+ "tags": [
32
+ "symlink",
33
+ "chain",
34
+ "unix"
35
+ ],
36
+ "expected_block": true,
37
+ "severity_hint": "Critical",
38
+ "notes": "Symlink chain through uploads directory",
39
+ "category": "Traversal"
40
+ },
41
+ {
42
+ "id": "TRV-SYM-004",
43
+ "payload": "C:\\Users\\Public\\Documents\\junction\\..\\..\\..\\Windows\\System32\\config\\sam",
44
+ "tags": [
45
+ "symlink",
46
+ "junction",
47
+ "windows"
48
+ ],
49
+ "expected_block": true,
50
+ "severity_hint": "Critical",
51
+ "notes": "Windows junction point traversal",
52
+ "category": "Traversal"
53
+ },
54
+ {
55
+ "id": "TRV-SYM-005",
56
+ "payload": "../../../proc/self/cwd/../../../etc/passwd",
57
+ "tags": [
58
+ "symlink",
59
+ "cwd",
60
+ "unix"
61
+ ],
62
+ "expected_block": true,
63
+ "severity_hint": "High",
64
+ "notes": "Current working directory symlink",
65
+ "category": "Traversal"
66
+ },
67
+ {
68
+ "id": "TRV-SYM-006",
69
+ "payload": "../../../proc/self/fd/3",
70
+ "tags": [
71
+ "symlink",
72
+ "fd",
73
+ "unix"
74
+ ],
75
+ "expected_block": true,
76
+ "severity_hint": "High",
77
+ "notes": "File descriptor symlink access",
78
+ "category": "Traversal"
79
+ },
80
+ {
81
+ "id": "TRV-SYM-007",
82
+ "payload": "../../../var/lib/docker/overlay2/symlink/../../etc/passwd",
83
+ "tags": [
84
+ "symlink",
85
+ "docker",
86
+ "unix"
87
+ ],
88
+ "expected_block": true,
89
+ "severity_hint": "Critical",
90
+ "notes": "Docker overlay filesystem symlink",
91
+ "category": "Traversal"
92
+ }
93
+ ]
package/payloads/community/traversal/unicode.json ADDED
@@ -0,0 +1,134 @@
1
+ [
2
+ {
3
+ "id": "TRV-UNI-001",
4
+ "payload": "..․/.․./.․./etc/passwd",
5
+ "tags": [
6
+ "unicode",
7
+ "dots",
8
+ "unix"
9
+ ],
10
+ "expected_block": true,
11
+ "severity_hint": "Critical",
12
+ "notes": "Unicode one dot leader (U+2024)",
13
+ "category": "Traversal"
14
+ },
15
+ {
16
+ "id": "TRV-UNI-002",
17
+ "payload": "..︒..︒..︒etc︒passwd",
18
+ "tags": [
19
+ "unicode",
20
+ "separator",
21
+ "unix"
22
+ ],
23
+ "expected_block": true,
24
+ "severity_hint": "Critical",
25
+ "notes": "Unicode presentation form for vertical two dot leader (U+FE52)",
26
+ "category": "Traversal"
27
+ },
28
+ {
29
+ "id": "TRV-UNI-003",
30
+ "payload": "../../../etc/passwd",
31
+ "tags": [
32
+ "unicode",
33
+ "fullwidth",
34
+ "unix",
35
+ "quick"
36
+ ],
37
+ "expected_block": true,
38
+ "severity_hint": "Critical",
39
+ "notes": "Full-width period and solidus (U+FF0E, U+FF0F)",
40
+ "category": "Traversal"
41
+ },
42
+ {
43
+ "id": "TRV-UNI-004",
44
+ "payload": "..\\u2216..\\u2216..\\u2216etc\\u2216passwd",
45
+ "tags": [
46
+ "unicode",
47
+ "escape",
48
+ "unix"
49
+ ],
50
+ "expected_block": true,
51
+ "severity_hint": "High",
52
+ "notes": "Unicode escape sequence for division slash",
53
+ "category": "Traversal"
54
+ },
55
+ {
56
+ "id": "TRV-UNI-005",
57
+ "payload": "‥‥⁄‥‥⁄‥‥⁄etc⁄passwd",
58
+ "tags": [
59
+ "unicode",
60
+ "dots",
61
+ "fraction",
62
+ "unix"
63
+ ],
64
+ "expected_block": true,
65
+ "severity_hint": "Critical",
66
+ "notes": "Two dot leader (U+2025) and fraction slash (U+2044)",
67
+ "category": "Traversal"
68
+ },
69
+ {
70
+ "id": "TRV-UNI-006",
71
+ "payload": "..⁄..⁄..⁄etc⁄passwd",
72
+ "tags": [
73
+ "unicode",
74
+ "fraction",
75
+ "unix"
76
+ ],
77
+ "expected_block": true,
78
+ "severity_hint": "High",
79
+ "notes": "Fraction slash character (U+2044)",
80
+ "category": "Traversal"
81
+ },
82
+ {
83
+ "id": "TRV-UNI-007",
84
+ "payload": "..%u2215..%u2215..%u2215etc%u2215passwd",
85
+ "tags": [
86
+ "unicode",
87
+ "division",
88
+ "unix"
89
+ ],
90
+ "expected_block": true,
91
+ "severity_hint": "High",
92
+ "notes": "Division slash (U+2215) with %u encoding",
93
+ "category": "Traversal"
94
+ },
95
+ {
96
+ "id": "TRV-UNI-008",
97
+ "payload": "..∕..∕..∕etc∕passwd",
98
+ "tags": [
99
+ "unicode",
100
+ "mixed",
101
+ "unix"
102
+ ],
103
+ "expected_block": true,
104
+ "severity_hint": "Critical",
105
+ "notes": "Mixed full-width periods and division slash",
106
+ "category": "Traversal"
107
+ },
108
+ {
109
+ "id": "TRV-UNI-009",
110
+ "payload": "../../../etc/passwd\u0000.jpg",
111
+ "tags": [
112
+ "unicode",
113
+ "null",
114
+ "unix"
115
+ ],
116
+ "expected_block": true,
117
+ "severity_hint": "Critical",
118
+ "notes": "Unicode null character (U+0000) for extension bypass",
119
+ "category": "Traversal"
120
+ },
121
+ {
122
+ "id": "TRV-UNI-010",
123
+ "payload": "..%c0%2e%c0%2e%c0%2fetc%c0%2fpasswd",
124
+ "tags": [
125
+ "unicode",
126
+ "overlong",
127
+ "mixed"
128
+ ],
129
+ "expected_block": true,
130
+ "severity_hint": "Medium",
131
+ "notes": "Mixed overlong and normal encoding",
132
+ "category": "Traversal"
133
+ }
134
+ ]
package/payloads/community/traversal/unix-advanced.json ADDED
@@ -0,0 +1,195 @@
1
+ [
2
+ {
3
+ "id": "TRV-UNIX-006",
4
+ "payload": "../../../etc/hosts",
5
+ "tags": [
6
+ "unix",
7
+ "network",
8
+ "quick"
9
+ ],
10
+ "expected_block": true,
11
+ "severity_hint": "High",
12
+ "notes": "Unix hosts file containing network mappings",
13
+ "category": "Traversal"
14
+ },
15
+ {
16
+ "id": "TRV-UNIX-007",
17
+ "payload": "../../../../../../../../proc/self/environ",
18
+ "tags": [
19
+ "unix",
20
+ "process",
21
+ "environment"
22
+ ],
23
+ "expected_block": true,
24
+ "severity_hint": "Critical",
25
+ "notes": "Current process environment variables (8-level deep)",
26
+ "category": "Traversal"
27
+ },
28
+ {
29
+ "id": "TRV-UNIX-008",
30
+ "payload": "../../../var/log/auth.log",
31
+ "tags": [
32
+ "unix",
33
+ "logs",
34
+ "quick"
35
+ ],
36
+ "expected_block": true,
37
+ "severity_hint": "High",
38
+ "notes": "Authentication log file",
39
+ "category": "Traversal"
40
+ },
41
+ {
42
+ "id": "TRV-UNIX-009",
43
+ "payload": "../../../var/www/html/.htaccess",
44
+ "tags": [
45
+ "unix",
46
+ "web",
47
+ "config"
48
+ ],
49
+ "expected_block": true,
50
+ "severity_hint": "High",
51
+ "notes": "Apache configuration file",
52
+ "category": "Traversal"
53
+ },
54
+ {
55
+ "id": "TRV-UNIX-033",
56
+ "payload": "../../../home/user/.bash_history",
57
+ "tags": [
58
+ "unix",
59
+ "history",
60
+ "quick"
61
+ ],
62
+ "expected_block": true,
63
+ "severity_hint": "Critical",
64
+ "notes": "User command history file",
65
+ "category": "Traversal"
66
+ },
67
+ {
68
+ "id": "TRV-UNIX-034",
69
+ "payload": "/proc/version",
70
+ "tags": [
71
+ "unix",
72
+ "absolute",
73
+ "system"
74
+ ],
75
+ "expected_block": true,
76
+ "severity_hint": "High",
77
+ "notes": "Kernel version information (absolute path)",
78
+ "category": "Traversal"
79
+ },
80
+ {
81
+ "id": "TRV-UNIX-035",
82
+ "payload": "../../../etc/crontab",
83
+ "tags": [
84
+ "unix",
85
+ "schedule",
86
+ "quick"
87
+ ],
88
+ "expected_block": true,
89
+ "severity_hint": "Critical",
90
+ "notes": "System-wide cron jobs",
91
+ "category": "Traversal"
92
+ },
93
+ {
94
+ "id": "TRV-UNIX-036",
95
+ "payload": "../../../var/log/nginx/access.log",
96
+ "tags": [
97
+ "unix",
98
+ "logs",
99
+ "nginx"
100
+ ],
101
+ "expected_block": true,
102
+ "severity_hint": "Medium",
103
+ "notes": "Nginx access log",
104
+ "category": "Traversal"
105
+ },
106
+ {
107
+ "id": "TRV-UNIX-037",
108
+ "payload": "../../../usr/local/etc/php/php.ini",
109
+ "tags": [
110
+ "unix",
111
+ "config",
112
+ "php"
113
+ ],
114
+ "expected_block": true,
115
+ "severity_hint": "High",
116
+ "notes": "PHP configuration file",
117
+ "category": "Traversal"
118
+ },
119
+ {
120
+ "id": "TRV-UNIX-038",
121
+ "payload": "../../../opt/app/.env.production",
122
+ "tags": [
123
+ "unix",
124
+ "env",
125
+ "production"
126
+ ],
127
+ "expected_block": true,
128
+ "severity_hint": "Critical",
129
+ "notes": "Production environment configuration",
130
+ "category": "Traversal"
131
+ },
132
+ {
133
+ "id": "TRV-UNIX-039",
134
+ "payload": "/etc/mysql/my.cnf",
135
+ "tags": [
136
+ "unix",
137
+ "database",
138
+ "absolute"
139
+ ],
140
+ "expected_block": true,
141
+ "severity_hint": "Critical",
142
+ "notes": "MySQL configuration file (absolute path)",
143
+ "category": "Traversal"
144
+ },
145
+ {
146
+ "id": "TRV-UNIX-040",
147
+ "payload": "../../../proc/self/cmdline",
148
+ "tags": [
149
+ "unix",
150
+ "process"
151
+ ],
152
+ "expected_block": true,
153
+ "severity_hint": "High",
154
+ "notes": "Current process command line",
155
+ "category": "Traversal"
156
+ },
157
+ {
158
+ "id": "TRV-UNIX-041",
159
+ "payload": "../../../../../../../../../../etc/passwd",
160
+ "tags": [
161
+ "unix",
162
+ "deep"
163
+ ],
164
+ "expected_block": true,
165
+ "severity_hint": "Critical",
166
+ "notes": "Extremely deep traversal (10 levels)",
167
+ "category": "Traversal"
168
+ },
169
+ {
170
+ "id": "TRV-UNIX-042",
171
+ "payload": "../../../root/.bashrc",
172
+ "tags": [
173
+ "unix",
174
+ "config",
175
+ "root"
176
+ ],
177
+ "expected_block": true,
178
+ "severity_hint": "Critical",
179
+ "notes": "Root user shell configuration",
180
+ "category": "Traversal"
181
+ },
182
+ {
183
+ "id": "TRV-UNIX-043",
184
+ "payload": "../etc/../etc/../etc/passwd",
185
+ "tags": [
186
+ "unix",
187
+ "redundant",
188
+ "obfuscation"
189
+ ],
190
+ "expected_block": true,
191
+ "severity_hint": "Medium",
192
+ "notes": "Redundant directory traversal",
193
+ "category": "Traversal"
194
+ }
195
+ ]
package/payloads/community/traversal/windows-advanced.json ADDED
@@ -0,0 +1,195 @@
1
+ [
2
+ {
3
+ "id": "TRV-WIN-003",
4
+ "payload": "..\\..\\..\\Windows\\win.ini",
5
+ "tags": [
6
+ "windows",
7
+ "config",
8
+ "quick"
9
+ ],
10
+ "expected_block": true,
11
+ "severity_hint": "High",
12
+ "notes": "Windows initialization file",
13
+ "category": "Traversal"
14
+ },
15
+ {
16
+ "id": "TRV-WIN-004",
17
+ "payload": "..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts",
18
+ "tags": [
19
+ "windows",
20
+ "network",
21
+ "deep"
22
+ ],
23
+ "expected_block": true,
24
+ "severity_hint": "High",
25
+ "notes": "Windows hosts file (8-level deep)",
26
+ "category": "Traversal"
27
+ },
28
+ {
29
+ "id": "TRV-WIN-005",
30
+ "payload": "C:\\inetpub\\wwwroot\\web.config",
31
+ "tags": [
32
+ "windows",
33
+ "iis",
34
+ "absolute"
35
+ ],
36
+ "expected_block": true,
37
+ "severity_hint": "Critical",
38
+ "notes": "IIS web.config (absolute path)",
39
+ "category": "Traversal"
40
+ },
41
+ {
42
+ "id": "TRV-WIN-006",
43
+ "payload": "..\\..\\..\\Windows\\System32\\config\\system",
44
+ "tags": [
45
+ "windows",
46
+ "registry",
47
+ "quick"
48
+ ],
49
+ "expected_block": true,
50
+ "severity_hint": "Critical",
51
+ "notes": "Windows SYSTEM registry hive",
52
+ "category": "Traversal"
53
+ },
54
+ {
55
+ "id": "TRV-WIN-007",
56
+ "payload": "\\\\?\\C:\\Windows\\System32\\config\\sam",
57
+ "tags": [
58
+ "windows",
59
+ "unc",
60
+ "bypass"
61
+ ],
62
+ "expected_block": true,
63
+ "severity_hint": "Critical",
64
+ "notes": "UNC path prefix bypass",
65
+ "category": "Traversal"
66
+ },
67
+ {
68
+ "id": "TRV-WIN-008",
69
+ "payload": "..\\..\\..\\Program Files\\MyApp\\config.xml",
70
+ "tags": [
71
+ "windows",
72
+ "config"
73
+ ],
74
+ "expected_block": true,
75
+ "severity_hint": "High",
76
+ "notes": "Application configuration in Program Files",
77
+ "category": "Traversal"
78
+ },
79
+ {
80
+ "id": "TRV-WIN-009",
81
+ "payload": "..\\..\\..\\Users\\Administrator\\.ssh\\id_rsa",
82
+ "tags": [
83
+ "windows",
84
+ "ssh",
85
+ "quick"
86
+ ],
87
+ "expected_block": true,
88
+ "severity_hint": "Critical",
89
+ "notes": "Administrator SSH private key",
90
+ "category": "Traversal"
91
+ },
92
+ {
93
+ "id": "TRV-WIN-033",
94
+ "payload": "..\\..\\..\\Windows\\Panther\\unattend.xml",
95
+ "tags": [
96
+ "windows",
97
+ "install",
98
+ "credentials"
99
+ ],
100
+ "expected_block": true,
101
+ "severity_hint": "Critical",
102
+ "notes": "Windows unattended installation file (may contain passwords)",
103
+ "category": "Traversal"
104
+ },
105
+ {
106
+ "id": "TRV-WIN-034",
107
+ "payload": "file.txt::$DATA",
108
+ "tags": [
109
+ "windows",
110
+ "ads",
111
+ "alternate-stream"
112
+ ],
113
+ "expected_block": true,
114
+ "severity_hint": "High",
115
+ "notes": "Alternate Data Stream (ADS) access",
116
+ "category": "Traversal"
117
+ },
118
+ {
119
+ "id": "TRV-WIN-035",
120
+ "payload": "..\\..\\..\\PROGRA~1\\MyApp\\config.ini",
121
+ "tags": [
122
+ "windows",
123
+ "short-name",
124
+ "8.3"
125
+ ],
126
+ "expected_block": true,
127
+ "severity_hint": "High",
128
+ "notes": "8.3 short filename format",
129
+ "category": "Traversal"
130
+ },
131
+ {
132
+ "id": "TRV-WIN-036",
133
+ "payload": "C:\\$Recycle.Bin\\S-1-5-21\\deleted_file.docx",
134
+ "tags": [
135
+ "windows",
136
+ "recycle-bin",
137
+ "absolute"
138
+ ],
139
+ "expected_block": true,
140
+ "severity_hint": "Medium",
141
+ "notes": "Recycle Bin file access",
142
+ "category": "Traversal"
143
+ },
144
+ {
145
+ "id": "TRV-WIN-037",
146
+ "payload": "..\\..\\..\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\",
147
+ "tags": [
148
+ "windows",
149
+ "startup"
150
+ ],
151
+ "expected_block": true,
152
+ "severity_hint": "Critical",
153
+ "notes": "Windows startup folder",
154
+ "category": "Traversal"
155
+ },
156
+ {
157
+ "id": "TRV-WIN-038",
158
+ "payload": "..\\..\\..\\Windows\\Temp\\.env",
159
+ "tags": [
160
+ "windows",
161
+ "temp",
162
+ "env"
163
+ ],
164
+ "expected_block": true,
165
+ "severity_hint": "Critical",
166
+ "notes": "Environment file in Windows temp",
167
+ "category": "Traversal"
168
+ },
169
+ {
170
+ "id": "TRV-WIN-039",
171
+ "payload": "\\\\.\\C:\\Windows\\System32\\config\\sam",
172
+ "tags": [
173
+ "windows",
174
+ "device",
175
+ "unc"
176
+ ],
177
+ "expected_block": true,
178
+ "severity_hint": "Critical",
179
+ "notes": "Device namespace path",
180
+ "category": "Traversal"
181
+ },
182
+ {
183
+ "id": "TRV-WIN-040",
184
+ "payload": "..\\..\\..\\inetpub\\logs\\LogFiles\\W3SVC1\\u_ex*.log",
185
+ "tags": [
186
+ "windows",
187
+ "iis",
188
+ "logs"
189
+ ],
190
+ "expected_block": true,
191
+ "severity_hint": "Medium",
192
+ "notes": "IIS log files with wildcard",
193
+ "category": "Traversal"
194
+ }
195
+ ]