@waftester/cli 2.8.0

package/payloads/community/waf-bypass/cloudflare-bypass.json

@@ -0,0 +1,102 @@
+[
+  {
+    "id": "WAF-CF-001",
+    "payload": "<svg/onrandom=random onload=confirm(1)>",
+    "tags": ["cloudflare", "waf-bypass", "svg", "2021"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cloudflare bypass - fake event handler with real onload (Jan 2021)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-CF-002",
+    "payload": "<video onnull=null onmouseover=confirm(1)>",
+    "tags": ["cloudflare", "waf-bypass", "video", "2021"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cloudflare bypass - video tag with fake event",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-CF-003",
+    "payload": "<svg/OnLoad=\"`${prompt``}`\">",
+    "tags": ["cloudflare", "waf-bypass", "template-literal", "2020"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cloudflare bypass - template literal execution (Apr 2020)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-CF-004",
+    "payload": "<svg/onload=%26nbsp;alert`1`+",
+    "tags": ["cloudflare", "waf-bypass", "entity", "2019"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cloudflare bypass - HTML entity in event handler (Aug 2019)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-CF-005",
+    "payload": "1'\"><img/src/onerror=.1|alert``>",
+    "tags": ["cloudflare", "waf-bypass", "img", "2019"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cloudflare bypass - bitwise OR execution (Jun 2019)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-CF-006",
+    "payload": "<svg onload=prompt%26%230000000040document.domain)>",
+    "tags": ["cloudflare", "waf-bypass", "unicode", "2019"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cloudflare bypass - padded Unicode entities (Jun 2019)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-CF-007",
+    "payload": "xss'\"><iframe srcdoc='%26lt;script>;prompt`${document.domain}`%26lt;/script>'>",
+    "tags": ["cloudflare", "waf-bypass", "srcdoc", "2019"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cloudflare bypass - srcdoc with encoded script",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-CF-008",
+    "payload": "<svg/onload=&#97&#108&#101&#114&#00116&#40&#41&#x2f&#x2f",
+    "tags": ["cloudflare", "waf-bypass", "mixed-encoding", "2019"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cloudflare bypass - mixed decimal/hex entities (Mar 2019)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-CF-009",
+    "payload": "<a href=\"j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;\">X</a>",
+    "tags": ["cloudflare", "waf-bypass", "whitespace", "2018"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cloudflare bypass - whitespace entities in protocol (Feb 2018)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-CF-010",
+    "payload": "</script><svg><script>alert(1)-%26apos%3B",
+    "tags": ["cloudflare", "waf-bypass", "script-break", "2018"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Chrome Auditor/Cloudflare bypass",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  }
+]

package/payloads/community/waf-bypass/encoding-bypass.json

@@ -0,0 +1,120 @@
+[
+  {
+    "id": "ENC-UTF7-001",
+    "payload": "+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
+    "category": "WAF-Bypass",
+    "method": "GET",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["utf7", "xss", "encoding"],
+    "notes": "UTF-7 encoded XSS - bypasses UTF-8 only filters"
+  },
+  {
+    "id": "ENC-UTF7-002",
+    "payload": "+ADw-img src=x onerror=alert(1)+AD4-",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["utf7", "xss"],
+    "notes": "UTF-7 encoded img tag XSS - bypasses UTF-8 sanitization"
+  },
+  {
+    "id": "ENC-OVERLONG-001",
+    "payload": "%c0%bc%c1%b3%c1%b2%c0%b9%c1%b0%c1%b4",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["overlong-utf8", "xss"],
+    "notes": "Overlong UTF-8 encoded <script - critical bypass technique"
+  },
+  {
+    "id": "ENC-OVERLONG-002",
+    "payload": "%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc/passwd",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["overlong-utf8", "traversal"],
+    "notes": "Overlong UTF-8 ../../ for path traversal"
+  },
+  {
+    "id": "ENC-WIDE-GBK-001",
+    "payload": "%bf%27 OR 1=1--",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["wide-byte", "gbk", "sqli"],
+    "notes": "GBK wide-byte injection - %bf eats the backslash escape"
+  },
+  {
+    "id": "ENC-WIDE-GBK-002",
+    "payload": "%bf%5c%27 UNION SELECT * FROM users--",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["wide-byte", "gbk", "sqli"],
+    "notes": "GBK wide-byte UNION injection - multi-byte char consumes escape"
+  },
+  {
+    "id": "ENC-WIDE-SJIS-001",
+    "payload": "%81%27 OR 1=1--",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["wide-byte", "shift-jis", "sqli"],
+    "notes": "Shift-JIS wide-byte injection"
+  },
+  {
+    "id": "ENC-TRIPLE-URL-001",
+    "payload": "%252527%252520OR%2525201%25253D1",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["triple-url", "sqli"],
+    "notes": "Triple URL encoded SQL injection"
+  },
+  {
+    "id": "ENC-TRIPLE-URL-002",
+    "payload": "%25253Cscript%25253Ealert(1)%25253C%25252Fscript%25253E",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["triple-url", "xss"],
+    "notes": "Triple URL encoded XSS - requires 3 decode passes to reveal payload"
+  },
+  {
+    "id": "ENC-MIXED-001",
+    "payload": "%3Cscr%69pt%3Eale%72t(1)%3C/script%3E",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["mixed", "partial-url", "xss"],
+    "notes": "Partial URL encoding - only some characters encoded"
+  },
+  {
+    "id": "ENC-MIXED-002",
+    "payload": "<scr%00ipt>alert(1)</script>",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["null-byte", "xss"],
+    "notes": "Null byte in script tag breaks regex pattern matching"
+  },
+  {
+    "id": "ENC-FULLWIDTH-001",
+    "payload": "＜ｓｃｒｉｐｔ＞ａｌｅｒｔ（１）＜／ｓｃｒｉｐｔ＞",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["unicode", "fullwidth", "xss"],
+    "notes": "Unicode fullwidth characters - normalizes to ASCII"
+  },
+  {
+    "id": "ENC-FULLWIDTH-002",
+    "payload": "＇ ＯＲ ＇１＇＝＇１",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["unicode", "fullwidth", "sqli"],
+    "notes": "Fullwidth Unicode SQLi - bypasses ASCII-only pattern matching"
+  }
+]

package/payloads/community/waf-bypass/evasion-techniques.json

@@ -0,0 +1,164 @@
+[
+  {
+    "id": "EVASION-WHITESPACE-001",
+    "payload": "SELECT\t\t\t*\t\t\tFROM\t\t\tusers",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["whitespace", "tab", "sqli"],
+    "notes": "Tab character substitution for spaces"
+  },
+  {
+    "id": "EVASION-WHITESPACE-002",
+    "payload": "SELECT%0a*%0aFROM%0ausers",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["whitespace", "lf-encoded", "sqli"],
+    "notes": "Line feed (LF) encoded as space substitute in SQL"
+  },
+  {
+    "id": "EVASION-WHITESPACE-003",
+    "payload": "SELECT%a0*%a0FROM%a0users",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["whitespace", "nbsp", "sqli"],
+    "notes": "Non-breaking space (0xa0)"
+  },
+  {
+    "id": "EVASION-COMMENT-001",
+    "payload": "SEL/**/ECT * FR/**/OM users",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["comment", "sqli"],
+    "notes": "SQL inline comments to break keywords"
+  },
+  {
+    "id": "EVASION-COMMENT-002",
+    "payload": "/*!50000SELECT*/ * /*!50000FROM*/ users",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["comment", "mysql-versioned", "sqli"],
+    "notes": "MySQL versioned comments"
+  },
+  {
+    "id": "EVASION-NULL-001",
+    "payload": "SEL%00ECT * FROM users",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["null-byte", "sqli"],
+    "notes": "Null byte in middle of keyword"
+  },
+  {
+    "id": "EVASION-NULL-002",
+    "payload": "<scr%00ipt>alert(1)</script>",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["null-byte", "xss"],
+    "notes": "Null byte splits XSS tag to evade pattern detection"
+  },
+  {
+    "id": "EVASION-NULL-003",
+    "payload": "../../../etc/passwd%00.jpg",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["null-byte", "traversal"],
+    "notes": "Null byte truncation to bypass extension checks"
+  },
+  {
+    "id": "EVASION-CASE-001",
+    "payload": "SeLeCt * FrOm UsErS",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Medium",
+    "tags": ["case", "sqli"],
+    "notes": "Mixed case SQL keywords bypass case-sensitive regex"
+  },
+  {
+    "id": "EVASION-CASE-002",
+    "payload": "<ScRiPt>alert(1)</sCrIpT>",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Medium",
+    "tags": ["case", "xss"],
+    "notes": "Mixed case HTML tags bypass case-sensitive XSS filters"
+  },
+  {
+    "id": "EVASION-CONCAT-001",
+    "payload": "SEL'+'ECT * FROM users",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["concat", "sqli"],
+    "notes": "String concatenation to break keywords"
+  },
+  {
+    "id": "EVASION-CHAR-001",
+    "payload": "SELECT CHAR(83)+CHAR(69)+CHAR(76)+CHAR(69)+CHAR(67)+CHAR(84)",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["char", "sqli"],
+    "notes": "CHAR() function to build strings"
+  },
+  {
+    "id": "EVASION-DOUBLE-WRITE-001",
+    "payload": "<scrscriptipt>alert(1)</scrscriptipt>",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["double-write", "xss"],
+    "notes": "Double-write to survive single-pass filter"
+  },
+  {
+    "id": "EVASION-PARENTHESIS-001",
+    "payload": "SELECT(password)FROM(users)",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["parenthesis", "sqli"],
+    "notes": "No spaces, parenthesis as delimiters"
+  },
+  {
+    "id": "EVASION-MULTILINE-001",
+    "payload": "<svg\nonload\n=\nalert(1)>",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["multiline", "xss"],
+    "notes": "Newlines in SVG attributes bypass single-line regex patterns"
+  },
+  {
+    "id": "EVASION-ENTITY-001",
+    "payload": "<img src=x on&#x65;rror=alert(1)>",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["entity", "partial-encoding", "xss"],
+    "notes": "HTML entity encoding in event handler name (&#x65; = 'e')"
+  },
+  {
+    "id": "EVASION-PROTO-001",
+    "payload": "javas\tcript:alert(1)",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["protocol", "tab", "xss"],
+    "notes": "Tab character in javascript: protocol bypasses keyword detection"
+  },
+  {
+    "id": "EVASION-DATA-URI-001",
+    "payload": "data:text/html,<script>alert(1)</script>",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["data-uri", "xss"],
+    "notes": "Data URI scheme to embed XSS payload inline"
+  }
+]

package/payloads/community/waf-bypass/hpp-bypass.json

@@ -0,0 +1,92 @@
+[
+  {
+    "id": "HPP-SQLI-001",
+    "payload": "id=1&id=' OR 1=1--",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["hpp", "sqli", "duplicate-param"],
+    "notes": "Duplicate parameter - some servers take first, WAF checks last"
+  },
+  {
+    "id": "HPP-SQLI-002",
+    "payload": "id=1/*&id=*/UNION/*&id=*/SELECT/*&id=*/password/*&id=*/FROM/*&id=*/users",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["hpp", "sqli", "fragmented"],
+    "notes": "Fragmented SQL across multiple parameters - server joins them"
+  },
+  {
+    "id": "HPP-XSS-001",
+    "payload": "q=test&q=<script>alert(1)</script>",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["hpp", "xss"],
+    "notes": "HTTP Parameter Pollution with XSS in second parameter value"
+  },
+  {
+    "id": "HPP-TRAVERSAL-001",
+    "payload": "file=index.html&file=../../../etc/passwd",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["hpp", "traversal", "lfi"],
+    "notes": "HPP with path traversal - backend may use malicious second value"
+  },
+  {
+    "id": "HPP-ARRAY-001",
+    "payload": "id[]=1&id[]=2 OR 1=1--",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["hpp", "array", "sqli"],
+    "notes": "Array notation HPP - common in PHP/Ruby"
+  },
+  {
+    "id": "HPP-JSON-001",
+    "payload": "{\"id\":1,\"id\":\"1' OR '1'='1\"}",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["hpp", "json", "duplicate-key", "sqli"],
+    "notes": "JSON duplicate key - parser behavior varies"
+  },
+  {
+    "id": "HPP-JSON-002",
+    "payload": "{\"role\":\"user\",\"role\":\"admin\"}",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["hpp", "json", "duplicate-key", "privilege-escalation"],
+    "notes": "JSON duplicate key privilege escalation - last key wins in most parsers"
+  },
+  {
+    "id": "HPP-SEMICOLON-001",
+    "payload": "id=1;id=2 OR 1=1--",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["hpp", "semicolon", "sqli"],
+    "notes": "Semicolon as parameter separator (IIS)"
+  },
+  {
+    "id": "HPP-NULL-001",
+    "payload": "id=1%00&id=2 OR 1=1--",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["hpp", "null-byte", "sqli"],
+    "notes": "Null byte between duplicate parameters"
+  },
+  {
+    "id": "HPP-ENCODED-001",
+    "payload": "id=1&%69%64=' OR 1=1--",
+    "category": "WAF-Bypass",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["hpp", "url-encoded", "sqli"],
+    "notes": "URL-encoded parameter name (id = %69%64)"
+  }
+]