@waftester/cli 2.8.0

package/payloads/ids-map.json

@@ -0,0 +1,155 @@
+{
+  "schema_version": "1.0.0",
+  "last_updated": "2025-01-22",
+  "taxonomy": {
+    "Injection": {
+      "prefix": "INJ",
+      "subcategories": {
+        "SQLi": { "range_start": 0, "range_end": 199, "next_available": 0 },
+        "NoSQLi": { "range_start": 200, "range_end": 249, "next_available": 200 },
+        "Command": { "range_start": 250, "range_end": 299, "next_available": 250 },
+        "LDAP": { "range_start": 300, "range_end": 319, "next_available": 300 },
+        "XPath": { "range_start": 320, "range_end": 339, "next_available": 320 },
+        "SSTI": { "range_start": 340, "range_end": 379, "next_available": 340 },
+        "XXE": { "range_start": 380, "range_end": 399, "next_available": 380 }
+      }
+    },
+    "XSS": {
+      "prefix": "XSS",
+      "subcategories": {
+        "Reflected": { "range_start": 0, "range_end": 49, "next_available": 0 },
+        "DOM": { "range_start": 50, "range_end": 79, "next_available": 50 },
+        "Stored": { "range_start": 80, "range_end": 99, "next_available": 80 },
+        "Mutation": { "range_start": 100, "range_end": 119, "next_available": 100 },
+        "CSP-Bypass": { "range_start": 120, "range_end": 139, "next_available": 120 },
+        "Polyglot": { "range_start": 140, "range_end": 159, "next_available": 140 }
+      }
+    },
+    "Traversal": {
+      "prefix": "TRV",
+      "subcategories": {
+        "Unix": { "range_start": 0, "range_end": 29, "next_available": 0 },
+        "Windows": { "range_start": 30, "range_end": 59, "next_available": 30 },
+        "DoubleEncoding": { "range_start": 60, "range_end": 79, "next_available": 60 },
+        "NullByte": { "range_start": 80, "range_end": 99, "next_available": 80 }
+      }
+    },
+    "SSRF": {
+      "prefix": "SSRF",
+      "subcategories": {
+        "Cloud": { "range_start": 0, "range_end": 99, "next_available": 34, "description": "Cloud metadata endpoints (AWS, GCP, Azure, etc.)" },
+        "Proto": { "range_start": 100, "range_end": 199, "next_available": 128, "description": "Protocol smuggling (gopher, dict, file, ldap, etc.)" },
+        "DNS": { "range_start": 200, "range_end": 299, "next_available": 225, "description": "DNS rebinding and IP obfuscation" },
+        "Net": { "range_start": 300, "range_end": 399, "next_available": 323, "description": "Internal network targeting (RFC1918, localhost)" }
+      }
+    },
+    "Auth": {
+      "prefix": "AUTH",
+      "subcategories": {
+        "JWT": { "range_start": 0, "range_end": 39, "next_available": 0 },
+        "OAuth": { "range_start": 40, "range_end": 79, "next_available": 40 },
+        "Session": { "range_start": 80, "range_end": 119, "next_available": 80 },
+        "CSRF": { "range_start": 120, "range_end": 139, "next_available": 120 }
+      }
+    },
+    "Protocol": {
+      "prefix": "PROTO",
+      "subcategories": {
+        "Smug": { "range_start": 0, "range_end": 99, "next_available": 36, "description": "HTTP request smuggling (CL.TE, TE.CL, TE.TE, chunk manipulation)" },
+        "HTTP2": { "range_start": 100, "range_end": 199, "next_available": 130, "description": "HTTP/2 attacks (pseudo-header abuse, forbidden headers, desync)" },
+        "WS": { "range_start": 200, "range_end": 299, "next_available": 230, "description": "WebSocket abuse (handshake manipulation, cross-protocol)" }
+      }
+    },
+    "GraphQL": {
+      "prefix": "GQL",
+      "subcategories": {
+        "Introspection": { "range_start": 0, "range_end": 29, "next_available": 20 },
+        "DepthLimit": { "range_start": 30, "range_end": 59, "next_available": 50 },
+        "Batching": { "range_start": 60, "range_end": 99, "next_available": 80 }
+      }
+    },
+    "Cache": {
+      "prefix": "CACHE",
+      "subcategories": {
+        "Poisoning": { "range_start": 0, "range_end": 29, "next_available": 30 },
+        "Deception": { "range_start": 30, "range_end": 59, "next_available": 60 }
+      }
+    },
+    "Logic": {
+      "prefix": "LOGIC",
+      "subcategories": {
+        "ForcedBrowsing": { "range_start": 0, "range_end": 29, "next_available": 30 },
+        "IDOR": { "range_start": 30, "range_end": 59, "next_available": 60 },
+        "Privilege": { "range_start": 60, "range_end": 89, "next_available": 85 }
+      }
+    },
+    "Deserialization": {
+      "prefix": "DESER",
+      "subcategories": {
+        "Prototype": { "range_start": 0, "range_end": 39, "next_available": 30 },
+        "Gadget": { "range_start": 40, "range_end": 79, "next_available": 70 }
+      }
+    },
+    "Fuzzing": {
+      "prefix": "FUZZ",
+      "subcategories": {
+        "Headers": { "range_start": 0, "range_end": 39, "next_available": 30 },
+        "Methods": { "range_start": 40, "range_end": 59, "next_available": 70 },
+        "ContentType": { "range_start": 60, "range_end": 89, "next_available": 90 }
+      }
+    },
+    "AI": {
+      "prefix": "AI",
+      "subcategories": {
+        "Prompt": { "range_start": 0, "range_end": 29, "next_available": 18, "description": "Prompt injection, system prompt extraction, jailbreaks" },
+        "Workflow": { "range_start": 30, "range_end": 59, "next_available": 46, "description": "n8n workflow manipulation, code injection, node abuse" },
+        "ML": { "range_start": 60, "range_end": 89, "next_available": 72, "description": "ML model poisoning, adversarial attacks on Immich" }
+      }
+    },
+    "Media": {
+      "prefix": "MEDIA",
+      "subcategories": {
+        "EXIF": { "range_start": 0, "range_end": 29, "next_available": 16, "description": "EXIF injection, XSS in metadata, path traversal in filenames" },
+        "ContentType": { "range_start": 30, "range_end": 49, "next_available": 41, "description": "MIME confusion, polyglot files, content-type attacks" },
+        "Metadata": { "range_start": 50, "range_end": 79, "next_available": 67, "description": "GPS spoofing, unicode attacks, oversized metadata" }
+      }
+    },
+    "RateLimit": {
+      "prefix": "RATE",
+      "subcategories": {
+        "Zone": { "range_start": 0, "range_end": 29, "next_available": 20, "description": "Zone-specific tests (auth_like, api, uploads, streaming, static, general)" },
+        "Burst": { "range_start": 30, "range_end": 59, "next_available": 45, "description": "Burst simulation, 200→429 transitions, traffic spikes" },
+        "Bypass": { "range_start": 60, "range_end": 89, "next_available": 76, "description": "X-Forwarded-For spoofing, header manipulation, evasion attempts" }
+      }
+    }
+  },
+  "cwe_mapping": {
+    "INJ-SQLI": "CWE-89",
+    "INJ-NOSQLI": "CWE-943",
+    "INJ-COMMAND": "CWE-78",
+    "INJ-LDAP": "CWE-90",
+    "INJ-XPATH": "CWE-643",
+    "INJ-SSTI": "CWE-94",
+    "INJ-XXE": "CWE-611",
+    "XSS-REFLECTED": "CWE-79",
+    "XSS-DOM": "CWE-79",
+    "XSS-STORED": "CWE-79",
+    "TRV": "CWE-22",
+    "SSRF": "CWE-918",
+    "AUTH-JWT": "CWE-347",
+    "AUTH-OAUTH": "CWE-601",
+    "AUTH-SESSION": "CWE-384",
+    "AUTH-CSRF": "CWE-352",
+    "AUTH-MFA": "CWE-287",
+    "PROTO-SMUGGLING": "CWE-444",
+    "DESER-PROTOTYPE": "CWE-1321",
+    "LOGIC-IDOR": "CWE-639",
+    "AI-PROMPT": "CWE-94",
+    "AI-WORKFLOW": "CWE-94",
+    "AI-ML": "CWE-20",
+    "MEDIA-EXIF": "CWE-79",
+    "MEDIA-CONTENTTYPE": "CWE-434",
+    "MEDIA-METADATA": "CWE-20",
+    "RATE": "CWE-770"
+  }
+}

package/payloads/ldap-injection.json

@@ -0,0 +1,182 @@
+[
+    {
+      "id": "ldap-001",
+      "payload": "*",
+      "tags": ["ldap", "wildcard"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "LDAP wildcard - matches all entries",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-002",
+      "payload": "*)(&",
+      "tags": ["ldap", "filter-injection"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "LDAP filter injection - break out of filter",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-003",
+      "payload": "*))%00",
+      "tags": ["ldap", "null-byte", "filter-injection"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "LDAP filter injection with null byte terminator",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-004",
+      "payload": ")(cn=))\u0000",
+      "tags": ["ldap", "null-byte", "cn-injection"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "LDAP cn attribute injection with null byte",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-005",
+      "payload": "*(|(mail=*))",
+      "tags": ["ldap", "wildcard", "mail-enum"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "LDAP wildcard with mail attribute OR",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-006",
+      "payload": "*(|(objectclass=*))",
+      "tags": ["ldap", "wildcard", "objectclass-enum"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "LDAP wildcard with objectclass enumeration",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-007",
+      "payload": "*)(uid=*))(|(uid=*",
+      "tags": ["ldap", "auth-bypass", "uid-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "LDAP auth bypass via uid filter manipulation",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-008",
+      "payload": "admin*",
+      "tags": ["ldap", "wildcard", "username-enum"],
+      "expected_block": true,
+      "severity_hint": "medium",
+      "notes": "LDAP wildcard username enumeration",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-009",
+      "payload": "admin*)((|userpassword=*)",
+      "tags": ["ldap", "password-extraction", "filter-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "LDAP password attribute extraction attempt",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-010",
+      "payload": "admin*)((|userPassword=*)",
+      "tags": ["ldap", "password-extraction", "filter-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "LDAP password extraction (camelCase variant)",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-011",
+      "payload": "x' or name()='username' or 'x'='y",
+      "tags": ["ldap", "xpath-style", "injection"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "LDAP/XPATH style injection",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-012",
+      "payload": "*()|%26'",
+      "tags": ["ldap", "filter-injection", "encoded"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "LDAP filter with URL-encoded ampersand",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-013",
+      "payload": "*()|&'",
+      "tags": ["ldap", "filter-injection"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "LDAP filter injection with pipe and ampersand",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-014",
+      "payload": "*/*",
+      "tags": ["ldap", "path-injection"],
+      "expected_block": true,
+      "severity_hint": "medium",
+      "notes": "LDAP path/filter manipulation",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-015",
+      "payload": "*|",
+      "tags": ["ldap", "pipe-injection"],
+      "expected_block": true,
+      "severity_hint": "medium",
+      "notes": "LDAP pipe character injection",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-016",
+      "payload": "admin)(!(&(1=0",
+      "tags": ["ldap", "auth-bypass", "logic-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "LDAP logic manipulation for auth bypass",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-017",
+      "payload": "%2A%28%7C%28mail%3D%2A%29%29",
+      "tags": ["ldap", "url-encoded", "filter-injection"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "URL-encoded LDAP filter *(|(mail=*))",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-018",
+      "payload": "%2A%28%7C%28objectclass%3D%2A%29%29",
+      "tags": ["ldap", "url-encoded", "filter-injection"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "URL-encoded LDAP filter *(|(objectclass=*))",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-019",
+      "payload": "userPassword:2.5.13.18:=\\00",
+      "tags": ["ldap", "password-extraction", "oid"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "LDAP OID-based password attribute extraction",
+      "category": "Injection"
+    },
+    {
+      "id": "ldap-020",
+      "payload": ")(&(objectClass=*)",
+      "tags": ["ldap", "filter-injection", "objectclass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "LDAP filter breakout with objectClass wildcard",
+      "category": "Injection"
+    }
+]

package/payloads/nosql-injection.json

@@ -0,0 +1,227 @@
+[
+    {
+      "id": "nosql-001",
+      "payload": "username[$ne]=admin&password[$ne]=admin",
+      "tags": ["nosql", "mongodb", "auth-bypass"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "NoSQL auth bypass using $ne operator (not equal)",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-002",
+      "payload": "{\"username\": {\"$ne\": null}, \"password\": {\"$ne\": null}}",
+      "tags": ["nosql", "mongodb", "auth-bypass", "json"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "JSON NoSQL auth bypass - matches any user",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-003",
+      "payload": "{\"username\": {\"$gt\": \"\"}, \"password\": {\"$gt\": \"\"}}",
+      "tags": ["nosql", "mongodb", "auth-bypass", "json"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "JSON NoSQL auth bypass using $gt (greater than)",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-004",
+      "payload": "username[$regex]=.*&password[$regex]=.*",
+      "tags": ["nosql", "mongodb", "auth-bypass", "regex"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "NoSQL auth bypass using regex operator",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-005",
+      "payload": "{\"username\": {\"$regex\": \"^admin\"}, \"password\": {\"$regex\": \".*\"}}",
+      "tags": ["nosql", "mongodb", "auth-bypass", "regex", "json"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Target specific user with regex",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-006",
+      "payload": "password[$regex]=^a",
+      "tags": ["nosql", "mongodb", "blind", "regex"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Blind NoSQL password enumeration via regex",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-007",
+      "payload": "password[$regex]=.{6}",
+      "tags": ["nosql", "mongodb", "blind", "length"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Blind NoSQL password length detection",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-008",
+      "payload": "username[$nin][]=admin&username[$nin][]=test&password[$ne]=",
+      "tags": ["nosql", "mongodb", "auth-bypass", "nin"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "NoSQL auth bypass using $nin (not in)",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-009",
+      "payload": "login[$gt]=admin&login[$lt]=test&pass[$ne]=1",
+      "tags": ["nosql", "mongodb", "auth-bypass", "range"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "NoSQL auth bypass using range operators",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-010",
+      "payload": "{\"$where\": \"1 == 1\"}",
+      "tags": ["nosql", "mongodb", "where-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "MongoDB $where injection - always true",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-011",
+      "payload": "', $where: '1 == 1",
+      "tags": ["nosql", "mongodb", "where-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "MongoDB $where string injection",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-012",
+      "payload": "true, $where: '1 == 1'",
+      "tags": ["nosql", "mongodb", "where-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "MongoDB $where with true prefix",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-013",
+      "payload": "1, $where: '1 == 1'",
+      "tags": ["nosql", "mongodb", "where-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "MongoDB $where with numeric prefix",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-014",
+      "payload": "' && this.password.match(/.*/)//+%00",
+      "tags": ["nosql", "mongodb", "regex", "null-byte"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "MongoDB JS injection with password match",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-015",
+      "payload": "';sleep(5000);'",
+      "tags": ["nosql", "mongodb", "time-based"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "MongoDB time-based blind injection",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-016",
+      "payload": "';sleep(5000);+'",
+      "tags": ["nosql", "mongodb", "time-based"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "MongoDB time-based with string concat",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-017",
+      "payload": "db.injection.insert({success:1});",
+      "tags": ["nosql", "mongodb", "data-manipulation"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "MongoDB data insertion attack",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-018",
+      "payload": "', $or: [ {}, { 'a':'a' } ], $comment:'successful MongoDB injection'",
+      "tags": ["nosql", "mongodb", "or-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "MongoDB $or injection with comment",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-019",
+      "payload": "{\"username\":\"admin\", \"password\":{\"$gt\":\"\"}}",
+      "tags": ["nosql", "mongodb", "auth-bypass", "json"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Target admin with $gt empty string",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-020",
+      "payload": "{\"username\":{\"$in\":[\"Admin\", \"admin\", \"root\", \"administrator\"]},\"password\":{\"$gt\":\"\"}}",
+      "tags": ["nosql", "mongodb", "auth-bypass", "in"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "NoSQL auth bypass targeting multiple admin accounts",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-021",
+      "payload": "[$ne]=1",
+      "tags": ["nosql", "mongodb", "operator"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Simple $ne operator injection",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-022",
+      "payload": "{$gt: ''}",
+      "tags": ["nosql", "mongodb", "operator"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Simple $gt operator injection",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-023",
+      "payload": "{ $ne: 1 }",
+      "tags": ["nosql", "mongodb", "operator"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Simple $ne with spaces",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-024",
+      "payload": "\";return(true);var xyz='a",
+      "tags": ["nosql", "mongodb", "js-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "MongoDB JavaScript injection - return true",
+      "category": "Injection"
+    },
+    {
+      "id": "nosql-025",
+      "payload": "0;return true",
+      "tags": ["nosql", "mongodb", "js-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "MongoDB JavaScript - numeric prefix return true",
+      "category": "Injection"
+    }
+]