@waftester/cli 2.8.0

package/templates/nuclei/http/waf-detection/modsecurity-detect.yaml

@@ -0,0 +1,129 @@
+id: waf-detect-modsecurity
+info:
+  name: ModSecurity WAF Detection
+  author: waftester
+  severity: info
+  description: |
+    Detects ModSecurity WAF presence via response headers, Server header
+    patterns, error page signatures, and OWASP CRS indicators. Identifies
+    ModSecurity version, CRS paranoia level, and audit log patterns.
+    Supports both Apache and Nginx + ModSecurity configurations.
+  reference:
+    - https://www.modsecurity.org/
+    - https://coreruleset.org/
+    - https://github.com/0xInfection/Awesome-WAF
+  tags: waf,detection,modsecurity,crs,owasp,fingerprint,waftester
+  classification:
+    cwe-id:
+      - CWE-200
+  metadata:
+    verified: true
+    max-request: 2
+    shodan-query: "http.headers.server:mod_security"
+    fofa-query: "server=\"mod_security\""
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+
+    stop-at-first-match: true
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: header
+        words:
+          - "mod_security"
+          - "modsecurity"
+          - "NOYB"
+          - "Mod_Security"
+          - "OWASP_CRS"
+          - "mod_security/"
+        condition: or
+        case-insensitive: true
+
+      - type: regex
+        part: header
+        regex:
+          - "(?i)server:.*mod_security"
+          - "(?i)server:.*ModSecurity"
+          - "(?i)x-modsecurity-id:\\s*\\d+"
+          - "(?i)x-mod-sec-rule:\\s*\\d+"
+
+      - type: word
+        part: body
+        words:
+          - "ModSecurity"
+          - "mod_security"
+          - "This error was generated by Mod_Security"
+          - "rules of the mod_security module"
+          - "OWASP CRS"
+          - "OWASP ModSecurity Core Rule Set"
+          - "mod_security-message"
+          - "ModSecurity Action"
+          - "ModSecurity: Access denied"
+          - "Mod_Security - Block"
+          - "Apache/ModSecurity"
+          - "SecRule"
+        condition: or
+        case-insensitive: true
+
+      - type: dsl
+        dsl:
+          - "status_code == 403 && (contains(tolower(body), 'modsecurity') || contains(tolower(body), 'mod_security'))"
+
+    extractors:
+      - type: kval
+        kval:
+          - server
+
+      - type: regex
+        part: header
+        group: 1
+        regex:
+          - "(?i)mod_security/([0-9.]+)"
+          - "(?i)ModSecurity/([0-9.]+)"
+
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "(?i)ModSecurity[/ ]+v?([0-9.]+)"
+
+  # Trigger WAF block with SQLi payload to confirm CRS rules
+  - method: GET
+    path:
+      - "{{BaseURL}}/?id=1' OR '1'='1"
+
+    matchers-condition: or
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "ModSecurity"
+          - "mod_security"
+          - "OWASP CRS"
+          - "Access denied"
+          - "This error was generated by"
+          - "SecRule"
+          - "Coraza"
+        condition: or
+        case-insensitive: true
+
+      - type: regex
+        part: body
+        regex:
+          - "(?i)id\\s*\"[0-9]+\""
+          - "(?i)rule\\s+[0-9]+"
+
+      - type: dsl
+        dsl:
+          - "status_code == 403"
+
+    extractors:
+      - type: regex
+        part: body
+        group: 1
+        regex:
+          - "(?i)id\\s*\"([0-9]+)\""
+          - "(?i)rule\\s+([0-9]+)"

package/templates/nuclei/workflows/waf-assessment-workflow.yaml

@@ -0,0 +1,71 @@
+id: waf-full-assessment-workflow
+info:
+  name: WAF Full Assessment Workflow
+  author: waftester
+  description: |
+    Complete WAF assessment workflow. First detects the WAF vendor (Cloudflare,
+    AWS, Akamai, Azure, ModSecurity), then runs all relevant bypass templates
+    matched by tags. Detection runs in parallel, bypass tests run conditionally
+    based on detected WAF vendor for vendor-specific evasion tuning.
+
+workflows:
+  - template: nuclei/http/waf-detection/cloudflare-detect.yaml
+    subtemplates:
+      - tags: waf,bypass,sqli
+      - tags: waf,bypass,xss
+      - tags: waf,bypass,rce
+      - tags: waf,bypass,ssrf
+      - tags: waf,bypass,lfi
+      - tags: waf,bypass,ssti
+      - tags: waf,bypass,xxe
+      - tags: waf,bypass,crlf
+      - tags: waf,bypass,nosqli
+
+  - template: nuclei/http/waf-detection/aws-waf-detect.yaml
+    subtemplates:
+      - tags: waf,bypass,sqli
+      - tags: waf,bypass,xss
+      - tags: waf,bypass,rce
+      - tags: waf,bypass,ssrf
+      - tags: waf,bypass,lfi
+      - tags: waf,bypass,ssti
+      - tags: waf,bypass,xxe
+      - tags: waf,bypass,crlf
+      - tags: waf,bypass,nosqli
+
+  - template: nuclei/http/waf-detection/modsecurity-detect.yaml
+    subtemplates:
+      - tags: waf,bypass,evasion
+      - tags: waf,bypass,sqli
+      - tags: waf,bypass,xss
+      - tags: waf,bypass,rce
+      - tags: waf,bypass,ssrf
+      - tags: waf,bypass,lfi
+      - tags: waf,bypass,ssti
+      - tags: waf,bypass,xxe
+      - tags: waf,bypass,crlf
+      - tags: waf,bypass,nosqli
+
+  - template: nuclei/http/waf-detection/akamai-detect.yaml
+    subtemplates:
+      - tags: waf,bypass,sqli
+      - tags: waf,bypass,xss
+      - tags: waf,bypass,rce
+      - tags: waf,bypass,ssrf
+      - tags: waf,bypass,lfi
+      - tags: waf,bypass,ssti
+      - tags: waf,bypass,xxe
+      - tags: waf,bypass,crlf
+      - tags: waf,bypass,nosqli
+
+  - template: nuclei/http/waf-detection/azure-waf-detect.yaml
+    subtemplates:
+      - tags: waf,bypass,sqli
+      - tags: waf,bypass,xss
+      - tags: waf,bypass,rce
+      - tags: waf,bypass,ssrf
+      - tags: waf,bypass,lfi
+      - tags: waf,bypass,ssti
+      - tags: waf,bypass,xxe
+      - tags: waf,bypass,crlf
+      - tags: waf,bypass,nosqli

package/templates/output/asff.tmpl

@@ -0,0 +1,61 @@
+{
+  "SchemaVersion": "2018-10-08",
+  "Id": "waftester-{{ default "scan" .ScanID }}-{{ .Timestamp }}",
+  "ProductArn": "arn:aws:securityhub:{{ default "us-east-1" .Region }}:{{ default "000000000000" .AWSAccountID }}:product/waftester/waftester",
+  "GeneratorId": "waftester",
+  "AwsAccountId": "{{ default "000000000000" .AWSAccountID }}",
+  "CreatedAt": "{{ .Timestamp }}",
+  "UpdatedAt": "{{ .Timestamp }}",
+  "Title": "WAF Security Assessment - {{ .Target }}",
+  "Description": "WAFtester scan of {{ .Target }}: {{ .TotalTests }} tests, {{ .BypassCount }} bypasses, {{ .Effectiveness }}% effectiveness (Grade: {{ .Grade }})",
+  "Severity": {
+    "Label": "{{ upper .HighestSeverity }}",
+    "Original": "{{ .HighestSeverity }}"
+  },
+  "Types": [
+    "Software and Configuration Checks/AWS Security Best Practices"
+  ],
+  "Resources": [
+    {
+      "Type": "Other",
+      "Id": "{{ .Target }}",
+      "Details": {
+        "Other": {
+          "TotalTests": "{{ toString .TotalTests }}",
+          "Blocked": "{{ toString .Blocked }}",
+          "Bypassed": "{{ toString .BypassCount }}",
+          "Effectiveness": "{{ .Effectiveness }}",
+          "Grade": "{{ .Grade }}"
+        }
+      }
+    }
+  ],
+  "Compliance": {
+    "Status": "{{ ternary "PASSED" "FAILED" (eq .BypassCount 0) }}"
+  },
+  "Findings": [
+    {{- range $idx, $bypass := .Bypasses }}
+    {{- if $idx }},{{ end }}
+    {
+      "Id": "{{ $bypass.Test.ID }}",
+      "Title": "{{ $bypass.Test.Name }}",
+      "Description": "WAF bypass via {{ $bypass.Test.Category }} at {{ $bypass.Target.URL }}",
+      "Severity": {
+        "Label": "{{ upper $bypass.Test.Severity }}"
+      },
+      "Types": ["Software and Configuration Checks"],
+      "Resources": [
+        {
+          "Type": "Other",
+          "Id": "{{ $bypass.Target.URL }}"
+        }
+      ],
+      "Remediation": {
+        "Recommendation": {
+          "Text": "Review WAF rules for {{ $bypass.Test.Category }} coverage. See {{ owaspLink $bypass.Test.Category }}"
+        }
+      }
+    }
+    {{- end }}
+  ]
+}

package/templates/output/csv.tmpl

@@ -0,0 +1,4 @@
+"Test ID","Category","Severity","Name","URL","Method","Status Code","Outcome","Latency (ms)","Payload","OWASP","CWE"
+{{- range $result := .Results }}
+{{ escapeCSV $result.Test.ID }},{{ escapeCSV $result.Test.Category }},{{ escapeCSV (upper $result.Test.Severity) }},{{ escapeCSV $result.Test.Name }},{{ escapeCSV $result.Target.URL }},{{ escapeCSV $result.Target.Method }},{{ escapeCSV (toString $result.Result.StatusCode) }},{{ escapeCSV $result.Result.Outcome }},{{ escapeCSV (toString $result.Result.LatencyMs) }},{{ escapeCSV $result.Payload }},{{ escapeCSV (owaspLink $result.Test.Category) }},{{ escapeCSV (cweLink $result.Test.Category) }}
+{{- end }}

package/templates/output/junit.tmpl

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<testsuites name="WAFtester Security Assessment" tests="{{ .TotalTests }}" failures="{{ .BypassCount }}" errors="{{ .Errors }}" time="{{ .Duration }}">
+  <testsuite name="WAF Bypass Tests" tests="{{ .TotalTests }}" failures="{{ .BypassCount }}" errors="{{ .Errors }}" timestamp="{{ .Timestamp }}">
+    <properties>
+      <property name="target" value="{{ escapeXML .Target }}"/>
+      <property name="effectiveness" value="{{ .Effectiveness }}"/>
+      <property name="grade" value="{{ .Grade }}"/>
+      <property name="scan_id" value="{{ default "N/A" .ScanID }}"/>
+      <property name="highest_severity" value="{{ .HighestSeverity }}"/>
+    </properties>
+    {{- range $result := .Results }}
+    <testcase name="{{ escapeXML $result.Test.Name }}" classname="{{ $result.Test.Category }}.{{ $result.Test.ID }}" time="{{ $result.Result.LatencyMs }}">
+      {{- if eq $result.Result.Outcome "bypass" }}
+      <failure message="WAF bypass detected" type="{{ upper $result.Test.Severity }}">
+Category: {{ $result.Test.Category }}
+Severity: {{ upper $result.Test.Severity }}
+URL: {{ $result.Target.URL }}
+Method: {{ $result.Target.Method }}
+Status Code: {{ $result.Result.StatusCode }}
+Payload: {{ escapeXML $result.Payload }}
+OWASP: {{ owaspLink $result.Test.Category }}
+CWE: {{ cweLink $result.Test.Category }}
+      </failure>
+      {{- end }}
+      {{- if eq $result.Result.Outcome "error" }}
+      <error message="Test execution error" type="Error">
+URL: {{ $result.Target.URL }}
+Status Code: {{ $result.Result.StatusCode }}
+      </error>
+      {{- end }}
+    </testcase>
+    {{- end }}
+  </testsuite>
+</testsuites>

package/templates/output/markdown-report.tmpl

@@ -0,0 +1,92 @@
+# WAF Security Assessment Report
+{{- $target := .Target }}
+{{- $ts := .Timestamp }}
+
+## Target: {{ $target }}
+**Generated:** {{ $ts }}
+**Duration:** {{ .Duration }}
+**Scan ID:** {{ default "N/A" .ScanID }}
+
+---
+
+## Executive Summary
+
+| Metric | Value |
+|--------|-------|
+| Total Tests | {{ .TotalTests }} |
+| Blocked | {{ .Blocked }} |
+| Bypassed | {{ .BypassCount }} |
+| Errors | {{ .Errors }} |
+| Timeouts | {{ .Timeouts }} |
+| **Effectiveness** | **{{ .Effectiveness }}%** |
+| **Grade** | **{{ .Grade }}** |
+| Highest Severity | {{ severityIcon .HighestSeverity }} {{ .HighestSeverity }} |
+
+---
+
+## Severity Distribution
+
+| Severity | Count | Icon |
+|----------|-------|------|
+{{- range $sev, $count := .SeverityCounts }}
+| {{ upper $sev }} | {{ $count }} | {{ severityIcon $sev }} |
+{{- end }}
+
+---
+
+## Category Breakdown
+
+| Category | Tests | Status |
+|----------|-------|--------|
+{{- range $cat, $count := .CategoryCounts }}
+| {{ title $cat }} | {{ $count }} | {{ ternary "PASS" "REVIEW" (gt $count 0) }} |
+{{- end }}
+
+---
+
+## Bypasses Found
+
+{{- if .Bypasses }}
+
+> **WARNING:** {{ len .Bypasses }} bypass(es) detected. Immediate remediation recommended.
+
+{{- range $idx, $bypass := .Bypasses }}
+
+### {{ add $idx 1 }}. {{ $bypass.Test.Name }}
+
+| Field | Detail |
+|-------|--------|
+| **ID** | {{ $bypass.Test.ID }} |
+| **Category** | {{ $bypass.Test.Category }} |
+| **Severity** | {{ severityIcon $bypass.Test.Severity }} {{ upper $bypass.Test.Severity }} |
+| **URL** | {{ $bypass.Target.URL }} |
+| **Method** | {{ $bypass.Target.Method }} |
+| **Status Code** | {{ $bypass.Result.StatusCode }} |
+| **Outcome** | {{ $bypass.Result.Outcome }} |
+| **Latency** | {{ $bypass.Result.LatencyMs }}ms |
+| **OWASP** | {{ owaspLink $bypass.Test.Category }} |
+
+**Payload:**
+```
+{{ $bypass.Payload }}
+```
+
+---
+{{- end }}
+{{- else }}
+
+No bypasses detected. WAF is blocking all tested attack vectors.
+
+{{- end }}
+
+---
+
+## Detailed Results
+
+{{- range $idx, $result := .Results }}
+| {{ add $idx 1 }} | {{ $result.Test.ID }} | {{ $result.Test.Category }} | {{ severityIcon $result.Test.Severity }} | {{ $result.Result.StatusCode }} | {{ $result.Result.Outcome }} | {{ $result.Result.LatencyMs }}ms |
+{{- end }}
+
+---
+
+*Report generated by [WAFtester](https://github.com/waftester/waftester)*

package/templates/output/slack-notification.tmpl

@@ -0,0 +1,95 @@
+{{- $target := .Target -}}
+{{- $effectiveness := .Effectiveness -}}
+{{- $grade := .Grade -}}
+{{- $bypasses := .BypassCount -}}
+{
+  "blocks": [
+    {
+      "type": "header",
+      "text": {
+        "type": "plain_text",
+        "text": "WAF Security Assessment Report"
+      }
+    },
+    {
+      "type": "section",
+      "fields": [
+        {
+          "type": "mrkdwn",
+          "text": "*Target:*\n{{ $target }}"
+        },
+        {
+          "type": "mrkdwn",
+          "text": "*Grade:*\n{{ $grade }}"
+        },
+        {
+          "type": "mrkdwn",
+          "text": "*Effectiveness:*\n{{ $effectiveness }}%"
+        },
+        {
+          "type": "mrkdwn",
+          "text": "*Duration:*\n{{ .Duration }}"
+        }
+      ]
+    },
+    {
+      "type": "section",
+      "fields": [
+        {
+          "type": "mrkdwn",
+          "text": "*Total Tests:* {{ .TotalTests }}"
+        },
+        {
+          "type": "mrkdwn",
+          "text": "*Blocked:* {{ .Blocked }}"
+        },
+        {
+          "type": "mrkdwn",
+          "text": "*Bypassed:* {{ $bypasses }}"
+        },
+        {
+          "type": "mrkdwn",
+          "text": "*Errors:* {{ .Errors }}"
+        }
+      ]
+    },
+    {
+      "type": "divider"
+    }
+    {{- if .Bypasses -}}
+    ,{
+      "type": "section",
+      "text": {
+        "type": "mrkdwn",
+        "text": ":warning: *{{ len .Bypasses }} Bypass(es) Detected*"
+      }
+    }
+    {{- range $idx, $bypass := .Bypasses -}}
+    ,{
+      "type": "section",
+      "text": {
+        "type": "mrkdwn",
+        "text": "{{ severityIcon $bypass.Test.Severity }} *{{ $bypass.Test.Name }}*\nCategory: {{ $bypass.Test.Category }} | Severity: {{ upper $bypass.Test.Severity }}\nStatus: {{ $bypass.Result.StatusCode }} | Latency: {{ $bypass.Result.LatencyMs }}ms"
+      }
+    }
+    {{- end -}}
+    {{- else -}}
+    ,{
+      "type": "section",
+      "text": {
+        "type": "mrkdwn",
+        "text": ":white_check_mark: All attack vectors blocked. No bypasses detected."
+      }
+    }
+    {{- end }}
+    ,{
+      "type": "context",
+      "elements": [
+        {
+          "type": "mrkdwn",
+          "text": "Generated by WAFtester | {{ .Timestamp }}"
+        }
+      ]
+    }
+  ]
+}

package/templates/output/text-summary.tmpl

@@ -0,0 +1,56 @@
+WAF Security Assessment — Text Summary
+========================================
+Target:        {{ .Target }}
+Timestamp:     {{ .Timestamp }}
+Duration:      {{ .Duration }}
+Scan ID:       {{ default "N/A" .ScanID }}
+========================================
+
+RESULTS OVERVIEW
+----------------
+Total Tests:   {{ .TotalTests }}
+Blocked:       {{ .Blocked }}
+Bypassed:      {{ .BypassCount }}
+Errors:        {{ .Errors }}
+Timeouts:      {{ .Timeouts }}
+
+EFFECTIVENESS: {{ .Effectiveness }}%
+GRADE:         {{ .Grade }}
+HIGHEST SEV:   {{ upper .HighestSeverity }}
+
+SEVERITY DISTRIBUTION
+---------------------
+{{- range $sev, $count := .SeverityCounts }}
+  {{ upper $sev }}: {{ $count }}
+{{- end }}
+
+CATEGORY BREAKDOWN
+------------------
+{{- range $cat, $count := .CategoryCounts }}
+  {{ title $cat }}: {{ $count }}
+{{- end }}
+
+{{- if .Bypasses }}
+
+BYPASSES FOUND ({{ len .Bypasses }})
+====================
+{{- range $idx, $bypass := .Bypasses }}
+
+[{{ add $idx 1 }}] {{ $bypass.Test.Name }}
+    ID:        {{ $bypass.Test.ID }}
+    Category:  {{ $bypass.Test.Category }}
+    Severity:  {{ upper $bypass.Test.Severity }}
+    URL:       {{ $bypass.Target.URL }}
+    Method:    {{ $bypass.Target.Method }}
+    Status:    {{ $bypass.Result.StatusCode }}
+    Outcome:   {{ $bypass.Result.Outcome }}
+    Latency:   {{ $bypass.Result.LatencyMs }}ms
+    Payload:   {{ trunc 120 $bypass.Payload }}
+{{- end }}
+{{- else }}
+
+NO BYPASSES — All attack vectors blocked by WAF.
+{{- end }}
+
+========================================
+Generated by WAFtester

package/templates/overrides/api-only.yaml

@@ -0,0 +1,130 @@
+# WAFtester API-Only Override Configuration
+# Tailors scanning behavior for API endpoints (no browser-based attacks)
+# Focuses on JSON/XML payloads and API-specific vulnerabilities
+
+overrides:
+  - id: api-content-type
+    description: "Force JSON Content-Type for all API requests"
+    match:
+      path: ".*"
+    action:
+      set_headers:
+        Content-Type: "application/json"
+        Accept: "application/json"
+    enabled: true
+    priority: 100
+
+  - id: disable-browser-xss
+    description: "Disable browser-specific XSS payloads (no DOM, no HTML context)"
+    match:
+      category: "xss"
+      tags:
+        - "dom"
+        - "browser"
+        - "html-context"
+        - "document-write"
+    action:
+      skip: true
+    enabled: true
+    priority: 90
+
+  - id: disable-clickjacking
+    description: "Skip clickjacking tests — not applicable to APIs"
+    match:
+      category: "clickjacking"
+    action:
+      skip: true
+    enabled: true
+    priority: 90
+
+  - id: disable-csrf
+    description: "Skip CSRF tests — APIs use token-based auth"
+    match:
+      category: "csrf"
+    action:
+      skip: true
+    enabled: true
+    priority: 90
+
+  - id: disable-cookie-attacks
+    description: "Skip cookie-based session attacks for token-auth APIs"
+    match:
+      category: "session-fixation"
+      tags:
+        - "cookie"
+        - "session-cookie"
+    action:
+      skip: true
+    enabled: true
+    priority: 80
+
+  - id: enable-json-injection
+    description: "Enable all JSON-specific injection tests"
+    match:
+      tags:
+        - "json-injection"
+        - "json-body"
+        - "api-injection"
+    action:
+      skip: false
+      priority_boost: 10
+    enabled: true
+    priority: 70
+
+  - id: enable-graphql
+    description: "Enable GraphQL-specific attack vectors"
+    match:
+      category: "graphql"
+    action:
+      skip: false
+      priority_boost: 10
+    enabled: true
+    priority: 70
+
+  - id: enable-mass-assignment
+    description: "Enable mass assignment and BOLA/BFLA tests"
+    match:
+      category:
+        - "mass-assignment"
+        - "idor"
+        - "bola"
+        - "bfla"
+    action:
+      skip: false
+      priority_boost: 15
+    enabled: true
+    priority: 70
+
+  - id: api-rate-limit
+    description: "Enforce conservative rate limiting for API scanning"
+    match:
+      path: ".*"
+    action:
+      rate_limit: 20
+      delay_ms: 100
+    enabled: true
+    priority: 50
+
+  - id: json-body-sqli
+    description: "Use JSON body format for SQLi payloads"
+    match:
+      category: "sqli"
+    action:
+      body_format: "json"
+      inject_in:
+        - "json-value"
+        - "json-key"
+    enabled: true
+    priority: 60
+
+  - id: remove-html-payloads
+    description: "Skip payloads that rely on HTML rendering"
+    match:
+      tags:
+        - "html-render"
+        - "browser-render"
+        - "document-context"
+    action:
+      skip: true
+    enabled: true
+    priority: 85