@waftester/cli 2.9.30 → 2.9.31

package/README.md

@@ -96,6 +96,23 @@ $ waf-tester assess -u https://target.com -fp -o assessment.json
 
 Includes benign traffic corpus testing (Leipzig integration) for false positive measurement.
 
+### Service Presets
+
+Use service presets for platform-specific testing. Presets add known endpoints and attack surface hints to improve discovery coverage.
+
+```bash
+# Test an Authentik identity provider
+waf-tester auto -u https://sso.example.com -service authentik
+
+# Test an n8n automation instance
+waf-tester discover -u https://automation.example.com -service n8n
+
+# Custom presets — drop JSON files in presets/ directory
+WAF_TESTER_PRESET_DIR=./my-presets waf-tester auto -u https://target.com -service myapp
+```
+
+Built-in presets: `authentik`, `n8n`, `immich`, `webapp`, `intranet`. Create custom presets by adding JSON files — see the [Examples Guide](https://github.com/waftester/waftester/blob/main/docs/EXAMPLES.md#service-presets).
+
 ### Targeted Scanning
 
 ```bash
@@ -280,6 +297,7 @@ ARM64 platforms with x64 emulation (Rosetta 2, Windows WoW) are supported as fal
 |---|---|
 | `WAF_TESTER_BINARY_PATH` | Override binary path (skip platform resolution) |
 | `WAF_TESTER_PAYLOAD_DIR` | Override bundled payload directory |
+| `WAF_TESTER_PRESET_DIR` | Override bundled service preset directory |
 | `WAF_TESTER_TEMPLATE_DIR` | Override bundled template directory |
 
 ## License

package/bin/cli.js

@@ -116,6 +116,9 @@ const cliDir = path.resolve(__dirname, "..");
 if (!process.env.WAF_TESTER_PAYLOAD_DIR) {
   process.env.WAF_TESTER_PAYLOAD_DIR = path.join(cliDir, "payloads");
 }
+if (!process.env.WAF_TESTER_PRESET_DIR) {
+  process.env.WAF_TESTER_PRESET_DIR = path.join(cliDir, "presets");
+}
 if (!process.env.WAF_TESTER_TEMPLATE_DIR) {
   process.env.WAF_TESTER_TEMPLATE_DIR = path.join(
     cliDir,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@waftester/cli",
-  "version": "2.9.30",
+  "version": "2.9.31",
   "description": "WAFtester — the most comprehensive WAF testing CLI & MCP server",
   "license": "BUSL-1.1",
   "repository": {
@@ -35,6 +35,7 @@
   "files": [
     "bin/",
     "payloads/",
+    "presets/",
     "templates/",
     "LICENSE",
     "LICENSE-COMMUNITY"
@@ -43,11 +44,11 @@
     "node": ">=16"
   },
   "optionalDependencies": {
-    "@waftester/darwin-x64": "2.9.30",
-    "@waftester/darwin-arm64": "2.9.30",
-    "@waftester/linux-x64": "2.9.30",
-    "@waftester/linux-arm64": "2.9.30",
-    "@waftester/win32-x64": "2.9.30",
-    "@waftester/win32-arm64": "2.9.30"
+    "@waftester/darwin-x64": "2.9.31",
+    "@waftester/darwin-arm64": "2.9.31",
+    "@waftester/linux-x64": "2.9.31",
+    "@waftester/linux-arm64": "2.9.31",
+    "@waftester/win32-x64": "2.9.31",
+    "@waftester/win32-arm64": "2.9.31"
   }
 }

package/payloads/community/waf-validation/README.md

@@ -74,7 +74,7 @@ Legitimate traffic validation (should NOT be blocked):
 - HTML content in JSON
 - Email addresses
 - Code/formula content
-- Service-specific endpoints (n8n, Immich, Authentik, AgreementPulse)
+- Service-specific endpoints (n8n, Immich, Authentik)
 
 ## Usage
 

package/payloads/community/waf-validation/regression-tests.json

@@ -205,23 +205,5 @@
     "severity_hint": "Low",
     "notes": "Authentik authentication flow - MUST NOT be blocked",
     "category": "Regression"
-  },
-  {
-    "id": "LEGIT-AGREEMENTPULSE-001",
-    "payload": "GET /api/health",
-    "tags": ["regression", "agreementpulse", "health", "quick"],
-    "expected_block": false,
-    "severity_hint": "Low",
-    "notes": "AgreementPulse health check - MUST NOT be blocked",
-    "category": "Regression"
-  },
-  {
-    "id": "LEGIT-AGREEMENTPULSE-002",
-    "payload": "POST /api/contracts HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{\"title\":\"Service Agreement\",\"parties\":[\"Company A\",\"Company B\"]}",
-    "tags": ["regression", "agreementpulse", "contract", "quick"],
-    "expected_block": false,
-    "severity_hint": "Low",
-    "notes": "AgreementPulse contract creation - MUST NOT be blocked",
-    "category": "Regression"
   }
 ]

package/presets/authentik.json

@@ -0,0 +1,28 @@
+{
+  "name": "authentik",
+  "description": "Authentik identity provider — OAuth2, SAML, LDAP authentication platform",
+  "endpoints": [
+    "/-/health/ready/",
+    "/-/health/live/",
+    "/api/v3/core/applications/",
+    "/api/v3/core/groups/",
+    "/api/v3/core/users/",
+    "/api/v3/core/tokens/",
+    "/api/v3/flows/executor/",
+    "/api/v3/policies/",
+    "/application/o/authorize/",
+    "/application/o/token/",
+    "/application/o/userinfo/",
+    "/source/saml/",
+    "/source/oauth/",
+    "/if/flow/default-authentication-flow/",
+    "/if/admin/",
+    "/if/user/",
+    "/ws/"
+  ],
+  "attack_surface": {
+    "has_auth_endpoints": true,
+    "has_oauth": true,
+    "has_saml": true
+  }
+}

package/presets/embed.go

@@ -0,0 +1,19 @@
+// Package presets embeds all bundled service preset files for distribution.
+//
+// This ensures presets are available regardless of installation method
+// (Homebrew, Scoop, npm, Docker, or manual download). The discovery engine
+// falls back to these embedded presets when no on-disk presets directory exists.
+//
+// Usage:
+//
+//	fs := presets.FS
+//	data, _ := fs.ReadFile("authentik.json")
+package presets
+
+import "embed"
+
+// FS contains all bundled service preset JSON files. Each file defines
+// service-specific endpoints and attack surface characteristics.
+//
+//go:embed *.json
+var FS embed.FS

package/presets/immich.json

@@ -0,0 +1,21 @@
+{
+  "name": "immich",
+  "description": "Immich self-hosted photo/video management — asset upload, face recognition, search",
+  "endpoints": [
+    "/api/server/ping",
+    "/api/server-info/",
+    "/api/auth/login",
+    "/api/auth/signup",
+    "/api/users/",
+    "/api/albums/",
+    "/api/assets/",
+    "/api/assets/upload",
+    "/api/search/",
+    "/api/faces/",
+    "/api/people/"
+  ],
+  "attack_surface": {
+    "has_file_upload": true,
+    "has_api_endpoints": true
+  }
+}

package/presets/intranet.json

@@ -0,0 +1,30 @@
+{
+  "name": "intranet",
+  "description": "Internal/intranet application — admin panels, internal APIs, SSO",
+  "endpoints": [
+    "/api/",
+    "/api/v1/",
+    "/api/v2/",
+    "/login",
+    "/logout",
+    "/register",
+    "/signup",
+    "/admin/",
+    "/dashboard/",
+    "/settings/",
+    "/profile/",
+    "/users/",
+    "/search",
+    "/upload",
+    "/download",
+    "/graphql",
+    "/swagger.json",
+    "/openapi.json",
+    "/.env",
+    "/config"
+  ],
+  "attack_surface": {
+    "has_api_endpoints": true,
+    "has_auth_endpoints": true
+  }
+}

package/presets/n8n.json

@@ -0,0 +1,21 @@
+{
+  "name": "n8n",
+  "description": "n8n workflow automation platform — REST API, webhooks, WebSocket push",
+  "endpoints": [
+    "/healthz",
+    "/rest/workflows",
+    "/rest/credentials",
+    "/rest/executions",
+    "/rest/settings",
+    "/rest/users",
+    "/rest/oauth2-credential/",
+    "/webhook/",
+    "/webhook-test/",
+    "/api/v1/",
+    "/push"
+  ],
+  "attack_surface": {
+    "has_api_endpoints": true,
+    "has_websockets": true
+  }
+}

package/presets/webapp.json

@@ -0,0 +1,30 @@
+{
+  "name": "webapp",
+  "description": "Generic web application — login, API, admin, file upload, search",
+  "endpoints": [
+    "/api/",
+    "/api/v1/",
+    "/api/v2/",
+    "/login",
+    "/logout",
+    "/register",
+    "/signup",
+    "/admin/",
+    "/dashboard/",
+    "/settings/",
+    "/profile/",
+    "/users/",
+    "/search",
+    "/upload",
+    "/download",
+    "/graphql",
+    "/swagger.json",
+    "/openapi.json",
+    "/.env",
+    "/config"
+  ],
+  "attack_surface": {
+    "has_api_endpoints": true,
+    "has_auth_endpoints": true
+  }
+}