diff --git a/.gitignore b/.gitignore index 610534f..3b4ad02 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,5 @@ sqli_payload.txt xxe_payload.xml dns_blacklist.txt ip_blacklist.txt +waf_test_results_alt.log +waf_test_results_extended.log diff --git a/rules.json b/rules.json index 0a8b562..18b3188 100644 --- a/rules.json +++ b/rules.json @@ -1,4 +1,28 @@ [ + { + "id": "allow-legit-browsers", + "phase": 1, + "pattern": "(?i)(Mozilla|Chrome|Safari|Edge|Firefox|Opera|AppleWebKit|Gecko|Trident|MSIE|Googlebot|Bingbot|Slurp|DuckDuckBot|Baiduspider|YandexBot|Sogou|Exabot|facebot|facebookexternalhit|Twitterbot|Slackbot|LinkedInBot|TelegramBot)", + "targets": [ + "HEADERS:User-Agent" + ], + "severity": "LOW", + "action": "log", + "score": 1, + "description": "Allow and log traffic from legitimate browsers, search engine crawlers, and social media bots." + }, + { + "id": "auth-login-form-missing", + "phase": 2, + "pattern": "^$", + "targets": [ + "BODY" + ], + "severity": "LOW", + "action": "log", + "score": 3, + "description": "Log login requests that do not contain login form fields" + }, { "id": "block-scanners", "phase": 1, @@ -12,54 +36,28 @@ "description": "Block traffic from known vulnerability scanners and penetration testing tools. Includes more scanners." }, { - "id": "sensitive-files-expanded", + "id": "crlf-injection-headers", "phase": 1, - "pattern": "(?i)(?:/\\.git/(?:HEAD|index|config|refs|objects)|/\\.env(?:\\.local|\\.dev|\\.prod)?$|/\\.htaccess$|/\\.htpasswd$|/\\.svn/|/\\.DS_Store$|\\/WEB-INF\\/|\\/WEB-INF\\/web.xml|\\/META-INF\\/|\\.git/\\s*(?:H\\.E\\.A\\.D|HEAD)|\\.dockerenv|server-status)", + "pattern": "(?i)(%0d|\\r)%0a|%0a(%0d|$)|\\n|%0d%0a|%0a%0d|\\r\\n", "targets": [ - "URI" + "HEADERS" ], - "severity": "HIGH", - "action": "block", - "score": 9, - "description": "Expanded rule to block access to more sensitive files and account for obfuscation." + "severity": "MEDIUM", + "action": "log", + "score": 5, + "description": "Log requests with potential CRLF injection characters in headers. Improved pattern matching." }, { - "id": "sensitive-files", - "phase": 1, - "pattern": "(?i)(?:/\\.git/(?:HEAD|index|config|refs|objects)|/\\.env(?:\\.local|\\.dev|\\.prod)?$|/\\.htaccess$|/\\.htpasswd$|/\\.svn/|/\\.DS_Store$|\\/WEB-INF\\/|\\/WEB-INF\\/web\\.xml|\\/META-INF\\/|\\.git/\\s*(?:H\\.E\\.A\\.D|HEAD)|\\.dockerenv|server-status|\\b(?:config|database|credentials|secrets|private|local|development|staging|production|backup|default)\\b(?:[\\-_\\.]?)(?:[a-z0-9]+)?\\.(?:json|yaml|yml|ini|properties|txt|conf|toml|lock|log|bak|swp|orig|dist|sample|example|template|env|sql))", + "id": "csrf-missing-token-post", + "phase": 2, + "pattern": "^$", "targets": [ - "URI" - ], - "severity": "HIGH", - "action": "block", - "score": 9, - "description": "Block access to sensitive files and directories (Target: URI). Expanded rule to include more config and backup file names." - }, - { - "id": "http-request-smuggling", - "phase": 1, - "pattern": "(?i)(?:Transfer-Encoding.*?(?:chunked|identity)|Content-Length:\\s*0|(?:Content-Length:\\s*\\d+)(?:\\n.*){2,}|(?:Content-Length:\\s*\\d+)(?:\\n\\w+:\\s*.*?\\n+)|(?:TE:\\s*chunked)(?:\\n.*){2,}|(?:TE:\\s*identity)(?:\\n.*){2,})", - "targets": [ - "HEADERS", "BODY" ], "severity": "HIGH", - "action": "block", - "score": 9, - "description": "Detects HTTP request smuggling patterns. Targets Transfer-Encoding and Content-Length headers." - }, - { - "id": "path-traversal", - "phase": 1, - "pattern": "(?:\\.\\.[/\\\\]|\\.\\./|\\.\\.\\\\/|%2e%2e[/\\\\]|%2e%2e/|%2e%2e%5c|%252e%252e|\\b(?:etc(?:\\/|%2F)(?:passwd|shadow|hosts)|(?:proc|sys)(?:\\/|%2F)(?:self(?:\\/|%2F)environ|cmdline)|boot(?:\\/|%2F)grub(?:\\/|%2F)grub\\.cfg|\\/\\.\\.(?:\\/|%2F)|(?:\\/|%5c)(\\.\\.){2,}(?:\\/|%5c)|(?:\\.\\.){2,}(?:\\/|%5c)|(?:\\.\\.){2,}|(?:%2e%2e){2,}(?:%2f|%5c)|(?:%2e%2e%2f|%2e%2e%5c){2,}|(?:\\.\\.%2f|\\.\\.%5c){2,}|(?:%252e%252e%2f|%252e%252e%5c){2,}|%252e%252e|%252f%2e%2e|%255c%2e%2e|\\/\\.(?:\\/|%2F)|\\%2e(?:%2f|%5c))\\b)", - "targets": [ - "URI", - "HEADERS" - ], - "severity": "HIGH", - "action": "block", - "score": 9, - "description": "Block path traversal attempts and direct access to sensitive files (Target: URI and Headers). Improved and more aggressive pattern matching, including more obfuscation techniques." + "action": "log", + "score": 6, + "description": "Log POST requests to write operation endpoints that are missing a CSRF token in the body (use this with a condition to ensure that a write operation was done)." }, { "id": "header-attacks-consolidated", @@ -86,256 +84,17 @@ "description": "Block requests with potentially internal IPs in X-Forwarded-For. Added more internal IP ranges." }, { - "id": "crlf-injection-headers", + "id": "http-request-smuggling", "phase": 1, - "pattern": "(?i)(%0d|\\r)%0a|%0a(%0d|$)|\\n|%0d%0a|%0a%0d|\\r\\n", + "pattern": "(?i)(?:Transfer-Encoding.*?(?:chunked|identity)|Content-Length:\\s*0|(?:Content-Length:\\s*\\d+)(?:\\n.*){2,}|(?:Content-Length:\\s*\\d+)(?:\\n\\w+:\\s*.*?\\n+)|(?:TE:\\s*chunked)(?:\\n.*){2,}|(?:TE:\\s*identity)(?:\\n.*){2,})", "targets": [ - "HEADERS" - ], - "severity": "MEDIUM", - "action": "log", - "score": 5, - "description": "Log requests with potential CRLF injection characters in headers. Improved pattern matching." - }, - { - "id": "unusual-paths", - "phase": 1, - "pattern": "(?i)(?:/wp-admin|/phpmyadmin|/admin|/login|/cgi-bin|/shell|/backdoor|/cmd|/exec|/bin/(?:sh|bash|zsh)|/console|/setup|/test|\\.php$|\\.asp$|\\.aspx$|\\.jsp$|\\.do$|\\.action$|\\.pl$|\\.py$|\\.cgi$|\\.cfm$|\\.rb$|\\.php[0-9]?$|\\.phtml$|\\.htaccess$|\\.htpasswd$|\\.ini$|\\.config$|\\.lock$|\\.log$|\\.bak$|\\.swp$|\\.orig$|\\.dist$|\\.sample$|\\.example$|\\.template$|\\.env$)", - "targets": [ - "URI" - ], - "severity": "MEDIUM", - "action": "block", - "score": 7, - "description": "Block requests to unusual or suspicious paths and common scripting extensions (Target: URI). Expanded rule for more file types and endpoints." - }, - { - "id": "exposed-admin-panels-no-referer", - "phase": 1, - "pattern": "(?i)^(?:/wp-admin|/phpmyadmin|/admin|/login|/cpanel|/administrator|/webmin|/siteadmin|/config)", - "targets": [ - "URI" - ], - "severity": "LOW", - "action": "log", - "score": 3, - "description": "Log requests to common admin panel paths." - }, - { - "id": "allow-legit-browsers", - "phase": 1, - "pattern": "(?i)(Mozilla|Chrome|Safari|Edge|Firefox|Opera|AppleWebKit|Gecko|Trident|MSIE|Googlebot|Bingbot|Slurp|DuckDuckBot|Baiduspider|YandexBot|Sogou|Exabot|facebot|facebookexternalhit|Twitterbot|Slackbot|LinkedInBot|TelegramBot)", - "targets": [ - "HEADERS:User-Agent" - ], - "severity": "LOW", - "action": "log", - "score": 1, - "description": "Allow and log traffic from legitimate browsers, search engine crawlers, and social media bots." - }, - { - "id": "insecure-deserialization-java", - "phase": 2, - "pattern": "(?:rO0AB|aced0005|\\xac\\xed\\x00\\x05)", - "targets": [ - "BODY", "HEADERS", - "COOKIES" - ], - "severity": "CRITICAL", - "action": "block", - "score": 9, - "description": "Block requests containing potential Java serialized objects, including magic bytes for serialized objects." - }, - { - "id": "xss-attacks", - "phase": 2, - "pattern": "(?i)(?:]*>|]*\\s+onerror=|javascript:|data:|vbscript:|]*\\s+onload=|alert\\(|document\\.(?:cookie|location)|eval\\(|base64_(?:encode|decode)|expression\\(|\\b(?:on(?:mouse(?:over|out|down|up|move)|focus|blur|click|key(?:press|down|up)|load|error|submit|reset|change))\\s*=|\\bstyle\\s*=|(?:&#[xX]?[0-9a-fA-F]+;)+|%[0-9a-fA-F]{2,}|\\biframe[^>]*srcdoc\\s*=|\\bevent\\b\\s*=\\s*['\"](?:javascript:).*?['\"]|url\\s*\\([\\s\\n]*?(?:javascript:).*?\\)|\\b(?:\\b(?:src|href|action|data|code)\\s*=\\s*['\"]?(?:javascript:|data:)|\\b(?:formaction|background|poster|xlink:href)\\s*=\\s*['\"]?(?:javascript:|data:))|\\b(?:svg|math|marquee|audio|video|embed|object|plaintext|isindex)\\b)", - "targets": [ - "BODY", - "HEADERS", - "COOKIES" - ], - "severity": "HIGH", - "action": "block", - "score": 9, - "description": "Block XSS attempts using HTML tags, event handlers, javascript: protocol, encoded characters, iframe srcdoc, event attributes, url functions, and other vectors in request body, headers and cookies. Improved pattern matching, including more attack vectors." - }, - { - "id": "nosql-injection-attacks", - "phase": 2, - "pattern": "(?i)(?:\\$(?:gt|gte|lt|lte|ne|eq|regex|where|or|and|in|nin|exists|type|jsonSchema|not|mod|elemMatch|all|size|nor|comment|slice|expr|meta|text|search|near|nearSphere|geoWithin|geoIntersects|geoNear)\\b|\\b(?:db|collection|aggregate|mapReduce|count|group|distinct|findOne|find|remove|update|insert)\\b)", - "targets": [ - "BODY", - "HEADERS", - "COOKIES" - ], - "severity": "HIGH", - "action": "block", - "score": 9, - "description": "Block NoSQL injection attempts in request body, headers, and cookies. Targets MongoDB operators and keywords." - }, - { - "id": "xml-injection-attacks", - "phase": 2, - "pattern": "(?i)(?:<\\?xml||<\\s*[\\w\\-\\.:]+(?:\\s+[\\w\\-\\.:]+(?:\\s*=\\s*(?:['\"][^'\"]*['\"]|[^>\\s]+))?)?\\s*(?:\\/\\s*>|>)|\\]>)", - "targets": [ - "BODY", - "HEADERS", - "COOKIES" - ], - "severity": "HIGH", - "action": "block", - "score": 9, - "description": "Block XML injection attempts in request body, headers, and cookies. Targets common XML declarations, entities, elements, and comments." - }, - { - "id": "ssti-attacks", - "phase": 2, - "pattern": "(?i)(?:\\{\\{.*?\\}\\}|\\{\\%.*?\\%\\}|\\$\\{.*?\\}|\\#\\{.*?\\}|\\$\\(.*?\\)|\\{\\*.*?\\*\\}|\\#\\*.*?\\*\\#|<%[=]?.*?%>|@\\{.*?\\}|\\b(?:Runtime|Process|exec|System|getClass|ClassLoader|loadLibrary|forName|newInstance|getMethod|invoke|getConstructor|getDeclaredMethod|getDeclaredField|setAccessible|getDeclaredConstructor|getInputStream|getOutputStream|get|put|setAttribute|getProperty|setProperty|setSecurityManager|load|defineClass|new|clone|readObject|writeObject|call|apply|bind|super)\\b\\s*\\(|\\b(?:T|Math|Object|String|Boolean|Number|BigInteger|BigDecimal|Date|List|Map|Set|Queue|Array|Tuple|Pattern|Locale|Class|ClassLoader|Proxy|SecurityManager|Thread|ThreadGroup)\\b)", - "targets": [ - "BODY", - "HEADERS", - "COOKIES" - ], - "severity": "HIGH", - "action": "block", - "score": 9, - "description": "Block Server-Side Template Injection (SSTI) attacks in request body, headers, and cookies. Targets common template syntax and dangerous keywords for various frameworks." - }, - { - "id": "ssrf-attacks", - "phase": 2, - "pattern": "(?i)(?:(?:https?|ftp|gopher|dict|ldap|tftp|file)://(?:[^/]+@)?(?:(?:127\\.0\\.0\\.\\d{1,3}|10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.(?:1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4})|localhost|0\\.0\\.0\\.0|::1|\\d{1,10})|[^/]+\\.(?:internal|local|intranet|test))(?:\\:\\d{1,5})?(?:/[^\\s]*)?|\\b(?:metadata|aws|digitalocean|google|azure)\\b|\\b(?:169\\.254\\.\\d{1,3}\\.\\d{1,3})\\b(?:/[^\\s]*)?)", - "targets": [ - "BODY", - "HEADERS", - "COOKIES" - ], - "severity": "HIGH", - "action": "block", - "score": 9, - "description": "Block Server-Side Request Forgery (SSRF) attempts, including internal IP ranges and cloud metadata endpoints, in body, headers and cookies. Improved pattern matching, more aggressive and includes Azure metadata service." - }, - { - "id": "rce-command-injection-body", - "phase": 2, - "pattern": "(?i)(?:\\b(?:system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\\s*\\([^\\)]*\\)|`[^`]+`|;|\\|\\||&&|\\n|%0a|%0d|\\$(?:\\[|\\()\\s*[a-zA-Z0-9_]+\\s*(?:\\]|\\))|\\{\\s*[a-zA-Z0-9_]+\\s*\\}|\\b(?:curl|wget)\\b\\s*[^\\s]+)", - "targets": [ "BODY" ], "severity": "HIGH", "action": "block", - "score": 8, - "description": "Block potential RCE attempts via command injection in request body. Improved pattern matching for common shell injection techniques." - }, - { - "id": "jwt-tampering", - "phase": 1, - "pattern": "(?i)(?:eyJ[A-Za-z0-9-_=]+\\.[A-Za-z0-9-_=]+\\.?[A-Za-z0-9-_.+/=]*)", - "targets": [ - "HEADERS:Authorization", - "COOKIES" - ], - "severity": "HIGH", - "action": "block", - "score": 8, - "description": "Block potential JWT tampering attempts in Authorization headers or cookies." - }, - { - "id": "sql-injection-improved-basic", - "phase": 2, - "pattern": "(?i)(?:'\\s*(?:and|or)\\s*\\d+\\s*[=<>!]+\\s*\\d+|['\"]\\s*\\d+\\s*[=<>!]+\\s*['\"]|'\\s*\\+\\s*'|--\\s*-|-{2,}|\")", - "targets": [ - "ARGS", - "BODY", - "HEADERS", - "COOKIES" - ], - "severity": "HIGH", - "action": "block", - "score": 8, - "description": "Improved rule to catch basic SQL injection including quotes and boolean logic." - }, - { - "id": "xss-improved-encoding", - "phase": 2, - "pattern": "(?i)(?:]*>|]*\\s+onerror=|javascript:|data:|vbscript:|]*\\s+onload=|alert\\(|document\\.(?:cookie|location)|eval\\(|base64_(?:encode|decode)|expression\\(|\\b(?:on(?:mouse(?:over|out|down|up|move)|focus|blur|click|key(?:press|down|up)|load|error|submit|reset|change))\\s*=|\\bstyle\\s*=|(?:&#[xX]?[0-9a-fA-F]+;)+|%[0-9a-fA-F]{2,}|\\biframe[^>]*srcdoc\\s*=)", - "targets": [ - "ARGS", - "BODY", - "HEADERS" - ], - "severity": "HIGH", - "action": "block", - "score": 8, - "description": "Improved XSS rule to catch encoded payloads and iframe srcdoc." - }, - { - "id": "sql-injection", - "phase": 2, - "pattern": "(?i)(?:\\b(?:select|insert|update|delete|drop|alter|truncate|create|grant|revoke)\\b(?:\\s|\\/\\*.*?\\*\\/|--.*?)?(?:from|into|where|table|index|user|procedure|function|database)\\b|\\bunion\\b(?:\\s|\\/\\*.*?\\*\\/|--.*?)?(?:all|distinct)?(?:\\s|\\/\\*.*?\\*\\/|--.*?)?\\bselect\\b|'\\s*(?:and|or)\\s*['\\d]+\\s*(?:=|[<>]=?|!=)\\s*['\\d]+|\\)\\s*(?:and|or)\\s*\\([\\d]+\\s*(?:=|[<>]=?|!=)\\s*[\\d]+\\)|\\b(?:sleep|benchmark|waitfor\\s+delay)\\s*\\(|(?:\\bexec\\b|xp_cmdshell))", - "targets": [ - "ARGS", - "BODY", - "HEADERS" - ], - "severity": "HIGH", - "action": "block", - "score": 7, - "description": "Block SQL injection attempts in request arguments, body, and headers." - }, - { - "id": "rce-commands-expanded", - "phase": 2, - "pattern": "(?i)(?:\\b(?:cat|base64|whoami|echo|curl|wget|bash|sh|python|perl|ls|id|ping|nslookup|ipconfig|ifconfig|powershell)\\b)", - "targets": [ - "ARGS", - "HEADERS" - ], - "severity": "HIGH", - "action": "block", - "score": 5, - "description": "Expanded rule to block more RCE related commands and utilities." - }, - { - "id": "xss", - "phase": 2, - "pattern": "(?i)(?:]*>|]*\\s+onerror=|javascript:|data:|vbscript:|]*\\s+onload=|alert\\(|document\\.(?:cookie|location)|eval\\(|base64_(?:encode|decode)|expression\\(|\\b(?:on(?:mouse(?:over|out|down|up|move)|focus|blur|click|key(?:press|down|up)|load|error|submit|reset|change))\\s*=|\\bstyle\\s*=)", - "targets": [ - "ARGS", - "BODY", - "HEADERS" - ], - "severity": "HIGH", - "action": "block", - "score": 6, - "description": "Block XSS attempts using HTML tags, event handlers, javascript: protocol." - }, - { - "id": "rce-command-injection-args", - "phase": 2, - "pattern": "(?i)(?:\\b(?:system|exec|shell_exec|passthru|popen|proc_open|pcntl_exec)\\s*\\([^\\)]*\\)|`[^`]+`|;|\\|\\||&&|\\n|%0a|%0d)", - "targets": [ - "ARGS" - ], - "severity": "HIGH", - "action": "block", - "score": 8, - "description": "Block potential RCE attempts via command injection in request arguments." - }, - { - "id": "open-redirect-attempt", - "phase": 2, - "pattern": "(?i)(?:https?://(?:[^/]+@)?[^/]+\\.[^/]+/|\\b(?:redirect|url|next|return|r|u)\\b\\s*=\\s*(?:https?://|//))", - "targets": [ - "HEADERS", - "BODY" - ], - "severity": "MEDIUM", - "action": "block", - "score": 6, - "description": "Block potential open redirect attempts in request body and headers." + "score": 9, + "description": "Detects HTTP request smuggling patterns. Targets Transfer-Encoding and Content-Length headers." }, { "id": "idor-attacks", @@ -353,29 +112,245 @@ "description": "Detects Insecure Direct Object Reference (IDOR) attempts by identifying common ID patterns in URIs, body, headers and cookies." }, { - "id": "sql-injection-comment-bypass-args", + "id": "insecure-deserialization-java", "phase": 2, - "pattern": "(?i)/\\*.*?\\*/|--\\s*\\r?\\n?$", + "pattern": "(?:rO0AB|aced0005|\\xac\\xed\\x00\\x05)", "targets": [ - "ARGS" + "BODY", + "HEADERS", + "COOKIES" ], - "severity": "MEDIUM", - "action": "log", - "score": 4, - "description": "Log potential SQL injection comment bypass attempts in arguments." + "severity": "CRITICAL", + "action": "block", + "score": 9, + "description": "Block requests containing potential Java serialized objects, including magic bytes for serialized objects." }, { - "id": "http-response-splitting", - "phase": 3, - "pattern": "(?i)(%0d|\\r)%0a|%0a(%0d|$)|\\n|%0d%0a|%0a%0d|\\r\\n|\\b(?:Set-Cookie:|Location:|HTTP/)\\b.*?(?:%0d|\\r)%0a", + "id": "jwt-tampering", + "phase": 1, + "pattern": "(?i)(?:eyJ[A-Za-z0-9-_=]+\\.[A-Za-z0-9-_=]+\\.?[A-Za-z0-9-_.+/=]*)", "targets": [ + "HEADERS:Authorization", + "COOKIES" + ], + "severity": "HIGH", + "action": "block", + "score": 8, + "description": "Block potential JWT tampering attempts in Authorization headers or cookies." + }, + { + "id": "nosql-injection-attacks", + "phase": 2, + "pattern": "(?i)(?:\\$(?:gt|gte|lt|lte|ne|eq|regex|where|or|and|in|nin|exists|type|jsonSchema|not|mod|elemMatch|all|size|nor|comment|slice|expr|meta|text|search|near|nearSphere|geoWithin|geoIntersects|geoNear)\\b|\\b(?:db|collection|aggregate|mapReduce|count|group|distinct|findOne|find|remove|update|insert)\\b)", + "targets": [ + "BODY", "HEADERS", "COOKIES" ], "severity": "HIGH", "action": "block", "score": 9, - "description": "Detects HTTP response splitting attempts, mainly CRLF injection. Targets headers and cookies." + "description": "Block NoSQL injection attempts in request body, headers, and cookies. Targets MongoDB operators and keywords." + }, + { + "id": "open-redirect-attempt", + "phase": 2, + "pattern": "(?i)(?:https?://(?:[^/]+@)?[^/]+\\.[^/]+/|\\b(?:redirect|url|next|return|r|u)\\b\\s*=\\s*(?:https?://|//))", + "targets": [ + "HEADERS", + "BODY" + ], + "severity": "MEDIUM", + "action": "block", + "score": 6, + "description": "Block potential open redirect attempts in request body and headers." + }, + { + "id": "path-traversal", + "phase": 1, + "pattern": "(?:\\.\\.[/\\\\]|\\.\\./|\\.\\.\\\\/|%2e%2e[/\\\\]|%2e%2e/|%2e%2e%5c|%252e%252e|\\b(?:etc(?:\\/|%2F)(?:passwd|shadow|hosts)|(?:proc|sys)(?:\\/|%2F)(?:self(?:\\/|%2F)environ|cmdline)|boot(?:\\/|%2F)grub(?:\\/|%2F)grub\\.cfg|\\/\\.\\.(?:\\/|%2F)|(?:\\/|%5c)(\\.\\.){2,}(?:\\/|%5c)|(?:\\.\\.){2,}(?:\\/|%5c)|(?:\\.\\.){2,}|(?:%2e%2e){2,}(?:%2f|%5c)|(?:%2e%2e%2f|%2e%2e%5c){2,}|(?:\\.\\.%2f|\\.\\.%5c){2,}|(?:%252e%252e%2f|%252e%252e%5c){2,}|%252e%252e|%252f%2e%2e|%255c%2e%2e|\\/\\.(?:\\/|%2F)|\\%2e(?:%2f|%5c))\\b)", + "targets": [ + "URI", + "HEADERS" + ], + "severity": "HIGH", + "action": "block", + "score": 9, + "description": "Block path traversal attempts and direct access to sensitive files (Target: URI and Headers). Improved and more aggressive pattern matching, including more obfuscation techniques." + }, + { + "id": "rce-commands-expanded", + "phase": 2, + "pattern": "(?i)(?:\\b(?:cat|base64|whoami|echo|curl|wget|bash|sh|python|perl|ls|id|ping|nslookup|ipconfig|ifconfig|powershell)\\b)", + "targets": [ + "ARGS", + "HEADERS" + ], + "severity": "HIGH", + "action": "block", + "score": 5, + "description": "Expanded rule to block more RCE related commands and utilities." + }, + { + "id": "rfi-http-url", + "phase": 2, + "pattern": "(?i)https?:\\/\\/[^\\s]+", + "targets": [ + "URI", + "ARGS", + "HEADERS" + ], + "severity": "HIGH", + "action": "block", + "score": 8, + "description": "Block direct use of HTTP or HTTPS URLs for inclusion." + }, + { + "id": "sensitive-files", + "phase": 1, + "pattern": "(?i)(?:/\\.git/(?:HEAD|index|config|refs|objects)|/\\.env(?:\\.local|\\.dev|\\.prod)?$|/\\.htaccess$|/\\.htpasswd$|/\\.svn/|/\\.DS_Store$|\\/WEB-INF\\/|\\/WEB-INF\\/web\\.xml|\\/META-INF\\/|\\.git/\\s*(?:H\\.E\\.A\\.D|HEAD)|\\.dockerenv|server-status|\\b(?:config|database|credentials|secrets|private|local|development|staging|production|backup|default)\\b(?:[\\-_\\.]?)(?:[a-z0-9]+)?\\.(?:json|yaml|yml|ini|properties|txt|conf|toml|lock|log|bak|swp|orig|dist|sample|example|template|env|sql))", + "targets": [ + "URI" + ], + "severity": "HIGH", + "action": "block", + "score": 9, + "description": "Block access to sensitive files and directories (Target: URI). Expanded rule to include more config and backup file names." + }, + { + "id": "sensitive-files-expanded", + "phase": 1, + "pattern": "(?i)(?:/\\.git/(?:HEAD|index|config|refs|objects)|/\\.env(?:\\.local|\\.dev|\\.prod)?$|/\\.htaccess$|/\\.htpasswd$|/\\.svn/|/\\.DS_Store$|\\/WEB-INF\\/|\\/WEB-INF\\/web.xml|\\/META-INF\\/|\\.git/\\s*(?:H\\.E\\.A\\.D|HEAD)|\\.dockerenv|server-status)", + "targets": [ + "URI" + ], + "severity": "HIGH", + "action": "block", + "score": 9, + "description": "Expanded rule to block access to more sensitive files and account for obfuscation." + }, + { + "id": "sql-injection", + "phase": 2, + "pattern": "(?i)(?:\\b(?:select|insert|update|delete|drop|alter|truncate|create|grant|revoke)\\b(?:\\s|\\/\\*.*?\\*\\/|--.*?)?(?:from|into|where|table|index|user|procedure|function|database)\\b|\\bunion\\b(?:\\s|\\/\\*.*?\\*\\/|--.*?)?(?:all|distinct)?(?:\\s|\\/\\*.*?\\*\\/|--.*?)?\\bselect\\b|'\\s*(?:and|or)\\s*['\\d]+\\s*(?:=|[<>]=?|!=)\\s*['\\d]+|\\)\\s*(?:and|or)\\s*\\([\\d]+\\s*(?:=|[<>]=?|!=)\\s*[\\d]+\\)|\\b(?:sleep|benchmark|waitfor\\s+delay)\\s*\\(|(?:\\bexec\\b|xp_cmdshell))", + "targets": [ + "ARGS", + "BODY", + "HEADERS" + ], + "severity": "HIGH", + "action": "block", + "score": 7, + "description": "Block SQL injection attempts in request arguments, body, and headers." + }, + { + "id": "sql-injection-improved-basic", + "phase": 2, + "pattern": "(?i)(?:'\\s*(?:and|or)\\s*\\d+\\s*[=<>!]+\\s*\\d+|['\"]\\s*\\d+\\s*[=<>!]+\\s*['\"]|'\\s*\\+\\s*'|--\\s*-|-{2,}|\")", + "targets": [ + "ARGS", + "BODY", + "HEADERS", + "COOKIES" + ], + "severity": "HIGH", + "action": "block", + "score": 8, + "description": "Improved rule to catch basic SQL injection including quotes and boolean logic." + }, + { + "id": "ssrf-attacks", + "phase": 2, + "pattern": "(?i)(?:(?:https?|ftp|gopher|dict|ldap|tftp|file)://(?:[^/]+@)?(?:(?:127\\.0\\.0\\.\\d{1,3}|10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|172\\.(?:1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}|192\\.168\\.\\d{1,3}\\.\\d{1,3}|169\\.254\\.\\d{1,3}\\.\\d{1,3}|(?:(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4})|localhost|0\\.0\\.0\\.0|::1|\\d{1,10})|[^/]+\\.(?:internal|local|intranet|test))(?:\\:\\d{1,5})?(?:/[^\\s]*)?|\\b(?:metadata|aws|digitalocean|google|azure)\\b|\\b(?:169\\.254\\.\\d{1,3}\\.\\d{1,3})\\b(?:/[^\\s]*)?)", + "targets": [ + "BODY", + "HEADERS", + "COOKIES" + ], + "severity": "HIGH", + "action": "block", + "score": 9, + "description": "Block Server-Side Request Forgery (SSRF) attempts, including internal IP ranges and cloud metadata endpoints, in body, headers and cookies. Improved pattern matching, more aggressive and includes Azure metadata service." + }, + { + "id": "ssrf-internal-ip", + "phase": 2, + "pattern": "(?:127\\.0\\.0\\.1|10\\.|172\\.(?:1[6-9]|2\\d|3[01])\\.|192\\.168\\.)", + "targets": [ + "URI", + "ARGS" + ], + "severity": "HIGH", + "action": "block", + "score": 7, + "description": "Block SSRF to Internal IPs." + }, + { + "id": "ssrf-reserved-ip", + "phase": 2, + "pattern": "(?:0\\.|169\\.254\\.|224\\.|240\\.|255\\.)", + "targets": [ + "URI", + "ARGS" + ], + "severity": "MEDIUM", + "action": "block", + "score": 5, + "description": "Block SSRF to Reserved/Multicast IPs." + }, + { + "id": "ssti-attacks", + "phase": 2, + "pattern": "(?i)(?:\\{\\{.*?\\}\\}|\\{\\%.*?\\%\\}|\\$\\{.*?\\}|\\#\\{.*?\\}|\\$\\(.*?\\)|\\{\\*.*?\\*\\}|\\#\\*.*?\\*\\#|<%[=]?.*?%>|@\\{.*?\\}|\\b(?:Runtime|Process|exec|System|getClass|ClassLoader|loadLibrary|forName|newInstance|getMethod|invoke|getConstructor|getDeclaredMethod|getDeclaredField|setAccessible|getDeclaredConstructor|getInputStream|getOutputStream|get|put|setAttribute|getProperty|setProperty|setSecurityManager|load|defineClass|new|clone|readObject|writeObject|call|apply|bind|super)\\b\\s*\\(|\\b(?:T|Math|Object|String|Boolean|Number|BigInteger|BigDecimal|Date|List|Map|Set|Queue|Array|Tuple|Pattern|Locale|Class|ClassLoader|Proxy|SecurityManager|Thread|ThreadGroup)\\b)", + "targets": [ + "BODY", + "HEADERS", + "COOKIES" + ], + "severity": "HIGH", + "action": "block", + "score": 9, + "description": "Block Server-Side Template Injection (SSTI) attacks in request body, headers, and cookies. Targets common template syntax and dangerous keywords for various frameworks." + }, + { + "id": "unusual-paths", + "phase": 1, + "pattern": "(?i)(?:/wp-admin|/phpmyadmin|/admin|/login|/cgi-bin|/shell|/backdoor|/cmd|/exec|/bin/(?:sh|bash|zsh)|/console|/setup|/test|\\.php$|\\.asp$|\\.aspx$|\\.jsp$|\\.do$|\\.action$|\\.pl$|\\.py$|\\.cgi$|\\.cfm$|\\.rb$|\\.php[0-9]?$|\\.phtml$|\\.htaccess$|\\.htpasswd$|\\.ini$|\\.config$|\\.lock$|\\.log$|\\.bak$|\\.swp$|\\.orig$|\\.dist$|\\.sample$|\\.example$|\\.template$|\\.env$)", + "targets": [ + "URI" + ], + "severity": "MEDIUM", + "action": "block", + "score": 7, + "description": "Block requests to unusual or suspicious paths and common scripting extensions (Target: URI). Expanded rule for more file types and endpoints." + }, + { + "id": "xss-attacks", + "phase": 2, + "pattern": "(?i)(?:]*>|]*\\s+onerror=|javascript:|data:|vbscript:|]*\\s+onload=|alert\\(|document\\.(?:cookie|location)|eval\\(|base64_(?:encode|decode)|expression\\(|\\b(?:on(?:mouse(?:over|out|down|up|move)|focus|blur|click|key(?:press|down|up)|load|error|submit|reset|change))\\s*=|\\bstyle\\s*=|(?:&#[xX]?[0-9a-fA-F]+;)+|%[0-9a-fA-F]{2,}|\\biframe[^>]*srcdoc\\s*=|\\bevent\\b\\s*=\\s*['\"](?:javascript:).*?['\"]|url\\s*\\([\\s\\n]*?(?:javascript:).*?\\)|\\b(?:\\b(?:src|href|action|data|code)\\s*=\\s*['\"]?(?:javascript:|data:)|\\b(?:formaction|background|poster|xlink:href)\\s*=\\s*['\"]?(?:javascript:|data:))|\\b(?:svg|math|marquee|audio|video|embed|object|plaintext|isindex)\\b)", + "targets": [ + "BODY", + "HEADERS", + "COOKIES" + ], + "severity": "HIGH", + "action": "block", + "score": 9, + "description": "Block XSS attempts using HTML tags, event handlers, javascript: protocol, encoded characters, iframe srcdoc, event attributes, url functions, and other vectors in request body, headers and cookies. Improved pattern matching, including more attack vectors." + }, + { + "id": "xss-improved-encoding", + "phase": 2, + "pattern": "(?i)(?:]*>|]*\\s+onerror=|javascript:|data:|vbscript:|]*\\s+onload=|alert\\(|document\\.(?:cookie|location)|eval\\(|base64_(?:encode|decode)|expression\\(|\\b(?:on(?:mouse(?:over|out|down|up|move)|focus|blur|click|key(?:press|down|up)|load|error|submit|reset|change))\\s*=|\\bstyle\\s*=|(?:&#[xX]?[0-9a-fA-F]+;)+|%[0-9a-fA-F]{2,}|\\biframe[^>]*srcdoc\\s*=)", + "targets": [ + "ARGS", + "BODY", + "HEADERS" + ], + "severity": "HIGH", + "action": "block", + "score": 8, + "description": "Improved XSS rule to catch encoded payloads and iframe srcdoc." }, { "id": "browser-integrity-sec-fetch-dest-missing-block", diff --git a/test.py b/test.py index 96784d8..793aea5 100644 --- a/test.py +++ b/test.py @@ -706,8 +706,104 @@ test_cases = [ ("GraphQL", f"{TARGET_URL}/graphql", "GraphQL (Level 9) - Input Object Injection", 403, {"Content-Type": "application/json"}, '{"query":"mutation { updateUser(id:1, data: { username: \\"test\\", email: \\"test@example.com\\"}) { id } }"}'), ("GraphQL", f"{TARGET_URL}/graphql", "GraphQL (Level 10) - Directive Injection", 403, {"Content-Type": "application/json"}, '{"query":"query getUser { user(id:1) @include(if: true) { username } }"}'), + ## Some missing test.. + # HTTP Verb Tampering Tests (Extended) + ("Verb Tampering", f"{TARGET_URL}/api/items", "Verb Tampering (Level 11) - POST with PUT override param", 405, None, "X-HTTP-Method-Override=PUT&data=test"), # or 400 if body parsing fails before override + ("Verb Tampering", f"{TARGET_URL}/api/delete_user", "Verb Tampering (Level 12) - POST instead of DELETE (admin)", 405, {"X-HTTP-Method-Override": "POST"}, None), + ("Verb Tampering", f"{TARGET_URL}/report", "Verb Tampering (Level 13) - HEAD to download report", 405, {"X-HTTP-Method-Override": "HEAD"}, None), # HEAD on download endpoint + ("Verb Tampering", f"{TARGET_URL}/update_settings", "Verb Tampering (Level 14) - GET to update settings (instead of POST)", 405, {"X-HTTP-Method-Override": "GET"}, "setting1=newvalue&setting2=othervalue"), + ("Verb Tampering", f"{TARGET_URL}/view_config", "Verb Tampering (Level 15) - PATCH to view config", 405, {"X-HTTP-Method-Override": "PATCH"}, None), # Patch for read action + ("Verb Tampering", f"{TARGET_URL}/admin/action", "Verb Tampering (Level 16) - TRACE to admin action", 405, {"X-HTTP-Method-Override": "TRACE"}, None), + ("Verb Tampering", f"{TARGET_URL}/api/search_data", "Verb Tampering (Level 17) - DELETE for search", 405, {"X-HTTP-Method-Override": "DELETE"}, "query=searchTerm"), + ("Verb Tampering", f"{TARGET_URL}/login", "Verb Tampering (Level 18) - OPTIONS to login", 405, {"X-HTTP-Method-Override": "OPTIONS"}, "username=test&password=pass"), + ("Verb Tampering", f"{TARGET_URL}/admin/backup", "Verb Tampering (Level 19) - PUT to admin backup trigger", 405, {"X-HTTP-Method-Override": "PUT"}, None), # Put instead of GET for backup trigger + ("Verb Tampering", f"{TARGET_URL}/submit_feedback", "Verb Tampering (Level 20) - HEAD instead of POST feedback", 405, {"X-HTTP-Method-Override": "HEAD"}, "feedback=test feedback"), + + # Business Logic Attacks (Extended) + ("Business Logic", f"{TARGET_URL}/signup", "Business Logic (Level 11) - Reusing existing username", 403, None, "username=testuser&password=newpassword"), # Assuming 'testuser' was used before + ("Business Logic", f"{TARGET_URL}/signup", "Business Logic (Level 12) - Weak password 'password'", 403, None, "username=weakuser&password=password"), + ("Business Logic", f"{TARGET_URL}/signup", "Business Logic (Level 13) - Username similar to admin (admin1)", 403, None, "username=admin1&password=password123"), + ("Business Logic", f"{TARGET_URL}/login", "Business Logic (Level 14) - Login with default credentials (test:test)", 403, None, "username=test&password=test"), + ("Business Logic", f"{TARGET_URL}/login", "Business Logic (Level 15) - Login with common password '123456'", 403, None, "username=testuser&password=123456"), + ("Business Logic", f"{TARGET_URL}/reset_password", "Business Logic (Level 16) - Multiple password reset for same account", 403, None, "new_password=newpass_v2"), # Repeat reset after level 6 attempt + ("Business Logic", f"{TARGET_URL}/transfer_funds", "Business Logic (Level 17) - Transfer amount exceeds limit", 403, None, "amount=1000000&to=victim"), # Large amount + ("Business Logic", f"{TARGET_URL}/apply_discount", "Business Logic (Level 18) - Expired Discount Code", 403, None, "discount_code=EXPIRED2023"), # Assume 'EXPIRED2023' is known expired code + ("Business Logic", f"{TARGET_URL}/change_email", "Business Logic (Level 19) - Change Email to Disposable Domain (tempmail.org)", 403, None, "new_email=test@tempmail.org"), # Disposable email domain + ("Business Logic", f"{TARGET_URL}/create_post", "Business Logic (Level 20) - Post with too many tags", 403, None, "title=Test Post&content=content&tags=" + ",".join(["tag"]*50)), # Many tags + + # CSP Bypass (Extended - Still basic curl tests) + ("CSP Bypass", f"{TARGET_URL}/", "CSP Bypass (Level 11) - Data URI script (Blocked in strict CSP)", 403, None, ""), # Expect block if strict CSP, otherwise may pass with 200 if no CSP + ("CSP Bypass", f"{TARGET_URL}/", "CSP Bypass (Level 12) - Unsafe-eval attempt (Blocked in strict CSP)", 403, None, ""), # Expect block if strict CSP blocks unsafe-eval + ("CSP Bypass", f"{TARGET_URL}/", "CSP Bypass (Level 13) - WASM in object (object-src check)", 403, None, ""), # Wasm object might be controlled by object-src + ("CSP Bypass", f"{TARGET_URL}/", "CSP Bypass (Level 14) - Form action to data URI (form-action policy)", 403, None, "
"), # Form to data URI + ("CSP Bypass", f"{TARGET_URL}/", "CSP Bypass (Level 15) - Sandboxed iframe escape attempt (If sandbox attr used, try breaking)", 403, None, ""), # Attempt to break sandbox with top.location. Expect block still by WAF if payload is recognized. Full sandbox bypass requires browser context usually for effective testing. + ("CSP Bypass", f"{TARGET_URL}/", "CSP Bypass (Level 16) - Plugin type (plugin-types policy, e.g. application/x-shockwave-flash)", 403, None, ""), # Flash embed might be restricted via plugin-types policy. + ("CSP Bypass", f"{TARGET_URL}/", "CSP Bypass (Level 17) - Frame-ancestors 'none' bypass (Try framing even if 'none')", 403, None, ""), # Even if frame-ancestors is 'none', still try to frame - might be misconfigured. Expect block, or 403 from clickjacking protection ideally, rather than CSP purely blocking framing - CSP blocks resource load usually inside the iframe. Clickjacking is about preventing framing in first place. + ("CSP Bypass", f"{TARGET_URL}/", "CSP Bypass (Level 18) - Connect-src to evil.com (check logs if connect blocked)", 200, {"Content-Security-Policy": "default-src 'self'; connect-src http://evil.com; report-uri /csp_report"}, None), # If connect-src is set to specific domain, and we try to fetch from others, should report or ideally block (more likely report-only for initial setup). Check logs of target for violations. + ("CSP Bypass", f"{TARGET_URL}/", "CSP Bypass (Level 19) - Default-src 'self', inline script event handler (onerror etc.)", 403, None, ""), # Default-src self should block inline event handlers unless 'unsafe-inline' or nonce/hash present for script-src. + ("CSP Bypass", f"{TARGET_URL}/", "CSP Bypass (Level 20) - Trusted types policy violation (If CSP with trusted-types)", 403, {"Content-Security-Policy": "require-trusted-types-for 'script'"}, ""), # If trusted types enforced, direct DOM manipulation with innerHTML from inline script may be blocked. This one is very dependent on target CSP policy. WAF detection based on header, or payload likely. + + # Open Redirect Tests (Extended) + ("Open Redirect", f"{TARGET_URL}/redirect?url=http://evil.com..", "Open Redirect (Level 11) - Double Dot Pathing", 302, None, None), # Double dot in domain name + ("Open Redirect", f"{TARGET_URL}/redirect?url=http://evil.com%20", "Open Redirect (Level 12) - Whitespace in URL", 302, None, None), # Whitespace after domain + ("Open Redirect", f"{TARGET_URL}/redirect?url=http://evil.com/", "Open Redirect (Level 13) - Unicode domain bypass (punycode if applicable, depends on curl handling)", 302, None, None), # unicode domain representation if curl supports punycode + ("Open Redirect", f"{TARGET_URL}/redirect?url=http://0evil.com", "Open Redirect (Level 14) - Leading Zero", 302, None, None), # Leading zero before domain + ("Open Redirect", f"{TARGET_URL}/redirect?url=http://evil.com\\", "Open Redirect (Level 15) - Trailing Backslash", 302, None, None), # Trailing backslash + ("Open Redirect", f"{TARGET_URL}/redirect?url=http://evil.com\t", "Open Redirect (Level 16) - Tab character", 302, None, None), # Tab char after domain + ("Open Redirect", f"{TARGET_URL}/redirect?url=http://evil.com%00", "Open Redirect (Level 17) - Null byte injection", 302, None, None), # Null byte after domain, may truncate + ("Open Redirect", f"{TARGET_URL}/redirect?url=http://@evil.com", "Open Redirect (Level 18) - Authority component bypass", 302, None, None), # Authority component bypass (@) + ("Open Redirect", f"{TARGET_URL}/redirect?url=http://user:pass@evil.com", "Open Redirect (Level 19) - Credential in URL", 302, None, None), # Credential in URL, another version, more explicit + ("Open Redirect", f"{TARGET_URL}/redirect?url=http://[::ffff:192.168.1.1]", "Open Redirect (Level 20) - IPv6 Mapped IPv4 Address", 302, None, None), # IPv6 Mapped IPv4 Address + + # Information Disclosure - Files (Extended) + ("Info Disclosure", f"{TARGET_URL}/.DS_Store", "Info Disclosure (Level 11) - .DS_Store macOS files", 403, None, None), # macOS metadata file + ("Info Disclosure", f"{TARGET_URL}/WEB-INF/jboss-web.xml", "Info Disclosure (Level 12) - JBoss web config", 403, None, None), # JBoss config file + ("Info Disclosure", f"{TARGET_URL}/Tomcat/conf/server.xml", "Info Disclosure (Level 13) - Tomcat server config", 403, None, None), # Tomcat config + ("Info Disclosure", f"{TARGET_URL}/dump.rdb", "Info Disclosure (Level 14) - Redis DB dump", 403, None, None), # Redis dump file + ("Info Disclosure", f"{TARGET_URL}/.bash_history", "Info Disclosure (Level 15) - Bash History", 403, None, None), # Shell history + ("Info Disclosure", f"{TARGET_URL}/htdocs/WEB-INF/web.xml", "Info Disclosure (Level 16) - Alternate WEB-INF path", 403, None, None), # Alternative WEB-INF + ("Info Disclosure", f"{TARGET_URL}/wp-config.php", "Info Disclosure (Level 17) - WordPress config", 403, None, None), # WP config file + ("Info Disclosure", f"{TARGET_URL}/sites/default/settings.php", "Info Disclosure (Level 18) - Drupal settings", 403, None, None), # Drupal config + ("Info Disclosure", f"{TARGET_URL}/configuration.php", "Info Disclosure (Level 19) - Joomla config", 403, None, None), # Joomla config + ("Info Disclosure", f"{TARGET_URL}/BACKUP_config.php", "Info Disclosure (Level 20) - Backup config file name", 403, None, None), # Backup config filename + + # Client-Side/HTML Injection (Basic, server response focused still) + ("HTML Injection", f"{TARGET_URL}/?param=test", "HTML Injection (Level 1) - Bold Tag", 403, None, None), # Basic HTML tag in parameter + ("HTML Injection", f"{TARGET_URL}/?param=

Paragraph

", "HTML Injection (Level 2) - Paragraph Tag", 403, None, None), # Paragraph + ("HTML Injection", f"{TARGET_URL}/?param=

Header

", "HTML Injection (Level 3) - Header Tag", 403, None, None), # Header + ("HTML Injection", f"{TARGET_URL}/?param=
", "HTML Injection (Level 4) - Horizontal Rule", 403, None, None), # HR + ("HTML Injection", f"{TARGET_URL}/?param=
", "HTML Injection (Level 5) - Line Break", 403, None, None), # BR + ("HTML Injection", f"{TARGET_URL}/?param=
  • Item
", "HTML Injection (Level 6) - Unordered List", 403, None, None), # UL/LI list + ("HTML Injection", f"{TARGET_URL}/?param=
  1. Item
", "HTML Injection (Level 7) - Ordered List", 403, None, None), # OL/LI list + ("HTML Injection", f"{TARGET_URL}/?param=
Cell
", "HTML Injection (Level 8) - Table", 403, None, None), # Table + ("HTML Injection", f"{TARGET_URL}/?param=
Span
", "HTML Injection (Level 10) - Div and Span", 403, None, None), # Div/Span + + # Parameter Pollution Tests + ("Parameter Pollution", f"{TARGET_URL}/search?q=value1&q=value2", "Param Pollution (Level 1) - Duplicate Parameter", 403, None, None), # Simple dup param + ("Parameter Pollution", f"{TARGET_URL}/search?q=value1;value2", "Param Pollution (Level 2) - Separator Pollution (;)", 403, None, None), # Separator-based + ("Parameter Pollution", f"{TARGET_URL}/search?q=value1,value2", "Param Pollution (Level 3) - Separator Pollution (,)", 403, None, None), # comma separator + ("Parameter Pollution", f"{TARGET_URL}/search?q[]=value1&q[]=value2", "Param Pollution (Level 4) - Array Notation", 403, None, None), # Array [] notation + ("Parameter Pollution", f"{TARGET_URL}/search?q[0]=value1&q[1]=value2", "Param Pollution (Level 5) - Indexed Array", 403, None, None), # Indexed array notation + ("Parameter Pollution", f"{TARGET_URL}/search?param1=val1¶m1=sqli'--", "Param Pollution (Level 6) - Polluted with SQLi", 403, None, None), # SQLi in polluted param + ("Parameter Pollution", f"{TARGET_URL}/search?param2=val2¶m2=", "Param Pollution (Level 7) - Polluted with XSS", 403, None, None), # XSS + ("Parameter Pollution", f"{TARGET_URL}/api/process", "Param Pollution (Level 8) - POST body pollution - same key twice", 403, None, "data=value1&data=value2"), # POST body pollution + ("Parameter Pollution", f"{TARGET_URL}/api/config", "Param Pollution (Level 9) - Header param pollution (custom header)", 403, {"X-Custom-Param": "value1,value2"}, None), # Header pollution via custom header + ("Parameter Pollution", f"{TARGET_URL}/filter", "Param Pollution (Level 10) - URL encoded dup param", 403, None, "q=test1&q%3Dtest2"), # URL encoded dup param in URL + + # File Upload (Extended Extensions/Types) + ("File Upload", f"{TARGET_URL}/upload.php", "File Upload (Level 16) - .pht double extension", 403, None, "FAKE_PHP_CONTENT"), # pht double extension variant + ("File Upload", f"{TARGET_URL}/upload.php", "File Upload (Level 17) - PHp7 extension", 403, None, "FAKE_PHP_CONTENT"), # PHP7 extension + ("File Upload", f"{TARGET_URL}/upload.php", "File Upload (Level 18) - .phar PHP archive", 403, None, "FAKE_PHAR_CONTENT"), # PHAR archive, if processed as PHP in some configs + ("File Upload", f"{TARGET_URL}/upload.php", "File Upload (Level 19) - .inc include file for PHP", 403, None, "FAKE_PHP_CONTENT"), # .inc include file + ("File Upload", f"{TARGET_URL}/upload.php", "File Upload (Level 20) - Text file with MIME type application/x-php", 403, {"Content-Type": "application/x-php"}, "FAKE_TEXT_CONTENT"), # MIME type override attempt + ("File Upload", f"{TARGET_URL}/upload.php", "File Upload (Level 21) - Image file with MIME type text/html", 403, {"Content-Type": "text/html"}, "FAKE_IMAGE_CONTENT"), # MIME type text/html for image - content type spoofing for HTML/script injection. + ("File Upload", f"{TARGET_URL}/upload.php", "File Upload (Level 22) - .config file type", 403, None, "FAKE_CONFIG_CONTENT"), # Generic config type, if target tries to parse configs directly from uploads, potential info leak/DoS + ("File Upload", f"{TARGET_URL}/upload.php", "File Upload (Level 23) - Large file upload (DoS test - expect block or timeout)", 403, None, "LARGE_FILE_CONTENT"), # Placeholder for large content for DoS - will require creating large file content if real DoS test needed. Expect 403 or timeout if WAF blocks based on size, otherwise could pass if server crashes from size. WAF might block large uploads at network level too. + ("File Upload", f"{TARGET_URL}/upload.php", "File Upload (Level 24) - Zip bomb (Denial of Service via decompression)", 403, None, "ZIP_BOMB_CONTENT"), # Placeholder for zip bomb - again, needs generating actual zip bomb for real test. WAF may detect zip bombs based on compression ratios/characteristics, expect block or timeout. + ("File Upload", f"{TARGET_URL}/upload.php", "File Upload (Level 25) - .jspx - JSP XML file type", 403, None, "FAKE_JSPX_CONTENT"), # .jspx variant for JSP + # Valid Requests - ("Valid", f"{TARGET_URL}/", "Valid (Level 1) - Homepage", 200, None, None), + ("Valid", f"{TARGET_URL}/", "Valid (Level 1) - Homepage", 200, None, None) ]