WAF Payload Collection

This project was created to provide rigorous tests for Web Application Firewall (WAF) rules.
You can use these payloads to check that a sent payload produces the expected response, or to measure the efficacy of a WAF solution.
Some false positives are included to test whether an acceptable payload is incorrectly identified as malicious.

The payloads were divided into their respective categories; duplicates, comments, blank lines, etc. were removed. The data has been cleaned as well as possible so that it contains as many real, working payloads as possible.
To check for bypasses, most XSS payloads exist three times - with alert(), prompt() and confirm() - since a WAF may block only the alert() variant.

Sources

Payloads from the following Github repositories and web pages are included:

They were last accessed on October 07, 2022.

How to use

Payloads can be found in nuclei/payloads/[category]/true-positives.txt (and false-positives.txt for the benign samples).
You can use any tool of your choice for testing, because they are just simple text files with one payload per line.
However, this repository was created for use with WAF Efficacy Framework in mind.

WAF Efficacy Framework

WAF Efficacy Framework was chosen because it is free, open source, modular and allows easy integration of new test scenarios/payloads. It is user-friendly, actively developed and standardized. Last but not least, all requests are recorded and logged in JSON format, including request/response pairs and additional metadata.

  • nuclei/config.yaml
    Config file for Nuclei

  • nuclei/templates
    Contains YAML template files for Nuclei

  • nuclei/payloads
    Contains payloads (true/false positives) in text files

Just clone the repository and overwrite the contents of the nuclei folder with the nuclei folder from this repository. Then run the tool as usual.
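The two things the text above asks a tester to check are the per-category block rate against true/false positives and whether a WAF only catches the alert() variant of an XSS payload while letting prompt()/confirm() through. The script below is an added example and is not part of this repository or of WAF Efficacy Framework; it assumes a constructed one-JSON-object-per-line log format (category, expected verdict, payload, HTTP status) rather than the framework's real schema, and assumes that a 403 or 406 status means the WAF blocked the request.

```python
"""Score WAF efficacy from a request/response log (added example).

The log format is an assumption for this example: one JSON object per
line with the payload category, whether the payload came from
true-positives.txt ("block") or false-positives.txt ("allow"), the
payload itself and the HTTP status the WAF answered with.
"""
import json
import re
from collections import defaultdict

# Constructed sample log; the status codes are invented for the example.
SAMPLE_LOG = """\
{"category": "xss", "expected": "block", "payload": "<svg onload=alert(1)>", "status": 403}
{"category": "xss", "expected": "block", "payload": "<svg onload=prompt(1)>", "status": 200}
{"category": "xss", "expected": "block", "payload": "<svg onload=confirm(1)>", "status": 200}
{"category": "xss", "expected": "block", "payload": "<script>alert(1)</script>", "status": 403}
{"category": "xss", "expected": "block", "payload": "<script>prompt(1)</script>", "status": 403}
{"category": "xss", "expected": "block", "payload": "<script>confirm(1)</script>", "status": 403}
{"category": "xss", "expected": "allow", "payload": "please alert the team", "status": 403}
{"category": "xss", "expected": "allow", "payload": "hello world", "status": 200}
{"category": "sqli", "expected": "block", "payload": "' OR 1=1--", "status": 403}
{"category": "sqli", "expected": "allow", "payload": "O'Brien", "status": 200}
"""

# Assumption: these statuses are what the WAF under test returns on a block.
BLOCK_STATUSES = {403, 406}


def parse_log(text):
    """Parse the line-delimited JSON log into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def blocked(entry):
    return entry["status"] in BLOCK_STATUSES


def score(entries):
    """Per category: detection rate (true positives that were blocked) and
    false-positive rate (benign payloads that were blocked)."""
    stats = defaultdict(lambda: {"tp_total": 0, "tp_blocked": 0,
                                 "fp_total": 0, "fp_blocked": 0})
    for e in entries:
        s = stats[e["category"]]
        if e["expected"] == "block":
            s["tp_total"] += 1
            s["tp_blocked"] += int(blocked(e))
        else:
            s["fp_total"] += 1
            s["fp_blocked"] += int(blocked(e))
    return {
        cat: {
            "detection_rate": s["tp_blocked"] / s["tp_total"] if s["tp_total"] else None,
            "false_positive_rate": s["fp_blocked"] / s["fp_total"] if s["fp_total"] else None,
        }
        for cat, s in stats.items()
    }


# The three variants this collection ships for most XSS payloads.
VARIANT_RE = re.compile(r"\b(alert|prompt|confirm)\(")


def variant_key(payload):
    """Collapse alert()/prompt()/confirm() to one key so the three
    variants of the same payload can be compared with each other."""
    return VARIANT_RE.sub("FN(", payload)


def find_partial_coverage(entries):
    """Payload families where some variants were blocked and others were
    not. A rule that only matches alert() shows up here as a bypass."""
    families = defaultdict(dict)
    for e in entries:
        if e["expected"] != "block":
            continue
        m = VARIANT_RE.search(e["payload"])
        if not m:
            continue
        families[variant_key(e["payload"])][m.group(1)] = blocked(e)
    return {
        key: verdicts
        for key, verdicts in families.items()
        if any(verdicts.values()) and not all(verdicts.values())
    }


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(json.dumps(score(log), indent=2))
    print(json.dumps(find_partial_coverage(log), indent=2))
```

On the constructed log, the xss category scores a 4/6 detection rate with one of two benign samples wrongly blocked, and the `<svg onload=...>` family is reported as partially covered because only its alert() variant was blocked; that is exactly the kind of alert()-only rule the three-variant payloads are meant to expose.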

Disclaimer

We do not claim any copyright. This is just a collection of payloads from different sources. Most of them are MIT licensed, and you have to comply with the terms of the licenses used.