InformatiQ-Toolkit/config/payloads.conf

# Known attack payload regex patterns
# One pattern per line, these are checked against request parameters and user input
# Lines starting with # are comments

# XSS attack patterns
# Pattern for alert/prompt/confirm execution
/(?:<|%3C|&lt;)(?:script|iframe|svg|img|a).*?(?:alert|prompt|confirm|eval)\s*\(.*?\)/i
# Pattern for script injection
/(?:<|%3C|&lt;)script.*?(?:>|%3E|&gt;)/i
# Pattern for event handlers like onerror, onload, etc.
/\bon(?:error|load|click|mouseover|focus|blur)\s*=\s*["']?(?:alert|prompt|confirm|eval)/i
# Pattern for javascript: protocol
/javascript\s*:\s*(?:alert|prompt|confirm|eval)/i
# Pattern for data URI scheme with script
/data\s*:\s*(?:text|application)\/(?:javascript|html).*?base64/i

# SQL Injection patterns
# Pattern for basic SQL injection attempts
/(?:'\s*OR\s*'[\w\d]+'?\s*=\s*'[\w\d]+)|(?:"\s*OR\s*"[\w\d]+"?\s*=\s*"[\w\d]+")/i
# Pattern for SQL comments
/(?:--|#|\/\*)[^\w\d]*(?:union|select|insert|update|delete|drop|alter)/i
# Pattern for UNION SELECT attempts
/union\s+(?:all\s+)?select/i
# Pattern for SQL batch commands
/;\s*(?:drop|alter|create|truncate|rename|insert|update|delete)/i

# Remote file inclusion patterns
# Pattern for external URL inclusion
/(?:https?|ftp|php|data|file):\/\/[^\s\n"')>]+/i
# Pattern for directory traversal
/(?:\.\.\/|\.\.\\|\.\.\%2f|\.\.\%5c)[^\s\n"')>]+/i
# Pattern for PHP wrapper usage
/php:\/\/(?:filter|input|memory|output|temp)/i

# Command injection patterns
# Pattern for shell command execution
/[;&|`]\s*(?:ls|cat|cd|pwd|echo|rm|cp|mv|sudo|chmod|chown|wget|curl)/i
# Pattern for command substitution
/\$\([^\)]*\)|`[^`]*`/i
# Pattern for direct system command injection
/system\s*\(|exec\s*\(|shell_exec\s*\(|passthru\s*\(|eval\s*\(/i

# Local file inclusion patterns
# Pattern for path traversal
/(?:\/|\\|\.\.|%2f|%5c)(?:etc|bin|usr|home|var|root|windows|system32)/i
# Pattern for sensitive file access
/(?:\/|\\|\.\.|%2f|%5c)(?:passwd|shadow|hosts|config|wp-config|web\.config)/i

# XML/XXE injection patterns
/<!(?:DOCTYPE|ENTITY)[\s\S]*?(?:SYSTEM|PUBLIC)[\s\S]*?["']/i

# CSRF token extraction
/(?:csrf|xsrf|token|auth)["']?\s*[:=]\s*["']?[a-zA-Z0-9_-]+/i

# Serialization attacks
/[ORCo]:[0-9]+:/i

# General suspicious patterns
# Pattern for base64 encoded payloads
/(?:[A-Za-z0-9+\/]{20,}={0,2})/
# Pattern for hex encoded payloads
/(?:0x[A-Fa-f0-9]{10,})/
# Pattern for URL encoded characters sequence
/(?:%[0-9A-Fa-f]{2}){8,}/
# Pattern for large number of special characters
/[!@#$%^&*()_+\-=\[\]{}|;':",./<>?]{10,}/