Detector Reference
One page per detector. Each follows the same five-section template: what it catches, sample payload (before / after), configuration knobs, how to disable, references to OWASP/CWE/MITRE. Use this as a quick scan when investigating a blocked request.
Injection
| Detector | What it catches | Reference |
| --- | --- | --- |
| XSS | Script tags, event handlers, javascript:, SVG onload | OWASP XSS |
| SQL Injection | Keywords, boolean logic, time-based blind | OWASP SQLi |
| NoSQL Injection | 35 MongoDB operators ($gt, $where, ...) | CWE-943 |
| Command Injection | Shell metacharacters, subshells, ${IFS} bypass | CWE-78 |
| Path Traversal | ../, encoded variants, NFKC fullwidth bypass | CWE-22 |
| Prototype Pollution | __proto__, constructor, 7 dangerous keys | CWE-1321 |
Template + XML injection
| Detector | What it catches | Reference |
| --- | --- | --- |
| SSTI | Jinja2 {{, Twig, ERB, Pug, Python dunder chains | CWE-1336 |
| XXE | DOCTYPE, ENTITY, SYSTEM / PUBLIC, parameter entities | CWE-611 |
| LDAP Injection | Filter syntax injection, escape sequences | CWE-90 |
| XPath Injection | XPath predicate manipulation | CWE-643 |
Auth, request shape, output
| Detector | What it catches | Reference |
| --- | --- | --- |
| CSRF | Missing or invalid double-submit + HMAC token | CWE-352 |
| SSRF | Private IPs, cloud metadata, IP encoding tricks, DNS TOCTOU | CWE-918 |
| Open Redirect | External hosts, javascript:, protocol-relative URLs | CWE-601 |
| Header Injection | CRLF in header values, response splitting, null bytes | CWE-113 |
| HPP (Parameter Pollution) | Duplicate query/body keys | CWE-235 |
AI-era detectors (v1.6)
Page template
Every detector page below carries the same five sections:
- What it catches — one-paragraph description of the threat class
- Sample payload — before / after string transformation, or block decision
- Configuration — options object, defaults, JSON shape
- Disable / dry-run — explicit { block: false } / onSanitize example
- References — OWASP, CWE, MITRE ATT&CK, relevant CVEs
Every detector runs on top of NFKC normalization + a multi-decode chain (v1.6). Fullwidth and encoded variants of payloads reach the detector as their canonical ASCII form. See Bypass resistance for the engine details.