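#!/bin/bash
# Header injection / smuggling / spoofing tests
#
# Sends a fixed set of requests to "$TARGET/" (spoofed forwarding headers,
# unusual HTTP methods, a method-override header, foreign Host values) and
# appends "[status] description" lines to "$OUT/summary.txt".
# None of the requests below exercises request smuggling, despite the title.
#
# Reading the results: only the HTTP status code is recorded. A 2xx next to a
# spoofed forwarding header does not show whether the header was trusted; to
# confirm that, compare the client address the WAF/origin logged for the
# request with the real source address. curl prints 000 when it received no
# HTTP response at all (timeout, reset, TLS failure).
#
# curl flags used throughout: -s silent, -k skip TLS certificate verification,
# -o /dev/null discard the body, -w '%{http_code}' print only the status.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Stop here if the shared configuration cannot be loaded; continuing would
# fill the summary with meaningless 000 results.
source "$SCRIPT_DIR/../config.sh" || {
  printf 'error: cannot load %s\n' "$SCRIPT_DIR/../config.sh" >&2
  exit 1
}

# TARGET and OUT are read but never defined in this file (presumably set by
# config.sh). An empty OUT would make the mkdir below create /headers at the
# filesystem root, and an empty TARGET would send every request to "/".
: "${TARGET:?TARGET is not set (expected from config.sh)}"
: "${OUT:?OUT is not set (expected from config.sh)}"

OUT="$OUT/headers"
mkdir -p -- "$OUT" || exit 1

#######################################
# Send one request to "$TARGET/" and record its status code.
# Globals:   TARGET (read), OUT (read)
# Arguments: $1 - description written next to the status code
#            $2.. - extra curl arguments for this request
# Outputs:   "[status] description" to stdout and to "$OUT/summary.txt"
#######################################
_hdr_probe() {
  local label=$1
  shift
  local status
  status=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 "$@" "$TARGET/")
  printf '[%s] %s\n' "$status" "$label" | tee -a "$OUT/summary.txt"
}

# No -a here: each run starts a fresh summary file.
echo '=== HEADER INJECTION & SPOOFING TESTS ===' | tee "$OUT/summary.txt"

# IP spoofing via forwarding headers (WAF should ignore/distrust these)
echo '--- IP Spoofing Headers ---' | tee -a "$OUT/summary.txt"
SPOOF_HEADERS=(
  'X-Forwarded-For: 127.0.0.1'
  'X-Forwarded-For: 10.0.0.1'
  'X-Real-IP: 127.0.0.1'
  'X-Originating-IP: 127.0.0.1'
  'X-Remote-IP: 127.0.0.1'
  'X-Client-IP: 127.0.0.1'
  'True-Client-IP: 127.0.0.1'
  'CF-Connecting-IP: 127.0.0.1'
  'X-Forwarded-For: ::1'
)
for h in "${SPOOF_HEADERS[@]}"; do
  _hdr_probe "$h" -H "$h"
done

# HTTP method override
echo '' | tee -a "$OUT/summary.txt"
echo '--- Method Override ---' | tee -a "$OUT/summary.txt"
for meth in 'DELETE' 'TRACE' 'OPTIONS' 'CONNECT' 'PATCH'; do
  _hdr_probe "Method: $meth" -X "$meth"
done

# Method override via headers: the request line says POST, the header asks
# the backend to treat it as DELETE.
echo '' | tee -a "$OUT/summary.txt"
echo '--- Method Override via Headers ---' | tee -a "$OUT/summary.txt"
_hdr_probe 'POST + X-HTTP-Method-Override: DELETE' \
  -X POST -H 'X-HTTP-Method-Override: DELETE'

# Host header injection: the connection still goes to $TARGET, only the Host
# value differs.
echo '' | tee -a "$OUT/summary.txt"
echo '--- Host Header Injection ---' | tee -a "$OUT/summary.txt"
HOSTS=('evil.com' 'localhost' '127.0.0.1' 'pqcrypta.com.evil.com' 'pqcrypta.com@evil.com')
for h in "${HOSTS[@]}"; do
  _hdr_probe "Host: $h" -H "Host: $h"
done

# Content-Type confusion
echo '' | tee -a "$OUT/summary.txt"
echo '--- Content-Type Confusion ---' | tee -a "$OUT/summary.txt"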
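# Content-Type confusion requests: the same kind of body sent under two
# different Content-Type values. Only the status code is recorded; curl prints
# 000 when no HTTP response was received.
#
# NOTE(review): the form body below is just 'data=' although the summary label
# says "XSS payload". The value looks like it was lost before this file was
# saved, so as written this line records the response to an empty form field.
# Confirm against the original script before relying on this result.
resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 -X POST \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'data=' "$TARGET/")
echo "[$resp] POST form with XSS payload" | tee -a "$OUT/summary.txt"

# Same marker string, written with JSON \u escapes; a filter that inspects the
# body before JSON decoding sees no literal angle brackets.
resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 -X POST \
  -H 'Content-Type: application/json' \
  -d '{"query":"\u003cscript\u003ealert(1)\u003c/script\u003e"}' "$TARGET/")
echo "[$resp] POST JSON with unicode-escaped XSS" | tee -a "$OUT/summary.txt"

cat "$OUT/summary.txt"

# ── IPv6 Variants ──────────────────────────────────────────────────────────────
# Pick the results file first, then make sure its directory exists, so the
# section header and the results land in the same file. "$OUT/header_inject"
# is not created anywhere else in this script; without the mkdir every
# `tee -a "$OUT_FILE"` below fails and the IPv6 results reach stdout only.
# NOTE(review): OUT already points at the per-script output directory here, so
# these paths are nested under it; confirm this is the intended location.
OUT_FILE="$OUT/03_header_injection.txt"
[ -f "$OUT_FILE" ] || OUT_FILE="$OUT/header_inject/summary.txt"
mkdir -p -- "${OUT_FILE%/*}" ||
  printf 'warning: cannot create %s; IPv6 results will not be saved\n' "${OUT_FILE%/*}" >&2
echo "--- IPv6 Header / SSRF Variants ---" | tee -a "$OUT_FILE"

# Different spellings of the loopback address (bracketed, compressed,
# expanded, IPv4-mapped). A filter that matches one spelling as text misses
# the others, so the front end should treat them all alike.
IPV6_LOOPBACK_VARIANTS=(
  "[::1]"
  "::1"
  "0:0:0:0:0:0:0:1"
  "::ffff:127.0.0.1"
  "[::ffff:127.0.0.1]"
  "0000:0000:0000:0000:0000:0000:0000:0001"
)

# BROWSER_UA is not defined in this file (presumably set by config.sh); if it
# is empty, curl is given an empty -A value.
for IPV6 in "${IPV6_LOOPBACK_VARIANTS[@]}"; do
  CODE=$(curl -sk --http2 -o /dev/null -w '%{http_code}' --max-time 8 \
    -A "$BROWSER_UA" \
    -H "X-Forwarded-For: $IPV6" \
    "$TARGET/")
  printf '[%s] IPv6 XFF spoof: X-Forwarded-For: %s\n' "$CODE" "$IPV6" | tee -a "$OUT_FILE"
done

# IPv6 in Host header
for IPV6 in "[::1]" "[::ffff:127.0.0.1]"; do
  CODE=$(curl -sk --http2 -o /dev/null -w '%{http_code}' --max-time 8 \
    -A "$BROWSER_UA" -H "Host: $IPV6" "$TARGET/")
  printf '[%s] IPv6 Host header: %s\n' "$CODE" "$IPV6" | tee -a "$OUT_FILE"
done

# IPv6 SSRF probe variants: each URL is percent-encoded and passed in the
# "url" query parameter. The status code shows how the front end answered,
# not whether the backend attempted the fetch; check backend/egress logs for
# that.
# INTERNAL_API_PORT is not defined in this file (presumably set by config.sh);
# if it is empty the first URL carries an empty port.
for IPV6 in "http://[::1]:${INTERNAL_API_PORT}/status" "http://[::ffff:127.0.0.1]/admin/" "http://[::]:80/"; do
  # The value reaches python3 as argv, not interpolated into the code string.
  # quote() leaves "/" unescaped by default.
  ENC=$(python3 -c "import urllib.parse,sys; print(urllib.parse.quote(sys.argv[1]))" "$IPV6")
  CODE=$(curl -sk --http2 -o /dev/null -w '%{http_code}' --max-time 8 \
    -A "$BROWSER_UA" "$TARGET/?url=$ENC")
  printf '[%s] IPv6 SSRF probe: %s\n' "$CODE" "$IPV6" | tee -a "$OUT_FILE"
done

echo ""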