diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh
index f89f741..8e8911a 100644
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -11,7 +11,7 @@
 # Returns: 0 (true) if SQL injection detected, 1 (false) if not
 detect_sql_injection() {
 local url="$1"
- local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+ local url_lower="${url,,}"
 # Enhanced SQL injection patterns
 if [[ "$url_lower" =~ (union.*select|concat\(|benchmark\(|sleep\(|waitfor|cast\(|exec\() ]] ||
@@ -26,7 +26,7 @@ detect_sql_injection() {
 # XSS (Cross-Site Scripting) Detection
 detect_xss() {
 local url="$1"
- local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+ local url_lower="${url,,}"
 if [[ "$url_lower" =~ () ]] ||
@@ -208,7 +208,7 @@ detect_encoding_bypass() {
 # Suspicious User-Agent Detection
 detect_suspicious_ua() {
 local user_agent="$1"
- local ua_lower=$(echo "$user_agent" | tr '[:upper:]' '[:lower:]')
+ local ua_lower="${user_agent,,}"
 # Empty or missing UA (common in automated attacks)
 if [ -z "$user_agent" ] || [ "$user_agent" = "-" ]; then
@@ -267,7 +267,7 @@ detect_anonymizer() {
 # Advanced Bot Fingerprinting (behavior-based)
 detect_bot_fingerprint() {
 local user_agent="$1"
- local ua_lower=$(echo "$user_agent" | tr '[:upper:]' '[:lower:]')
+ local ua_lower="${user_agent,,}"
 # Headless browser detection
 if [[ "$ua_lower" =~ (headless|phantom|selenium|puppeteer|playwright|chromium.*headless) ]] ||
@@ -294,7 +294,7 @@ detect_bot_fingerprint() {
 detect_credential_stuffing() {
 local url="$1"
 local method="${2:-GET}"
- local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+ local url_lower="${url,,}"
 # Must be POST to login endpoints
 if [ "$method" != "POST" ]; then
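Review bot: `${url,,}` in detect_sql_injection lowercases according to the process locale (LC_CTYPE), so the string these regexes see now depends on how the host is configured; in a Turkish locale, for example, `I` can become dotless `ı` and `UNION` would no longer match `union`. The same expansion is added in every other hunk of this diff, so the point applies to all of the detectors touched here. Pinning the locale where the library is loaded, or adding `local LC_ALL=C` ahead of the expansion, keeps the matching byte-wise and reproducible across hosts. The expansion also needs bash 4.0 or newer and fails with a bad-substitution error on an older bash rather than falling back. No version guard is visible in these hunks, so a check such as `(( BASH_VERSINFO[0] >= 4 ))` at source time would turn that into one explicit failure instead of detectors that error on every call.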
@@ -316,7 +316,7 @@ detect_credential_stuffing() {
 detect_api_abuse() {
 local url="$1"
 local method="${2:-GET}"
- local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+ local url_lower="${url,,}"
 # API endpoint patterns
 if [[ "$url_lower" =~ (/api/|/v[0-9]+/|/rest/|/graphql|/webhook) ]] ||
@@ -342,7 +342,7 @@ detect_api_abuse() {
 # Content Management System (CMS) Vulnerability Probing
 detect_cms_exploit() {
 local url="$1"
- local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+ local url_lower="${url,,}"
 # WordPress vulnerabilities
 if [[ "$url_lower" =~ (wp-content/plugins/.*\.\.|wp-content/themes/.*\.\.) ]] ||
@@ -375,7 +375,7 @@ detect_cms_exploit() {
 # E-commerce Platform Exploitation
 detect_ecommerce_exploit() {
 local url="$1"
- local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+ local url_lower="${url,,}"
 # Shopping cart manipulation
 if [[ "$url_lower" =~ (price=0|price=-|quantity=-|discount=100) ]] ||
@@ -402,7 +402,7 @@ detect_ecommerce_exploit() {
 detect_http_smuggling() {
 local url="$1"
 local headers="${2:-}"
- local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+ local url_lower="${url,,}"
 # Content-Length and Transfer-Encoding manipulation
 if [[ "$headers" =~ content-length.*transfer-encoding ]] ||
@@ -431,7 +431,7 @@ detect_http_smuggling() {
 # Resource Exhaustion / DoS Detection
 detect_resource_exhaustion() {
 local url="$1"
- local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+ local url_lower="${url,,}"
 # Billion laughs / XML bomb patterns
 if [[ "$url_lower" =~ (|<|~|%2a|%28|%29|%26|%7c|%21) ]]; then
@@ -520,7 +520,7 @@ detect_ldap_injection() {
 detect_file_upload_exploit() {
 local url="$1"
 local method="${2:-GET}"
- local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+ local url_lower="${url,,}"
 # Must be POST or PUT (upload operations)
 if [[ "$method" != "POST" ]] && [[ "$method" != "PUT" ]]; then
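Review bot: In detect_http_smuggling the first test matches the raw `$headers` against the lowercase pattern `content-length.*transfer-encoding`, while only the URL is lowercased on the changed line. Header names are case-insensitive, so headers written as `Content-Length` and `Transfer-Encoding` would not be flagged unless the caller already lowercases them or `nocasematch` is set somewhere outside this hunk. Lowercasing the headers the same way would close that gap: `local headers_lower="${headers,,}"` and then `[[ "$headers_lower" =~ content-length.*transfer-encoding ]]`. The rest of the function lies outside the hunk, so any later tests on `$headers` may need the same change.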
@@ -558,7 +558,7 @@ detect_file_upload_exploit() {
 detect_graphql_abuse() {
 local url="$1"
 local method="${2:-GET}"
- local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+ local url_lower="${url,,}"
 # GraphQL endpoint
 if [[ "$url_lower" =~ (/graphql|/api/graphql|/query|/api/query) ]]; then