diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh
index 04a326c..f89f741 100644
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -398,6 +398,194 @@ detect_ecommerce_exploit() {
 return 1
 }
+# HTTP Request Smuggling Detection
+detect_http_smuggling() {
+ local url="$1"
+ local headers="${2:-}"
+ local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+ # Content-Length and Transfer-Encoding manipulation
+ if [[ "$headers" =~ content-length.*transfer-encoding ]] ||
+ [[ "$headers" =~ transfer-encoding.*chunked.*content-length ]]; then
+ return 0
+ fi
+
+ # Double Content-Length headers
+ if [[ "$headers" =~ content-length.*content-length ]]; then
+ return 0
+ fi
+
+ # Suspicious chunked encoding patterns
+ if [[ "$url_lower" =~ (\r\n|\n|%0d%0a|%0a|\\r\\n|\\n) ]]; then
+ return 0
+ fi
+
+ # CRLF injection attempts
+ if [[ "$url" =~ (%0d%0a|%0a%0d|%0d|%0a|\r\n|\n\r) ]]; then
+ return 0
+ fi
+
+ return 1
+}
+
+# Resource Exhaustion / DoS Detection
+detect_resource_exhaustion() {
+ local url="$1"
+ local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+ # Billion laughs / XML bomb patterns
+ if [[ "$url_lower" =~ (|<|~|%2a|%28|%29|%26|%7c|%21) ]]; then
+ # LDAP filter patterns
+ if [[ "$url_lower" =~ (cn=|uid=|ou=|dc=|objectclass=) ]] ||
+ [[ "$url_lower" =~ (\(\*|\*\)|&\(|\|\() ]]; then
+ return 0
+ fi
+
+ # LDAP injection patterns
+ if [[ "$url" =~ (\)\(\||admin\)\(|\*\)\(|pwd=\*) ]]; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
+# File Upload Vulnerability Detection
+detect_file_upload_exploit() {
+ local url="$1"
+ local method="${2:-GET}"
+ local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+ # Must be POST or PUT (upload operations)
+ if [[ "$method" != "POST" ]] && [[ "$method" != "PUT" ]]; then
+ return 1
+ fi
+
+ # Suspicious file upload endpoints
+ if [[ "$url_lower" =~ (/upload|/file|/attachment|/media|/document) ]]; then
+ # Double extension attempts
+ if [[ "$url_lower" =~ \.(php|jsp|asp|aspx|cgi|pl)\.(jpg|jpeg|png|gif|txt|pdf) ]] ||
+ [[ "$url_lower" =~ \.(jpg|jpeg|png|gif)\.php ]]; then
+ return 0
+ fi
+
+ # Null byte injection
+ if [[ "$url" =~
(%00|\\x00|\x00) ]]; then
+ return 0
+ fi
+
+ # Path traversal in filename
+ if [[ "$url_lower" =~ (filename=.*\.\.|name=.*\.\.) ]]; then
+ return 0
+ fi
+
+ # Executable file uploads
+ if [[ "$url_lower" =~ \.(php|php3|php4|php5|phtml|phar|jsp|jspx|asp|aspx|asa|cer|cdx|shtm|shtml|swf|war) ]]; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
+# GraphQL Introspection / Query Complexity
+detect_graphql_abuse() {
+ local url="$1"
+ local method="${2:-GET}"
+ local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+ # GraphQL endpoint
+ if [[ "$url_lower" =~ (/graphql|/api/graphql|/query|/api/query) ]]; then
+ # Introspection query patterns
+ if [[ "$url_lower" =~ (__schema|__type|introspectionquery) ]]; then
+ return 0
+ fi
+
+ # Deeply nested queries (query complexity attack)
+ if [[ "$url" =~ (\{.*\{.*\{.*\{.*\{) ]]; then
+ return 0
+ fi
+
+ # Batch query abuse
+ if [[ "$url" =~ (\[.*\{.*\}.*,.*\{.*\}.*,.*\{.*\}.*\]) ]]; then
+ return 0
+ fi
+
+ # Recursive fragment patterns
+ if [[ "$url_lower" =~ (fragment.*on.*fragment) ]]; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
 # Detect all attack vectors for a URL
 # Returns: attack_type1,attack_type2,... or empty if none
 # Parameters: url method user_agent ip
@@ -428,6 +616,14 @@ detect_all_attacks() {
 detect_cms_exploit "$url" && attacks+=("CMS_EXPLOIT")
 detect_ecommerce_exploit "$url" && attacks+=("ECOMMERCE_EXPLOIT")
+ # Advanced protocol attacks
+ detect_http_smuggling "$url" && attacks+=("HTTP_SMUGGLING")
+ detect_resource_exhaustion "$url" && attacks+=("RESOURCE_EXHAUSTION")
+ detect_open_redirect "$url" && attacks+=("OPEN_REDIRECT")
+ detect_ldap_injection "$url" && attacks+=("LDAP_INJECTION")
+ detect_file_upload_exploit "$url" "$method" && attacks+=("FILE_UPLOAD_EXPLOIT")
+ detect_graphql_abuse "$url" "$method" && attacks+=("GRAPHQL_ABUSE")
+
 # User-Agent based detection
 if [ -n "$user_agent" ]; then
 detect_suspicious_ua "$user_agent" && attacks+=("SUSPICIOUS_UA")
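Review bot: In detect_http_smuggling the unquoted `\r` and `\n` inside the `[[ =~ ]]` patterns are backslash-quoted letters, not control characters, so the "Suspicious chunked encoding" check `(\r\n|\n|%0d%0a|%0a|\\r\\n|\\n)` matches any URL containing the letter n and the CRLF check below it likewise matches `rn`/`nr`; combined with the CRITICAL weight this would flag almost every request. Bash needs the real characters, e.g. `local cr=$'\r' nl=$'\n'` followed by `if [[ "$url_lower" =~ ($cr$nl|$nl|%0d%0a|%0a|\\r\\n|\\n) ]]; then` and `if [[ "$url" =~ (%0d%0a|%0a%0d|%0d|%0a|$cr$nl|$nl$cr) ]]; then`; the same applies to `\x00` in detect_file_upload_exploit, which matches the literal text x00. As rendered here, the first alternative of detect_resource_exhaustion's `(|<|~|%2a|…)` pattern is empty and therefore matches every string, and LDAP checks sit under a "Billion laughs / XML bomb" comment, which suggests lines were lost from this hunk and is worth re-checking against the committed file. The `local url_lower=$(echo "$url" | tr …)` declarations repeated in each new function also mask the pipeline's exit status and let `echo` misparse a value starting with `-n`; `local url_lower; url_lower=$(printf '%s' "$url" | tr '[:upper:]' '[:lower:]')` or simply `local url_lower=${url,,}` avoids both.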
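Review bot: detect_all_attacks calls `detect_http_smuggling "$url"` with no second argument, so the Content-Length/Transfer-Encoding checks in that function, which read `$headers`, never run from this path and only the URL-based checks contribute; either thread a headers value through detect_all_attacks or drop the unused parameter and document the detector as URL-only (note those header regexes also expect lowercase names, so any caller would have to lowercase the value first). The new block additionally calls detect_open_redirect and detect_ldap_injection, whose definitions do not appear in the visible part of this patch even though the previous hunk adds the other four detectors; if they are not defined elsewhere in the file, each request will print a "command not found" error to stderr and those two attack types can never be reported. detect_all_attacks begins and ends outside the hunk.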
@@ -474,6 +670,12 @@ calculate_attack_score() {
 [[ "$attacks" =~ (^|,)API_ABUSE(,|$) ]] && score=$((score + 12))
 [[ "$attacks" =~ (^|,)CMS_EXPLOIT(,|$) ]] && score=$((score + 16))
 [[ "$attacks" =~ (^|,)ECOMMERCE_EXPLOIT(,|$) ]] && score=$((score + 20))
+ [[ "$attacks" =~ (^|,)HTTP_SMUGGLING(,|$) ]] && score=$((score + 22))
+ [[ "$attacks" =~ (^|,)RESOURCE_EXHAUSTION(,|$) ]] && score=$((score + 14))
+ [[ "$attacks" =~ (^|,)OPEN_REDIRECT(,|$) ]] && score=$((score + 10))
+ [[ "$attacks" =~ (^|,)LDAP_INJECTION(,|$) ]] && score=$((score + 17))
+ [[ "$attacks" =~ (^|,)FILE_UPLOAD_EXPLOIT(,|$) ]] && score=$((score + 19))
+ [[ "$attacks" =~ (^|,)GRAPHQL_ABUSE(,|$) ]] && score=$((score + 13))
 echo "$score"
 }
@@ -503,6 +705,12 @@ get_attack_icon() {
 API_ABUSE) echo "⚡" ;;
 CMS_EXPLOIT) echo "đŸŽ¯" ;;
 ECOMMERCE_EXPLOIT) echo "đŸ’ŗ" ;;
+ HTTP_SMUGGLING) echo "đŸ“Ļ" ;;
+ RESOURCE_EXHAUSTION) echo "âąī¸ " ;;
+ OPEN_REDIRECT) echo "â†Šī¸ " ;;
+ LDAP_INJECTION) echo "đŸ—‚ī¸ " ;;
+ FILE_UPLOAD_EXPLOIT) echo "📤" ;;
+ GRAPHQL_ABUSE) echo "🔗" ;;
 BOT) echo "🤖" ;;
 SCANNER) echo "🔎" ;;
 *) echo "❓" ;;
@@ -514,9 +722,9 @@ get_attack_color() {
 local attack_type="$1"
 case "$attack_type" in
- SQL_INJECTION|RCE|TEMPLATE_INJECTION|ECOMMERCE_EXPLOIT) echo '\033[1;41;97m' ;; # White on Red (CRITICAL)
- XSS|PATH_TRAVERSAL|BRUTEFORCE|XXE|SSRF|NOSQL_INJECTION|ANONYMIZER|CREDENTIAL_STUFFING|CMS_EXPLOIT) echo '\033[1;31m' ;; # Bold Red (HIGH)
- INFO_DISCLOSURE|ADMIN_PROBE|ENCODING_BYPASS|SUSPICIOUS_UA|BOT_FINGERPRINT|API_ABUSE) echo '\033[1;33m' ;; # Bold Yellow (MEDIUM)
+ SQL_INJECTION|RCE|TEMPLATE_INJECTION|ECOMMERCE_EXPLOIT|HTTP_SMUGGLING) echo '\033[1;41;97m' ;; # White on Red (CRITICAL)
+ XSS|PATH_TRAVERSAL|BRUTEFORCE|XXE|SSRF|NOSQL_INJECTION|ANONYMIZER|CREDENTIAL_STUFFING|CMS_EXPLOIT|LDAP_INJECTION|FILE_UPLOAD_EXPLOIT) echo '\033[1;31m' ;; # Bold Red (HIGH)
+ INFO_DISCLOSURE|ADMIN_PROBE|ENCODING_BYPASS|SUSPICIOUS_UA|BOT_FINGERPRINT|API_ABUSE|RESOURCE_EXHAUSTION|GRAPHQL_ABUSE|OPEN_REDIRECT) echo '\033[1;33m' ;; # Bold Yellow (MEDIUM)
 *) echo '\033[0;36m' ;; # Cyan (LOW)
 esac
 }
@@ -540,6 +748,12 @@ export -f detect_credential_stuffing
 export -f detect_api_abuse
 export -f detect_cms_exploit
 export -f detect_ecommerce_exploit
+export -f detect_http_smuggling
+export -f detect_resource_exhaustion
+export -f detect_open_redirect
+export -f detect_ldap_injection
+export -f detect_file_upload_exploit
+export -f detect_graphql_abuse
 export -f detect_all_attacks
 export -f calculate_attack_score
 export -f get_attack_icon