diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh
index c755664..04a326c 100644
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -290,6 +290,114 @@ detect_bot_fingerprint() {
 return 1
 }
 
+# Credential Stuffing / Password Spraying Detection
+detect_credential_stuffing() {
+ local url="$1"
+ local method="${2:-GET}"
+ local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+ # Must be POST to login endpoints
+ if [ "$method" != "POST" ]; then
+ return 1
+ fi
+
+ # Common credential stuffing targets
+ if [[ "$url_lower" =~ (wp-login\.php|xmlrpc\.php) ]] ||
+ [[ "$url_lower" =~ (/login|/signin|/auth|/authenticate|/session) ]] ||
+ [[ "$url_lower" =~ (/api/login|/api/auth|/api/token|/oauth/token) ]] ||
+ [[ "$url_lower" =~ (/user/login|/account/login|/customer/login) ]]; then
+ return 0
+ fi
+
+ return 1
+}
+
+# API Abuse Detection
+detect_api_abuse() {
+ local url="$1"
+ local method="${2:-GET}"
+ local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+ # API endpoint patterns
+ if [[ "$url_lower" =~ (/api/|/v[0-9]+/|/rest/|/graphql|/webhook) ]] ||
+ [[ "$url_lower" =~ \.json(\?|$)|\.xml(\?|$) ]]; then
+
+ # Suspicious API patterns
+ if [[ "$url_lower" =~ (/api/.*admin|/api/.*debug|/api/.*test|/api/.*internal) ]] ||
+ [[ "$url_lower" =~ (/api/users/all|/api/.*dump|/api/.*export|/api/backup) ]] ||
+ [[ "$url_lower" =~ (/api/.*delete|/api/.*drop|/api/.*truncate) ]]; then
+ return 0
+ fi
+
+ # Mass data extraction attempts
+ if [[ "$url_lower" =~ (limit=[0-9]{4,}|limit=999|per_page=[0-9]{3,}) ]] ||
+ [[ "$url_lower" =~ (offset=[0-9]{5,}|page=[0-9]{3,}) ]]; then
+ return 0
+ fi
+ fi
+
+ return 1
+}
+
+# Content Management System (CMS) Vulnerability Probing
+detect_cms_exploit() {
+ local url="$1"
+ local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+ # WordPress vulnerabilities
+ if [[ "$url_lower" =~ (wp-content/plugins/.*\.\.|wp-content/themes/.*\.\.) ]] ||
+ [[ "$url_lower" =~ (wp-json/wp/v2/users|wp-json/.*users) ]] ||
+ [[ "$url_lower" =~ (wp-config\.php|wp-admin/install\.php|wp-admin/setup-config\.php) ]]; then
+ return 0
+ fi
+
+ # Drupal vulnerabilities
+ if [[ "$url_lower" =~ (/user/register|/user/password|/?q=node/add) ]] ||
+ [[ "$url_lower" =~ (drupalgeddon|sites/default/files/\.\./) ]]; then
+ return 0
+ fi
+
+ # Joomla vulnerabilities
+ if [[ "$url_lower" =~ (index\.php\?option=com_|/configuration\.php) ]] ||
+ [[ "$url_lower" =~ (com_foxcontact|com_fabrik|com_user) ]]; then
+ return 0
+ fi
+
+ # Generic CMS probing
+ if [[ "$url_lower" =~ (readme\.html|license\.txt|changelog\.txt) ]] ||
+ [[ "$url_lower" =~ (/install/|/setup/|/upgrade/|/migration/) ]]; then
+ return 0
+ fi
+
+ return 1
+}
+
+# E-commerce Platform Exploitation
+detect_ecommerce_exploit() {
+ local url="$1"
+ local url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+ # Shopping cart manipulation
+ if [[ "$url_lower" =~ (price=0|price=-|quantity=-|discount=100) ]] ||
+ [[ "$url_lower" =~ (total=0|amount=0\.0|cost=0) ]]; then
+ return 0
+ fi
+
+ # Payment bypass attempts
+ if [[ "$url_lower" =~ (payment.*bypass|order.*complete|checkout.*skip) ]] ||
+ [[ "$url_lower" =~ (invoice.*paid|transaction.*success) ]]; then
+ return 0
+ fi
+
+ # Common e-commerce platforms
+ if [[ "$url_lower" =~ (magento.*admin|shopify.*admin|woocommerce.*admin) ]] ||
+ [[ "$url_lower" =~ (/admin/sales/|/admin/order/|/admin/customer/) ]]; then
+ return 0
+ fi
+
+ return 1
+}
+
 # Detect all attack vectors for a URL
 # Returns: attack_type1,attack_type2,... or empty if none
 # Parameters: url method user_agent ip
@@ -300,7 +408,7 @@ detect_all_attacks() {
 local ip="${4:-}"
 local attacks=()
 
- # URL-based detection
+ # URL-based detection (OWASP Top 10 + Modern Vectors)
 detect_sql_injection "$url" && attacks+=("SQL_INJECTION")
 detect_xss "$url" && attacks+=("XSS")
 detect_path_traversal "$url" && attacks+=("PATH_TRAVERSAL")
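Review bot: `detect_credential_stuffing` reports CREDENTIAL_STUFFING for any single POST whose path contains `/login`, `/auth` or `/session`, so every legitimate sign-in is flagged; stuffing and spraying are volume patterns across many requests or accounts, and this function only establishes that a login endpoint was hit once. Either make the name honest and add a header comment such as `# Flags a single POST to a login endpoint; the caller must apply per-IP or per-account request thresholds before treating it as stuffing`, or have `detect_all_attacks` count matches per source IP before emitting the type. In `detect_api_abuse`, `local method="${2:-GET}"` is assigned but never read even though the later `detect_all_attacks` hunk passes `"$method"` to it; either gate the destructive patterns (`/api/.*delete`, `/api/.*drop`) on the method or drop the parameter. In `detect_cms_exploit` the Drupal alternative `/?q=node/add` has an unescaped `?`, so it is a quantifier making the slash optional rather than the literal query separator (the intended literal is `/\?q=node/add`), and `/user/password` and `/user/register` in the same branch are the ordinary password-reset and registration forms, which will be reported as CMS_EXPLOIT on every visit. All four helpers also use `local url_lower=$(…)`, which masks the substitution's exit status (ShellCheck SC2155); since the file already relies on `[[` and arrays, `local url_lower=${url,,}` avoids both the subshell and passing arbitrary request data through `echo`.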
@@ -314,6 +422,12 @@ detect_all_attacks() {
 detect_template_injection "$url" && attacks+=("TEMPLATE_INJECTION")
 detect_encoding_bypass "$url" && attacks+=("ENCODING_BYPASS")
 
+ # Application-specific detection
+ detect_credential_stuffing "$url" "$method" && attacks+=("CREDENTIAL_STUFFING")
+ detect_api_abuse "$url" "$method" && attacks+=("API_ABUSE")
+ detect_cms_exploit "$url" && attacks+=("CMS_EXPLOIT")
+ detect_ecommerce_exploit "$url" && attacks+=("ECOMMERCE_EXPLOIT")
+
 # User-Agent based detection
 if [ -n "$user_agent" ]; then
 detect_suspicious_ua "$user_agent" && attacks+=("SUSPICIOUS_UA")
@@ -356,6 +470,10 @@ calculate_attack_score() {
 [[ "$attacks" =~ (^|,)SUSPICIOUS_UA(,|$) ]] && score=$((score + 10))
 [[ "$attacks" =~ (^|,)BOT_FINGERPRINT(,|$) ]] && score=$((score + 8))
 [[ "$attacks" =~ (^|,)ANONYMIZER(,|$) ]] && score=$((score + 15))
+ [[ "$attacks" =~ (^|,)CREDENTIAL_STUFFING(,|$) ]] && score=$((score + 18))
+ [[ "$attacks" =~ (^|,)API_ABUSE(,|$) ]] && score=$((score + 12))
+ [[ "$attacks" =~ (^|,)CMS_EXPLOIT(,|$) ]] && score=$((score + 16))
+ [[ "$attacks" =~ (^|,)ECOMMERCE_EXPLOIT(,|$) ]] && score=$((score + 20))
 
 echo "$score"
 }
@@ -381,6 +499,10 @@ get_attack_icon() {
 SUSPICIOUS_UA) echo "🎭" ;;
 BOT_FINGERPRINT) echo "🤖" ;;
 ANONYMIZER) echo "🕶️ " ;;
+ CREDENTIAL_STUFFING) echo "🔑" ;;
+ API_ABUSE) echo "⚡" ;;
+ CMS_EXPLOIT) echo "🎯" ;;
+ ECOMMERCE_EXPLOIT) echo "💳" ;;
 BOT) echo "🤖" ;;
 SCANNER) echo "🔎" ;;
 *) echo "❓" ;;
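Review bot: ECOMMERCE_EXPLOIT is given the largest weight in the `calculate_attack_score` hunk (20, above ANONYMIZER's 15), and the later `get_attack_color` hunk places it in the CRITICAL tier beside SQL_INJECTION and RCE, while the detector behind it matches unanchored substrings such as `order.*complete`, `transaction.*success` and `price=0` (which also matches `price=0.99`), so an ordinary checkout-confirmation URL is scored and coloured as critical. Until those patterns are tightened — for example anchoring the numeric checks as `(price|total|cost|amount)=0(\.0+)?(&|$)` — a weight closer to API_ABUSE's 12 and the HIGH tier would reflect the detector's confidence rather than the theoretical impact. A one-line comment above the four new entries, e.g. `# weights reflect impact; URL-only detectors carry a high false-positive rate`, would make that trade-off visible to whoever tunes the scores later. The enclosing `calculate_attack_score` body starts outside the hunk.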
@@ -392,9 +514,9 @@ get_attack_color() {
 local attack_type="$1"
 
 case "$attack_type" in
- SQL_INJECTION|RCE|TEMPLATE_INJECTION) echo '\033[1;41;97m' ;; # White on Red (CRITICAL)
- XSS|PATH_TRAVERSAL|BRUTEFORCE|XXE|SSRF|NOSQL_INJECTION|ANONYMIZER) echo '\033[1;31m' ;; # Bold Red (HIGH)
- INFO_DISCLOSURE|ADMIN_PROBE|ENCODING_BYPASS|SUSPICIOUS_UA|BOT_FINGERPRINT) echo '\033[1;33m' ;; # Bold Yellow (MEDIUM)
+ SQL_INJECTION|RCE|TEMPLATE_INJECTION|ECOMMERCE_EXPLOIT) echo '\033[1;41;97m' ;; # White on Red (CRITICAL)
+ XSS|PATH_TRAVERSAL|BRUTEFORCE|XXE|SSRF|NOSQL_INJECTION|ANONYMIZER|CREDENTIAL_STUFFING|CMS_EXPLOIT) echo '\033[1;31m' ;; # Bold Red (HIGH)
+ INFO_DISCLOSURE|ADMIN_PROBE|ENCODING_BYPASS|SUSPICIOUS_UA|BOT_FINGERPRINT|API_ABUSE) echo '\033[1;33m' ;; # Bold Yellow (MEDIUM)
 *) echo '\033[0;36m' ;; # Cyan (LOW)
 esac
 }
@@ -414,6 +536,10 @@ export -f detect_encoding_bypass
 export -f detect_suspicious_ua
 export -f detect_anonymizer
 export -f detect_bot_fingerprint
+export -f detect_credential_stuffing
+export -f detect_api_abuse
+export -f detect_cms_exploit
+export -f detect_ecommerce_exploit
 export -f detect_all_attacks
 export -f calculate_attack_score
 export -f get_attack_icon