#!/bin/bash

################################################################################
# Attack Pattern Detection Library
################################################################################
# Purpose: Shared attack vector detection for bot-analyzer and live-monitor
# Features: SQL injection, XSS, Path traversal, RCE, Info disclosure, Bruteforce
################################################################################

# Cache hostname to avoid subprocess on every open redirect check
CACHED_HOSTNAME="${HOSTNAME:-$(hostname 2>/dev/null || echo "unknown")}"

# IP Address Validation
# Returns: 0 (valid) or 1 (invalid)
is_valid_ip() {
    local ip="$1"

    # IPv4 validation
    if [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
        local IFS='.'
        local -a octets=($ip)
        for octet in "${octets[@]}"; do
            [ "$octet" -gt 255 ] && return 1
        done
        return 0
    fi

    # IPv6 validation (basic)
    if [[ "$ip" =~ ^([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}$ ]]; then
        return 0
    fi

    return 1
}

# SQL Injection Detection
# Returns: 0 (true) if SQL injection detected, 1 (false) if not
detect_sql_injection() {
    local url="$1"
    local url_lower="${url,,}"

    # Enhanced SQL injection patterns
    if [[ "$url_lower" =~ (union.*select|concat\(|benchmark\(|sleep\(|waitfor|cast\(|exec\() ]] ||
       [[ "$url_lower" =~ (information_schema|drop table|insert into|update.*set|delete from) ]] ||
       [[ "$url_lower" =~ (%27|0x[0-9a-f]+|hex\(|unhex\(|load_file\() ]]; then
        return 0
    fi

    return 1
}

# XSS (Cross-Site Scripting) Detection
detect_xss() {
    local url="$1"
    local url_lower="${url,,}"

    if [[ "$url_lower" =~ (<script|javascript:|onerror=|onload=|<iframe|eval\(|alert\() ]] ||
       [[ "$url_lower" =~ (document\.cookie|document\.write|\.innerhtml) ]]; then
        return 0
    fi

    return 1
}

# Path Traversal / LFI Detection
detect_path_traversal() {
    local url="$1"
    local url_lower="${url,,}"

    if [[ "$url_lower" =~ (\.\.\/|\.\.\\|etc\/passwd|etc\/shadow|boot\.ini|win\.ini) ]] ||
       [[ "$url_lower" =~ (proc\/self|\/etc\/|c:\\|windows\/system32) ]]; then
        return 0
    fi

    return 1
}

# RCE (Remote Code Execution) / Shell Upload Detection
detect_rce() {
    local url="$1"
    local method="${2:-GET}"
    local url_lower="${url,,}"

    # Command execution patterns
    if [[ "$url_lower" =~ (cmd\.exe|\/bin\/bash|\/bin\/sh|phpinfo\(|system\(|exec\(|passthru\(|shell_exec\(|popen\() ]] ||
       [[ "$url_lower" =~ (proc_open|pcntl_exec|eval\(|assert\(|base64_decode\(|gzinflate\() ]]; then
        return 0
    fi

    # Shell/backdoor files (common webshell names)
    if [[ "$url_lower" =~ (shell\.php|c99\.php|r57\.php|backdoor|webshell|wso\.php|b374k) ]] ||
       [[ "$url_lower" =~ (shell_exec|1337|defac|index\.php\?|cmd|evil) ]]; then
        return 0
    fi

    # Suspicious POST to script files
    if [[ "$url_lower" =~ \.(php|jsp|asp|aspx)$ ]] && [[ "$method" == "POST" ]]; then
        return 0
    fi

    # PHP shell probing - random .php files (common scanner behavior)
    # Detect short/random PHP filenames that are typical webshell probes
    if [[ "$url_lower" =~ ^/[a-z0-9]{1,15}\.php$ ]] && [[ "$method" == "GET" ]]; then
        # Whitelist common legitimate PHP files
        if [[ ! "$url_lower" =~ (index\.php|wp-login\.php|xmlrpc\.php|admin\.php|contact\.php|search\.php) ]]; then
            return 0
        fi
    fi

    return 1
}

# Info Disclosure Detection
detect_info_disclosure() {
    local url="$1"
    local url_lower="${url,,}"

    if [[ "$url_lower" =~ (phpinfo|server-status|server-info|\.git\/|\.env|\.htaccess) ]] ||
       [[ "$url_lower" =~ (\.sql|\.dump|backup\.zip|database\.sql|wp-config\.php\.bak) ]] ||
       [[ "$url_lower" =~ (\.log$|error_log|debug\.log|access\.log) ]]; then
        return 0
    fi

    return 1
}

# Login Bruteforce Detection (URL-based)
detect_login_bruteforce_url() {
    local url="$1"
    local url_lower="${url,,}"

    if [[ "$url_lower" =~ (wp-login\.php|wp-admin|xmlrpc\.php) ]] ||
       [[ "$url_lower" =~ (\/admin|\/login|\/signin|\/auth) ]]; then
        return 0
    fi

    return 1
}

# Admin Path Probing Detection
detect_admin_probe() {
    local url="$1"
    local url_lower="${url,,}"

    if [[ "$url_lower" =~ (\/admin|\/administrator|\/wp-admin|\/phpmyadmin) ]] ||
       [[ "$url_lower" =~ (\/manager|\/controlpanel|\/cpanel|\/webmin) ]] ||
       [[ "$url_lower" =~ (wp-content\/uploads.*\.php|wp-includes.*\.php|wp-admin\/includes) ]]; then
        return 0
    fi

    return 1
}

# XXE (XML External Entity) Detection
detect_xxe() {
    local url="$1"
    local url_lower="${url,,}"

    # XML entity patterns and external entity references
    if [[ "$url_lower" =~ (<!entity|<!doctype|system|file://|php://|expect://) ]] ||
       [[ "$url_lower" =~ (%3c!entity|%3c!doctype|%3centity|jar:) ]] ||
       [[ "$url_lower" =~ (xml.*<!|\.xml.*entity|\.dtd) ]]; then
        return 0
    fi

    return 1
}

# SSRF (Server-Side Request Forgery) Detection
detect_ssrf() {
    local url="$1"
    local url_lower="${url,,}"

    # Internal network targeting
    if [[ "$url_lower" =~ (localhost|127\.0\.0\.|169\.254\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.) ]] ||
       [[ "$url_lower" =~ (metadata\.google|169\.254\.169\.254|metadata\.aws|metadata) ]] ||
       [[ "$url_lower" =~ (file://|gopher://|dict://|ftp://localhost|http://127|http://0\.0\.0\.0) ]] ||
       [[ "$url_lower" =~ (url=http|redirect.*http|fetch.*http|proxy.*http) ]]; then
        return 0
    fi

    return 1
}

# NoSQL Injection Detection
detect_nosql_injection() {
    local url="$1"
    local url_lower="${url,,}"

    # MongoDB and NoSQL patterns
    if [[ "$url_lower" =~ (\$ne|\$gt|\$lt|\$regex|\$where|\$in|\$nin) ]] ||
       [[ "$url_lower" =~ (%24ne|%24gt|%24regex|%24where) ]] ||
       [[ "$url_lower" =~ (sleep\(.*\)|this\.|function\(|javascript:) ]]; then
        return 0
    fi

    return 1
}

# Template Injection (SSTI) Detection
detect_template_injection() {
    local url="$1"
    local url_lower="${url,,}"

    # Jinja2, Twig, FreeMarker, etc.
    if [[ "$url_lower" =~ (\{\{.*\}\}|\{%.*%\}|\$\{.*\}|<%.*%>) ]] ||
       [[ "$url_lower" =~ (%7b%7b|%7b%25|%24%7b) ]] ||
       [[ "$url_lower" =~ (7\*7|config\.|self\.|request\.|env\.) ]]; then
        return 0
    fi

    return 1
}

# Encoding Bypass Detection (Multiple layers of encoding)
detect_encoding_bypass() {
    local url="$1"

    # Double/triple URL encoding (bypass WAF)
    if [[ "$url" =~ %25[0-9a-fA-F]{2} ]] ||
       [[ "$url" =~ (%252[0-9a-fA-F]|%25%32|%2525) ]]; then
        return 0
    fi

    # Unicode/UTF-8 bypass attempts
    if [[ "$url" =~ (%u[0-9a-fA-F]{4}|\\u[0-9a-fA-F]{4}) ]] ||
       [[ "$url" =~ (%c0%af|%e0%80%af) ]]; then
        return 0
    fi

    return 1
}

# Suspicious User-Agent Detection
detect_suspicious_ua() {
    local user_agent="$1"
    local ua_lower="${user_agent,,}"

    # Empty or missing UA (common in automated attacks)
    if [ -z "$user_agent" ] || [ "$user_agent" = "-" ]; then
        return 0
    fi

    # Common attack tools and scanners
    if [[ "$ua_lower" =~ (nikto|nmap|masscan|nessus|acunetix|burp|sqlmap|metasploit) ]] ||
       [[ "$ua_lower" =~ (havij|pangolin|w3af|skipfish|dirbuster|gobuster|wpscan|joomla) ]] ||
       [[ "$ua_lower" =~ (nuclei|jaeles|ffuf|hydra|medusa|zgrab|shodan|censys) ]] ||
       [[ "$ua_lower" =~ (python-requests|curl/|wget/|libwww-perl|go-http-client) ]] ||
       [[ "$ua_lower" =~ (scrapy|mechanize|httpclient|okhttp|urllib|axios) ]]; then
        return 0
    fi

    # Suspicious patterns
    if [[ "$ua_lower" =~ (bot|crawler|spider|scraper) ]] &&
       [[ ! "$ua_lower" =~ (googlebot|bingbot|slurp|duckduckbot|baiduspider|yandexbot|facebookexternalhit) ]]; then
        return 0
    fi

    # Very short UA (< 10 chars, likely fake)
    if [ ${#user_agent} -lt 10 ]; then
        return 0
    fi

    # Generic/suspicious patterns
    # Only flag Mozilla/X.0 if it's JUST that (no browser details after)
    if [[ "$ua_lower" =~ ^mozilla/[45]\.0$ ]] ||
       [[ "$ua_lower" =~ ^(test|scanner|exploit|attack|shell) ]]; then
        return 0
    fi

    return 1
}

# Tor/VPN/Proxy Detection (IP-based patterns)
detect_anonymizer() {
    local ip="$1"

    # Known Tor exit node patterns (common ranges - not exhaustive)
    # Note: For production, should use actual Tor exit node lists
    # This is a simplified detection based on common patterns

    # VPN/Proxy indicators in IP behavior require historical analysis
    # This function is a placeholder for IP reputation integration
    # Real implementation would check against:
    # - Tor exit node lists (https://check.torproject.org/exit-addresses)
    # - VPN provider IP ranges
    # - Known proxy/datacenter ranges

    # For now, we'll flag datacenter/hosting IPs which are common for VPNs
    # This requires external IP reputation data

    return 1  # Placeholder - requires external data integration
}

# Advanced Bot Fingerprinting (behavior-based)
detect_bot_fingerprint() {
    local user_agent="$1"
    local ua_lower="${user_agent,,}"

    # Headless browser detection
    if [[ "$ua_lower" =~ (headless|phantom|selenium|puppeteer|playwright|chromium.*headless) ]] ||
       [[ "$ua_lower" =~ (chrome/.*headless|firefox.*headless) ]]; then
        return 0
    fi

    # Automated browser frameworks
    if [[ "$ua_lower" =~ (webdriver|automation|bot\.html|slimer|casper) ]]; then
        return 0
    fi

    # Missing common browser components (suspicious)
    # Real browsers include: Mozilla, AppleWebKit, Chrome/Firefox/Safari
    if [[ "$ua_lower" =~ mozilla ]] &&
       [[ ! "$ua_lower" =~ (applewebkit|gecko|chrome|firefox|safari|edge) ]]; then
        return 0
    fi

    return 1
}

# Credential Stuffing / Password Spraying Detection
detect_credential_stuffing() {
    local url="$1"
    local method="${2:-GET}"
    local url_lower="${url,,}"

    # Must be POST to login endpoints
    if [ "$method" != "POST" ]; then
        return 1
    fi

    # Common credential stuffing targets
    if [[ "$url_lower" =~ (wp-login\.php|xmlrpc\.php) ]] ||
       [[ "$url_lower" =~ (/login|/signin|/auth|/authenticate|/session) ]] ||
       [[ "$url_lower" =~ (/api/login|/api/auth|/api/token|/oauth/token) ]] ||
       [[ "$url_lower" =~ (/user/login|/account/login|/customer/login) ]]; then
        return 0
    fi

    return 1
}

# API Abuse Detection
detect_api_abuse() {
    local url="$1"
    local method="${2:-GET}"
    local url_lower="${url,,}"

    # API endpoint patterns
    if [[ "$url_lower" =~ (/api/|/v[0-9]+/|/rest/|/graphql|/webhook) ]] ||
       [[ "$url_lower" =~ \.json(\?|$)|\.xml(\?|$) ]]; then

        # Suspicious API patterns
        if [[ "$url_lower" =~ (/api/.*admin|/api/.*debug|/api/.*test|/api/.*internal) ]] ||
           [[ "$url_lower" =~ (/api/users/all|/api/.*dump|/api/.*export|/api/backup) ]] ||
           [[ "$url_lower" =~ (/api/.*delete|/api/.*drop|/api/.*truncate) ]]; then
            return 0
        fi

        # Mass data extraction attempts
        if [[ "$url_lower" =~ (limit=[0-9]{4,}|limit=999|per_page=[0-9]{3,}) ]] ||
           [[ "$url_lower" =~ (offset=[0-9]{5,}|page=[0-9]{3,}) ]]; then
            return 0
        fi
    fi

    return 1
}

# Content Management System (CMS) Vulnerability Probing
detect_cms_exploit() {
    local url="$1"
    local url_lower="${url,,}"

    # WordPress vulnerabilities
    if [[ "$url_lower" =~ (wp-content/plugins/.*\.\.|wp-content/themes/.*\.\.) ]] ||
       [[ "$url_lower" =~ (wp-json/wp/v2/users|wp-json/.*users) ]] ||
       [[ "$url_lower" =~ (wp-config\.php|wp-admin/install\.php|wp-admin/setup-config\.php) ]]; then
        return 0
    fi

    # Drupal vulnerabilities
    if [[ "$url_lower" =~ (/user/register|/user/password|/?q=node/add) ]] ||
       [[ "$url_lower" =~ (drupalgeddon|sites/default/files/\.\./) ]]; then
        return 0
    fi

    # Joomla vulnerabilities
    if [[ "$url_lower" =~ (index\.php\?option=com_|/configuration\.php) ]] ||
       [[ "$url_lower" =~ (com_foxcontact|com_fabrik|com_user) ]]; then
        return 0
    fi

    # Generic CMS probing
    if [[ "$url_lower" =~ (readme\.html|license\.txt|changelog\.txt) ]] ||
       [[ "$url_lower" =~ (/install/|/setup/|/upgrade/|/migration/) ]]; then
        return 0
    fi

    return 1
}

# E-commerce Platform Exploitation
detect_ecommerce_exploit() {
    local url="$1"
    local url_lower="${url,,}"

    # Shopping cart manipulation
    if [[ "$url_lower" =~ (price=0|price=-|quantity=-|discount=100) ]] ||
       [[ "$url_lower" =~ (total=0|amount=0\.0|cost=0) ]]; then
        return 0
    fi

    # Payment bypass attempts
    if [[ "$url_lower" =~ (payment.*bypass|order.*complete|checkout.*skip) ]] ||
       [[ "$url_lower" =~ (invoice.*paid|transaction.*success) ]]; then
        return 0
    fi

    # Common e-commerce platforms
    if [[ "$url_lower" =~ (magento.*admin|shopify.*admin|woocommerce.*admin) ]] ||
       [[ "$url_lower" =~ (/admin/sales/|/admin/order/|/admin/customer/) ]]; then
        return 0
    fi

    return 1
}

# HTTP Request Smuggling Detection
detect_http_smuggling() {
    local url="$1"
    local headers="${2:-}"
    local url_lower="${url,,}"

    # Content-Length and Transfer-Encoding manipulation
    if [[ "$headers" =~ content-length.*transfer-encoding ]] ||
       [[ "$headers" =~ transfer-encoding.*chunked.*content-length ]]; then
        return 0
    fi

    # Double Content-Length headers
    if [[ "$headers" =~ content-length.*content-length ]]; then
        return 0
    fi

    # Suspicious chunked encoding patterns (URL-encoded CRLF)
    if [[ "$url_lower" =~ (%0d%0a|%0a%0d|%0d|%0a) ]]; then
        return 0
    fi

    # CRLF injection attempts (URL-encoded only, not literal newlines)
    # Note: Literal \r\n in URLs would be encoded by browsers, so only check encoded forms
    if [[ "$url" =~ (%0d%0a|%0a%0d|%0d|%0a) ]]; then
        return 0
    fi

    return 1
}

# Resource Exhaustion / DoS Detection
detect_resource_exhaustion() {
    local url="$1"
    local url_lower="${url,,}"

    # Billion laughs / XML bomb patterns
    if [[ "$url_lower" =~ (<!entity.*<!entity|&[a-z0-9]+;){5,} ]] ||
       [[ "$url_lower" =~ lol[0-9]+|entity[0-9]{2,} ]]; then
        return 0
    fi

    # ReDoS (Regular Expression Denial of Service) patterns
    if [[ "$url_lower" =~ ((\(.*){5,}|(.*\*){5,}|(.*\+){5,}) ]] ||
       [[ "$url_lower" =~ (a+){10,}|(a\*){10,} ]]; then
        return 0
    fi

    # Large parameter values (potential buffer overflow or memory exhaustion)
    if [[ "$url" =~ [=]([A]{500,}|[0-9]{500,}|[%][0-9a-fA-F]{500,}) ]]; then
        return 0
    fi

    # Zip bomb indicators
    if [[ "$url_lower" =~ (\.zip|\.tar\.gz|\.tgz|\.rar).*bomb ]] ||
       [[ "$url_lower" =~ (upload.*\.zip|compress.*\.zip) ]]; then
        return 0
    fi

    # Slowloris patterns (slow request indicators)
    if [[ "$url" =~ (sleep=[0-9]{3,}|delay=[0-9]{3,}|timeout=[0-9]{4,}) ]]; then
        return 0
    fi

    return 1
}

# Open Redirect Detection
detect_open_redirect() {
    local url="$1"
    local url_lower="${url,,}"

    # Redirect parameter patterns with external URLs
    if [[ "$url_lower" =~ (redirect=http|return=http|url=http|next=http|goto=http) ]] ||
       [[ "$url_lower" =~ (returnto=http|redir=http|target=http|destination=http) ]] ||
       [[ "$url_lower" =~ (continue=http|view=http|return_to=http|redirect_uri=http) ]]; then

        # Exclude same-domain redirects (basic check)
        if [[ ! "$url_lower" =~ (redirect=https?://(www\.)?${CACHED_HOSTNAME}|localhost) ]]; then
            return 0
        fi
    fi

    # URL-encoded redirect patterns
    if [[ "$url" =~ (redirect=%68%74%74%70|url=%68%74%74%70) ]] ||
       [[ "$url" =~ (%2F%2F|//) ]]; then
        return 0
    fi

    # JavaScript protocol redirects
    if [[ "$url_lower" =~ (redirect=javascript:|url=javascript:|goto=javascript:) ]]; then
        return 0
    fi

    return 1
}

# LDAP Injection Detection
detect_ldap_injection() {
    local url="$1"
    local url_lower="${url,,}"

    # LDAP special characters and operators
    if [[ "$url" =~ (\*|\(|\)|&|\||!|=|>|<|~|%2a|%28|%29|%26|%7c|%21) ]]; then
        # LDAP filter patterns
        if [[ "$url_lower" =~ (cn=|uid=|ou=|dc=|objectclass=) ]] ||
           [[ "$url_lower" =~ (\(\*|\*\)|&\(|\|\() ]]; then
            return 0
        fi

        # LDAP injection patterns
        if [[ "$url" =~ (\)\(\||admin\)\(|\*\)\(|pwd=\*) ]]; then
            return 0
        fi
    fi

    return 1
}

# File Upload Vulnerability Detection
detect_file_upload_exploit() {
    local url="$1"
    local method="${2:-GET}"
    local url_lower="${url,,}"

    # Must be POST or PUT (upload operations)
    if [[ "$method" != "POST" ]] && [[ "$method" != "PUT" ]]; then
        return 1
    fi

    # Suspicious file upload endpoints
    if [[ "$url_lower" =~ (/upload|/file|/attachment|/media|/document) ]]; then
        # Double extension attempts
        if [[ "$url_lower" =~ \.(php|jsp|asp|aspx|cgi|pl)\.(jpg|jpeg|png|gif|txt|pdf) ]] ||
           [[ "$url_lower" =~ \.(jpg|jpeg|png|gif)\.php ]]; then
            return 0
        fi

        # Null byte injection
        if [[ "$url" =~ (%00|\\x00|\x00) ]]; then
            return 0
        fi

        # Path traversal in filename
        if [[ "$url_lower" =~ (filename=.*\.\.|name=.*\.\.) ]]; then
            return 0
        fi

        # Executable file uploads
        if [[ "$url_lower" =~ \.(php|php3|php4|php5|phtml|phar|jsp|jspx|asp|aspx|asa|cer|cdx|shtm|shtml|swf|war) ]]; then
            return 0
        fi
    fi

    return 1
}

# GraphQL Introspection / Query Complexity
detect_graphql_abuse() {
    local url="$1"
    local method="${2:-GET}"
    local url_lower="${url,,}"

    # GraphQL endpoint
    if [[ "$url_lower" =~ (/graphql|/api/graphql|/query|/api/query) ]]; then
        # Introspection query patterns
        if [[ "$url_lower" =~ (__schema|__type|introspectionquery) ]]; then
            return 0
        fi

        # Deeply nested queries (query complexity attack)
        if [[ "$url" =~ (\{.*\{.*\{.*\{.*\{) ]]; then
            return 0
        fi

        # Batch query abuse
        if [[ "$url" =~ (\[.*\{.*\}.*,.*\{.*\}.*,.*\{.*\}.*\]) ]]; then
            return 0
        fi

        # Recursive fragment patterns
        if [[ "$url_lower" =~ (fragment.*on.*fragment) ]]; then
            return 0
        fi
    fi

    return 1
}

# Detect all attack vectors for a URL
# Returns: attack_type1,attack_type2,... or empty if none
# Parameters: url method user_agent ip
detect_all_attacks() {
    local url="$1"
    local method="${2:-GET}"
    local user_agent="${3:-}"
    local ip="${4:-}"
    local attacks=()

    # URL-based detection (OWASP Top 10 + Modern Vectors)
    detect_sql_injection "$url" && attacks+=("SQL_INJECTION")
    detect_xss "$url" && attacks+=("XSS")
    detect_path_traversal "$url" && attacks+=("PATH_TRAVERSAL")
    detect_rce "$url" "$method" && attacks+=("RCE")
    detect_info_disclosure "$url" && attacks+=("INFO_DISCLOSURE")
    detect_login_bruteforce_url "$url" && attacks+=("BRUTEFORCE")
    detect_admin_probe "$url" && attacks+=("ADMIN_PROBE")
    detect_xxe "$url" && attacks+=("XXE")
    detect_ssrf "$url" && attacks+=("SSRF")
    detect_nosql_injection "$url" && attacks+=("NOSQL_INJECTION")
    detect_template_injection "$url" && attacks+=("TEMPLATE_INJECTION")
    detect_encoding_bypass "$url" && attacks+=("ENCODING_BYPASS")

    # Application-specific detection
    detect_credential_stuffing "$url" "$method" && attacks+=("CREDENTIAL_STUFFING")
    detect_api_abuse "$url" "$method" && attacks+=("API_ABUSE")
    detect_cms_exploit "$url" && attacks+=("CMS_EXPLOIT")
    detect_ecommerce_exploit "$url" && attacks+=("ECOMMERCE_EXPLOIT")

    # Advanced protocol attacks
    detect_http_smuggling "$url" && attacks+=("HTTP_SMUGGLING")
    detect_resource_exhaustion "$url" && attacks+=("RESOURCE_EXHAUSTION")
    detect_open_redirect "$url" && attacks+=("OPEN_REDIRECT")
    detect_ldap_injection "$url" && attacks+=("LDAP_INJECTION")
    detect_file_upload_exploit "$url" "$method" && attacks+=("FILE_UPLOAD_EXPLOIT")
    detect_graphql_abuse "$url" "$method" && attacks+=("GRAPHQL_ABUSE")

    # User-Agent based detection
    if [ -n "$user_agent" ]; then
        detect_suspicious_ua "$user_agent" && attacks+=("SUSPICIOUS_UA")
        detect_bot_fingerprint "$user_agent" && attacks+=("BOT_FINGERPRINT")
    fi

    # IP-based detection
    if [ -n "$ip" ]; then
        detect_anonymizer "$ip" && attacks+=("ANONYMIZER")
    fi

    if [ ${#attacks[@]} -gt 0 ]; then
        IFS=','; echo "${attacks[*]}"
    else
        echo ""
    fi
}

# Calculate threat score based on attack types
# Returns: score (0-100)
calculate_attack_score() {
    local attacks="$1"

    local score=0

    # Use word boundaries to avoid false matches (e.g., RCE in BRUTEFORCE)
    [[ "$attacks" =~ (^|,)SQL_INJECTION(,|$) ]] && score=$((score + 15))
    [[ "$attacks" =~ (^|,)XSS(,|$) ]] && score=$((score + 12))
    [[ "$attacks" =~ (^|,)PATH_TRAVERSAL(,|$) ]] && score=$((score + 15))
    [[ "$attacks" =~ (^|,)RCE(,|$) ]] && score=$((score + 20))
    [[ "$attacks" =~ (^|,)INFO_DISCLOSURE(,|$) ]] && score=$((score + 8))
    [[ "$attacks" =~ (^|,)BRUTEFORCE(,|$) ]] && score=$((score + 10))
    [[ "$attacks" =~ (^|,)ADMIN_PROBE(,|$) ]] && score=$((score + 5))
    [[ "$attacks" =~ (^|,)DDOS(,|$) ]] && score=$((score + 25))
    [[ "$attacks" =~ (^|,)XXE(,|$) ]] && score=$((score + 18))
    [[ "$attacks" =~ (^|,)SSRF(,|$) ]] && score=$((score + 18))
    [[ "$attacks" =~ (^|,)NOSQL_INJECTION(,|$) ]] && score=$((score + 15))
    [[ "$attacks" =~ (^|,)TEMPLATE_INJECTION(,|$) ]] && score=$((score + 20))
    [[ "$attacks" =~ (^|,)ENCODING_BYPASS(,|$) ]] && score=$((score + 12))
    [[ "$attacks" =~ (^|,)SUSPICIOUS_UA(,|$) ]] && score=$((score + 15))
    [[ "$attacks" =~ (^|,)BOT_FINGERPRINT(,|$) ]] && score=$((score + 15))
    [[ "$attacks" =~ (^|,)ANONYMIZER(,|$) ]] && score=$((score + 15))
    [[ "$attacks" =~ (^|,)CREDENTIAL_STUFFING(,|$) ]] && score=$((score + 18))
    [[ "$attacks" =~ (^|,)API_ABUSE(,|$) ]] && score=$((score + 12))
    [[ "$attacks" =~ (^|,)CMS_EXPLOIT(,|$) ]] && score=$((score + 16))
    [[ "$attacks" =~ (^|,)ECOMMERCE_EXPLOIT(,|$) ]] && score=$((score + 20))
    [[ "$attacks" =~ (^|,)HTTP_SMUGGLING(,|$) ]] && score=$((score + 22))
    [[ "$attacks" =~ (^|,)RESOURCE_EXHAUSTION(,|$) ]] && score=$((score + 14))
    [[ "$attacks" =~ (^|,)OPEN_REDIRECT(,|$) ]] && score=$((score + 10))
    [[ "$attacks" =~ (^|,)LDAP_INJECTION(,|$) ]] && score=$((score + 17))
    [[ "$attacks" =~ (^|,)FILE_UPLOAD_EXPLOIT(,|$) ]] && score=$((score + 19))
    [[ "$attacks" =~ (^|,)GRAPHQL_ABUSE(,|$) ]] && score=$((score + 13))

    echo "$score"
}

# Get attack icon for display
get_attack_icon() {
    local attack_type="$1"

    case "$attack_type" in
        SQL_INJECTION) echo "💉" ;;
        XSS) echo "⚠️ " ;;
        PATH_TRAVERSAL) echo "📁" ;;
        RCE) echo "☠️ " ;;
        INFO_DISCLOSURE) echo "🔓" ;;
        BRUTEFORCE) echo "🔐" ;;
        ADMIN_PROBE) echo "🔍" ;;
        DDOS) echo "💥" ;;
        XXE) echo "📄" ;;
        SSRF) echo "🌐" ;;
        NOSQL_INJECTION) echo "🗄️ " ;;
        TEMPLATE_INJECTION) echo "📝" ;;
        ENCODING_BYPASS) echo "🔀" ;;
        SUSPICIOUS_UA) echo "🎭" ;;
        BOT_FINGERPRINT) echo "🤖" ;;
        ANONYMIZER) echo "🕶️ " ;;
        CREDENTIAL_STUFFING) echo "🔑" ;;
        API_ABUSE) echo "⚡" ;;
        CMS_EXPLOIT) echo "🎯" ;;
        ECOMMERCE_EXPLOIT) echo "💳" ;;
        HTTP_SMUGGLING) echo "📦" ;;
        RESOURCE_EXHAUSTION) echo "⏱️ " ;;
        OPEN_REDIRECT) echo "↩️ " ;;
        LDAP_INJECTION) echo "🗂️ " ;;
        FILE_UPLOAD_EXPLOIT) echo "📤" ;;
        GRAPHQL_ABUSE) echo "🔗" ;;
        BOT) echo "🤖" ;;
        SCANNER) echo "🔎" ;;
        *) echo "❓" ;;
    esac
}

# Get attack color for display
get_attack_color() {
    local attack_type="$1"

    case "$attack_type" in
        SQL_INJECTION|RCE|TEMPLATE_INJECTION|ECOMMERCE_EXPLOIT|HTTP_SMUGGLING) echo '\033[1;41;97m' ;;  # White on Red (CRITICAL)
        XSS|PATH_TRAVERSAL|BRUTEFORCE|XXE|SSRF|NOSQL_INJECTION|ANONYMIZER|CREDENTIAL_STUFFING|CMS_EXPLOIT|LDAP_INJECTION|FILE_UPLOAD_EXPLOIT) echo '\033[1;31m' ;;  # Bold Red (HIGH)
        INFO_DISCLOSURE|ADMIN_PROBE|ENCODING_BYPASS|SUSPICIOUS_UA|BOT_FINGERPRINT|API_ABUSE|RESOURCE_EXHAUSTION|GRAPHQL_ABUSE|OPEN_REDIRECT) echo '\033[1;33m' ;;  # Bold Yellow (MEDIUM)
        *) echo '\033[0;36m' ;;  # Cyan (LOW)
    esac
}

export -f is_valid_ip
export -f detect_sql_injection
export -f detect_xss
export -f detect_path_traversal
export -f detect_rce
export -f detect_info_disclosure
export -f detect_login_bruteforce_url
export -f detect_admin_probe
export -f detect_xxe
export -f detect_ssrf
export -f detect_nosql_injection
export -f detect_template_injection
export -f detect_encoding_bypass
export -f detect_suspicious_ua
export -f detect_anonymizer
export -f detect_bot_fingerprint
export -f detect_credential_stuffing
export -f detect_api_abuse
export -f detect_cms_exploit
export -f detect_ecommerce_exploit
export -f detect_http_smuggling
export -f detect_resource_exhaustion
export -f detect_open_redirect
export -f detect_ldap_injection
export -f detect_file_upload_exploit
export -f detect_graphql_abuse
export -f detect_all_attacks
export -f calculate_attack_score
export -f get_attack_icon
export -f get_attack_color