generateXssTestCases(); $blocked = 0; $failed = []; foreach ($testCases as $testCase) { $request = $this->createAttackRequest( uri: '/search', method: Method::GET, queryParams: ['q' => $testCase['payload']] ); $decision = $this->wafEngine->analyzeRequest($request); if ($decision->shouldBlock()) { $blocked++; } else { $failed[] = $testCase['description']; } } if (!empty($failed)) { throw new \RuntimeException( "WAF failed to block " . count($failed) . " XSS attacks in query params:\n" . implode("\n", array_slice($failed, 0, 5)) ); } echo "✅ Blocked {$blocked}/" . count($testCases) . " XSS attacks in query params\n"; } /** * Test WAF blocks XSS attacks in POST data */ public function testBlocksXssInPostData(): void { $testCases = $this->generateXssTestCases(); $blocked = 0; $failed = []; foreach ($testCases as $testCase) { $request = $this->createAttackRequest( uri: '/api/comments', method: Method::POST, postData: [ 'comment' => $testCase['payload'], 'author' => 'Test User' ] ); $decision = $this->wafEngine->analyzeRequest($request); if ($decision->shouldBlock()) { $blocked++; } else { $failed[] = $testCase['description']; } } if (!empty($failed)) { throw new \RuntimeException( "WAF failed to block " . count($failed) . " XSS attacks in POST data:\n" . implode("\n", array_slice($failed, 0, 5)) ); } echo "✅ Blocked {$blocked}/" . count($testCases) . " XSS attacks in POST data\n"; } /** * Test WAF blocks event handler-based XSS */ public function testBlocksEventHandlerXss(): void { $eventHandlerAttacks = [ '

', '', '', '

',
            '<marquee onstart=alert(1)>',
            '<div onmouseover=alert(1)>',
            '<a onmousemove=alert(1)>',
        ];

$blocked = 0;
        $failed = [];

foreach ($eventHandlerAttacks as $attack) {
            $request = $this->createAttackRequest(
                uri: '/api/profile',
                method: Method::POST,
                postData: ['bio' => $attack]
            );

$decision = $this->wafEngine->analyzeRequest($request);

if ($decision->shouldBlock()) {
                $blocked++;
            } else {
                $failed[] = substr($attack, 0, 50);
            }
        }

if (!empty($failed)) {
            throw new \RuntimeException(
                "WAF failed to block event handler XSS:\n" .
                implode("\n", $failed)
            );
        }

echo "✅ Blocked {$blocked}/" . count($eventHandlerAttacks) . " event handler XSS attacks\n";
    }

/**
     * Test WAF blocks JavaScript protocol XSS
     */
    public function testBlocksJavaScriptProtocol(): void
    {
        $javascriptProtocolAttacks = [
            'javascript:alert(1)',
            'javascript:void(alert(1))',
            'javascript:eval("alert(1)")',
            'jAvAsCrIpT:alert(1)',  // Case variation
            'javascript:alert(1)',  // HTML entity encoding
        ];

$blocked = 0;

foreach ($javascriptProtocolAttacks as $attack) {
            $request = $this->createAttackRequest(
                uri: '/api/links',
                method: Method::POST,
                postData: ['url' => $attack]
            );

$decision = $this->wafEngine->analyzeRequest($request);

if ($decision->shouldBlock()) {
                $blocked++;
            }
        }

echo "✅ Blocked {$blocked}/" . count($javascriptProtocolAttacks) . " javascript: protocol XSS attacks\n";
    }

/**
     * Test WAF allows legitimate HTML/JavaScript in safe contexts
     */
    public function testAllowsLegitimateContent(): void
    {
        $legitimateContent = [
            'Check out this <strong>amazing</strong> product!',  // Safe HTML tags
            'Contact us at info@example.com',  // Email
            'Price is <$50',  // Less than symbol
            'Rating: 4.5/5 stars',  // Math symbols
            'JavaScript is a programming language',  // Word "JavaScript"
        ];

$allowedCount = 0;
        $falsePositives = [];

foreach ($legitimateContent as $content) {
            $request = $this->createLegitimateRequest(
                uri: '/api/content',
                method: Method::POST,
                data: ['text' => $content]
            );

$decision = $this->wafEngine->analyzeRequest($request);

if (!$decision->shouldBlock()) {
                $allowedCount++;
            } else {
                $falsePositives[] = $content;
            }
        }

if (!empty($falsePositives)) {
            echo "⚠️  Warning: WAF has " . count($falsePositives) . " false positives:\n";
            foreach ($falsePositives as $fp) {
                echo "  - {$fp}\n";
            }
        } else {
            echo "✅ No false positives detected ({$allowedCount}/" . count($legitimateContent) . " legitimate content allowed)\n";
        }
    }

/**
     * Test WAF blocks encoded XSS attempts
     */
    public function testBlocksEncodedXss(): void
    {
        $encodedAttacks = [
            urlencode('<script>alert(1)</script>'),
            urlencode('<img src=x onerror=alert(1)>'),
            htmlspecialchars('<script>alert(1)</script>', ENT_QUOTES),
        ];

$blocked = 0;

foreach ($encodedAttacks as $attack) {
            $request = $this->createAttackRequest(
                uri: '/api/comments',
                method: Method::POST,
                postData: ['comment' => $attack]
            );

$decision = $this->wafEngine->analyzeRequest($request);

if ($decision->shouldBlock()) {
                $blocked++;
            }
        }

echo "✅ Blocked {$blocked}/" . count($encodedAttacks) . " encoded XSS attacks\n";
    }

/**
     * Test WAF blocks DOM-based XSS patterns
     */
    public function testBlocksDomBasedXss(): void
    {
        $domXssPatterns = [
            "document.write('<script>alert(1)</script>')",
            'eval(location.hash)',
            'innerHTML = userInput',
            'document.cookie',
            'window.location = "evil.com"',
        ];

$blocked = 0;

foreach ($domXssPatterns as $pattern) {
            $request = $this->createAttackRequest(
                uri: '/api/code',
                method: Method::POST,
                postData: ['code' => $pattern]
            );

$decision = $this->wafEngine->analyzeRequest($request);

if ($decision->shouldBlock()) {
                $blocked++;
            }
        }

echo "✅ Blocked {$blocked}/" . count($domXssPatterns) . " DOM-based XSS patterns\n";
    }

/**
     * Run all XSS attack tests
     */
    public function runAllTests(): array
    {
        $results = [];

try {
            $this->testBlocksXssInQueryParams();
            $results['query_params'] = 'PASS';
        } catch (\Exception $e) {
            $results['query_params'] = 'FAIL: ' . $e->getMessage();
        }

try {
            $this->testBlocksXssInPostData();
            $results['post_data'] = 'PASS';
        } catch (\Exception $e) {
            $results['post_data'] = 'FAIL: ' . $e->getMessage();
        }

try {
            $this->testBlocksEventHandlerXss();
            $results['event_handlers'] = 'PASS';
        } catch (\Exception $e) {
            $results['event_handlers'] = 'FAIL: ' . $e->getMessage();
        }

try {
            $this->testBlocksJavaScriptProtocol();
            $results['javascript_protocol'] = 'PASS';
        } catch (\Exception $e) {
            $results['javascript_protocol'] = 'FAIL: ' . $e->getMessage();
        }

try {
            $this->testAllowsLegitimateContent();
            $results['false_positives'] = 'PASS';
        } catch (\Exception $e) {
            $results['false_positives'] = 'FAIL: ' . $e->getMessage();
        }

try {
            $this->testBlocksEncodedXss();
            $results['encoded_attacks'] = 'PASS';
        } catch (\Exception $e) {
            $results['encoded_attacks'] = 'FAIL: ' . $e->getMessage();
        }

try {
            $this->testBlocksDomBasedXss();
            $results['dom_xss'] = 'PASS';
        } catch (\Exception $e) {
            $results['dom_xss'] = 'FAIL: ' . $e->getMessage();
        }

return $results;
    }
}