#!/usr/bin/env bash
# Quick smoke probe of betterbrowsing.org. Hits each major endpoint once
# and prints a one-line status summary. Useful as a baseline to compare
# against the same probes run through an intermediary.
#
# Usage:
#   ./probe.sh                                # direct
#   ./probe.sh --proxy URL                    # through a proxy
#   ./probe.sh --proxy URL --cacert PATH      # vendor re-signs TLS at the proxy
#
# Example: compare a direct run against a proxied one:
#   ./probe.sh > direct.txt
#   ./probe.sh --proxy http://my-proxy:8080 > proxied.txt
#   diff direct.txt proxied.txt
set -euo pipefail

# Origin that every probe path is appended to; BB_BASE overrides it.
BASE="${BB_BASE:-https://betterbrowsing.org}"

# Base curl argv. Built up incrementally; the option parser below appends
# -x / --cacert to it and probe() expands it as "${CURL[@]}".
CURL=(curl)
CURL+=(-sS)            # quiet output, but still report transfer errors
CURL+=(--max-time 30)  # hard cap per request so a slow endpoint cannot hang the run

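#######################################
# Parse the script's command line into the global CURL array.
# Globals:   CURL (appended: -x URL and/or --cacert PATH)
# Arguments: the script's "$@"
# Outputs:   the header comment on -h/--help (stdout); errors on stderr
# Exits:     0 after --help, 2 on an unknown option or a missing value
#######################################
parse_args() {
  while (( $# > 0 )); do
    case "$1" in
      --proxy)
        # Under `set -u` a missing value would abort with an opaque
        # "unbound variable"; name the incomplete option instead.
        (( $# >= 2 )) || { echo "$1 requires a URL" >&2; exit 2; }
        CURL+=(-x "$2")
        shift 2
        ;;
      --cacert)
        (( $# >= 2 )) || { echo "$1 requires a file path" >&2; exit 2; }
        # curl then verifies peers against this file instead of its default
        # CA bundle, i.e. only the proxy's re-signing CA is trusted for the run.
        CURL+=(--cacert "$2")
        shift 2
        ;;
      -h|--help)
        # Print the header comment (line 2 up to the `set` line) with the
        # leading "# " stripped; the `set` line itself is dropped.
        sed -n '2,/^set/p' "$0" | sed 's/^# \{0,1\}//' | grep -v '^set'
        exit 0
        ;;
      *)
        echo "unknown arg: $1" >&2
        exit 2
        ;;
    esac
  done
}
parse_args "$@"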

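#######################################
# Issue one request and print a one-line summary of the result.
# Globals:   CURL (read) base curl argv; BASE (read) origin the path is
#            appended to
# Arguments: $1 label, $2 HTTP method, $3 path; any further arguments are
#            passed to curl verbatim (-H, -d, ...)
# Outputs:   "<label> <method> <path> -> <code> <bytes>B <secs>s" on stdout,
#            or "... -> FAIL (curl exit N) ..." when curl itself fails
#######################################
probe() {
  local name="$1" method="$2" url="$3"
  shift 3
  local out rc=0
  # Assignment kept separate from `local` so curl's status is not masked.
  out=$("${CURL[@]}" -o /dev/null \
        -w "%{http_code} %{size_download}B %{time_total}s" \
        -X "$method" "$@" "$BASE$url") || rc=$?
  if (( rc != 0 )); then
    # curl normally still emits its -w line for a failed transfer (e.g.
    # "000 0B ..."), so appending a bare "FAIL" produced a two-line entry.
    # Fold whatever arrived onto the same line and keep curl's exit code,
    # which distinguishes a timeout (28) from a TLS verification failure
    # (60) from a refused connection (7).
    out="FAIL (curl exit ${rc})${out:+ ${out//$'\n'/ }}"
  fi
  printf "%-30s %-4s %-40s  -> %s\n" "$name" "$method" "$url" "$out"
}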

printf '%s\n' "## Diagnostic endpoints (JSON output is the contract)"
probe "echo headers"        GET  "/api/echo/headers"
probe "echo headers custom" GET  "/api/echo/headers" -H "X-Probe-Custom: hi"
probe "echo ip"             GET  "/api/echo/ip"
probe "echo user-agent"     GET  "/api/echo/user-agent" -H "User-Agent: betterbrowsing-probe/1.0"
probe "echo get + query"    GET  "/api/echo/get?foo=bar&n=42"
probe "echo post (form)"    POST "/api/echo/post" -d "k=v&n=42"
probe "echo post (json)"    POST "/api/echo/post" -H "Content-Type: application/json" -d '{"k":"v"}'
# Status / redirect / delay families: the label and the path share the value.
for code in 200 418 500 599; do
  probe "status $code" GET "/api/status/$code"
done
for n in 0 3; do
  probe "redirect $n" GET "/api/redirect/$n"
done
for n in 0 1; do
  probe "delay $n" GET "/api/delay/$n"
done
probe "health"      GET "/api/health"
probe "fail"        GET "/api/fail"
probe "fingerprint" GET "/fingerprint/data"

printf '\n%s\n' "## Real-website-simulation endpoints"
probe "ratecap (default)"  GET  "/api/ratecap"
probe "ratecap 0%"         GET  "/api/ratecap?fail_pct=0"
probe "ratecap 100%"       GET  "/api/ratecap?fail_pct=100"
# Login variants: the same synthetic credentials sent with different field
# names and encodings. The GET variant carries them in the query string,
# which is the case an intermediary's logging would have to handle.
probe "login POST (canon)" POST "/login/post" -d "email=synth@example.invalid&password=x&form_variant=post-password"
probe "login POST (text)"  POST "/login/post" -d "email=synth@example.invalid&password=x&form_variant=post-text-pw"
probe "login POST (renam)" POST "/login/post" -d "user_credential=synth&secret_key=x&form_variant=post-renamed"
probe "login POST (json)"  POST "/login/post" -H "Content-Type: application/json" -d '{"email":"x@y","password":"z","form_variant":"xhr"}'
probe "login GET"          GET  "/login/get?email=synth@example.invalid&password=x&form_variant=get-form"
probe "signup POST"        POST "/signup/post" -d "username=u&email=signup@example.invalid&password=x&password_confirm=x"
probe "comment POST"       POST "/comment/post" -d "body=hello&author=anon&target_post_id=p1"
probe "listing POST"       POST "/listing/post" -d "title=test&category=misc&price=100"
probe "engagement like"    POST "/engagement/like" -H "Content-Type: application/json" -d '{"action":"like","target_post_id":"p1"}'
probe "ad click"           GET  "/ad/click?creative=demo-001&placement=above-fold&campaign=test"

printf '\n%s\n' "## Recon / OSINT bait"
# Paths the site serves as bait (per the heading); direct vs. proxied output
# shows whether an intermediary treats them differently from the rest.
scan_paths=(/admin /wp-login.php /server-status /phpmyadmin /.env /.git/config)
for path in "${scan_paths[@]}"; do
  probe "scan $path" GET "$path"
done

printf '\n'
printf '%s\n' \
  "## robots.txt enforcement" \
  "## (Direct: all of these return 200. Through a robots-respecting" \
  "##  intermediary: /private/* should be blocked while everything else passes.)"
probe "robots.txt" GET "/robots.txt"
disallowed_paths=(/private /private/data.json /private/secret)
for path in "${disallowed_paths[@]}"; do
  probe "disallowed $path" GET "$path"
done

printf '\n%s\n' "## Cookie round-trip (only __session survives Firebase Hosting)"
probe "echo with __session"     GET "/api/echo/headers" -H "Cookie: __session=round-trip-probe"
probe "echo with stripped name" GET "/api/echo/headers" -H "Cookie: probe=stripped-by-hosting"
