whs-authz-authn/caido-plugin-test
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

temp commit

Browse source
This commit is contained in:
imnyang 2025-06-05 21:47:25 +09:00
commit 0eca258096
No known key found for this signature in database
GPG key ID: 356406A02D4AFA55
3 changed files with 35 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

17
packages/backend/src/controller/PKCECheck.ts
View file

@ -1,5 +1,6 @@
import type { SDK } from "caido:plugin"; import type { SDK } from "caido:plugin";
import { Body, RequestSpec, type Request } from "caido:utils"; import { Body, RequestSpec, type Request } from "caido:utils";
import { sendReport } from "../utils/controlTower";
export class PKCECheck { export class PKCECheck {
// 필요한 PKCE 파라미터 목록 // 필요한 PKCE 파라미터 목록
@ -79,13 +80,14 @@ export class PKCECheck {
const reference = isOpenID const reference = isOpenID
? "https://openid.net/specs/openid-igov-oauth2-1_0-02.html#rfc.section.3.1.7" ? "https://openid.net/specs/openid-igov-oauth2-1_0-02.html#rfc.section.3.1.7"
: "https://datatracker.ietf.org/doc/html/rfc7636"; : "https://datatracker.ietf.org/doc/html/rfc7636";
await this.reportFinding(
await sdk.findings.create({ sdk,
title, req,
description: `PKCE downgrade vulnerability detected!\n\nOriginal URL: ${url}\nDowngraded URL: ${downgradedUrl}\n\nBoth requests returned authorization codes, indicating the server accepts requests without PKCE protection.\n\nReference: ${reference}`, url,
request: req, isOpenID,
reporter: "PKCE Checker", title,
}); `PKCE downgrade vulnerability detected!\n\nOriginal URL: ${url}\nDowngraded URL: ${downgradedUrl}\n\nBoth requests returned authorization codes, indicating the server accepts requests without PKCE protection.\n\nReference: ${reference}`
);
return true; return true;
} }
@ -133,5 +135,6 @@ export class PKCECheck {
request: req, request: req,
reporter: "PKCE Checker", reporter: "PKCE Checker",
}); });
sendReport(sdk, fullTitle, `${message} (${url})`, req, "PKCE Checker");
} }
} }

1
packages/backend/src/index.ts
View file

@ -40,6 +40,7 @@ export function init(sdk: SDK<API>) {
sdk.events.onInterceptRequest(async (sdk, req: Request) => { sdk.events.onInterceptRequest(async (sdk, req: Request) => {
await pkceCheckController.test(sdk, req); await pkceCheckController.test(sdk, req);
}); });
/* /*
sdk.events.onInterceptRequest(async (sdk, req: Request) => { sdk.events.onInterceptRequest(async (sdk, req: Request) => {
const result = const result =

24
packages/backend/src/utils/controlTower.ts Normal file
View file

@ -0,0 +1,24 @@
import type { SDK } from "caido:plugin";
import { Body, RequestSpec, type Request } from "caido:utils";
export async function sendReport(
sdk: SDK,
title: string,
description: string,
request: Request,
reporter: string
) {
const spec = new RequestSpec("http://192.168.0.9:4020/report");
spec.setMethod("POST");
spec.setHeader("Content-Type", "application/json");
const body = new Body(JSON.stringify({
title,
description,
request: request.toSpec(),
reporter
}));
spec.setBody(body);
return await sdk.requests.send(spec);
}