What's happening!!

2025-05-25 16:59:51 +09:00 · 2025-05-25 16:59:51 +09:00 · 12f635c77b
commit 12f635c77b
parent c355038288
6 changed files with 617 additions and 1 deletions
--- a/packages/backend/src/controller/PKCEDowngradeCheck.ts
+++ b/packages/backend/src/controller/PKCEDowngradeCheck.ts
@ -0,0 +1,108 @@
+import type { SDK } from "caido:plugin";
+import type { Request, Response } from "caido:utils";
+import { fetch, Request as FetchRequest } from "caido:http";
+
+export class PKCEDowngradeCheck {
+  async test(sdk: SDK, req: Request): Promise<boolean> {
+    const method = req.getMethod();
+    const query = req.getQuery();
+
+    sdk.console.log(`[PKCEDowngradeCheck] Method: ${method}`);
+    sdk.console.log(`[PKCEDowngradeCheck] Query: ${query}`);
+
+    if (method !== "GET") {
+      sdk.console.log("[PKCEDowngradeCheck] Not a GET request. Skipping.");
+      return false;
+    }
+
+    if (
+      !query.includes("client_id=") ||
+      !query.includes("response_type=code") ||
+      !query.includes("code_challenge=") ||
+      !query.includes("code_challenge_method=")
+    ) {
+      sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping.");
+      return false;
+    }
+
+    const url = req.getUrl();
+    const isOpenID =
+      query.includes("scope=openid") || query.includes("id_token");
+
+    sdk.console.log(`[PKCEDowngradeCheck] URL: ${url}`);
+    sdk.console.log(`[PKCEDowngradeCheck] isOpenID: ${isOpenID}`);
+
+    const methodMatch = query.match(/code_challenge_method=([^&]*)/);
+    const challengeMatch = query.match(/code_challenge=([^&]*)/);
+    if (!methodMatch || !challengeMatch) {
+      sdk.console.log("[PKCEDowngradeCheck] code_challenge or code_challenge_method missing in query. Skipping.");
+      return false;
+    }
+
+    const methodVal = decodeURIComponent(methodMatch[1] ?? "");
+    sdk.console.log(`[PKCEDowngradeCheck] code_challenge_method: ${methodVal}`);
+    if (methodVal === "plain") {
+      sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is plain. Skipping.");
+      return false;
+    }
+
+    const modifiedQuery = query
+      .replace(/code_challenge_method=[^&]*&?/, "")
+      .replace(/code_challenge=[^&]*&?/, "")
+      .replace(/[?&]$/, "");
+
+    const downgradedUrl = `${req.getUrl().split("://")[0]}://${req.getHost()}:${req.getPort()}${req.getPath()}?${modifiedQuery}`;
+    sdk.console.log(`[PKCEDowngradeCheck] Downgraded URL: ${downgradedUrl}`);
+
+    try {
+      const fetchOriginal = new FetchRequest(url, { method: "GET" });
+      const fetchDowngraded = new FetchRequest(downgradedUrl, { method: "GET" });
+
+      sdk.console.log("[PKCEDowngradeCheck] Sending original request...");
+      const resOriginal = await fetch(fetchOriginal);
+      sdk.console.log(`[PKCEDowngradeCheck] Original response status: ${resOriginal.status}`);
+
+      sdk.console.log("[PKCEDowngradeCheck] Sending downgraded request...");
+      const resDowngraded = await fetch(fetchDowngraded);
+      sdk.console.log(`[PKCEDowngradeCheck] Downgraded response status: ${resDowngraded.status}`);
+
+      const statusEqual = resOriginal.status === resDowngraded.status;
+      sdk.console.log(`[PKCEDowngradeCheck] Status equal: ${statusEqual}`);
+
+      const bodyOriginal = await resOriginal.text();
+      const bodyDowngraded = await resDowngraded.text();
+
+      const codeInOriginal = bodyOriginal.includes("code=");
+      const codeInDowngrade = bodyDowngraded.includes("code=");
+
+      sdk.console.log(`[PKCEDowngradeCheck] code= in original: ${codeInOriginal}`);
+      sdk.console.log(`[PKCEDowngradeCheck] code= in downgraded: ${codeInDowngrade}`);
+
+      if (statusEqual && codeInOriginal && codeInDowngrade) {
+        const title = isOpenID
+          ? "OpenID Flow PKCE Downgraded to Plaintext"
+          : "OAuth2 Flow PKCE Downgraded to Plaintext";
+
+        const reference = isOpenID
+          ? "https://openid.net/specs/openid-igov-oauth2-1_0-02.html#rfc.section.3.1.7"
+          : "https://datatracker.ietf.org/doc/html/rfc7636";
+
+        sdk.console.log(`[PKCEDowngradeCheck] PKCE downgrade detected! Creating finding.`);
+
+        await sdk.findings.create({
+          title,
+          description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nReference: ${reference}`,
+          request: req,
+          reporter: "",
+        });
+
+        return true;
+      }
+    } catch (e) {
+      sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(e)}`);
+    }
+
+    sdk.console.log("[PKCEDowngradeCheck] No PKCE downgrade detected.");
+    return false;
+  }
+}
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@ -2,11 +2,13 @@ import type { SDK, DefineAPI } from "caido:plugin";
 import type { Request } from "caido:utils";
 import { ImplicitGrantController } from "./controller/implictGrant";
 import { AuthZCodeGrantController } from "./controller/authZCodeGrant";
+import { PKCEDowngradeCheck } from "./controller/PKCEDowngradeCheck";

 export type API = DefineAPI<{}>;

 const implicitGrantController = new ImplicitGrantController();
 const authZCodeGrantController = new AuthZCodeGrantController();
+const pkceDowngradeCheck = new PKCEDowngradeCheck();

 // function matchSSORequest(req: Request): boolean {
 //   const raw = req.getRaw().toString();
@ -33,6 +35,8 @@ export function init(sdk: SDK<API>) {
      implicitGrantController.testReq(req);

    if (result) {
+      await pkceDowngradeCheck.test(sdk, req);
+
      await sdk.findings.create({
        title: "Possible SSO Request Detected",
        description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
@ -40,5 +44,6 @@ export function init(sdk: SDK<API>) {
        reporter: "",
      });
    }
+
  });
 }