[Add] is authZ|implict grant type

2025-05-19 11:08:20 +09:00 · 2025-05-19 11:08:20 +09:00 · 889d7cfbf2
commit 889d7cfbf2
parent d21ee1eac0
12 changed files with 2437 additions and 0 deletions
--- a/packages/backend/src/controller/authZCodeGrant.ts
+++ b/packages/backend/src/controller/authZCodeGrant.ts
@ -0,0 +1,48 @@
+import type { Request } from "caido:utils";
+
+export class AuthZCodeGrantController {
+  constructor() {}
+
+  isAuthZReq(req: Request) {
+    // const path = req.getPath();
+    const query = req.getQuery();
+    // const raw = req.getRaw().toString();
+
+    // 쿼리에 client_id and response_type=code 포함 확인
+    if (query.includes("client_id=") && query.includes("response_type=code")) {
+      return true;
+    }
+
+    return false;
+  }
+
+  isSendCodeToClient(req: Request) {
+    const path = req.getPath();
+    const query = req.getQuery();
+
+    // code & state 쌍 또는 path에 &code= 또는 쿼리로 code= 유사 일치 확인
+    if (
+      (query.includes("code=") && query.includes("state=")) ||
+      path.includes("&code=") ||
+      /code=%/i.test(query)
+    ) {
+      return true;
+    }
+
+    return false;
+  }
+
+  testReq(req: Request) {
+    if (this.isAuthZReq(req)) {
+      return "isAuthZReq";
+    }
+    if (this.isSendCodeToClient(req)) {
+      return "isSendCodeToClient";
+    }
+    return false;
+  }
+
+  // isAccessTokenReq(req: Response) {
+
+  // }
+}
--- a/packages/backend/src/controller/implictGrant.ts
+++ b/packages/backend/src/controller/implictGrant.ts
@ -0,0 +1,40 @@
+import type { Request } from "caido:utils";
+
+export class ImplicitGrantController {
+  isImplicitGrantReq(req: Request) {
+    const query = req.getQuery();
+    // const raw = req.getRaw().toString();
+
+    // 쿼리에 client_id and response_type=token 포함 확인
+    if (query.includes("client_id=") && query.includes("response_type=token")) {
+      return true;
+    }
+
+    return false;
+  }
+
+  isSendTokenToClient(req: Request) {
+    const path = req.getPath();
+    const query = req.getQuery();
+
+    if (
+      (query.includes("access_token=") && query.includes("state=")) ||
+      path.includes("&access_token=") ||
+      /access_token=%/i.test(query)
+    ) {
+      return true;
+    }
+
+    return false;
+  }
+
+  testReq(req: Request) {
+    if (this.isImplicitGrantReq(req)) {
+      return "isImplicitGrantReq";
+    }
+    if (this.isSendTokenToClient(req)) {
+      return "isSendTokenToClient";
+    }
+    return false;
+  }
+}
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@ -0,0 +1,44 @@
+import type { SDK, DefineAPI } from "caido:plugin";
+import type { Request } from "caido:utils";
+import { ImplicitGrantController } from "./controller/implictGrant";
+import { AuthZCodeGrantController } from "./controller/authZCodeGrant";
+
+export type API = DefineAPI<{}>;
+
+const implicitGrantController = new ImplicitGrantController();
+const authZCodeGrantController = new AuthZCodeGrantController();
+
+// function matchSSORequest(req: Request): boolean {
+//   const raw = req.getRaw().toString();
+
+//   // 조건 3: Raw request에 SAMLRequest 또는 SAMLResponse 포함
+//   if (raw.includes("SAMLRequest=") || raw.includes("SAMLResponse=")) {
+//     return true;
+//   }
+
+//   return false;
+// }
+
+// function matchAccessTokenResponse(resp: Response): boolean {
+//   const raw = resp.getRaw().toString();
+
+//   const match = /"access_token"\s*:\s*"([^"]+)"/.exec(raw);
+//   return !!match;
+// }
+
+export function init(sdk: SDK<API>) {
+  sdk.events.onInterceptRequest(async (sdk, req: Request) => {
+    const result =
+      authZCodeGrantController.testReq(req) ||
+      implicitGrantController.testReq(req);
+
+    if (result) {
+      await sdk.findings.create({
+        title: "Possible SSO Request Detected",
+        description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
+        request: req,
+        reporter: "",
+      });
+    }
+  });
+}