diff --git a/README.md b/README.md index 4cb6778..c5497cc 100644 --- a/README.md +++ b/README.md @@ -1 +1,19 @@ -# caido-plugin-test \ No newline at end of file +# caido-plugin-test + +## To-Do +- [ ] PKCE 다운그래이드 https에서 작동 안하는 이슈 고치기 + +```log +2025-05-25T15:52:40.757475Z INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connection (29e74afd-9006-445e-88a9-3fc5d4796af9) +2025-05-25T15:52:40.757530Z INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connected for http://localhost:8787 (29e74afd-9006-445e-88a9-3fc5d4796af9) +2025-05-25T15:52:40.757562Z INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost/login (29e74afd-9006-445e-88a9-3fc5d4796af9) +2025-05-25T15:52:40.767186Z INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost:8787/login -> 302 361 (29e74afd-9006-445e-88a9-3fc5d4796af9) +2025-05-25T15:52:40.768696Z INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b) +2025-05-25T15:52:41.103596Z INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 -> 302 4927 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b) +2025-05-25T15:52:41.105944Z INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connection (34585a00-9f9f-4c72-b087-2e9e92418dad) +2025-05-25T15:52:41.105993Z INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connected for http://localhost:8787 (34585a00-9f9f-4c72-b087-2e9e92418dad) +2025-05-25T15:52:41.106023Z INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 (34585a00-9f9f-4c72-b087-2e9e92418dad) +2025-05-25T15:52:41.108270Z INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] Required PKCE parameters missing. Skipping. +2025-05-25T15:52:41.277387Z INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] No PKCE downgrade detected. +2025-05-25T15:52:41.686109Z INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost:8787/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 -> 200 1582 (34585a00-9f9f-4c72-b087-2e9e92418dad) +``` \ No newline at end of file diff --git a/packages/backend/src/controller/PKCECheck.ts b/packages/backend/src/controller/PKCECheck.ts index 3e41154..8fc5671 100644 --- a/packages/backend/src/controller/PKCECheck.ts +++ b/packages/backend/src/controller/PKCECheck.ts @@ -1,6 +1,5 @@ import type { SDK } from "caido:plugin"; -import type { Request } from "caido:utils"; -import { fetch, Request as FetchRequest } from "caido:http"; +import { Body, RequestSpec, type Request } from "caido:utils"; export class PKCECheck { async test(sdk: SDK, req: Request): Promise { @@ -11,18 +10,20 @@ export class PKCECheck { } const query = req.getQuery(); - const requiredParams = ["client_id=", "response_type=code", "code_challenge=", "code_challenge_method="]; - if (!requiredParams.every(param => query.includes(param))) { + const searchParams = new URLSearchParams(query); + const requiredKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"]; + + if (!requiredKeys.every((key) => searchParams.has(key))) { sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping."); return false; } const url = req.getUrl(); - const isOpenID = query.includes("scope=openid") || query.includes("id_token"); - const methodMatch = query.match(/code_challenge_method=([^&]*)/); - const challengeMatch = query.match(/code_challenge=([^&]*)/); + const isOpenID = searchParams.get("scope")?.includes("openid") || url.includes("id_token"); + const methodVal = searchParams.get("code_challenge_method"); + const challengeVal = searchParams.get("code_challenge"); - if (!methodMatch || !challengeMatch) { + if (!methodVal || !challengeVal) { sdk.console.log("[PKCEDowngradeCheck] code_challenge or method missing. Skipping."); await sdk.findings.create({ title: isOpenID @@ -30,12 +31,11 @@ export class PKCECheck { : "[WARN] OAuth2 Flow PKCE Parameters Missing", description: `PKCE parameters are missing or incomplete for ${url}. This may indicate a misconfiguration.`, request: req, - reporter: "", + reporter: "PKCE Checker", }); return false; } - const methodVal = decodeURIComponent(methodMatch[1]!); if (methodVal === "plain") { sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is 'plain'. Skipping."); await sdk.findings.create({ @@ -44,34 +44,80 @@ export class PKCECheck { : "[WARN] OAuth2 Flow PKCE Method is 'plain'", description: `PKCE method is set to 'plain' for ${url}. This may indicate a downgrade vulnerability.`, request: req, - reporter: "", + reporter: "PKCE Checker", }); - return false; } - const downgradedQuery = query - .replace(/code_challenge_method=[^&]*&?/, "") - .replace(/code_challenge=[^&]*&?/, "") - .replace(/[?&]$/, ""); + // Remove PKCE parameters to simulate a downgraded request + searchParams.delete("code_challenge"); + searchParams.delete("code_challenge_method"); + const downgradedQuery = searchParams.toString(); + const scheme = req.getUrl().startsWith("https") ? "https" : "http"; + const downgradedUrl = `${scheme}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`; - const downgradedUrl = `${req.getUrl().split("://")[0]}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`; + sdk.console.log(`${req.getHost()} Original URL: ` + url); + sdk.console.log(`${req.getHost()} Downgraded URL: ` + downgradedUrl); try { - const [resOriginal, resDowngraded] = await Promise.all([ - fetch(new FetchRequest(url, { method: "GET" })), - fetch(new FetchRequest(downgradedUrl, { method: "GET" })) - ]); + // Use Caido Replay SDK to replay the original request + const spec = new RequestSpec(downgradedUrl); + spec.setBody(req.getBody() as Body); + for (const [key, value] of Object.entries(req.getHeaders())) { + if (Array.isArray(value)) { + spec.setHeader(key, value.join(', ')); // or another suitable delimiter + } else { + spec.setHeader(key, value); + } + } + spec.setHost(req.getHost()); + spec.setMethod(req.getMethod()); + spec.setPath(req.getPath()); + spec.setQuery(downgradedQuery); + spec.setTls(req.getTls()); + spec.setPort(req.getPort()); - const [bodyOriginal, bodyDowngraded] = await Promise.all([ - resOriginal.text(), - resDowngraded.text() - ]); + let sendDowngradedRequest = await sdk.requests.send(spec); + + if (sendDowngradedRequest.response) { + let domain = spec.getHost(); + let port = spec.getPort(); + let path = spec.getPath(); + let query = spec.getQuery(); + let id = sendDowngradedRequest.response.getId(); + let code = sendDowngradedRequest.response.getCode(); + sdk.console.log(`REQ ${id}: ${domain}:${port}${path}${query} received a status code of ${code}`); + } + + if (sendDowngradedRequest.response?.getCode() === 302) { + await sdk.findings.create({ + title: isOpenID + ? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability" + : "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability", + description: `The request to ${url} is vulnerable to a PKCE downgrade attack. This may indicate a configuration error.`, + request: req, + reporter: "PKCE Checker", + }); + } + +/* + sdk.console.log(`${req.getHost()} Original Status: ` + resOriginal.status); + sdk.console.log(`${req.getHost()} Downgraded Status: ` + resDowngraded.status); + + sdk.console.log(`${req.getHost()} Original Headers: ` + JSON.stringify(resOriginal.headers)); + sdk.console.log(`${req.getHost()} Downgraded Headers: ` + JSON.stringify(resDowngraded.headers)); + + // Caido Dev Docs 기준으로, 리다이렉트된 URL은 Response 객체의 url 속성에 저장되어 있음 + const locationOriginal = resOriginal.url ?? ""; + const locationDowngraded = resDowngraded.url ?? ""; + + sdk.console.log(`${req.getHost()} Original Location: ` + locationOriginal); + sdk.console.log(`${req.getHost()} Downgraded Location: ` + locationDowngraded); const statusEqual = resOriginal.status === resDowngraded.status; - const codeInBoth = bodyOriginal.includes("code=") && bodyDowngraded.includes("code="); + const codeInRedirects = locationOriginal.includes("code=") && locationDowngraded.includes("code="); - if (statusEqual && codeInBoth) { + if (statusEqual && codeInRedirects) { const title = isOpenID ? "[CRITICAL] OpenID Flow PKCE Downgraded to Plaintext" : "[CRITICAL] OAuth2 Flow PKCE Downgraded to Plaintext"; @@ -81,13 +127,13 @@ export class PKCECheck { await sdk.findings.create({ title, - description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nReference: ${reference}`, + description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nRedirect contained code=.\n\nReference: ${reference}`, request: req, reporter: "", }); return true; - } + }*/ } catch (err) { sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(err)}`); } diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index dc44468..c7a4a4e 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -6,8 +6,11 @@ import { CsrfCheck } from "./controller/csrfCheck"; import { PKCECheck } from "./controller/PKCECheck"; export type API = DefineAPI<{}>; + const csrfCheck = new CsrfCheck(); -const pkceCheck = new PKCECheck(); +const implicitGrantController = new ImplicitGrantController(); +const authZCodeGrantController = new AuthZCodeGrantController(); +const pkceCheckController = new PKCECheck(); export function init(sdk: SDK) { // sdk.events.onInterceptRequest(async (sdk, req: Request) => { @@ -26,7 +29,20 @@ export function init(sdk: SDK) { sdk.events.onInterceptResponse( async (sdk: SDK, {}>, req: Request, resp: Response) => { await csrfCheck.checker(sdk, req, resp); - await pkceCheck.test(sdk, req); + sdk.events.onInterceptRequest(async (sdk, req: Request) => { + const result = + authZCodeGrantController.testReq(req) || + implicitGrantController.testReq(req); + + if (result) { + await pkceCheckController.test(sdk, req); + + await sdk.findings.create({ + title: "Possible SSO Request Detected", + description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, + request: req, + reporter: "", + }); } ); } diff --git a/playground/PKCEDowngrade/.env.example b/playground/PKCEDowngrade/.env.example new file mode 100644 index 0000000..13f5f37 --- /dev/null +++ b/playground/PKCEDowngrade/.env.example @@ -0,0 +1,2 @@ +GITHUB_CLIENT_ID= +GITHUB_CLIENT_SECRET= diff --git a/playground/PKCEDowngrade/.gitignore b/playground/PKCEDowngrade/.gitignore new file mode 100644 index 0000000..506e4c3 --- /dev/null +++ b/playground/PKCEDowngrade/.gitignore @@ -0,0 +1,2 @@ +# deps +node_modules/ diff --git a/playground/PKCEDowngrade/README.md b/playground/PKCEDowngrade/README.md new file mode 100644 index 0000000..6dd13e7 --- /dev/null +++ b/playground/PKCEDowngrade/README.md @@ -0,0 +1,11 @@ +To install dependencies: +```sh +bun install +``` + +To run: +```sh +bun run dev +``` + +open http://localhost:3000 diff --git a/playground/PKCEDowngrade/bun.lock b/playground/PKCEDowngrade/bun.lock new file mode 100644 index 0000000..ec75146 --- /dev/null +++ b/playground/PKCEDowngrade/bun.lock @@ -0,0 +1,25 @@ +{ + "lockfileVersion": 1, + "workspaces": { + "": { + "name": "PKCEDowngrade", + "dependencies": { + "hono": "^4.7.10", + }, + "devDependencies": { + "@types/bun": "latest", + }, + }, + }, + "packages": { + "@types/bun": ["@types/bun@1.2.14", "", { "dependencies": { "bun-types": "1.2.14" } }, "sha512-VsFZKs8oKHzI7zwvECiAJ5oSorWndIWEVhfbYqZd4HI/45kzW7PN2Rr5biAzvGvRuNmYLSANY+H59ubHq8xw7Q=="], + + "@types/node": ["@types/node@22.15.21", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-EV/37Td6c+MgKAbkcLG6vqZ2zEYHD7bvSrzqqs2RIhbA6w3x+Dqz8MZM3sP6kGTeLrdoOgKZe+Xja7tUB2DNkQ=="], + + "bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="], + + "hono": ["hono@4.7.10", "", {}, "sha512-QkACju9MiN59CKSY5JsGZCYmPZkA6sIW6OFCUp7qDjZu6S6KHtJHhAc9Uy9mV9F8PJ1/HQ3ybZF2yjCa/73fvQ=="], + + "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="], + } +} diff --git a/playground/PKCEDowngrade/package.json b/playground/PKCEDowngrade/package.json new file mode 100644 index 0000000..00ae1aa --- /dev/null +++ b/playground/PKCEDowngrade/package.json @@ -0,0 +1,12 @@ +{ + "name": "PKCEDowngrade", + "scripts": { + "dev": "bun run --hot src/index.ts" + }, + "dependencies": { + "hono": "^4.7.10" + }, + "devDependencies": { + "@types/bun": "latest" + } +} \ No newline at end of file diff --git a/playground/PKCEDowngrade/src/index.ts b/playground/PKCEDowngrade/src/index.ts new file mode 100644 index 0000000..4c61f36 --- /dev/null +++ b/playground/PKCEDowngrade/src/index.ts @@ -0,0 +1,94 @@ +import { Hono } from 'hono' +import { randomBytes, createHash } from 'crypto' +import { Buffer } from 'buffer' + +const app = new Hono() + +// In-memory PKCE store (should use Redis or similar in production) +const pkceStore = new Map() + +const generateCodeVerifier = () => { + return randomBytes(32).toString('hex') +} + +const generateCodeChallenge = (verifier: string) => { + const hash = createHash('sha256').update(verifier).digest() + return hash.toString('base64url') +} + +// Step 1: Redirect to GitHub with PKCE +app.get('/login', (c) => { + const codeVerifier = generateCodeVerifier() + const codeChallenge = generateCodeChallenge(codeVerifier) + const state = randomBytes(8).toString('hex') + + pkceStore.set(state, codeVerifier) + + const params = new URLSearchParams({ + client_id: process.env.GITHUB_CLIENT_ID!, + redirect_uri: 'http://localhost:8787/callback', + scope: 'read:user', + state, + response_type: 'code', + code_challenge: codeChallenge, + code_challenge_method: 'S256', + }) + + return c.redirect(`https://github.com/login/oauth/authorize?${params}`) +}) + +// Step 2: GitHub redirects back here +app.get('/callback', async (c) => { + const url = new URL(c.req.url) + const code = url.searchParams.get('code') + const state = url.searchParams.get('state') + + if (!code || !state) { + return c.text('Missing code or state', 400) + } + + const codeVerifier = pkceStore.get(state) + if (!codeVerifier) { + return c.text('Invalid or expired state', 400) + } + + // Step 3: Exchange code + verifier for token + const tokenRes = await fetch('https://github.com/login/oauth/access_token', { + method: 'POST', + headers: { + Accept: 'application/json', + 'Content-Type': 'application/json', + }, + body: JSON.stringify({ + client_id: process.env.GITHUB_CLIENT_ID, + client_secret: process.env.GITHUB_CLIENT_SECRET, + code, + redirect_uri: 'http://localhost:8787/callback', + code_verifier: codeVerifier, + }), + }) + + const tokenData = await tokenRes.json() + if (!tokenData.access_token) { + return c.text('Failed to get access token', 500) + } + + // Step 4: Use token to fetch user profile + const userRes = await fetch('https://api.github.com/user', { + headers: { + Authorization: `Bearer ${tokenData.access_token}`, + 'User-Agent': 'hono-app', + }, + }) + + const user = await userRes.json() + return c.json({ + message: 'GitHub login successful!', + user, + }) +}) + +export default { + port: 8787, + fetch: app.fetch, +} \ No newline at end of file diff --git a/playground/PKCEDowngrade/tsconfig.json b/playground/PKCEDowngrade/tsconfig.json new file mode 100644 index 0000000..c442b33 --- /dev/null +++ b/playground/PKCEDowngrade/tsconfig.json @@ -0,0 +1,7 @@ +{ + "compilerOptions": { + "strict": true, + "jsx": "react-jsx", + "jsxImportSource": "hono/jsx" + } +} \ No newline at end of file