Merge branch 'main' into feature/csrf

2025-05-31 11:41:54 +09:00 · 2025-05-31 11:41:54 +09:00 · dcb91d141f
commit dcb91d141f
parent ef1d8f40b3 19b6cb788c
10 changed files with 265 additions and 32 deletions
--- a/README.md
+++ b/README.md
@ -1 +1,19 @@
 # caido-plugin-test
 ## To-Do
 - [ ] PKCE 다운그래이드 https에서 작동 안하는 이슈 고치기
 ```log
 2025-05-25T15:52:40.757475Z  INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connection (29e74afd-9006-445e-88a9-3fc5d4796af9)    
 2025-05-25T15:52:40.757530Z  INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connected for http://localhost:8787 (29e74afd-9006-445e-88a9-3fc5d4796af9)    
 2025-05-25T15:52:40.757562Z  INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost/login (29e74afd-9006-445e-88a9-3fc5d4796af9)    
 2025-05-25T15:52:40.767186Z  INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost:8787/login -> 302 361 (29e74afd-9006-445e-88a9-3fc5d4796af9)    
 2025-05-25T15:52:40.768696Z  INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b)    
 2025-05-25T15:52:41.103596Z  INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 -> 302 4927 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b)    
 2025-05-25T15:52:41.105944Z  INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connection (34585a00-9f9f-4c72-b087-2e9e92418dad)    
 2025-05-25T15:52:41.105993Z  INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connected for http://localhost:8787 (34585a00-9f9f-4c72-b087-2e9e92418dad)    
 2025-05-25T15:52:41.106023Z  INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 (34585a00-9f9f-4c72-b087-2e9e92418dad)    
 2025-05-25T15:52:41.108270Z  INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] Required PKCE parameters missing. Skipping.    
 2025-05-25T15:52:41.277387Z  INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] No PKCE downgrade detected.    
 2025-05-25T15:52:41.686109Z  INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost:8787/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 -> 200 1582 (34585a00-9f9f-4c72-b087-2e9e92418dad)
 ```
--- a/packages/backend/src/controller/PKCECheck.ts
+++ b/packages/backend/src/controller/PKCECheck.ts
@ -1,6 +1,5 @@
 import type { SDK } from "caido:plugin";
-import type { Request } from "caido:utils";
+import { Body, RequestSpec, type Request } from "caido:utils";
 import { fetch, Request as FetchRequest } from "caido:http";
 export class PKCECheck {
  async test(sdk: SDK, req: Request): Promise<boolean> {
@ -11,18 +10,20 @@ export class PKCECheck {
    }
    const query = req.getQuery();
-    const requiredParams = ["client_id=", "response_type=code", "code_challenge=", "code_challenge_method="];
+    const searchParams = new URLSearchParams(query);
-    if (!requiredParams.every(param => query.includes(param))) {
+    const requiredKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"];
    if (!requiredKeys.every((key) => searchParams.has(key))) {
      sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping.");
      return false;
    }
    const url = req.getUrl();
-    const isOpenID = query.includes("scope=openid") || query.includes("id_token");
+    const isOpenID = searchParams.get("scope")?.includes("openid") || url.includes("id_token");
-    const methodMatch = query.match(/code_challenge_method=([^&]*)/);
+    const methodVal = searchParams.get("code_challenge_method");
-    const challengeMatch = query.match(/code_challenge=([^&]*)/);
+    const challengeVal = searchParams.get("code_challenge");
-    if (!methodMatch || !challengeMatch) {
+    if (!methodVal || !challengeVal) {
      sdk.console.log("[PKCEDowngradeCheck] code_challenge or method missing. Skipping.");
      await sdk.findings.create({
        title: isOpenID
@ -30,12 +31,11 @@ export class PKCECheck {
          : "[WARN] OAuth2 Flow PKCE Parameters Missing",
        description: `PKCE parameters are missing or incomplete for ${url}. This may indicate a misconfiguration.`,
        request: req,
-        reporter: "",
+        reporter: "PKCE Checker",
      });
      return false;
    }
    const methodVal = decodeURIComponent(methodMatch[1]!);
    if (methodVal === "plain") {
      sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is 'plain'. Skipping.");
      await sdk.findings.create({
@ -44,34 +44,80 @@ export class PKCECheck {
          : "[WARN] OAuth2 Flow PKCE Method is 'plain'",
        description: `PKCE method is set to 'plain' for ${url}. This may indicate a downgrade vulnerability.`,
        request: req,
-        reporter: "",
+        reporter: "PKCE Checker",
      });
      return false;
    }
-    const downgradedQuery = query
+    // Remove PKCE parameters to simulate a downgraded request
-      .replace(/code_challenge_method=[^&]*&?/, "")
+    searchParams.delete("code_challenge");
-      .replace(/code_challenge=[^&]*&?/, "")
+    searchParams.delete("code_challenge_method");
-      .replace(/[?&]$/, "");
+    const downgradedQuery = searchParams.toString();
    const scheme = req.getUrl().startsWith("https") ? "https" : "http";
    const downgradedUrl = `${scheme}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`;
-    const downgradedUrl = `${req.getUrl().split("://")[0]}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`;
+    sdk.console.log(`${req.getHost()} Original URL: ` + url);
    sdk.console.log(`${req.getHost()} Downgraded URL: ` + downgradedUrl);
    try {
-      const [resOriginal, resDowngraded] = await Promise.all([
+      // Use Caido Replay SDK to replay the original request
-        fetch(new FetchRequest(url, { method: "GET" })),
+      const spec = new RequestSpec(downgradedUrl);
-        fetch(new FetchRequest(downgradedUrl, { method: "GET" }))
+      spec.setBody(req.getBody() as Body);
-      ]);
+      for (const [key, value] of Object.entries(req.getHeaders())) {
        if (Array.isArray(value)) {
          spec.setHeader(key, value.join(', ')); // or another suitable delimiter
        } else {
          spec.setHeader(key, value);
        }
      }
      spec.setHost(req.getHost());
      spec.setMethod(req.getMethod());
      spec.setPath(req.getPath());
      spec.setQuery(downgradedQuery);
      spec.setTls(req.getTls());
      spec.setPort(req.getPort());
-      const [bodyOriginal, bodyDowngraded] = await Promise.all([
+      let sendDowngradedRequest = await sdk.requests.send(spec);
-        resOriginal.text(),
+
-        resDowngraded.text()
+      if (sendDowngradedRequest.response) {
-      ]);
+        let domain = spec.getHost();
        let port = spec.getPort();
        let path = spec.getPath();
        let query = spec.getQuery();
        let id = sendDowngradedRequest.response.getId();
        let code = sendDowngradedRequest.response.getCode();
        sdk.console.log(`REQ ${id}: ${domain}:${port}${path}${query} received a status code of ${code}`);
      }
      if (sendDowngradedRequest.response?.getCode() === 302) {
        await sdk.findings.create({
          title: isOpenID
            ? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability"
            : "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability",
          description: `The request to ${url} is vulnerable to a PKCE downgrade attack. This may indicate a configuration error.`,
          request: req,
          reporter: "PKCE Checker",
        });
      }
 /*
      sdk.console.log(`${req.getHost()} Original Status: ` + resOriginal.status);
      sdk.console.log(`${req.getHost()} Downgraded Status: ` + resDowngraded.status);
      sdk.console.log(`${req.getHost()} Original Headers: ` + JSON.stringify(resOriginal.headers));
      sdk.console.log(`${req.getHost()} Downgraded Headers: ` + JSON.stringify(resDowngraded.headers));
      // Caido Dev Docs 기준으로, 리다이렉트된 URL은 Response 객체의 url 속성에 저장되어 있음
      const locationOriginal = resOriginal.url ?? "";
      const locationDowngraded = resDowngraded.url ?? "";
      sdk.console.log(`${req.getHost()} Original Location: ` + locationOriginal);
      sdk.console.log(`${req.getHost()} Downgraded Location: ` + locationDowngraded);
      const statusEqual = resOriginal.status === resDowngraded.status;
-      const codeInBoth = bodyOriginal.includes("code=") && bodyDowngraded.includes("code=");
+      const codeInRedirects = locationOriginal.includes("code=") && locationDowngraded.includes("code=");
-      if (statusEqual && codeInBoth) {
+      if (statusEqual && codeInRedirects) {
        const title = isOpenID
          ? "[CRITICAL] OpenID Flow PKCE Downgraded to Plaintext"
          : "[CRITICAL] OAuth2 Flow PKCE Downgraded to Plaintext";
@ -81,13 +127,13 @@ export class PKCECheck {
        await sdk.findings.create({
          title,
-          description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nReference: ${reference}`,
+          description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nRedirect contained code=.\n\nReference: ${reference}`,
          request: req,
          reporter: "",
        });
        return true;
-      }
+      }*/
    } catch (err) {
      sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(err)}`);
    }
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@ -6,8 +6,11 @@ import { CsrfCheck } from "./controller/csrfCheck";
 import { PKCECheck } from "./controller/PKCECheck";
 export type API = DefineAPI<{}>;
 const csrfCheck = new CsrfCheck();
-const pkceCheck = new PKCECheck();
+const implicitGrantController = new ImplicitGrantController();
 const authZCodeGrantController = new AuthZCodeGrantController();
 const pkceCheckController = new PKCECheck();
 export function init(sdk: SDK<API>) {
  // sdk.events.onInterceptRequest(async (sdk, req: Request) => {
@ -26,7 +29,20 @@ export function init(sdk: SDK<API>) {
  sdk.events.onInterceptResponse(
    async (sdk: SDK<DefineAPI<{}>, {}>, req: Request, resp: Response) => {
      await csrfCheck.checker(sdk, req, resp);
-      await pkceCheck.test(sdk, req);
+  sdk.events.onInterceptRequest(async (sdk, req: Request) => {
    const result =
      authZCodeGrantController.testReq(req) ||
      implicitGrantController.testReq(req);
    if (result) {
      await pkceCheckController.test(sdk, req);
      await sdk.findings.create({
        title: "Possible SSO Request Detected",
        description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
        request: req,
        reporter: "",
      });
    }
  );
 }
--- a/playground/PKCEDowngrade/.env.example
+++ b/playground/PKCEDowngrade/.env.example
@ -0,0 +1,2 @@
 GITHUB_CLIENT_ID=
 GITHUB_CLIENT_SECRET=
--- a/playground/PKCEDowngrade/.gitignore
+++ b/playground/PKCEDowngrade/.gitignore
@ -0,0 +1,2 @@
 # deps
 node_modules/
--- a/playground/PKCEDowngrade/README.md
+++ b/playground/PKCEDowngrade/README.md
@ -0,0 +1,11 @@
 To install dependencies:
 ```sh
 bun install
 ```
 To run:
 ```sh
 bun run dev
 ```
 open http://localhost:3000
--- a/playground/PKCEDowngrade/bun.lock
+++ b/playground/PKCEDowngrade/bun.lock
@ -0,0 +1,25 @@
 {
  "lockfileVersion": 1,
  "workspaces": {
    "": {
      "name": "PKCEDowngrade",
      "dependencies": {
        "hono": "^4.7.10",
      },
      "devDependencies": {
        "@types/bun": "latest",
      },
    },
  },
  "packages": {
    "@types/bun": ["@types/bun@1.2.14", "", { "dependencies": { "bun-types": "1.2.14" } }, "sha512-VsFZKs8oKHzI7zwvECiAJ5oSorWndIWEVhfbYqZd4HI/45kzW7PN2Rr5biAzvGvRuNmYLSANY+H59ubHq8xw7Q=="],
    "@types/node": ["@types/node@22.15.21", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-EV/37Td6c+MgKAbkcLG6vqZ2zEYHD7bvSrzqqs2RIhbA6w3x+Dqz8MZM3sP6kGTeLrdoOgKZe+Xja7tUB2DNkQ=="],
    "bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="],
    "hono": ["hono@4.7.10", "", {}, "sha512-QkACju9MiN59CKSY5JsGZCYmPZkA6sIW6OFCUp7qDjZu6S6KHtJHhAc9Uy9mV9F8PJ1/HQ3ybZF2yjCa/73fvQ=="],
    "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
  }
 }
--- a/playground/PKCEDowngrade/package.json
+++ b/playground/PKCEDowngrade/package.json
@ -0,0 +1,12 @@
 {
  "name": "PKCEDowngrade",
  "scripts": {
    "dev": "bun run --hot src/index.ts"
  },
  "dependencies": {
    "hono": "^4.7.10"
  },
  "devDependencies": {
    "@types/bun": "latest"
  }
 }
--- a/playground/PKCEDowngrade/src/index.ts
+++ b/playground/PKCEDowngrade/src/index.ts
@ -0,0 +1,94 @@
 import { Hono } from 'hono'
 import { randomBytes, createHash } from 'crypto'
 import { Buffer } from 'buffer'
 const app = new Hono()
 // In-memory PKCE store (should use Redis or similar in production)
 const pkceStore = new Map<string, string>()
 const generateCodeVerifier = () => {
  return randomBytes(32).toString('hex')
 }
 const generateCodeChallenge = (verifier: string) => {
  const hash = createHash('sha256').update(verifier).digest()
  return hash.toString('base64url')
 }
 // Step 1: Redirect to GitHub with PKCE
 app.get('/login', (c) => {
  const codeVerifier = generateCodeVerifier()
  const codeChallenge = generateCodeChallenge(codeVerifier)
  const state = randomBytes(8).toString('hex')
  pkceStore.set(state, codeVerifier)
  const params = new URLSearchParams({
    client_id: process.env.GITHUB_CLIENT_ID!,
    redirect_uri: 'http://localhost:8787/callback',
    scope: 'read:user',
    state,
    response_type: 'code',
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  })
  return c.redirect(`https://github.com/login/oauth/authorize?${params}`)
 })
 // Step 2: GitHub redirects back here
 app.get('/callback', async (c) => {
  const url = new URL(c.req.url)
  const code = url.searchParams.get('code')
  const state = url.searchParams.get('state')
  if (!code || !state) {
    return c.text('Missing code or state', 400)
  }
  const codeVerifier = pkceStore.get(state)
  if (!codeVerifier) {
    return c.text('Invalid or expired state', 400)
  }
  // Step 3: Exchange code + verifier for token
  const tokenRes = await fetch('https://github.com/login/oauth/access_token', {
    method: 'POST',
    headers: {
      Accept: 'application/json',
      'Content-Type': 'application/json',
    },
    body: JSON.stringify({
      client_id: process.env.GITHUB_CLIENT_ID,
      client_secret: process.env.GITHUB_CLIENT_SECRET,
      code,
      redirect_uri: 'http://localhost:8787/callback',
      code_verifier: codeVerifier,
    }),
  })
  const tokenData = await tokenRes.json()
  if (!tokenData.access_token) {
    return c.text('Failed to get access token', 500)
  }
  // Step 4: Use token to fetch user profile
  const userRes = await fetch('https://api.github.com/user', {
    headers: {
      Authorization: `Bearer ${tokenData.access_token}`,
      'User-Agent': 'hono-app',
    },
  })
  const user = await userRes.json()
  return c.json({
    message: 'GitHub login successful!',
    user,
  })
 })
 export default { 
  port: 8787,
  fetch: app.fetch,
 }
--- a/playground/PKCEDowngrade/tsconfig.json
+++ b/playground/PKCEDowngrade/tsconfig.json
@ -0,0 +1,7 @@
 {
  "compilerOptions": {
    "strict": true,
    "jsx": "react-jsx",
    "jsxImportSource": "hono/jsx"
  }
 }