whs-authz-authn/caido-plugin-test
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'main' into feature/csrf

Browse source
This commit is contained in:
암냥 (imnyang) 2025-05-31 11:41:54 +09:00 committed by GitHub
commit dcb91d141f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 265 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

18
README.md
View file

@ -1 +1,19 @@
# caido-plugin-test
## To-Do
- [ ] PKCE 다운그래이드 https에서 작동 안하는 이슈 고치기
```log
2025-05-25T15:52:40.757475Z INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connection (29e74afd-9006-445e-88a9-3fc5d4796af9)
2025-05-25T15:52:40.757530Z INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connected for http://localhost:8787 (29e74afd-9006-445e-88a9-3fc5d4796af9)
2025-05-25T15:52:40.757562Z INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost/login (29e74afd-9006-445e-88a9-3fc5d4796af9)
2025-05-25T15:52:40.767186Z INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost:8787/login -> 302 361 (29e74afd-9006-445e-88a9-3fc5d4796af9)
2025-05-25T15:52:40.768696Z INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b)
2025-05-25T15:52:41.103596Z INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 -> 302 4927 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b)
2025-05-25T15:52:41.105944Z INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connection (34585a00-9f9f-4c72-b087-2e9e92418dad)
2025-05-25T15:52:41.105993Z INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connected for http://localhost:8787 (34585a00-9f9f-4c72-b087-2e9e92418dad)
2025-05-25T15:52:41.106023Z INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 (34585a00-9f9f-4c72-b087-2e9e92418dad)
2025-05-25T15:52:41.108270Z INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] Required PKCE parameters missing. Skipping.
2025-05-25T15:52:41.277387Z INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] No PKCE downgrade detected.
2025-05-25T15:52:41.686109Z INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost:8787/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 -> 200 1582 (34585a00-9f9f-4c72-b087-2e9e92418dad)
```

104
packages/backend/src/controller/PKCECheck.ts
View file

@ -1,6 +1,5 @@
import type { SDK } from "caido:plugin";
import type { Request } from "caido:utils";
import { fetch, Request as FetchRequest } from "caido:http";
import { Body, RequestSpec, type Request } from "caido:utils";
export class PKCECheck {
async test(sdk: SDK, req: Request): Promise<boolean> {
@ -11,18 +10,20 @@ export class PKCECheck {
}
const query = req.getQuery();
const requiredParams = ["client_id=", "response_type=code", "code_challenge=", "code_challenge_method="];
if (!requiredParams.every(param => query.includes(param))) {
const searchParams = new URLSearchParams(query);
const requiredKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"];
if (!requiredKeys.every((key) => searchParams.has(key))) {
sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping.");
return false;
}
const url = req.getUrl();
const isOpenID = query.includes("scope=openid") || query.includes("id_token");
const methodMatch = query.match(/code_challenge_method=([^&]*)/);
const challengeMatch = query.match(/code_challenge=([^&]*)/);
const isOpenID = searchParams.get("scope")?.includes("openid") || url.includes("id_token");
const methodVal = searchParams.get("code_challenge_method");
const challengeVal = searchParams.get("code_challenge");
if (!methodMatch || !challengeMatch) {
if (!methodVal || !challengeVal) {
sdk.console.log("[PKCEDowngradeCheck] code_challenge or method missing. Skipping.");
await sdk.findings.create({
title: isOpenID
@ -30,12 +31,11 @@ export class PKCECheck {
: "[WARN] OAuth2 Flow PKCE Parameters Missing",
description: `PKCE parameters are missing or incomplete for ${url}. This may indicate a misconfiguration.`,
request: req,
reporter: "",
reporter: "PKCE Checker",
});
return false;
}
const methodVal = decodeURIComponent(methodMatch[1]!);
if (methodVal === "plain") {
sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is 'plain'. Skipping.");
await sdk.findings.create({
@ -44,34 +44,80 @@ export class PKCECheck {
: "[WARN] OAuth2 Flow PKCE Method is 'plain'",
description: `PKCE method is set to 'plain' for ${url}. This may indicate a downgrade vulnerability.`,
request: req,
reporter: "",
reporter: "PKCE Checker",
});
return false;
}
const downgradedQuery = query
.replace(/code_challenge_method=[^&]*&?/, "")
.replace(/code_challenge=[^&]*&?/, "")
.replace(/[?&]$/, "");
// Remove PKCE parameters to simulate a downgraded request
searchParams.delete("code_challenge");
searchParams.delete("code_challenge_method");
const downgradedQuery = searchParams.toString();
const scheme = req.getUrl().startsWith("https") ? "https" : "http";
const downgradedUrl = `${scheme}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`;
const downgradedUrl = `${req.getUrl().split("://")[0]}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`;
sdk.console.log(`${req.getHost()} Original URL: ` + url);
sdk.console.log(`${req.getHost()} Downgraded URL: ` + downgradedUrl);
try {
const [resOriginal, resDowngraded] = await Promise.all([
fetch(new FetchRequest(url, { method: "GET" })),
fetch(new FetchRequest(downgradedUrl, { method: "GET" }))
]);
// Use Caido Replay SDK to replay the original request
const spec = new RequestSpec(downgradedUrl);
spec.setBody(req.getBody() as Body);
for (const [key, value] of Object.entries(req.getHeaders())) {
if (Array.isArray(value)) {
spec.setHeader(key, value.join(', ')); // or another suitable delimiter
} else {
spec.setHeader(key, value);
}
}
spec.setHost(req.getHost());
spec.setMethod(req.getMethod());
spec.setPath(req.getPath());
spec.setQuery(downgradedQuery);
spec.setTls(req.getTls());
spec.setPort(req.getPort());
const [bodyOriginal, bodyDowngraded] = await Promise.all([
resOriginal.text(),
resDowngraded.text()
]);
let sendDowngradedRequest = await sdk.requests.send(spec);
if (sendDowngradedRequest.response) {
let domain = spec.getHost();
let port = spec.getPort();
let path = spec.getPath();
let query = spec.getQuery();
let id = sendDowngradedRequest.response.getId();
let code = sendDowngradedRequest.response.getCode();
sdk.console.log(`REQ ${id}: ${domain}:${port}${path}${query} received a status code of ${code}`);
}
if (sendDowngradedRequest.response?.getCode() === 302) {
await sdk.findings.create({
title: isOpenID
? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability"
: "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability",
description: `The request to ${url} is vulnerable to a PKCE downgrade attack. This may indicate a configuration error.`,
request: req,
reporter: "PKCE Checker",
});
}
/*
sdk.console.log(`${req.getHost()} Original Status: ` + resOriginal.status);
sdk.console.log(`${req.getHost()} Downgraded Status: ` + resDowngraded.status);
sdk.console.log(`${req.getHost()} Original Headers: ` + JSON.stringify(resOriginal.headers));
sdk.console.log(`${req.getHost()} Downgraded Headers: ` + JSON.stringify(resDowngraded.headers));
// Caido Dev Docs 기준으로, 리다이렉트된 URL은 Response 객체의 url 속성에 저장되어 있음
const locationOriginal = resOriginal.url ?? "";
const locationDowngraded = resDowngraded.url ?? "";
sdk.console.log(`${req.getHost()} Original Location: ` + locationOriginal);
sdk.console.log(`${req.getHost()} Downgraded Location: ` + locationDowngraded);
const statusEqual = resOriginal.status === resDowngraded.status;
const codeInBoth = bodyOriginal.includes("code=") && bodyDowngraded.includes("code=");
const codeInRedirects = locationOriginal.includes("code=") && locationDowngraded.includes("code=");
if (statusEqual && codeInBoth) {
if (statusEqual && codeInRedirects) {
const title = isOpenID
? "[CRITICAL] OpenID Flow PKCE Downgraded to Plaintext"
: "[CRITICAL] OAuth2 Flow PKCE Downgraded to Plaintext";
@ -81,13 +127,13 @@ export class PKCECheck {
await sdk.findings.create({
title,
description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nReference: ${reference}`,
description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nRedirect contained code=.\n\nReference: ${reference}`,
request: req,
reporter: "",
});
return true;
}
}*/
} catch (err) {
sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(err)}`);
}

20
packages/backend/src/index.ts
View file

@ -6,8 +6,11 @@ import { CsrfCheck } from "./controller/csrfCheck";
import { PKCECheck } from "./controller/PKCECheck";
export type API = DefineAPI<{}>;
const csrfCheck = new CsrfCheck();
const pkceCheck = new PKCECheck();
const implicitGrantController = new ImplicitGrantController();
const authZCodeGrantController = new AuthZCodeGrantController();
const pkceCheckController = new PKCECheck();
export function init(sdk: SDK<API>) {
// sdk.events.onInterceptRequest(async (sdk, req: Request) => {
@ -26,7 +29,20 @@ export function init(sdk: SDK<API>) {
sdk.events.onInterceptResponse(
async (sdk: SDK<DefineAPI<{}>, {}>, req: Request, resp: Response) => {
await csrfCheck.checker(sdk, req, resp);
await pkceCheck.test(sdk, req);
sdk.events.onInterceptRequest(async (sdk, req: Request) => {
const result =
authZCodeGrantController.testReq(req) ||
implicitGrantController.testReq(req);
if (result) {
await pkceCheckController.test(sdk, req);
await sdk.findings.create({
title: "Possible SSO Request Detected",
description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
request: req,
reporter: "",
});
}
);
}

2
playground/PKCEDowngrade/.env.example Normal file
View file

@ -0,0 +1,2 @@
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=

2
playground/PKCEDowngrade/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
# deps
node_modules/

11
playground/PKCEDowngrade/README.md Normal file
View file

@ -0,0 +1,11 @@
To install dependencies:
```sh
bun install
```
To run:
```sh
bun run dev
```
open http://localhost:3000

25
playground/PKCEDowngrade/bun.lock Normal file
View file

@ -0,0 +1,25 @@
{
"lockfileVersion": 1,
"workspaces": {
"": {
"name": "PKCEDowngrade",
"dependencies": {
"hono": "^4.7.10",
},
"devDependencies": {
"@types/bun": "latest",
},
},
},
"packages": {
"@types/bun": ["@types/bun@1.2.14", "", { "dependencies": { "bun-types": "1.2.14" } }, "sha512-VsFZKs8oKHzI7zwvECiAJ5oSorWndIWEVhfbYqZd4HI/45kzW7PN2Rr5biAzvGvRuNmYLSANY+H59ubHq8xw7Q=="],
"@types/node": ["@types/node@22.15.21", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-EV/37Td6c+MgKAbkcLG6vqZ2zEYHD7bvSrzqqs2RIhbA6w3x+Dqz8MZM3sP6kGTeLrdoOgKZe+Xja7tUB2DNkQ=="],
"bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="],
"hono": ["hono@4.7.10", "", {}, "sha512-QkACju9MiN59CKSY5JsGZCYmPZkA6sIW6OFCUp7qDjZu6S6KHtJHhAc9Uy9mV9F8PJ1/HQ3ybZF2yjCa/73fvQ=="],
"undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
}
}

12
playground/PKCEDowngrade/package.json Normal file
View file

@ -0,0 +1,12 @@
{
"name": "PKCEDowngrade",
"scripts": {
"dev": "bun run --hot src/index.ts"
},
"dependencies": {
"hono": "^4.7.10"
},
"devDependencies": {
"@types/bun": "latest"
}
}

94
playground/PKCEDowngrade/src/index.ts Normal file
View file

@ -0,0 +1,94 @@
import { Hono } from 'hono'
import { randomBytes, createHash } from 'crypto'
import { Buffer } from 'buffer'
const app = new Hono()
// In-memory PKCE store (should use Redis or similar in production)
const pkceStore = new Map<string, string>()
const generateCodeVerifier = () => {
return randomBytes(32).toString('hex')
}
const generateCodeChallenge = (verifier: string) => {
const hash = createHash('sha256').update(verifier).digest()
return hash.toString('base64url')
}
// Step 1: Redirect to GitHub with PKCE
app.get('/login', (c) => {
const codeVerifier = generateCodeVerifier()
const codeChallenge = generateCodeChallenge(codeVerifier)
const state = randomBytes(8).toString('hex')
pkceStore.set(state, codeVerifier)
const params = new URLSearchParams({
client_id: process.env.GITHUB_CLIENT_ID!,
redirect_uri: 'http://localhost:8787/callback',
scope: 'read:user',
state,
response_type: 'code',
code_challenge: codeChallenge,
code_challenge_method: 'S256',
})
return c.redirect(`https://github.com/login/oauth/authorize?${params}`)
})
// Step 2: GitHub redirects back here
app.get('/callback', async (c) => {
const url = new URL(c.req.url)
const code = url.searchParams.get('code')
const state = url.searchParams.get('state')
if (!code || !state) {
return c.text('Missing code or state', 400)
}
const codeVerifier = pkceStore.get(state)
if (!codeVerifier) {
return c.text('Invalid or expired state', 400)
}
// Step 3: Exchange code + verifier for token
const tokenRes = await fetch('https://github.com/login/oauth/access_token', {
method: 'POST',
headers: {
Accept: 'application/json',
'Content-Type': 'application/json',
},
body: JSON.stringify({
client_id: process.env.GITHUB_CLIENT_ID,
client_secret: process.env.GITHUB_CLIENT_SECRET,
code,
redirect_uri: 'http://localhost:8787/callback',
code_verifier: codeVerifier,
}),
})
const tokenData = await tokenRes.json()
if (!tokenData.access_token) {
return c.text('Failed to get access token', 500)
}
// Step 4: Use token to fetch user profile
const userRes = await fetch('https://api.github.com/user', {
headers: {
Authorization: `Bearer ${tokenData.access_token}`,
'User-Agent': 'hono-app',
},
})
const user = await userRes.json()
return c.json({
message: 'GitHub login successful!',
user,
})
})
export default {
port: 8787,
fetch: app.fetch,
}

7
playground/PKCEDowngrade/tsconfig.json Normal file
View file

@ -0,0 +1,7 @@
{
"compilerOptions": {
"strict": true,
"jsx": "react-jsx",
"jsxImportSource": "hono/jsx"
}
}