diff --git a/.gitignore b/.gitignore index 3c3629e..648628f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,224 @@ -node_modules +# Created by https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux +# Edit at https://www.toptal.com/developers/gitignore?templates=node,macos,windows,linux + +### Linux ### +*~ + +# temporary files which can be created if a process still has a handle open of a deleted file +.fuse_hidden* + +# KDE directory preferences +.directory + +# Linux trash folder which might appear on any partition or disk +.Trash-* + +# .nfs files are created when an open file is removed but is still being accessed +.nfs* + +### macOS ### +# General +.DS_Store +.AppleDouble +.LSOverride + +# Icon must end with two \r +Icon + + +# Thumbnails +._* + +# Files that might appear in the root of a volume +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns +.com.apple.timemachine.donotpresent + +# Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk + +### macOS Patch ### +# iCloud generated files +*.icloud + +### Node ### +# Logs +logs +*.log +npm-debug.log* +yarn-debug.log* +yarn-error.log* +lerna-debug.log* +.pnpm-debug.log* + +# Diagnostic reports (https://nodejs.org/api/report.html) +report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json + +# Runtime data +pids +*.pid +*.seed +*.pid.lock + +# Directory for instrumented libs generated by jscoverage/JSCover +lib-cov + +# Coverage directory used by tools like istanbul +coverage +*.lcov + +# nyc test coverage +.nyc_output + +# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files) +.grunt + +# Bower dependency directory (https://bower.io/) +bower_components + +# node-waf configuration +.lock-wscript + +# Compiled binary addons (https://nodejs.org/api/addons.html) +build/Release + +# Dependency directories +node_modules/ +jspm_packages/ + +# Snowpack dependency directory (https://snowpack.dev/) +web_modules/ + +# TypeScript cache +*.tsbuildinfo + +# Optional npm cache directory +.npm + +# Optional eslint cache +.eslintcache + +# Optional stylelint cache +.stylelintcache + +# Microbundle cache +.rpt2_cache/ +.rts2_cache_cjs/ +.rts2_cache_es/ +.rts2_cache_umd/ + +# Optional REPL history +.node_repl_history + +# Output of 'npm pack' +*.tgz + +# Yarn Integrity file +.yarn-integrity + +# dotenv environment variable files +.env +.env.development.local +.env.test.local +.env.production.local +.env.local + +# parcel-bundler cache (https://parceljs.org/) +.cache +.parcel-cache + +# Next.js build output +.next +out + +# Nuxt.js build / generate output +.nuxt +dist + +# Gatsby files +.cache/ +# Comment in the public line in if your project uses Gatsby and not Next.js +# https://nextjs.org/blog/next-9-1#public-directory-support +# public + +# vuepress build output +.vuepress/dist + +# vuepress v2.x temp and cache directory +.temp + +# Docusaurus cache and generated files +.docusaurus + +# Serverless directories +.serverless/ + +# FuseBox cache +.fusebox/ + +# DynamoDB Local files +.dynamodb/ + +# TernJS port file +.tern-port + +# Stores VSCode versions used for testing VSCode extensions +.vscode-test + +# yarn v2 +.yarn/cache +.yarn/unplugged +.yarn/build-state.yml +.yarn/install-state.gz +.pnp.* + +### Node Patch ### +# Serverless Webpack directories +.webpack/ + +# Optional stylelint cache + +# SvelteKit build / generate output +.svelte-kit + +### Windows ### +# Windows thumbnail cache files +Thumbs.db +Thumbs.db:encryptable +ehthumbs.db +ehthumbs_vista.db + +# Dump file +*.stackdump + +# Folder config file +[Dd]esktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Windows Installer files +*.cab +*.msi +*.msix +*.msm +*.msp + +# Windows shortcuts +*.lnk + +#!dist/ +dist/* +packages/frontend/dist +packages/backend/dist +#!dist/*.zip + +# End of https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux \ No newline at end of file diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip deleted file mode 100644 index 9573ba3..0000000 Binary files a/dist/plugin_package.zip and /dev/null differ diff --git a/dist/plugin_package/manifest.json b/dist/plugin_package/manifest.json deleted file mode 100644 index 18a8e47..0000000 --- a/dist/plugin_package/manifest.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "id": "oauth-vuln-detector", - "name": "OAuth Vuln Detector", - "version": "0.0.1", - "description": "Detects OAuth misconfiguration.", - "author": { - "name": "caterpii", - "email": "dlaha171@gmail.com", - "url": "https://github.com/katerpii" - }, - "links": {}, - "plugins": [ - { - "id": "oauth-backend", - "kind": "backend", - "name": "backend", - "entrypoint": "oauth-backend/index.js", - "runtime": "javascript" - } - ] -} \ No newline at end of file diff --git a/dist/plugin_package/oauth-backend/index.js b/dist/plugin_package/oauth-backend/index.js deleted file mode 100644 index d244654..0000000 --- a/dist/plugin_package/oauth-backend/index.js +++ /dev/null @@ -1,83 +0,0 @@ -// packages/backend/src/index.ts -import { promises as fs } from "fs"; -import * as path from "path"; -import os from "os"; -var requestMap = /* @__PURE__ */ new Map(); -function init(sdk) { - sdk.events.onInterceptRequest(async (sdk2, req) => { - try { - const urlString = req.getUrl(); - const url = new URL(urlString); - sdk2.console.log(`[OAuthPlugin] Intercepted request: ${urlString}`); - if (!url.pathname.includes("/authorize") && !url.pathname.includes("/auth")) return; - const params = new URLSearchParams(url.search); - const redirectUri = params.get("redirect_uri"); - if (!redirectUri) return; - const reqId = req.getId(); - requestMap.set(reqId, redirectUri); - const clientId = params.get("client_id") ?? "(missing)"; - const responseType = params.get("response_type") ?? "(missing)"; - const isScan = params.has("scan"); - if (isScan) return; - const output = { - original_url: urlString, - client_id: clientId, - redirect_uri: redirectUri, - response_type: responseType - }; - try { - const filePath = path.join(os.tmpdir(), "oauth-fuzz-input.json"); - await fs.writeFile(filePath, JSON.stringify(output, null, 2)); - } catch (err) { - await sdk2.findings.create({ - title: "[fs] Write Failed", - description: `Could not write to file: ${err}`, - request: req, - reporter: "oauth-open-redirect-detector" - }); - } - await sdk2.findings.create({ - title: "[ ] OAuth2 Authorization Request Collected", - description: `client_id: ${clientId} -redirect_uri: ${redirectUri} -response_type: ${responseType}`, - request: req, - reporter: "oauth-open-redirect-detector" - }); - } catch (err) { - sdk2.console.error(`Error in onInterceptRequest: ${err}`); - } - }); - sdk.events.onInterceptResponse(async (sdk2, req, resp) => { - try { - const reqId = req.getId(); - const url = new URL(req.getUrl()); - const status = resp.getCode(); - const location = resp.getHeader("location")?.[0]; - const params = new URLSearchParams(url.search); - const isScan = params.has("scan"); - if (!isScan) { - requestMap.delete(reqId); - return; - } - if (status >= 300 && status < 400 && location) { - const redirectUri = requestMap.get(reqId) ?? "(unknown)"; - await sdk2.findings.create({ - title: "[+] Redirect URI Misconfiguration Detected", - description: `Status: ${status} -Location: ${location} -Original Redirect URI: ${redirectUri} -Request URL: ${url.href}`, - request: req, - reporter: "oauth-open-redirect-detector" - }); - } - requestMap.delete(reqId); - } catch (err) { - sdk2.console.error(`Error in onInterceptResponse: ${err}`); - } - }); -} -export { - init -};