whs-authz-authn/caido-plugin-test
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'main' of https://github.com/whs-authz-authn-project/caido-plugin-test into sujin

Browse source
This commit is contained in:
sultanofdisco 2025-06-07 13:40:44 +09:00
commit dfa5392038
7 changed files with 556 additions and 242 deletions
Download patch file Download diff file Expand all files Collapse all files

191
packages/backend/src/controller/PKCECheck.ts
View file

@ -2,138 +2,94 @@ import type { SDK } from "caido:plugin";
import { Body, RequestSpec, type Request } from "caido:utils";
export class PKCECheck {
// 필요한 PKCE 파라미터 목록
private readonly requiredPKCEKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"];
// PKCE 취약점 테스트 메인 함수
async test(sdk: SDK, req: Request): Promise<boolean> {
const method = req.getMethod();
const url = req.getUrl();
// GET 요청이 아니면 검사하지 않음
if (method !== "GET") {
sdk.console.log("[PKCEDowngradeCheck] Not a GET request. Skipping.");
return false;
}
const query = req.getQuery();
const searchParams = new URLSearchParams(query);
const requiredKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"];
const searchParams = new URLSearchParams(req.getQuery());
if (!requiredKeys.every((key) => searchParams.has(key))) {
// 필수 PKCE 파라미터들이 모두 있는지 확인
if (!this.requiredPKCEKeys.every(key => searchParams.has(key))) {
sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping.");
return false;
}
const url = req.getUrl();
// OpenID 여부 확인
const isOpenID = searchParams.get("scope")?.includes("openid") || url.includes("id_token");
const methodVal = searchParams.get("code_challenge_method");
const challengeVal = searchParams.get("code_challenge");
// 파라미터가 없으면 경고 리포트 생성
if (!methodVal || !challengeVal) {
sdk.console.log("[PKCEDowngradeCheck] code_challenge or method missing. Skipping.");
await sdk.findings.create({
title: isOpenID
? "[WARN] OpenID Flow PKCE Parameters Missing"
: "[WARN] OAuth2 Flow PKCE Parameters Missing",
description: `PKCE parameters are missing or incomplete for ${url}. This may indicate a misconfiguration.`,
request: req,
reporter: "PKCE Checker",
});
await this.reportFinding(sdk, req, url, isOpenID, "[WARN] PKCE Parameters Missing", "PKCE parameters are missing or incomplete.");
return false;
}
// code_challenge_method가 'plain'이면 취약할 수 있음
if (methodVal === "plain") {
sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is 'plain'. Skipping.");
await sdk.findings.create({
title: isOpenID
? "[WARN] OpenID Flow PKCE Method is 'plain'"
: "[WARN] OAuth2 Flow PKCE Method is 'plain'",
description: `PKCE method is set to 'plain' for ${url}. This may indicate a downgrade vulnerability.`,
request: req,
reporter: "PKCE Checker",
});
await this.reportFinding(sdk, req, url, isOpenID, "[WARN] PKCE Method is 'plain'", "PKCE method is set to 'plain'. This may indicate a downgrade vulnerability.");
return false;
}
// Remove PKCE parameters to simulate a downgraded request
// PKCE 관련 파라미터 제거하여 다운그레이드된 URL 생성
searchParams.delete("code_challenge");
searchParams.delete("code_challenge_method");
const downgradedQuery = searchParams.toString();
const scheme = req.getUrl().startsWith("https") ? "https" : "http";
const scheme = url.startsWith("https") ? "https" : "http";
const downgradedUrl = `${scheme}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`;
sdk.console.log(`${req.getHost()} Original URL: ` + url);
sdk.console.log(`${req.getHost()} Downgraded URL: ` + downgradedUrl);
sdk.console.log(`${req.getHost()} Original URL: ${url}`);
sdk.console.log(`${req.getHost()} Downgraded URL: ${downgradedUrl}`);
try {
// Use Caido Replay SDK to replay the original request
const spec = new RequestSpec(downgradedUrl);
spec.setBody(req.getBody() as Body);
for (const [key, value] of Object.entries(req.getHeaders())) {
if (Array.isArray(value)) {
spec.setHeader(key, value.join(', ')); // or another suitable delimiter
} else {
spec.setHeader(key, value);
// 원래 요청과 다운그레이드된 요청 각각 전송
const downgradedResponse = await this.sendRequest(sdk, req, downgradedUrl, downgradedQuery);
const originalResponse = await this.sendRequest(sdk, req, url, req.getQuery());
if (downgradedResponse && originalResponse) {
const originalCode = originalResponse.getCode();
const downgradedCode = downgradedResponse.getCode();
const originalLoc = originalResponse.getHeader("location") || "";
const downgradedLoc = downgradedResponse.getHeader("location") || "";
sdk.console.log(`${req.getHost()} Original Status: ${originalCode}`);
sdk.console.log(`${req.getHost()} Downgraded Status: ${downgradedCode}`);
sdk.console.log(`${req.getHost()} Original Location: ${originalLoc}`);
sdk.console.log(`${req.getHost()} Downgraded Location: ${downgradedLoc}`);
// 두 응답 모두 리디렉션이면서 code= 파라미터 포함 시 취약점 리포트 생성
const bothRedirect = [301, 302].includes(originalCode) && [301, 302].includes(downgradedCode);
const bothContainCode = originalLoc.includes("code=") && downgradedLoc.includes("code=");
if (bothRedirect && bothContainCode) {
const title = isOpenID
? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability"
: "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability";
const reference = isOpenID
? "https://openid.net/specs/openid-igov-oauth2-1_0-02.html#rfc.section.3.1.7"
: "https://datatracker.ietf.org/doc/html/rfc7636";
await sdk.findings.create({
title,
description: `PKCE downgrade vulnerability detected!\n\nOriginal URL: ${url}\nDowngraded URL: ${downgradedUrl}\n\nBoth requests returned authorization codes, indicating the server accepts requests without PKCE protection.\n\nReference: ${reference}`,
request: req,
reporter: "PKCE Checker",
});
return true;
}
}
spec.setHost(req.getHost());
spec.setMethod(req.getMethod());
spec.setPath(req.getPath());
spec.setQuery(downgradedQuery);
spec.setTls(req.getTls());
spec.setPort(req.getPort());
let sendDowngradedRequest = await sdk.requests.send(spec);
if (sendDowngradedRequest.response) {
let domain = spec.getHost();
let port = spec.getPort();
let path = spec.getPath();
let query = spec.getQuery();
let id = sendDowngradedRequest.response.getId();
let code = sendDowngradedRequest.response.getCode();
sdk.console.log(`REQ ${id}: ${domain}:${port}${path}${query} received a status code of ${code}`);
}
if (sendDowngradedRequest.response?.getCode() === 302) {
await sdk.findings.create({
title: isOpenID
? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability"
: "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability",
description: `The request to ${url} is vulnerable to a PKCE downgrade attack. This may indicate a configuration error.`,
request: req,
reporter: "PKCE Checker",
});
}
/*
sdk.console.log(`${req.getHost()} Original Status: ` + resOriginal.status);
sdk.console.log(`${req.getHost()} Downgraded Status: ` + resDowngraded.status);
sdk.console.log(`${req.getHost()} Original Headers: ` + JSON.stringify(resOriginal.headers));
sdk.console.log(`${req.getHost()} Downgraded Headers: ` + JSON.stringify(resDowngraded.headers));
// Caido Dev Docs 기준으로, 리다이렉트된 URL은 Response 객체의 url 속성에 저장되어 있음
const locationOriginal = resOriginal.url ?? "";
const locationDowngraded = resDowngraded.url ?? "";
sdk.console.log(`${req.getHost()} Original Location: ` + locationOriginal);
sdk.console.log(`${req.getHost()} Downgraded Location: ` + locationDowngraded);
const statusEqual = resOriginal.status === resDowngraded.status;
const codeInRedirects = locationOriginal.includes("code=") && locationDowngraded.includes("code=");
if (statusEqual && codeInRedirects) {
const title = isOpenID
? "[CRITICAL] OpenID Flow PKCE Downgraded to Plaintext"
: "[CRITICAL] OAuth2 Flow PKCE Downgraded to Plaintext";
const reference = isOpenID
? "https://openid.net/specs/openid-igov-oauth2-1_0-02.html#rfc.section.3.1.7"
: "https://datatracker.ietf.org/doc/html/rfc7636";
await sdk.findings.create({
title,
description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nRedirect contained code=.\n\nReference: ${reference}`,
request: req,
reporter: "",
});
return true;
}*/
} catch (err) {
sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(err)}`);
}
@ -141,4 +97,41 @@ export class PKCECheck {
sdk.console.log("[PKCEDowngradeCheck] No PKCE downgrade detected.");
return false;
}
// 요청 전송 도우미 함수
private async sendRequest(sdk: SDK, req: Request, url: string, query: string) {
const spec = new RequestSpec(url);
spec.setMethod(req.getMethod());
spec.setPath(req.getPath());
spec.setQuery(query);
spec.setBody(req.getBody() as Body);
spec.setHost(req.getHost());
spec.setPort(req.getPort());
spec.setTls(req.getTls());
for (const [key, value] of Object.entries(req.getHeaders())) {
spec.setHeader(key, Array.isArray(value) ? value.join(', ') : value);
}
const result = await sdk.requests.send(spec);
return result.response ?? null;
}
// 경고 리포트 생성 함수
private async reportFinding(
sdk: SDK,
req: Request,
url: string,
isOpenID: boolean,
title: string,
message: string
) {
const fullTitle = isOpenID ? `[WARN] OpenID Flow ${title}` : `[WARN] OAuth2 Flow ${title}`;
await sdk.findings.create({
title: fullTitle,
description: `${message} (${url})`,
request: req,
reporter: "PKCE Checker",
});
}
}

75
packages/backend/src/controller/accessTokenDetector.ts
View file

@ -19,7 +19,7 @@ export class AccessTokenLeakController {
title: result.title,
description: result.description,
request,
reporter: "",
reporter: "AccessTokenLeak",
});
}
}
@ -31,7 +31,7 @@ export class AccessTokenLeakController {
title: result.title,
description: result.description,
request,
reporter: "",
reporter: "AccessTokenLeak",
});
}
}
@ -132,34 +132,53 @@ export class AccessTokenLeakController {
* @param text -
* @returns , null
*/
private extractTokenFromText(text: string): string | null {
private extractTokenFromText(text: string): string | null {
// 토큰 관련 키워드 리스트
const tokenKeys = [
'access_token',
'accesstoken',
'Access-Token',
'Refresh_Token',
'Refresh-Token',
'RefreshToken',
'Secret_Token',
'Secret-Token',
'SecretToken',
'SSO_Auth',
'SSO-Auth',
'SSOAuth',
'auth_token',
'session_token'
];
'access_token',
'accesstoken',
'Access-Token',
'Refresh_Token',
'Refresh-Token',
'RefreshToken',
'Secret_Token',
'Secret-Token',
'SecretToken',
'SSO_Auth',
'SSO-Auth',
'SSOAuth',
'auth_token',
'session_token'
];
// 정규표현식 패턴 리스트 생성
const tokenTypeKeys = [
'token_type',
'tokenType'
];
// 정규표현식 토큰 타입 유무 패턴 리스트 생성
const tokenTypeRegexes: RegExp[] = [];
for (const key of tokenTypeKeys) {
// JSON 형식: "token_type": "Bearer"
tokenTypeRegexes.push(new RegExp(`"${key}"\\s*:\\s*"bearer"`, 'i'));
// 일반 key=value 형식: token_type=Bearer
tokenTypeRegexes.push(new RegExp(`${key}[=:]\\s*bearer`, 'i'));
// 공백 있는 형식: token_type : Bearer
tokenTypeRegexes.push(new RegExp(`${key}\\s*:\\s*bearer`, 'i'));
}
// token_type=bearer 형태 중 하나라도 포함되는지 확인
const hasTokenTypeBearer = tokenTypeRegexes.some(rx => rx.test(text));
// 정규표현식 토큰 유무 패턴 리스트 생성
const tokenPatterns: RegExp[] = [];
for (const key of tokenKeys) {
// 1. key=token 또는 key: token
tokenPatterns.push(new RegExp(`${key}[=:]\\s*([a-zA-Z0-9\\-._~+/]+=*)`, 'i'));
// 1. key=token 또는 key: token
tokenPatterns.push(new RegExp(`${key}[=:]\\s*([a-zA-Z0-9\\-._~+/]+=*)`, 'i'));
// 2. JSON 형태의 "key": "token"
tokenPatterns.push(new RegExp(`"${key}"\\s*:\\s*"([^"]+)"`, 'i'));
// 2. JSON 형태의 "key": "token"
tokenPatterns.push(new RegExp(`"${key}"\\s*:\\s*"([^"]+)"`, 'i'));
}
// 3. Authorization: Bearer <token> 형태
@ -167,12 +186,14 @@ private extractTokenFromText(text: string): string | null {
// 모든 패턴에 대해 검사
for (const pattern of tokenPatterns) {
const match = pattern.exec(text);
if (match && match[1]) {
return match[1];
const match = pattern.exec(text);
if (match && match[1]) {
if(hasTokenTypeBearer){
return match[1];
}
}
}
return null;
}
}
}

291
packages/backend/src/controller/csrfCheck.ts
View file

@ -5,15 +5,24 @@ import { HttpUtils } from "../utils/http";
const httpUtils = new HttpUtils();
export class CsrfCheck {
private nonceParam = [
"state",
"nonce",
"as",
"frame_id",
"csrf_token",
"csrf",
];
private isTargetUri(uri: string): boolean {
if (
uri.includes("client_id=") &&
(uri.includes("response_type=") ||
uri.includes("grant_type=") ||
uri.includes("redirect_uri=") ||
uri.includes("scope=") ||
uri.includes("state=") ||
uri.includes("nonce="))
httpUtils.getQueryParamFromURI(uri, "client_id") !== null &&
(httpUtils.getQueryParamFromURI(uri, "response_type") !== null ||
httpUtils.getQueryParamFromURI(uri, "grant_type") !== null ||
httpUtils.getQueryParamFromURI(uri, "redirect_uri") !== null ||
httpUtils.getQueryParamFromURI(uri, "scope") !== null ||
httpUtils.getQueryParamFromURI(uri, "state") !== null ||
httpUtils.getQueryParamFromURI(uri, "nonce") !== null)
) {
return true;
}
@ -43,105 +52,178 @@ export class CsrfCheck {
return false;
}
private isStateInQuery(request: Request): boolean {
const query = request.getQuery();
const stateValue =
httpUtils.getQueryParam(query || "", "state") ||
httpUtils.getQueryParam(query || "", "nonce");
if (!stateValue) {
return false;
private isNonceInQuery(request: Request): boolean {
const query = request.getQuery() || "";
for (const param of this.nonceParam) {
if (httpUtils.getQueryParam(query, param) !== null) {
return true; // Nonce parameter is present in the query
}
}
return true;
return false; // No nonce parameter found in the query
}
private checkStateAtResponseLocationHeader(
private getNonceParamName(url: string): string | null {
for (const param of this.nonceParam) {
if (httpUtils.getQueryParamFromURI(url, param) !== null) {
return param; // Return the first matching nonce parameter
}
}
return null; // No nonce parameter found
}
private checkNonceAtResponseLocationHeader(
request: Request,
response: Response
): string[] | 0 {
const nonceParamName = this.getNonceParamName(request.getUrl() || "");
if (
!(
this.isOauthUri(request) &&
this.isStateInQuery(request) &&
this.isOauthRedirectResponse(response)
)
!this.isOauthUri(request) ||
!this.isNonceInQuery(request) ||
!this.isOauthRedirectResponse(response) ||
!nonceParamName
) {
return 0; // Not a target, no CSRF risk
}
// 요청에서 보낸 state 추출
// 요청에서 보낸 Nonce 추출
const query = request.getQuery() || "";
const originalState =
httpUtils.getQueryParam(query, "state") ||
httpUtils.getQueryParam(query || "", "nonce");
const originalNonce = httpUtils.getQueryParam(query, nonceParamName);
// 리다이렉트 URL에서 쿼리 부분만 추출
const locationHeader = httpUtils.getHeaderValue(
response.getHeaders(),
"location"
);
const responseState =
httpUtils.getQueryParamFromURI(locationHeader || "", "state") ||
httpUtils.getQueryParamFromURI(locationHeader || "", "nonce");
const locationHeader =
httpUtils.getHeaderValue(response.getHeaders(), "location") || "";
// state가 없거나, 요청값과 다르면 CSRF 위험
if (!responseState) {
const responseNonce = httpUtils.getQueryParamFromURI(
locationHeader || "",
nonceParamName
);
// Nonce가 없거나, 요청값과 다르면 CSRF 위험
if (!responseNonce) {
// missing state
return ["state parameter is missing in the response location header"];
return ["Nonce parameter is missing in the response location header"];
}
if (originalState !== responseState) {
if (originalNonce !== responseNonce) {
// mismatch
return ["state parameter mismatch between request and response"];
return ["Nonce parameter mismatch between request and response"];
}
return 0; // no CSRF risk detected
}
// private async checkStateReuse(
// request: Request,
// originResponse: Response
// ): Promise<string[] | 0> {
// // uri에 oauth 관련 파라미터가 없지만, 응답이 oauth 리다이렉트 응답인지 확인
// // 즉, 처음으로 state를 발급한 요청인지 확인
// if (
// !(
// !this.isOauthUri(request) &&
// this.isOauthRedirectResponse(originResponse)
// )
// ) {
// return 0; // Not a target, no CSRF risk
// }
private async checkNonceReuse(
sdk: SDK<DefineAPI<{}>, {}>,
request: Request,
originResponse: Response
): Promise<string[] | 0> {
// uri에 oauth 관련 파라미터가 없지만, 응답이 oauth 리다이렉트 응답인지 확인
// 즉, 처음으로 Nonce를 발급한 요청인지 확인
if (
this.isOauthUri(request) ||
!this.isOauthRedirectResponse(originResponse)
) {
return 0; // Not a target, no CSRF risk
}
// const originResponseLocationHeader = httpUtils.getHeaderValue(
// originResponse.getHeaders(),
// "location"
// );
// const originState = httpUtils.getQueryParamFromURI(
// originResponseLocationHeader || "",
// "state"
// );
// 기존 응답의 location 헤더의 url에서 Nonce 파라미터 이름, nonce 파라미터 값, 쿼리 추출
const originResponseLocationHeader =
httpUtils.getHeaderValue(originResponse.getHeaders(), "location") || "";
const nonceParamName =
this.getNonceParamName(originResponseLocationHeader || "") || "state";
const originLocationQuery =
httpUtils.getQueryFromURI(originResponseLocationHeader || "") || "";
const originLocationNonce = httpUtils.getQueryParam(
originLocationQuery,
nonceParamName
);
// const requestHeaders = request.getHeaders();
// const noCookieHeaders = httpUtils.removeHeaders(requestHeaders, ["cookie"]);
// const newResponse = await httpUtils.resend(request, {
// headers: noCookieHeaders,
// });
// const newLocationHeader = httpUtils.getHeaderValue(
// newResponse.getHeaders(),
// "location"
// );
// const newState = httpUtils.getQueryParamFromURI(
// newLocationHeader || "",
// "state"
// );
// 쿠키가 없는 헤더로 새로운 nonce를 발급받기 위해 요청
const noCookieHeaders = httpUtils.removeHeaders(request.getHeaders(), [
"cookie",
]);
const noCookieResponse = await httpUtils.resend(sdk, request, {
headers: noCookieHeaders,
});
if (!noCookieResponse || noCookieResponse?.getCode() >= 400) {
return 0;
}
// if (originState === newState) {
// return [
// "State parameter reused in the response location header, indicating a potential CSRF risk",
// ];
// }
// 쿠키가 없는 응답의 location 헤더 추출 및 Nonce 추출
const noCookieLocationHeader = httpUtils.getHeaderValue(
noCookieResponse?.getHeaders() || {},
"location"
);
const newNonce =
httpUtils.getQueryParamFromURI(
noCookieLocationHeader || "",
nonceParamName
) || "";
// return 0; // no CSRF risk detected
// }
if (originLocationNonce === newNonce) {
return [
"State parameter reused in the response location header, indicating a potential CSRF risk",
];
}
// 기존 쿠키와 함께 새로운 Nonce로 요청
const newQuery = httpUtils.setQueryParam(
originLocationQuery,
nonceParamName,
newNonce
);
// 기존 location 헤더의 uri 요청과 location 헤더에서 nonce값만 새로 발급한 값으로 바꾸어 요청한 결과를 비교
const res1 = await httpUtils.customFetch(
sdk,
originResponseLocationHeader,
"GET",
originLocationQuery,
request.getHeaders()
);
const res2 = await httpUtils.customFetch(
sdk,
originResponseLocationHeader,
"GET",
newQuery,
request.getHeaders()
);
if (
!res1 ||
!res2 ||
res1.getCode() >= 400 ||
res2.getCode() >= 400 ||
res1.getCode() !== res2.getCode()
) {
return 0;
}
if (
res1.getCode() === res2.getCode() &&
300 <= res1.getCode() &&
res1.getCode() < 400
) {
const res1LocationHeader =
httpUtils.getHeaderValue(res1.getHeaders(), "location") || "";
const res2LocationHeader =
httpUtils.getHeaderValue(res2.getHeaders(), "location") || "";
const res1ReirectPath = httpUtils.getPathFromURI(res1LocationHeader);
const res2ReirectPath = httpUtils.getPathFromURI(res2LocationHeader);
if (res1ReirectPath === res2ReirectPath) {
return [
"When nonce parameter reused in the response location header, it might not be verified. Indicating a potential CSRF risk",
];
}
}
return 0; // no CSRF risk detected
}
async checker(
sdk: SDK<DefineAPI<{}>, {}>,
@ -151,30 +233,45 @@ export class CsrfCheck {
let result = ``;
// 쿼리에 state 파라미터가 없으면 CSRF 위험
if (this.isOauthUri(request) && !this.isStateInQuery(request)) {
result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter
try {
if (this.isOauthUri(request) && !this.isNonceInQuery(request)) {
result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter
}
} catch (error) {
sdk.console.error(`Error checking state in query: ${error}`);
}
// location 헤더에 state 파라미터가 없거나, 요청에서 보낸 state와 다르면 CSRF 위험
const stateAtResponseLocationHeaderCheck =
this.checkStateAtResponseLocationHeader(request, response);
if (stateAtResponseLocationHeaderCheck !== 0) {
result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`;
try {
const stateAtResponseLocationHeaderCheck =
this.checkNonceAtResponseLocationHeader(request, response);
if (stateAtResponseLocationHeaderCheck !== 0) {
result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`;
}
} catch (error) {
sdk.console.error(
`Error checking state in response location header: ${error}`
);
}
// // 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기
// const reusedStateCheck = await this.checkStateReuse(request, response);
// if (reusedStateCheck !== 0) {
// result += `, ${reusedStateCheck.join(", ")}`;
// }
// 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기
const reusedStateCheck = await this.checkNonceReuse(sdk, request, response);
if (reusedStateCheck !== 0) {
result += `, ${reusedStateCheck.join(", ")}`;
}
if (result) {
await sdk.findings.create({
title: "csrf vuln",
description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`,
request,
reporter: "csrf reporter",
});
try {
result.replace(/^\s*,\s*|\s*$/, ""); // Remove leading/trailing commas
if (result) {
await sdk.findings.create({
title: "csrf vuln",
description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`,
request,
reporter: "csrf reporter",
});
}
} catch (error) {
sdk.console.error(`Error creating finding: ${error}`);
}
}
}

59
packages/backend/src/controller/redirect_uriBypass.ts Normal file
View file

@ -0,0 +1,59 @@
import type { Request, Response } from "caido:utils";
import type { SDK } from "caido:plugin";
export class RedirectBypassController {
// redirect_uri를 확인하는 함수
isRedirectUri(req: Request): { detected: boolean; redirectUri?: string } {
// ? 뒤에 오는 파라미터 모두 가져오고, 정규표현식으로 redirect_uri= 이후 주소만 뽑음(없으면 null)
const query = req.getQuery();
const redirectUriMatch = query.match(/redirect_uri=([^&]+)/i);
// redirectUriMatch[1]은 ()로 감싼 부분
// redirect_uri 파라미터가 없거나 있어도 주소가 문자열이 아니면 false
if (!redirectUriMatch || typeof redirectUriMatch[1] !== "string") {
return { detected: false };
}
// 인코딩된 주소를 원래대로 바꿈 (ex. https://~~)
const redirectUri = decodeURIComponent(redirectUriMatch[1]);
const bypassPatterns = [
"%ff@", "", "%2f@", "%0a@", "%0d@", "\\", ".evil.com", "@", "%2f..%2f",
];
// 위 패턴에 일치하는 게 있으면 true랑 redirectUri 반환 (false일 땐 undefined)
const detected = bypassPatterns.some(pattern => redirectUri.includes(pattern));
return { detected, redirectUri: detected ? redirectUri : undefined };
}
// 응답에 인가 코드가 포함되어 있는지 확인하는 함수
isCodeIssued(res: Response): boolean {
const location = res.getHeader("Location") || "";
return location.includes("code=");
}
// 위의 두 함수 모두 만족하면 true, 문제의 주소를 반환하는 함수
test(req: Request, res: Response): { detected: boolean; redirectUri?: string } {
const redirectCheck = this.isRedirectUri(req);
const codeIssued = this.isCodeIssued(res);
if (redirectCheck.detected && codeIssued) {
return { detected: true, redirectUri: redirectCheck.redirectUri };
}
return { detected: false };
}
// 탐지된 결과 저장하는 함수
async testAsync(sdk: SDK, req: Request, res: Response): Promise<void> {
const result = this.test(req, res);
if (result.detected) {
await sdk.findings.create({
title: "Redirect URI Bypass Detected",
description: `redirect_uri 우회 발견\nRedirect URI: ${result.redirectUri}`,
request: req,
reporter: "gyu",
});
}
}
}

13
packages/backend/src/index.ts
View file

@ -7,24 +7,23 @@ import { PKCECheck } from "./controller/PKCECheck";
import { AccessTokenLeakController } from "./controller/accessTokenDetector";
import { ScopeDetection } from "./controller/scopeDetection";
import { NonceCheckController } from "./controller/nonceCheck";
import { RedirectBypassController } from "./controller/redirect_uriBypass";
export type API = DefineAPI<{}>;
const csrfCheck = new CsrfCheck();
// const implicitGrantController = new ImplicitGrantController();
// const authZCodeGrantController = new AuthZCodeGrantController();
const pkceCheckController = new PKCECheck();
const tokenCheck = new AccessTokenLeakController();
const ScopeDetectionController = new ScopeDetection();
const redirectBypassController = new RedirectBypassController();
export function init(sdk: SDK<API>) {
sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => {
await csrfCheck.checker(sdk, req, res);
await pkceCheckController.test(sdk, req);
await tokenCheck.testReq(sdk, req);
//await pkceCheckController.test(sdk, req);
await tokenCheck.testResp(sdk, res, req);
await ScopeDetectionController.scan(sdk, req.getUrl());
await redirectBypassController.testAsync(sdk, req, res);
// isOidcFlow는 비동기 메서드로 변경
if (await NonceCheckController.isOidcFlow(req, res)) {
@ -37,6 +36,10 @@ export function init(sdk: SDK<API>) {
}
});
sdk.events.onInterceptRequest(async (sdk, req: Request) => {
await tokenCheck.testReq(sdk, req);
await pkceCheckController.test(sdk, req);
});
/*
sdk.events.onInterceptRequest(async (sdk, req: Request) => {
const result =

139
packages/backend/src/utils/http.ts
View file

@ -1,3 +1,6 @@
import type { SDK } from "caido:plugin";
import { Body, RequestSpec, type Request, type Response } from "caido:utils";
let instance: HttpUtils | null = null;
export class HttpUtils {
/**
@ -11,6 +14,14 @@ export class HttpUtils {
return instance;
}
encodeAndLower(value: string): string {
try {
return encodeURIComponent(value).toLowerCase();
} catch {
return value.toLowerCase();
}
}
/**
* URI
* @param value -
@ -47,12 +58,35 @@ export class HttpUtils {
return result;
}
getQueryParamFromURI(uri: string, key: string): string | null {
getPathFromURI(uri: string): string | null {
uri = uri.toLowerCase();
key = key.toLowerCase();
try {
const urlObj = new URL(uri);
return urlObj.searchParams.get(key);
const path = urlObj.pathname;
return path ? decodeURIComponent(path) : null; // 경로가 없으면 null 반환
} catch (e) {
return null; // URL 파싱 실패 시 null 반환
}
}
getQueryFromURI(uri: string): string | null {
uri = uri.toLowerCase();
try {
const urlObj = new URL(uri);
const query = urlObj.search;
return query ? decodeURIComponent(query.slice(1)) : null; // 쿼리 문자열에서 ? 제거
} catch (e) {
return null; // URL 파싱 실패 시 null 반환
}
}
getQueryParamFromURI(uri: string, key: string): string | null {
uri = uri.toLowerCase();
key = this.decodeAndLower(key);
try {
const urlObj = new URL(uri);
const param = urlObj.searchParams.get(key);
return param ? decodeURIComponent(param) : null;
} catch (e) {
return null;
}
@ -67,10 +101,11 @@ export class HttpUtils {
*/
getQueryParam(query: string, key: string): string | null {
query = query.toLowerCase();
key = key.toLowerCase();
key = this.decodeAndLower(key);
const params = new URLSearchParams(query);
return params.get(key);
const targetParam = params.get(key);
return targetParam ? decodeURIComponent(targetParam) : null;
}
/**
@ -83,11 +118,11 @@ export class HttpUtils {
*/
setQueryParam(query: string, key: string, value: string): string {
query = query.toLowerCase();
key = key.toLowerCase();
value = value.toLowerCase();
key = this.decodeAndLower(key);
value = this.decodeAndLower(value);
const params = new URLSearchParams(query);
params.set(key, value);
params.set(key, this.encodeAndLower(value));
return params.toString();
}
@ -100,7 +135,7 @@ export class HttpUtils {
*/
removeQueryParam(query: string, key: string): string {
query = query.toLowerCase();
key = key.toLowerCase();
key = this.decodeAndLower(key);
const params = new URLSearchParams(query);
params.delete(key);
@ -109,6 +144,7 @@ export class HttpUtils {
// Headers
/**
* !! request.getHeader(`${key}`) .
* name에 .
* @param headers - Response.getHeaders()
* @param name - (: "location", "Content-Type")
@ -207,4 +243,89 @@ export class HttpUtils {
}
return filtered;
}
async resend(
sdk: SDK,
request: Request,
options?: {
headers?: Record<string, string | string[]>;
body?: Body;
method?: string;
query?: string;
}
): Promise<Response | null> {
try {
const spec = new RequestSpec(request.getUrl());
spec.setMethod(options?.method || request.getMethod() || "GET");
if (options?.query) {
spec.setQuery(options.query);
} else {
spec.setQuery(request.getQuery() || "");
}
const originBody = request.getBody();
if (options?.body) {
spec.setBody(options.body);
} else if (originBody) {
spec.setBody(originBody);
}
const headers = request.getHeaders();
if (options?.headers) {
// 기존 헤더에서 options.headers로 덮어쓰기
const newHeaders = this.lowerCaseAllHeaders({
...headers,
...options.headers,
});
for (const [key, value] of Object.entries(newHeaders)) {
spec.setHeader(key, Array.isArray(value) ? value.join(", ") : value);
}
} else {
// 기존 헤더 그대로 사용
for (const [key, value] of Object.entries(headers)) {
spec.setHeader(key, Array.isArray(value) ? value.join(", ") : value);
}
}
const result = await sdk.requests.send(spec);
return result.response ?? null;
} catch (error) {
sdk.console.error(
`Error resending request to ${request.getUrl()}: ${String(error)}`
);
return null;
}
}
async customFetch(
sdk: SDK,
url: string,
method?: string,
query?: string,
headers?: Record<string, string | string[]>,
body?: Body
): Promise<Response | null> {
try {
const spec = new RequestSpec(url);
spec.setMethod(method || "GET");
if (query) {
spec.setQuery(query);
}
if (body) {
spec.setBody(body);
}
for (const [key, value] of Object.entries(headers || {})) {
spec.setHeader(key, Array.isArray(value) ? value.join(", ") : value);
}
const result = await sdk.requests.send(spec);
return result.response ?? null;
} catch {
sdk.console.error(
`Error during custom fetch to ${url}: ${String(error)}`
);
return null;
}
}
}

24
playground/csrf/index.js
View file

@ -1,5 +1,6 @@
// app.js
const express = require("express");
const crypto = require("crypto");
const app = express();
const port = 8000;
@ -43,8 +44,6 @@ app.get("/authorize/mismatch-state", (req, res) => {
);
const code = "authcode-67890";
console.log(`[VULN] original state from client:`, originalState);
// 클라이언트 state와 다르게 'wrong-state'를 삽입
const wrongState = "wrong-state";
const location = `${redirectUri}?code=${code}&state=${wrongState}&client_id=${clientId}`;
@ -52,6 +51,24 @@ app.get("/authorize/mismatch-state", (req, res) => {
res.status(302).send(`Redirecting to ${location}`);
});
/**
* 3) 랜덤 state를 생성하여 리다이렉트를 발생시키는 테스트용 엔드포인트
* - /authorize/reuse-state-test 16 state
* - 최초 요청에 OAuth 파라미터가 없으므로 isOauthUri(request) == false
* - 응답에 Location 헤더로 '...?state=<랜덤값>' 포함
* -> Caido 플러그인의 checkNonceReuse 로직에서 새로운 state가 발급되었는지,
* 재사용되었는지를 검증할 있음
* - 더하여 callback uri에서 해당 nonce의 유효성을 판단하지 않고 응답 시에 vuln
*/
app.get("/authorize/reuse-state-test", (req, res) => {
const state = crypto.randomBytes(16).toString("hex");
// 고정된 콜백 URI로 리다이렉트 (OAuth 파라미터는 여기서만 주입)
const location = `http://localhost:${port}/callback?state=${state}&client_id=123`;
res.set("Location", location);
res.status(302).send(`Redirecting to ${location}`);
});
app.listen(port, () => {
console.log(
`Vulnerable OAuth test server listening at http://localhost:${port}`
@ -62,4 +79,7 @@ app.listen(port, () => {
console.log(
`2) Mismatch-State: http://localhost:${port}/authorize/mismatch-state?client_id=abc&state=xyz&redirect_uri=http://localhost:${port}/callback`
);
console.log(
`3) Reuse-State-Test: http://localhost:${port}/authorize/reuse-state-test`
);
});