Merge branch 'main' of https://github.com/whs-authz-authn-project/caido-plugin-test into feature/pkce
This commit is contained in:
imnyang
commit
e34649288c
4 changed files with 196 additions and 93 deletions
|
|
@ -7,13 +7,13 @@ const httpUtils = new HttpUtils();
|
|||
export class CsrfCheck {
|
||||
private isTargetUri(uri: string): boolean {
|
||||
if (
|
||||
uri.includes("client_id=") &&
|
||||
(uri.includes("response_type=") ||
|
||||
uri.includes("grant_type=") ||
|
||||
uri.includes("redirect_uri=") ||
|
||||
uri.includes("scope=") ||
|
||||
uri.includes("state=") ||
|
||||
uri.includes("nonce="))
|
||||
httpUtils.getQueryParamFromURI(uri, "client_id") !== null &&
|
||||
(httpUtils.getQueryParamFromURI(uri, "response_type") !== null ||
|
||||
httpUtils.getQueryParamFromURI(uri, "grant_type") !== null ||
|
||||
httpUtils.getQueryParamFromURI(uri, "redirect_uri") !== null ||
|
||||
httpUtils.getQueryParamFromURI(uri, "scope") !== null ||
|
||||
httpUtils.getQueryParamFromURI(uri, "state") !== null ||
|
||||
httpUtils.getQueryParamFromURI(uri, "nonce") !== null)
|
||||
) {
|
||||
return true;
|
||||
}
|
||||
|
|
@ -151,15 +151,25 @@ export class CsrfCheck {
|
|||
let result = ``;
|
||||
|
||||
// 쿼리에 state 파라미터가 없으면 CSRF 위험
|
||||
if (this.isOauthUri(request) && !this.isStateInQuery(request)) {
|
||||
result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter
|
||||
try {
|
||||
if (this.isOauthUri(request) && !this.isStateInQuery(request)) {
|
||||
result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter
|
||||
}
|
||||
} catch (error) {
|
||||
sdk.console.error(`Error checking state in query: ${error}`);
|
||||
}
|
||||
|
||||
// location 헤더에 state 파라미터가 없거나, 요청에서 보낸 state와 다르면 CSRF 위험
|
||||
const stateAtResponseLocationHeaderCheck =
|
||||
this.checkStateAtResponseLocationHeader(request, response);
|
||||
if (stateAtResponseLocationHeaderCheck !== 0) {
|
||||
result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`;
|
||||
try {
|
||||
const stateAtResponseLocationHeaderCheck =
|
||||
this.checkStateAtResponseLocationHeader(request, response);
|
||||
if (stateAtResponseLocationHeaderCheck !== 0) {
|
||||
result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`;
|
||||
}
|
||||
} catch (error) {
|
||||
sdk.console.error(
|
||||
`Error checking state in response location header: ${error}`
|
||||
);
|
||||
}
|
||||
|
||||
// // 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기
|
||||
|
|
@ -168,13 +178,19 @@ export class CsrfCheck {
|
|||
// result += `, ${reusedStateCheck.join(", ")}`;
|
||||
// }
|
||||
|
||||
if (result) {
|
||||
await sdk.findings.create({
|
||||
title: "csrf vuln",
|
||||
description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`,
|
||||
request,
|
||||
reporter: "csrf reporter",
|
||||
});
|
||||
result.replace(/^\s*,\s*|\s*$/, ""); // Remove leading/trailing commas
|
||||
try {
|
||||
if (result) {
|
||||
await sdk.findings.create({
|
||||
title: "csrf vuln",
|
||||
description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`,
|
||||
request,
|
||||
reporter: "csrf reporter",
|
||||
});
|
||||
sdk.console.log("qq");
|
||||
}
|
||||
} catch (error) {
|
||||
sdk.console.error(`Error creating finding: ${error}`);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,87 +6,53 @@ import { CsrfCheck } from "./controller/csrfCheck";
|
|||
import { PKCECheck } from "./controller/PKCECheck";
|
||||
import { AccessTokenLeakController } from "./controller/accessTokenDetector";
|
||||
import { ScopeDetection } from "./controller/scopeDetection";
|
||||
import { NonceCheckController } from "./controller/nonceCheck";
|
||||
// import { NonceCheckController } from "./controller/nonceCheck";
|
||||
|
||||
export type API = DefineAPI<{}>;
|
||||
|
||||
const csrfCheck = new CsrfCheck();
|
||||
// const implicitGrantController = new ImplicitGrantController();
|
||||
// const authZCodeGrantController = new AuthZCodeGrantController();
|
||||
const pkceCheckController = new PKCECheck();
|
||||
const tokenCheck = new AccessTokenLeakController();
|
||||
const ScopeDetectionController = new ScopeDetection();
|
||||
const nonceCheckController = new NonceCheckController();
|
||||
// const nonceCheckController = new NonceCheckController();
|
||||
|
||||
export function init(sdk: SDK<API>) {
|
||||
sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => {
|
||||
await csrfCheck.checker(sdk, req, res);
|
||||
await pkceCheckController.test(sdk, req);
|
||||
//await pkceCheckController.test(sdk, req);
|
||||
await tokenCheck.testReq(sdk, req);
|
||||
await tokenCheck.testResp(sdk, res, req);
|
||||
await ScopeDetectionController.scan(sdk, req.getUrl());
|
||||
|
||||
// if (result) {
|
||||
// await sdk.findings.create({
|
||||
// title: "Possible SSO Request Detected",
|
||||
// description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
|
||||
// request: req,
|
||||
// reporter: "",
|
||||
// });
|
||||
// }
|
||||
// });
|
||||
// if (NonceCheckController.isOidcFlow(req, res)) {
|
||||
// await sdk.findings.create({
|
||||
// title: "OIDC Flow Detected",
|
||||
// description: "The request appears to be part of an OIDC flow.",
|
||||
// request: req,
|
||||
// reporter: "",
|
||||
// });
|
||||
// }
|
||||
});
|
||||
|
||||
sdk.events.onInterceptRequest(async (sdk, req: Request) => {
|
||||
await pkceCheckController.test(sdk, req);
|
||||
});
|
||||
/*
|
||||
sdk.events.onInterceptRequest(async (sdk, req: Request) => {
|
||||
const result =
|
||||
authZCodeGrantController.testReq(req) ||
|
||||
implicitGrantController.testReq(req);
|
||||
|
||||
sdk.events.onInterceptResponse(
|
||||
async (sdk: SDK<DefineAPI<{}>, {}>, req: Request, resp: Response) => {
|
||||
await csrfCheck.checker(sdk, req, resp);
|
||||
await tokenCheck.testReq(sdk, req);
|
||||
await tokenCheck.testResp(sdk, resp, req);
|
||||
await ScopeDetectionController.scan(sdk, req.getUrl());
|
||||
// sdk.events.onInterceptRequest(async (sdk, req: Request) => {
|
||||
// const result =
|
||||
// authZCodeGrantController.testReq(req) ||
|
||||
// implicitGrantController.testReq(req);
|
||||
if (result) {
|
||||
await pkceCheckController.test(sdk, req);
|
||||
|
||||
// if (result) {
|
||||
// await pkceCheckController.test(sdk, req);
|
||||
|
||||
// await sdk.findings.create({
|
||||
// title: "Possible SSO Request Detected",
|
||||
// description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
|
||||
// request: req,
|
||||
// reporter: "",
|
||||
// });
|
||||
if (NonceCheckController.isOidcFlow(req, res)) {
|
||||
await sdk.findings.create({
|
||||
title: "OIDC Flow Detected",
|
||||
description: "The request appears to be part of an OIDC flow.",
|
||||
title: "Possible SSO Request Detected",
|
||||
description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
|
||||
request: req,
|
||||
reporter: "",
|
||||
});
|
||||
}
|
||||
});
|
||||
|
||||
/*
|
||||
sdk.events.onInterceptRequest(async (sdk, req: Request) => {
|
||||
const result =
|
||||
authZCodeGrantController.testReq(req) ||
|
||||
implicitGrantController.testReq(req);
|
||||
|
||||
if (result) {
|
||||
await pkceCheckController.test(sdk, req);
|
||||
|
||||
await sdk.findings.create({
|
||||
title: "Possible SSO Request Detected",
|
||||
description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
|
||||
request: req,
|
||||
reporter: "",
|
||||
});
|
||||
}
|
||||
});
|
||||
*/
|
||||
}
|
||||
)}
|
||||
});
|
||||
}
|
||||
});
|
||||
*/
|
||||
}
|
||||
|
|
|
|||
|
|
@ -48,8 +48,8 @@ export class HttpUtils {
|
|||
}
|
||||
|
||||
getQueryParamFromURI(uri: string, key: string): string | null {
|
||||
uri = uri.toLowerCase();
|
||||
key = key.toLowerCase();
|
||||
uri = this.decodeAndLower(uri);
|
||||
key = this.decodeAndLower(key);
|
||||
try {
|
||||
const urlObj = new URL(uri);
|
||||
return urlObj.searchParams.get(key);
|
||||
|
|
@ -66,8 +66,8 @@ export class HttpUtils {
|
|||
* @returns - 해당 파라미터 값, 없으면 null
|
||||
*/
|
||||
getQueryParam(query: string, key: string): string | null {
|
||||
query = query.toLowerCase();
|
||||
key = key.toLowerCase();
|
||||
query = this.decodeAndLower(query);
|
||||
key = this.decodeAndLower(key);
|
||||
|
||||
const params = new URLSearchParams(query);
|
||||
return params.get(key);
|
||||
|
|
@ -82,9 +82,9 @@ export class HttpUtils {
|
|||
* @returns - "a=1&b=2&c=3..." 형태의 새로운 쿼리 문자열
|
||||
*/
|
||||
setQueryParam(query: string, key: string, value: string): string {
|
||||
query = query.toLowerCase();
|
||||
key = key.toLowerCase();
|
||||
value = value.toLowerCase();
|
||||
query = this.decodeAndLower(query);
|
||||
key = this.decodeAndLower(key);
|
||||
value = this.decodeAndLower(value);
|
||||
|
||||
const params = new URLSearchParams(query);
|
||||
params.set(key, value);
|
||||
|
|
@ -99,8 +99,8 @@ export class HttpUtils {
|
|||
* @returns - 삭제된 상태의 새로운 쿼리 문자열
|
||||
*/
|
||||
removeQueryParam(query: string, key: string): string {
|
||||
query = query.toLowerCase();
|
||||
key = key.toLowerCase();
|
||||
query = this.decodeAndLower(query);
|
||||
key = this.decodeAndLower(key);
|
||||
|
||||
const params = new URLSearchParams(query);
|
||||
params.delete(key);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue