whs-authz-authn/caido-plugin-test
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

충돌해ㅐ결

Browse source
This commit is contained in:
kyu 2025-06-01 20:32:52 +09:00
commit ff6b4f02f8
28 changed files with 2225 additions and 216 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -220,5 +220,6 @@ dist/*
packages/frontend/dist
packages/backend/dist
#!dist/*.zip
dist/plugin_package.zip
# End of https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux

5
README.md
View file

@ -1 +1,6 @@
# caido-plugin-test
```bash
pnpm install
pnpm run watch
```

52
bun.lock
View file

@ -3,6 +3,10 @@
"workspaces": {
"": {
"name": "caido-oauth",
"dependencies": {
"@types/jsonwebtoken": "^9.0.9",
"jsonwebtoken": "^9.0.2",
},
"devDependencies": {
"@caido-community/dev": "^0.1.3",
"@caido/sdk-backend": "^0.48.1",
@ -127,6 +131,12 @@
"@types/estree": ["@types/estree@1.0.7", "", {}, "sha512-w28IoSUCJpidD/TGviZwwMJckNESJZXFu7NBZ5YJ4mEUnNraUn9Pm8HSZm/jDF1pDWYKspWE7oVphigUPRakIQ=="],
"@types/jsonwebtoken": ["@types/jsonwebtoken@9.0.9", "", { "dependencies": { "@types/ms": "*", "@types/node": "*" } }, "sha512-uoe+GxEuHbvy12OUQct2X9JenKM3qAscquYymuQN4fMWG9DBQtykrQEFcAbVACF7qaLw9BePSodUL0kquqBJpQ=="],
"@types/ms": ["@types/ms@2.1.0", "", {}, "sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA=="],
"@types/node": ["@types/node@22.15.29", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-LNdjOkUDlU1RZb8e1kOIUpN1qQUlzGkEtbVNo53vbrwDg5om6oduhm4SiUaPW5ASTXhAiP0jInWG8Qx9fVlOeQ=="],
"accepts": ["accepts@2.0.0", "", { "dependencies": { "mime-types": "^3.0.0", "negotiator": "^1.0.0" } }, "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng=="],
"ajv": ["ajv@8.17.1", "", { "dependencies": { "fast-deep-equal": "^3.1.3", "fast-uri": "^3.0.1", "json-schema-traverse": "^1.0.0", "require-from-string": "^2.0.2" } }, "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g=="],
@ -143,6 +153,8 @@
"brace-expansion": ["brace-expansion@2.0.1", "", { "dependencies": { "balanced-match": "^1.0.0" } }, "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA=="],
"buffer-equal-constant-time": ["buffer-equal-constant-time@1.0.1", "", {}, "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA=="],
"bundle-require": ["bundle-require@5.1.0", "", { "dependencies": { "load-tsconfig": "^0.2.3" }, "peerDependencies": { "esbuild": ">=0.18" } }, "sha512-3WrrOuZiyaaZPWiEt4G3+IffISVC9HYlWueJEBWED4ZH4aIAC2PnkdnuRrR94M+w6yGWn4AglWtJtBI8YqvgoA=="],
"bytes": ["bytes@3.1.2", "", {}, "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg=="],
@ -185,6 +197,8 @@
"eastasianwidth": ["eastasianwidth@0.2.0", "", {}, "sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA=="],
"ecdsa-sig-formatter": ["ecdsa-sig-formatter@1.0.11", "", { "dependencies": { "safe-buffer": "^5.0.1" } }, "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ=="],
"ee-first": ["ee-first@1.1.1", "", {}, "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow=="],
"emoji-regex": ["emoji-regex@9.2.2", "", {}, "sha512-L18DaJsXSUk2+42pv8mLs5jJT2hqFkFE4j21wOmgbUqsZ2hL72NsUU785g9RXgo3s0ZNgVl42TiHp3ZtOv/Vyg=="],
@ -261,8 +275,14 @@
"json-schema-traverse": ["json-schema-traverse@1.0.0", "", {}, "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug=="],
"jsonwebtoken": ["jsonwebtoken@9.0.2", "", { "dependencies": { "jws": "^3.2.2", "lodash.includes": "^4.3.0", "lodash.isboolean": "^3.0.3", "lodash.isinteger": "^4.0.4", "lodash.isnumber": "^3.0.3", "lodash.isplainobject": "^4.0.6", "lodash.isstring": "^4.0.1", "lodash.once": "^4.0.0", "ms": "^2.1.1", "semver": "^7.5.4" } }, "sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ=="],
"jszip": ["jszip@3.10.1", "", { "dependencies": { "lie": "~3.3.0", "pako": "~1.0.2", "readable-stream": "~2.3.6", "setimmediate": "^1.0.5" } }, "sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g=="],
"jwa": ["jwa@1.4.2", "", { "dependencies": { "buffer-equal-constant-time": "^1.0.1", "ecdsa-sig-formatter": "1.0.11", "safe-buffer": "^5.0.1" } }, "sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw=="],
"jws": ["jws@3.2.2", "", { "dependencies": { "jwa": "^1.4.1", "safe-buffer": "^5.0.1" } }, "sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA=="],
"lie": ["lie@3.3.0", "", { "dependencies": { "immediate": "~3.0.5" } }, "sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ=="],
"lilconfig": ["lilconfig@3.1.3", "", {}, "sha512-/vlFKAoH5Cgt3Ie+JLhRbwOsCQePABiU3tJ1egGvyQ+33R/vcwM2Zl2QR/LzjsBeItPt3oSVXapn+m4nQDvpzw=="],
@ -271,6 +291,20 @@
"load-tsconfig": ["load-tsconfig@0.2.5", "", {}, "sha512-IXO6OCs9yg8tMKzfPZ1YmheJbZCiEsnBdcB03l0OcfK9prKnJb96siuHCr5Fl37/yo9DnKU+TLpxzTUspw9shg=="],
"lodash.includes": ["lodash.includes@4.3.0", "", {}, "sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w=="],
"lodash.isboolean": ["lodash.isboolean@3.0.3", "", {}, "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg=="],
"lodash.isinteger": ["lodash.isinteger@4.0.4", "", {}, "sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA=="],
"lodash.isnumber": ["lodash.isnumber@3.0.3", "", {}, "sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw=="],
"lodash.isplainobject": ["lodash.isplainobject@4.0.6", "", {}, "sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA=="],
"lodash.isstring": ["lodash.isstring@4.0.1", "", {}, "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw=="],
"lodash.once": ["lodash.once@4.1.1", "", {}, "sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg=="],
"lodash.sortby": ["lodash.sortby@4.7.0", "", {}, "sha512-HDWXG8isMntAyRF5vZ7xKuEvOhT4AhlRt/3czTSjvGUxjYCBVRQY48ViDHyfYz9VIoBkW4TMGQNapx+l3RUwdA=="],
"lru-cache": ["lru-cache@11.1.0", "", {}, "sha512-QIXZUBJUx+2zHUdQujWejBkcD9+cs94tLn0+YL8UrCh+D5sCXZ4c7LaEH48pNwRY3MLDgqUFyhlCyjJPf1WP0A=="],
@ -291,7 +325,7 @@
"minipass": ["minipass@7.1.2", "", {}, "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw=="],
"ms": ["ms@2.1.2", "", {}, "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="],
"ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
"mz": ["mz@2.7.0", "", { "dependencies": { "any-promise": "^1.0.0", "object-assign": "^4.0.1", "thenify-all": "^1.0.0" } }, "sha512-z81GNO7nnYMEhrGh9LeymoE4+Yr0Wn5McHIZMK5cfQCl+NDX08sCZgUc9/6MHni9IWuFLm1Z3HTCXu2z9fN62Q=="],
@ -357,6 +391,8 @@
"safer-buffer": ["safer-buffer@2.1.2", "", {}, "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="],
"semver": ["semver@7.7.2", "", { "bin": { "semver": "bin/semver.js" } }, "sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA=="],
"send": ["send@1.2.0", "", { "dependencies": { "debug": "^4.3.5", "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "etag": "^1.8.1", "fresh": "^2.0.0", "http-errors": "^2.0.0", "mime-types": "^3.0.1", "ms": "^2.1.3", "on-finished": "^2.4.1", "range-parser": "^1.2.1", "statuses": "^2.0.1" } }, "sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw=="],
"serve-static": ["serve-static@2.2.0", "", { "dependencies": { "encodeurl": "^2.0.0", "escape-html": "^1.0.3", "parseurl": "^1.3.3", "send": "^1.2.0" } }, "sha512-61g9pCh0Vnh7IutZjtLGGpTA355+OPn2TyDv/6ivP2h/AdAVX9azsoxmg2/M6nZeQZNYBEwIcsne1mJd9oQItQ=="],
@ -419,6 +455,8 @@
"typescript": ["typescript@5.5.4", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q=="],
"undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
"unpipe": ["unpipe@1.0.0", "", {}, "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ=="],
"util-deprecate": ["util-deprecate@1.0.2", "", {}, "sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw=="],
@ -449,14 +487,14 @@
"body-parser/qs": ["qs@6.14.0", "", { "dependencies": { "side-channel": "^1.1.0" } }, "sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w=="],
"debug/ms": ["ms@2.1.2", "", {}, "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="],
"finalhandler/debug": ["debug@4.4.1", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ=="],
"readable-stream/safe-buffer": ["safe-buffer@5.1.2", "", {}, "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="],
"router/debug": ["debug@4.4.1", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-KcKCqiftBJcZr++7ykoDIEwSa3XWowTfNPo92BYxjXiyYEVrUQh2aLyhxBCwww+heortUFxEJYcRzosstTEBYQ=="],
"send/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
"string-width-cjs/emoji-regex": ["emoji-regex@8.0.0", "", {}, "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="],
"string-width-cjs/strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="],
@ -477,12 +515,6 @@
"wrap-ansi-cjs/strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="],
"body-parser/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
"finalhandler/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
"router/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
"string-width-cjs/strip-ansi/ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="],
"sucrase/glob/jackspeak": ["jackspeak@3.4.3", "", { "dependencies": { "@isaacs/cliui": "^8.0.2" }, "optionalDependencies": { "@pkgjs/parseargs": "^0.11.0" } }, "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw=="],
@ -491,8 +523,6 @@
"sucrase/glob/path-scurry": ["path-scurry@1.11.1", "", { "dependencies": { "lru-cache": "^10.2.0", "minipass": "^5.0.0 || ^6.0.2 || ^7.0.0" } }, "sha512-Xa4Nw17FS9ApQFJ9umLiJS4orGjm7ZzwUrwamcGQuHSzDyth9boKDaycYdDcZDuqYATXw4HFXgaqWTctW/v1HA=="],
"tsup/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
"wrap-ansi-cjs/string-width/emoji-regex": ["emoji-regex@8.0.0", "", {}, "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A=="],
"wrap-ansi-cjs/strip-ansi/ansi-regex": ["ansi-regex@5.0.1", "", {}, "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ=="],

6
package.json
View file

@ -1,5 +1,5 @@
{
"name": "caido-oauth",
"name": "caido-oauth-dev",
"version": "0.0.0",
"private": true,
"scripts": {
@ -11,5 +11,9 @@
"@caido-community/dev": "^0.1.3",
"@caido/sdk-backend": "^0.48.1",
"typescript": "5.5.4"
},
"dependencies": {
"@types/jsonwebtoken": "^9.0.9",
"jsonwebtoken": "^9.0.2"
}
}

104
packages/backend/src/controller/PKCECheck.ts
View file

@ -1,6 +1,5 @@
import type { SDK } from "caido:plugin";
import type { Request } from "caido:utils";
import { fetch, Request as FetchRequest } from "caido:http";
import { Body, RequestSpec, type Request } from "caido:utils";
export class PKCECheck {
async test(sdk: SDK, req: Request): Promise<boolean> {
@ -11,18 +10,20 @@ export class PKCECheck {
}
const query = req.getQuery();
const requiredParams = ["client_id=", "response_type=code", "code_challenge=", "code_challenge_method="];
if (!requiredParams.every(param => query.includes(param))) {
const searchParams = new URLSearchParams(query);
const requiredKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"];
if (!requiredKeys.every((key) => searchParams.has(key))) {
sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping.");
return false;
}
const url = req.getUrl();
const isOpenID = query.includes("scope=openid") || query.includes("id_token");
const methodMatch = query.match(/code_challenge_method=([^&]*)/);
const challengeMatch = query.match(/code_challenge=([^&]*)/);
const isOpenID = searchParams.get("scope")?.includes("openid") || url.includes("id_token");
const methodVal = searchParams.get("code_challenge_method");
const challengeVal = searchParams.get("code_challenge");
if (!methodMatch || !challengeMatch) {
if (!methodVal || !challengeVal) {
sdk.console.log("[PKCEDowngradeCheck] code_challenge or method missing. Skipping.");
await sdk.findings.create({
title: isOpenID
@ -30,12 +31,11 @@ export class PKCECheck {
: "[WARN] OAuth2 Flow PKCE Parameters Missing",
description: `PKCE parameters are missing or incomplete for ${url}. This may indicate a misconfiguration.`,
request: req,
reporter: "",
reporter: "PKCE Checker",
});
return false;
}
const methodVal = decodeURIComponent(methodMatch[1]!);
if (methodVal === "plain") {
sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is 'plain'. Skipping.");
await sdk.findings.create({
@ -44,34 +44,80 @@ export class PKCECheck {
: "[WARN] OAuth2 Flow PKCE Method is 'plain'",
description: `PKCE method is set to 'plain' for ${url}. This may indicate a downgrade vulnerability.`,
request: req,
reporter: "",
reporter: "PKCE Checker",
});
return false;
}
const downgradedQuery = query
.replace(/code_challenge_method=[^&]*&?/, "")
.replace(/code_challenge=[^&]*&?/, "")
.replace(/[?&]$/, "");
// Remove PKCE parameters to simulate a downgraded request
searchParams.delete("code_challenge");
searchParams.delete("code_challenge_method");
const downgradedQuery = searchParams.toString();
const scheme = req.getUrl().startsWith("https") ? "https" : "http";
const downgradedUrl = `${scheme}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`;
const downgradedUrl = `${req.getUrl().split("://")[0]}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`;
sdk.console.log(`${req.getHost()} Original URL: ` + url);
sdk.console.log(`${req.getHost()} Downgraded URL: ` + downgradedUrl);
try {
const [resOriginal, resDowngraded] = await Promise.all([
fetch(new FetchRequest(url, { method: "GET" })),
fetch(new FetchRequest(downgradedUrl, { method: "GET" }))
]);
// Use Caido Replay SDK to replay the original request
const spec = new RequestSpec(downgradedUrl);
spec.setBody(req.getBody() as Body);
for (const [key, value] of Object.entries(req.getHeaders())) {
if (Array.isArray(value)) {
spec.setHeader(key, value.join(', ')); // or another suitable delimiter
} else {
spec.setHeader(key, value);
}
}
spec.setHost(req.getHost());
spec.setMethod(req.getMethod());
spec.setPath(req.getPath());
spec.setQuery(downgradedQuery);
spec.setTls(req.getTls());
spec.setPort(req.getPort());
const [bodyOriginal, bodyDowngraded] = await Promise.all([
resOriginal.text(),
resDowngraded.text()
]);
let sendDowngradedRequest = await sdk.requests.send(spec);
if (sendDowngradedRequest.response) {
let domain = spec.getHost();
let port = spec.getPort();
let path = spec.getPath();
let query = spec.getQuery();
let id = sendDowngradedRequest.response.getId();
let code = sendDowngradedRequest.response.getCode();
sdk.console.log(`REQ ${id}: ${domain}:${port}${path}${query} received a status code of ${code}`);
}
if (sendDowngradedRequest.response?.getCode() === 302) {
await sdk.findings.create({
title: isOpenID
? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability"
: "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability",
description: `The request to ${url} is vulnerable to a PKCE downgrade attack. This may indicate a configuration error.`,
request: req,
reporter: "PKCE Checker",
});
}
/*
sdk.console.log(`${req.getHost()} Original Status: ` + resOriginal.status);
sdk.console.log(`${req.getHost()} Downgraded Status: ` + resDowngraded.status);
sdk.console.log(`${req.getHost()} Original Headers: ` + JSON.stringify(resOriginal.headers));
sdk.console.log(`${req.getHost()} Downgraded Headers: ` + JSON.stringify(resDowngraded.headers));
// Caido Dev Docs 기준으로, 리다이렉트된 URL은 Response 객체의 url 속성에 저장되어 있음
const locationOriginal = resOriginal.url ?? "";
const locationDowngraded = resDowngraded.url ?? "";
sdk.console.log(`${req.getHost()} Original Location: ` + locationOriginal);
sdk.console.log(`${req.getHost()} Downgraded Location: ` + locationDowngraded);
const statusEqual = resOriginal.status === resDowngraded.status;
const codeInBoth = bodyOriginal.includes("code=") && bodyDowngraded.includes("code=");
const codeInRedirects = locationOriginal.includes("code=") && locationDowngraded.includes("code=");
if (statusEqual && codeInBoth) {
if (statusEqual && codeInRedirects) {
const title = isOpenID
? "[CRITICAL] OpenID Flow PKCE Downgraded to Plaintext"
: "[CRITICAL] OAuth2 Flow PKCE Downgraded to Plaintext";
@ -81,13 +127,13 @@ export class PKCECheck {
await sdk.findings.create({
title,
description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nReference: ${reference}`,
description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nRedirect contained code=.\n\nReference: ${reference}`,
request: req,
reporter: "",
});
return true;
}
}*/
} catch (err) {
sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(err)}`);
}

170
packages/backend/src/controller/accessTokenDetector.ts Normal file
View file

@ -0,0 +1,170 @@
import type { Request, Response } from "caido:utils";
import type { SDK, DefineAPI } from "caido:plugin";
// 토큰 누출 검사 결과를 담는 구조
export interface TokenLeakResult {
found: boolean; // 토큰이 발견되었는지 여부 (true/false)
location: 'url' | 'body' | 'header'; // 토큰이 발견된 위치 (url, body, header 중 하나)
title: string; // 경고 제목
description: string; // 상세 설명
value?: string; // 실제 발견된 값 (선택적)
}
// 액세스 토큰 누출 검사 클래스
export class AccessTokenLeakController {
async testReq(sdk: SDK<DefineAPI<{}>>, request: Request): Promise<void> {
const result = await this._scanRequest(request);
if (result) {
await sdk.findings.create({
title: result.title,
description: result.description,
request,
reporter: "",
});
}
}
async testResp(sdk: SDK<DefineAPI<{}>>, response: Response, request: Request): Promise<void> {
const result = await this._scanResponse(response);
if (result) {
await sdk.findings.create({
title: result.title,
description: result.description,
request,
reporter: "",
});
}
}
/**
* @param request - HTTP
* @returns , null
*/
async _scanRequest(request: Request): Promise<TokenLeakResult | null> {
// === 1. URL에서 토큰 검사 ===
const url = request.getUrl();
const extractedTokenFromUrl = this.extractTokenFromText(url);
if (extractedTokenFromUrl) {
return {
found: true,
location: 'url',
title: "Access Token Leak in URL",
description: `요청 URL에 토큰이 포함되어 있습니다. (토큰: ${extractedTokenFromUrl.substring(0, 20)}...)`,
value: url
};
}
// === 2. 요청 본문(Body)에서 토큰 검사 ===
const body = request.getBody();
if (body) {
const bodyText = await body.toText();
const extractedTokenFromBody = this.extractTokenFromText(bodyText);
if (extractedTokenFromBody) {
return {
found: true,
location: 'body',
title: "Access Token Leak in Request Body",
description: `요청 Body에 토큰이이 포함되어 있습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`,
value: bodyText
};
}
}
return null;
}
/**
* HTTP
* @param response - HTTP
* @returns , null
*/
async _scanResponse(response: Response): Promise<TokenLeakResult | null> {
// === 1. Location 헤더에서 토큰 검사 ===
const locationHeader = response.getHeader("Location");
const locationHeaderStr = Array.isArray(locationHeader) ? locationHeader.join(', ') : locationHeader;
if (locationHeaderStr) {
const extractedTokenFromHeader = this.extractTokenFromText(locationHeaderStr);
if (extractedTokenFromHeader) {
return {
found: true,
location: 'header',
title: "Access Token Leak in Redirect URL",
description: `Location 헤더에 토큰이 노출되었습니다: ${locationHeaderStr} (토큰: ${extractedTokenFromHeader.substring(0, 20)}...)`,
value: locationHeaderStr
};
}
}
// === 2. 응답 본문에서 토큰 검사 ===
const bodyBytes = response.getBody();
if (bodyBytes) {
const bodyText = await bodyBytes.toText();
const extractedTokenFromBody = this.extractTokenFromText(bodyText);
if (extractedTokenFromBody) {
return {
found: true,
location: 'body',
title: "Access Token Leak in Response Body",
description: `HTTP 응답 본문에 토큰이 노출되었습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`,
value: bodyText
};
}
}
return null;
}
/**
*
* @param text -
* @returns , null
*/
private extractTokenFromText(text: string): string | null {
// 토큰 관련 키워드 리스트
const tokenKeys = [
'access_token',
'id_token',
'auth_token',
'token',
'jwt',
'session_token'
];
// 정규표현식 패턴 리스트 생성
const tokenPatterns: RegExp[] = [];
for (const key of tokenKeys) {
// 1. key=token 또는 key: token
tokenPatterns.push(new RegExp(`${key}[=:]\\s*([a-zA-Z0-9\\-._~+/]+=*)`, 'i'));
// 2. JSON 형태의 "key": "token"
tokenPatterns.push(new RegExp(`"${key}"\\s*:\\s*"([^"]+)"`, 'i'));
}
// 3. Authorization: Bearer <token> 형태
tokenPatterns.push(/bearer\s+([a-zA-Z0-9\-._~+/]+=*)/i);
// 모든 패턴에 대해 검사
for (const pattern of tokenPatterns) {
const match = pattern.exec(text);
if (match && match[1]) {
return match[1];
}
}
return null;
}
}

181
packages/backend/src/controller/csrfCheck.ts Normal file
View file

@ -0,0 +1,181 @@
import type { Request, Response } from "caido:utils";
import type { SDK, DefineAPI } from "caido:plugin";
import { HttpUtils } from "../utils/http";
const httpUtils = new HttpUtils();
export class CsrfCheck {
private isOauthUri(request: Request): boolean {
const query = request.getQuery() || "";
// Check if the request is an OAuth authorization request
if (
query.includes("client_id=") &&
(query.includes("response_type=") ||
query.includes("grant_type=") ||
query.includes("redirect_uri=") ||
query.includes("scope=") ||
query.includes("state="))
) {
return true;
}
return false;
}
private isOauthRedirectResponse(response: Response): boolean {
const status = response.getCode();
const locationHeader = httpUtils.getHeaderValue(
response.getHeaders(),
"location"
);
if (
status >= 300 &&
status < 400 &&
locationHeader &&
(locationHeader.includes("client_id=") ||
locationHeader.includes("response_type=") ||
locationHeader.includes("grant_type=") ||
locationHeader.includes("redirect_uri=") ||
locationHeader.includes("scope=") ||
locationHeader.includes("state=") ||
locationHeader.includes("code=")) // code is also common in OAuth redirects
) {
return true;
}
return false;
}
private isStateInQuery(request: Request): boolean {
const query = request.getQuery();
const stateValue = httpUtils.getQueryParam(query || "", "state");
if (!stateValue) {
return false;
}
return true;
}
private checkStateAtResponseLocationHeader(
request: Request,
response: Response
): string[] | 0 {
if (
!(
this.isOauthUri(request) &&
this.isStateInQuery(request) &&
this.isOauthRedirectResponse(response)
)
) {
return 0; // Not a target, no CSRF risk
}
// 요청에서 보낸 state 추출
const query = request.getQuery() || "";
const originalState = httpUtils.getQueryParam(query, "state");
// 리다이렉트 URL에서 쿼리 부분만 추출
const locationHeader = httpUtils.getHeaderValue(
response.getHeaders(),
"location"
);
const responseState = httpUtils.getQueryParamFromURI(
locationHeader || "",
"state"
);
// state가 없거나, 요청값과 다르면 CSRF 위험
if (!responseState) {
// missing state
return ["state parameter is missing in the response location header"];
}
if (originalState !== responseState) {
// mismatch
return ["state parameter mismatch between request and response"];
}
return 0; // no CSRF risk detected
}
// private async checkStateReuse(
// request: Request,
// originResponse: Response
// ): Promise<string[] | 0> {
// // uri에 oauth 관련 파라미터가 없지만, 응답이 oauth 리다이렉트 응답인지 확인
// // 즉, 처음으로 state를 발급한 요청인지 확인
// if (
// !(
// !this.isOauthUri(request) &&
// this.isOauthRedirectResponse(originResponse)
// )
// ) {
// return 0; // Not a target, no CSRF risk
// }
// const originResponseLocationHeader = httpUtils.getHeaderValue(
// originResponse.getHeaders(),
// "location"
// );
// const originState = httpUtils.getQueryParamFromURI(
// originResponseLocationHeader || "",
// "state"
// );
// const requestHeaders = request.getHeaders();
// const noCookieHeaders = httpUtils.removeHeaders(requestHeaders, ["cookie"]);
// const newResponse = await httpUtils.resend(request, {
// headers: noCookieHeaders,
// });
// const newLocationHeader = httpUtils.getHeaderValue(
// newResponse.getHeaders(),
// "location"
// );
// const newState = httpUtils.getQueryParamFromURI(
// newLocationHeader || "",
// "state"
// );
// if (originState === newState) {
// return [
// "State parameter reused in the response location header, indicating a potential CSRF risk",
// ];
// }
// return 0; // no CSRF risk detected
// }
async checker(
sdk: SDK<DefineAPI<{}>, {}>,
request: Request,
response: Response
): Promise<void> {
let result = ``;
// 쿼리에 state 파라미터가 없으면 CSRF 위험
if (this.isOauthUri(request) && !this.isStateInQuery(request)) {
result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter
}
// location 헤더에 state 파라미터가 없거나, 요청에서 보낸 state와 다르면 CSRF 위험
const stateAtResponseLocationHeaderCheck =
this.checkStateAtResponseLocationHeader(request, response);
if (stateAtResponseLocationHeaderCheck !== 0) {
result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`;
}
// // 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기
// const reusedStateCheck = await this.checkStateReuse(request, response);
// if (reusedStateCheck !== 0) {
// result += `, ${reusedStateCheck.join(", ")}`;
// }
if (result) {
await sdk.findings.create({
title: "csrf vuln",
description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`,
request,
reporter: "csrf reporter",
});
}
}
}

14
packages/backend/src/controller/nonceCheck.ts
View file

@ -1,4 +1,4 @@
import type { Request } from "caido:utils";
import type { Request, Response } from "caido:utils";
import { TokenLeakCheck } from "./tokenLeakCheck";
export class NonceCheckController{
@ -6,8 +6,8 @@ export class NonceCheckController{
* OIDC(OpenID Connect)
*/
public static isOidcFlow(req: Request): boolean {
if(TokenLeakCheck.extractIdToken(req)) {
public static isOidcFlow(req: Request, res:Response): boolean {
if(TokenLeakCheck.extractIdToken(req, res)) {
return true;
}
return false;
@ -15,10 +15,10 @@ export class NonceCheckController{
public static isNonceCheckRequest(req: Request): boolean {
const id_token = decodeIdToken(req);
const id_token = TokenLeakCheck.decodeIdToken(req);
// 1. nonce 파라미터가 포함된 요청인지 확인
if (id_token.includes("nonce=")) {
if (id_token && id_token.includes("nonce=")) {
return true;
}
@ -26,8 +26,4 @@ export class NonceCheckController{
}
}
function decodeIdToken(req: Request): string {
// Implement actual decoding logic here. For now, return an empty string or mock value.
return "";
}

83
packages/backend/src/controller/scopeDetection.ts Normal file
View file

@ -0,0 +1,83 @@
import type { SDK } from "caido:plugin";
import { RequestSpec } from "caido:utils";
export class ScopeDetection {
async scan(
sdk: SDK,
url: string
): Promise<{ data: string }> {
sdk.console.log(`들어온 url : ${url}`); // url이 잘 들어왔는지 확인함요
// url이 string이 아니고 , 값이 없거나 그럴 때 유효한 값 넣으라고 출력.
if (!url || typeof url !== "string") {
sdk.console.log("이상한 url 입력함.");
return { data: "알맞은 URL을 입력하세요." };
}
try {
const spec = new RequestSpec(url); // url에 GET 요청 보낼거긔.
spec.setMethod("GET");
spec.setHeader("User-Agent", "Caido Scanner");
spec.setHeader("Accept", "*/*");
sdk.console.log(`요청 URL: ${url}`);
const res = await sdk.requests.send(spec); // 요청 보내고 응답 받음.
sdk.console.log('[SCAN] 응답 :', res);
sdk.console.log(`[SCAN] 요청 성공:${(res as any).status}`);
sdk.console.log(`[SCAN] body: ${(res as any).body ? (res as any).body.toString().substring(0, 100) : "없음"}`);
const html = (res as any).body ? (res as any).body.toString() : "";
// <a href= 형태 링크 찾을거임.
const anchorRegex = /<a\s+[^>]*href="([^"]+)"[^>]*>/gi;
const anchors: string[] = [];
let match;
while ((match = anchorRegex.exec(html)) !== null) { // html에서 a href 찾아 배열에 저장함.
if (typeof match[1] === "string") {
anchors.push(match[1]);
}
}
sdk.console.log(`찾아진 a href 개수: ${anchors.length}`);
// 5. scope 탐지
const results: string[] = [];
anchors.forEach((href) => { // 추출한 a href 링크 하나씩 검사드감.
try {
const absHref = new URL(href, url).href; // 상대경로라면 url 기준으로 절대 URL 바꿔줌줌
sdk.console.log(`[SCAN] 절대 URL 변환: ${href} -> ${absHref}`); //
if (/oauth|authorize|login|accounts|auth/i.test(absHref)) { // url에 이런 OAuth 키워드가 있는지 필터링.
let u: URL;
try {
u = new URL(absHref); // 필터링된 url을 url 객체로 파싱. 정식 url인 경우 변수 u에 저장.
} catch (err) { // 파싱 실패하면
sdk.console.log(
`URL 파싱 실패 : ${absHref} (${err instanceof Error ? err.message : err})`
);
return;
}
try {
const scope = u.searchParams.get("scope"); // url에 scope있긔?scope값 가져와.
if (scope && /all|\*/i.test(scope)) { // scope가 존재하고 all, *있다면.
results.push(`위험한 scope 발견: ${scope}\n -> ${absHref}`); // results에 경고 메시지 전달.
}
} catch (err) {
sdk.console.log(`searchParams.get 실패`);
}
}
} catch (e) {
sdk.console.log(
`URL 파싱 실패 (absHref 단계): ${href} (${e instanceof Error ? e.message : e})`
);
}
});
const resultStr = results.join("\n") || "위험한 scope가 발견되지 않았습니다.";
return { data: resultStr }; // 성공했는지 실패했는지 App.vue한테 전달할 메시지.
} catch (e) {
sdk.console.log(`백엔드 에러: ${e instanceof Error ? e.message : e}`);
return { data: "백엔드 에러: " + (e instanceof Error ? e.message : String(e)) }; // App.vue에 전달할 메시지.
}
};
}

14
packages/backend/src/controller/tokenLeakCheck.ts
View file

@ -1,8 +1,8 @@
import type { Request } from "caido:utils";
import type { Request,Response } from "caido:utils";
import jwt from "jsonwebtoken";
export class TokenLeakCheck {
public static extractIdToken(req: Request): string | null {
public static extractIdToken(req: Request, res?: Response): string | null {
// 1. Authorization 헤더 확인\\
const header = req.getHeaders() as Record<string, string | string[] | undefined>;
const authHeader = header["authorization"] || header["Authorization"];
@ -16,19 +16,21 @@ export class TokenLeakCheck {
return (query as Record<string, any>).id_token;
}
// 3. POST 바디 안에 id_token이 있을 경우
const rawBody = req.getRaw();
// 3. response 안에 id_token이 있을 경우
if (res) {
const rawBody = res.getRaw();
const body = rawBody ? rawBody.toString() : "";
const match = body.match(/id_token=([^&\s]+)/);
if (match && typeof match[1] === "string" ) {
return decodeURIComponent(match[1]);
}
}
return null;
}
public static decodeIdToken(req: Request): Record<string, any> | null {
const token = this.extractIdToken(req);
public static decodeIdToken(req: Request, res?: Response): Record<string, any> | null {
const token = this.extractIdToken(req, res);
if (!token) return null;
const decoded = jwt.decode(token, { complete: true });

65
packages/backend/src/index.ts
View file

@ -1,43 +1,52 @@
import type { SDK, DefineAPI } from "caido:plugin";
import type { Request } from "caido:utils";
import { ImplicitGrantController } from "./controller/implictGrant";
import { AuthZCodeGrantController } from "./controller/authZCodeGrant";
import type { Request, Response } from "caido:utils";
// import { ImplicitGrantController } from "./controller/implictGrant";
// import { AuthZCodeGrantController } from "./controller/authZCodeGrant";
import { CsrfCheck } from "./controller/csrfCheck";
import { PKCECheck } from "./controller/PKCECheck";
import { AccessTokenLeakController } from "./controller/accessTokenDetector";
import { ScopeDetection } from "./controller/scopeDetection";
import { NonceCheckController } from "./controller/nonceCheck";
import { ClientSecretController } from "./controller/clientsecretCheck";
export type API = DefineAPI<{}>;
const implicitGrantController = new ImplicitGrantController();
const authZCodeGrantController = new AuthZCodeGrantController();
const pkceCheck = new PKCECheck();
const csrfCheck = new CsrfCheck();
// const implicitGrantController = new ImplicitGrantController();
// const authZCodeGrantController = new AuthZCodeGrantController();
const pkceCheckController = new PKCECheck();
const tokenCheck = new AccessTokenLeakController();
const ScopeDetectionController = new ScopeDetection();
const nonceCheckController = new NonceCheckController();
const clientSecretController = new ClientSecretController();
// function matchSSORequest(req: Request): boolean {
// const raw = req.getRaw().toString();
// // 조건 3: Raw request에 SAMLRequest 또는 SAMLResponse 포함
// if (raw.includes("SAMLRequest=") || raw.includes("SAMLResponse=")) {
// return true;
// }
// return false;
// }
// function matchAccessTokenResponse(resp: Response): boolean {
// const raw = resp.getRaw().toString();
// const match = /"access_token"\s*:\s*"([^"]+)"/.exec(raw);
// return !!match;
// }
export function init(sdk: SDK<API>) {
sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => {
await csrfCheck.checker(sdk, req, res);
await pkceCheckController.test(sdk, req);
await tokenCheck.testReq(sdk, req);
await tokenCheck.testResp(sdk, res, req);
await ScopeDetectionController.scan(sdk, req.getUrl());
await clientSecretController.report(sdk,req);
if (NonceCheckController.isOidcFlow(req, res)) {
await sdk.findings.create({
title: "OIDC Flow Detected",
description: "The request appears to be part of an OIDC flow.",
request: req,
reporter: "",
});
}
});
/*
sdk.events.onInterceptRequest(async (sdk, req: Request) => {
const result =
authZCodeGrantController.testReq(req) ||
implicitGrantController.testReq(req);
if (result) {
await pkceCheck.test(sdk, req);
await pkceCheckController.test(sdk, req);
await sdk.findings.create({
title: "Possible SSO Request Detected",
@ -46,10 +55,6 @@ export function init(sdk: SDK<API>) {
reporter: "",
});
}
if (clientSecretController.test(req)) {
await clientSecretController.report(sdk,req);
}
});
*/
}

210
packages/backend/src/utils/http.ts Normal file
View file

@ -0,0 +1,210 @@
let instance: HttpUtils | null = null;
export class HttpUtils {
/**
* .
*/
public constructor() {
if (instance) {
return instance;
}
instance = this;
return instance;
}
/**
* URI
* @param value -
* @returns
*/
decodeAndLower(value: string): string {
try {
return decodeURIComponent(value).toLowerCase();
} catch {
return value.toLowerCase();
}
}
/**
* .
* @param headers - Record<string, string | string[]>
* @returns -
*/
lowerCaseAllHeaders(
headers: Record<string, string | string[]>
): Record<string, string | string[]> {
const result: Record<string, string | string[]> = {};
for (const [rawKey, rawValue] of Object.entries(headers)) {
const key = this.decodeAndLower(rawKey);
if (Array.isArray(rawValue)) {
result[key] = rawValue.map((v) => this.decodeAndLower(v));
} else {
result[key] = this.decodeAndLower(rawValue);
}
}
return result;
}
getQueryParamFromURI(uri: string, key: string): string | null {
uri = uri.toLowerCase();
key = key.toLowerCase();
try {
const urlObj = new URL(uri);
return urlObj.searchParams.get(key);
} catch (e) {
return null;
}
}
// Query
/**
* (query) key에 .
* @param query - "a=1&b=2..." ( ? )
* @param key -
* @returns - , null
*/
getQueryParam(query: string, key: string): string | null {
query = query.toLowerCase();
key = key.toLowerCase();
const params = new URLSearchParams(query);
return params.get(key);
}
/**
* (query) key=value를 , .
* - key가 (set), .
* @param query - "a=1&b=2..." ( ? )
* @param key -
* @param value -
* @returns - "a=1&b=2&c=3..."
*/
setQueryParam(query: string, key: string, value: string): string {
query = query.toLowerCase();
key = key.toLowerCase();
value = value.toLowerCase();
const params = new URLSearchParams(query);
params.set(key, value);
return params.toString();
}
/**
* (query) key에 (delete),
* .
* @param query - "a=1&b=2..." ( ? )
* @param key -
* @returns -
*/
removeQueryParam(query: string, key: string): string {
query = query.toLowerCase();
key = key.toLowerCase();
const params = new URLSearchParams(query);
params.delete(key);
return params.toString();
}
// Headers
/**
* name에 .
* @param headers - Response.getHeaders()
* @param name - (: "location", "Content-Type")
* @returns - , null
*/
getHeaderValue(
headers: Record<string, string | string[]>,
name: string
): string | null {
const normalized = this.lowerCaseAllHeaders(headers);
const target = name.toLowerCase();
for (const [key, value] of Object.entries(normalized)) {
if (key === target) {
let rawValue: string | null = null;
if (Array.isArray(value)) {
rawValue = value.length > 0 && value[0] ? value[0] : null;
} else {
rawValue = value.length > 0 ? value : null;
}
if (rawValue !== null) {
try {
return decodeURIComponent(rawValue);
} catch {
return rawValue;
}
}
}
}
return null;
}
/**
* name에 value로 .
* - .
* - value가 string인 [value] , string[] .
* - .
*
* @param headers - ,
* @param name - (: "Authorization", "X-Custom-Header")
* @param value - (string string[])
* @returns -
*/
setHeaderValue(
headers: Record<string, string | string[]>,
name: string,
value: string | string[]
): Record<string, string[]> {
headers = this.lowerCaseAllHeaders(headers);
const lowerName = name.toLowerCase();
const newHeaders: Record<string, string[]> = {};
// 1) 기존 헤더 복사하되, name과 일치하는 항목은 value로 대체
for (const [key, vals] of Object.entries(headers)) {
if (key.toLowerCase() === lowerName) {
newHeaders[key] = Array.isArray(value) ? value : [value];
} else {
newHeaders[key] = Array.isArray(vals) ? vals : [vals];
}
}
// 2) 해당 헤더가 원래 없었다면 새로 추가
const exists = Object.keys(newHeaders).some(
(k) => k.toLowerCase() === lowerName
);
if (!exists) {
newHeaders[name] = Array.isArray(value) ? value : [value];
}
return newHeaders;
}
/**
* () .
* @param headers - ,
* @param namesToRemove - ( ). .
* @returns -
*/
removeHeaders(
headers: Record<string, string | string[]>,
namesToRemove: string | string[]
): Record<string, string[]> {
headers = this.lowerCaseAllHeaders(headers);
const toRemove = Array.isArray(namesToRemove)
? namesToRemove.map((n) => n.toLowerCase())
: [namesToRemove.toLowerCase()];
const filtered: Record<string, string[]> = {};
for (const [key, vals] of Object.entries(headers)) {
if (!toRemove.includes(key.toLowerCase())) {
filtered[key] = Array.isArray(vals) ? vals : [vals];
}
}
return filtered;
}
}

34
playground/.gitignore vendored
View file

@ -1,34 +0,0 @@
# dependencies (bun install)
node_modules
# output
out
dist
*.tgz
# code coverage
coverage
*.lcov
# logs
logs
_.log
report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json
# dotenv environment variable files
.env
.env.development.local
.env.test.local
.env.production.local
.env.local
# caches
.eslintcache
.cache
*.tsbuildinfo
# IntelliJ based IDEs
.idea
# Finder (MacOS) folder config
.DS_Store

2
playground/PKCEDowngrade/.env.example Normal file
View file

@ -0,0 +1,2 @@
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=

2
playground/PKCEDowngrade/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
# deps
node_modules/

11
playground/PKCEDowngrade/README.md Normal file
View file

@ -0,0 +1,11 @@
To install dependencies:
```sh
bun install
```
To run:
```sh
bun run dev
```
open http://localhost:3000

10
playground/bun.lock → playground/PKCEDowngrade/bun.lock
View file

@ -2,13 +2,13 @@
"lockfileVersion": 1,
"workspaces": {
"": {
"name": "playground",
"name": "PKCEDowngrade",
"dependencies": {
"hono": "^4.7.10",
},
"devDependencies": {
"@types/bun": "latest",
},
"peerDependencies": {
"typescript": "^5",
},
},
},
"packages": {
@ -18,7 +18,7 @@
"bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="],
"typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="],
"hono": ["hono@4.7.10", "", {}, "sha512-QkACju9MiN59CKSY5JsGZCYmPZkA6sIW6OFCUp7qDjZu6S6KHtJHhAc9Uy9mV9F8PJ1/HQ3ybZF2yjCa/73fvQ=="],
"undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="],
}

12
playground/PKCEDowngrade/package.json Normal file
View file

@ -0,0 +1,12 @@
{
"name": "PKCEDowngrade",
"scripts": {
"dev": "bun run --hot src/index.ts"
},
"dependencies": {
"hono": "^4.7.10"
},
"devDependencies": {
"@types/bun": "latest"
}
}

94
playground/PKCEDowngrade/src/index.ts Normal file
View file

@ -0,0 +1,94 @@
import { Hono } from 'hono'
import { randomBytes, createHash } from 'crypto'
import { Buffer } from 'buffer'
const app = new Hono()
// In-memory PKCE store (should use Redis or similar in production)
const pkceStore = new Map<string, string>()
const generateCodeVerifier = () => {
return randomBytes(32).toString('hex')
}
const generateCodeChallenge = (verifier: string) => {
const hash = createHash('sha256').update(verifier).digest()
return hash.toString('base64url')
}
// Step 1: Redirect to GitHub with PKCE
app.get('/login', (c) => {
const codeVerifier = generateCodeVerifier()
const codeChallenge = generateCodeChallenge(codeVerifier)
const state = randomBytes(8).toString('hex')
pkceStore.set(state, codeVerifier)
const params = new URLSearchParams({
client_id: process.env.GITHUB_CLIENT_ID!,
redirect_uri: 'http://localhost:8787/callback',
scope: 'read:user',
state,
response_type: 'code',
code_challenge: codeChallenge,
code_challenge_method: 'S256',
})
return c.redirect(`https://github.com/login/oauth/authorize?${params}`)
})
// Step 2: GitHub redirects back here
app.get('/callback', async (c) => {
const url = new URL(c.req.url)
const code = url.searchParams.get('code')
const state = url.searchParams.get('state')
if (!code || !state) {
return c.text('Missing code or state', 400)
}
const codeVerifier = pkceStore.get(state)
if (!codeVerifier) {
return c.text('Invalid or expired state', 400)
}
// Step 3: Exchange code + verifier for token
const tokenRes = await fetch('https://github.com/login/oauth/access_token', {
method: 'POST',
headers: {
Accept: 'application/json',
'Content-Type': 'application/json',
},
body: JSON.stringify({
client_id: process.env.GITHUB_CLIENT_ID,
client_secret: process.env.GITHUB_CLIENT_SECRET,
code,
redirect_uri: 'http://localhost:8787/callback',
code_verifier: codeVerifier,
}),
})
const tokenData = await tokenRes.json()
if (!tokenData.access_token) {
return c.text('Failed to get access token', 500)
}
// Step 4: Use token to fetch user profile
const userRes = await fetch('https://api.github.com/user', {
headers: {
Authorization: `Bearer ${tokenData.access_token}`,
'User-Agent': 'hono-app',
},
})
const user = await userRes.json()
return c.json({
message: 'GitHub login successful!',
user,
})
})
export default {
port: 8787,
fetch: app.fetch,
}

7
playground/PKCEDowngrade/tsconfig.json Normal file
View file

@ -0,0 +1,7 @@
{
"compilerOptions": {
"strict": true,
"jsx": "react-jsx",
"jsxImportSource": "hono/jsx"
}
}

15
playground/README.md
View file

@ -1,15 +0,0 @@
# playground
To install dependencies:
```bash
bun install
```
To run:
```bash
bun run
```
This project was created using `bun init` in bun v1.2.14. [Bun](https://bun.sh) is a fast all-in-one JavaScript runtime.

65
playground/csrf/index.js Normal file
View file

@ -0,0 +1,65 @@
// app.js
const express = require("express");
const app = express();
const port = 8000;
// 콜백 엔드포인트 (정상 동작 시뮬레이션)
app.get("/callback", (req, res) => {
res.send(`
<h1>Callback Received</h1>
<p>Query Params:</p>
<pre>${JSON.stringify(req.query, null, 2)}</pre>
`);
});
/**
* 1) state 파라미터를 무시하는 취약한 /authorize 엔드포인트
* - 클라이언트가 state를 보내도 무시
* - 리디렉트 state를 포함하지 않음
*/
app.get("/authorize/no-state", (req, res) => {
const clientId = req.query.client_id || "unknown-client";
const redirectUri = encodeURIComponent(
req.query.redirect_uri || `http://localhost:${port}/callback`
);
const code = "authcode-12345";
// state를 전혀 포함하지 않은 채로 리디렉트
const location = `${redirectUri}?code=${code}&client_id=${clientId}`;
res.set("Location", location);
res.status(302).send(`Redirecting to ${location}`);
});
/**
* 2) 클라이언트가 보낸 state와 다른 값을 넣는 취약한 /authorize 엔드포인트
* - 클라이언트가 보낸 state를 로그로 확인만 하고,
* 응답 Location에는 'wrong-state' 삽입
*/
app.get("/authorize/mismatch-state", (req, res) => {
const clientId = req.query.client_id || "unknown-client";
const originalState = req.query.state;
const redirectUri = encodeURIComponent(
req.query.redirect_uri || `http://localhost:${port}/callback`
);
const code = "authcode-67890";
console.log(`[VULN] original state from client:`, originalState);
// 클라이언트 state와 다르게 'wrong-state'를 삽입
const wrongState = "wrong-state";
const location = `${redirectUri}?code=${code}&state=${wrongState}&client_id=${clientId}`;
res.set("Location", location);
res.status(302).send(`Redirecting to ${location}`);
});
app.listen(port, () => {
console.log(
`Vulnerable OAuth test server listening at http://localhost:${port}`
);
console.log(
`1) No-State: http://localhost:${port}/authorize/no-state?client_id=abc&redirect_uri=http://localhost:${port}/callback`
);
console.log(
`2) Mismatch-State: http://localhost:${port}/authorize/mismatch-state?client_id=abc&state=xyz&redirect_uri=http://localhost:${port}/callback`
);
});

1167
playground/csrf/package-lock.json generated Normal file
View file

File diff suppressed because it is too large Load diff

19
playground/csrf/package.json Normal file
View file

@ -0,0 +1,19 @@
{
"name": "csrf",
"version": "1.0.0",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1",
"start": "nodemon index.js"
},
"author": "",
"license": "ISC",
"dependencies": {
"express": "^5.1.0"
},
"keywords": [],
"description": "",
"devDependencies": {
"nodemon": "^3.1.10"
}
}

10
playground/package.json
View file

@ -1,10 +0,0 @@
{
"name": "playground",
"private": true,
"devDependencies": {
"@types/bun": "latest"
},
"peerDependencies": {
"typescript": "^5"
}
}

31
playground/src/PKCEDowngradeExpress.js
View file

@ -1,31 +0,0 @@
const express = require("express");
const app = express();
app.get("/auth", (req, res) => {
const {
client_id,
response_type,
code_challenge,
code_challenge_method,
scope
} = req.query;
console.log("Incoming request:", req.query);
if (!client_id || response_type !== "code") {
return res.status(400).send("Missing required parameters");
}
// Simulate issuing an authorization code
const code = "dummy-auth-code";
// Simulate PKCE check (normally you'd validate here)
// We deliberately allow the downgrade here to simulate the vulnerability
const responseBody = `Authorization successful. code=${code}`;
return res.status(200).send(responseBody);
});
const PORT = 5050;
app.listen(PORT, () => {
console.log(`Test PKCE server running on http://localhost:${PORT}`);
});

29
playground/tsconfig.json
View file

@ -1,29 +0,0 @@
{
"compilerOptions": {
// Environment setup & latest features
"lib": ["ESNext"],
"target": "ESNext",
"module": "Preserve",
"moduleDetection": "force",
"jsx": "react-jsx",
"allowJs": true,
// Bundler mode
"moduleResolution": "bundler",
"allowImportingTsExtensions": true,
"verbatimModuleSyntax": true,
"noEmit": true,
// Best practices
"strict": true,
"skipLibCheck": true,
"noFallthroughCasesInSwitch": true,
"noUncheckedIndexedAccess": true,
"noImplicitOverride": true,
// Some stricter flags (disabled by default)
"noUnusedLocals": false,
"noUnusedParameters": false,
"noPropertyAccessFromIndexSignature": false
}
}

16
pnpm-lock.yaml generated
View file

@ -11,6 +11,9 @@ importers:
'@caido-community/dev':
specifier: ^0.1.3
version: 0.1.5(postcss@8.5.3)(typescript@5.5.4)
'@caido/sdk-backend':
specifier: ^0.48.1
version: 0.48.1
typescript:
specifier: 5.5.4
version: 5.5.4
@ -34,9 +37,15 @@ packages:
'@caido/quickjs-types@0.17.2':
resolution: {integrity: sha512-5kcucGORMNEbcdU91yKLYZG/TFDqsO6XmCZ1TnU6V48E61mmqrJg6kjrfOFP1WOugDm+ZcGd/Su3p3XkFXfaPg==}
'@caido/quickjs-types@0.18.0':
resolution: {integrity: sha512-hRXUVdDvlhEhvkBoWWytoVS2j1KDVZa8dx2Q/KvWUQTR57U8EMSYE9iFgvPhu78gS8z+RF42Zcb7moNx4SDMlw==}
'@caido/sdk-backend@0.46.0':
resolution: {integrity: sha512-peUKW/4Nrw9WVxIahc+6KrVtxA7vsbpuJqOoBxudxq7tQJ+cV9IEqzvYoFFo8KlnrTkeUQUJvd0W4WsM3HgxEg==}
'@caido/sdk-backend@0.48.1':
resolution: {integrity: sha512-JvFeOlSqAKbj3OenBn0LPtCNaOV0x6YtaAQijpvYfBJK32Nvbf924Z10bFVCu+Clc5A1qr7HcAvJ/8B/aRikWA==}
'@caido/sdk-shared@0.1.1':
resolution: {integrity: sha512-JAV5ajUqxZdXYPTmDEvIKBZon8I5uHq44ATj0Nj3BVpllRDUGY9kcBd+PXMD50+3lv1CvhR3/f6q24T0+4aVJQ==}
@ -1095,11 +1104,18 @@ snapshots:
'@caido/quickjs-types@0.17.2': {}
'@caido/quickjs-types@0.18.0': {}
'@caido/sdk-backend@0.46.0':
dependencies:
'@caido/quickjs-types': 0.17.2
'@caido/sdk-shared': 0.1.1
'@caido/sdk-backend@0.48.1':
dependencies:
'@caido/quickjs-types': 0.18.0
'@caido/sdk-shared': 0.1.1
'@caido/sdk-shared@0.1.1': {}
'@esbuild/aix-ppc64@0.24.2':