From cc81947bd81eabf0877dec42ef1f4d07691b7351 Mon Sep 17 00:00:00 2001 From: sultanofdisco Date: Sat, 31 May 2025 11:55:06 +0900 Subject: [PATCH 01/20] =?UTF-8?q?nonceCheck=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- dist/plugin_package.zip | Bin 2892 -> 138874 bytes .../backend/src/controller/tokenLeakCheck.ts | 22 ++++++++++-------- packages/backend/src/index.ts | 12 +++++++++- 3 files changed, 23 insertions(+), 11 deletions(-) diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip index 31ab81ad9d2c3ea5abed9c5c5d2b92488e7cd63a..1b3f2de848388ebb64e74f2d20219127856b5c5f 100644 GIT binary patch literal 138874 zcmWIWW@h1H00B3#{ZSwqhB+7*7?Ki`vs3d@^dYK1BIv3FkW^*nrKDEqWfhkt7AeHX zCl{qAmZU1!D)=X5r6!l?LHO2O5ZRQ}w1A@g0)%u*YFcJqDo8A~sH766EIqZvzdR2l z>XKTVj8Kgb2dM_h6=fEb?pl7c;4#tNo1peVnhQUOz8UTV1lSWcrtN1>WaK_NZ0#7aRU zQAZ&OY?B5FRwZgiC&hBrYARSMRA_3XmF6XvWaj6AoD4EJGfjbjVVVj>sU@XFc`(=O zB^DIqRBDuDWESfvBo?KY=BDPA6l+>@DJYa=6y=vIxE2-V7ip-wROTh-W+ub5DdeXq zD5)!GD^w_GE2t|eWELyr<(DWFmlhP{7nP)@sB2nt)oQ{5J2^i$H$TrSSix37BRNS& zAvZq->~Wa$72@Ne!EB_V2@WBsBXjdp6l!V|Gz@eUl9Qt2;}Pi$oK!TDlQg3ZVq-Nm zG(akC6{;0dD?kn?wo<6BRjAd}gK{BOf=QT=HCHXdc?FfAG!06Z8YTHU3TZ|8xjG7| z70IauB{~Wzsl~})=fXl5B(0#P28(tu*A|pK^1)e43FKsGlp^F{epP~aP(dLrzeqtN zC$&T&JGBxNoS41?Y1Y)_QUC)`)GEfuBT}d{sP$(ot;`4tD}&bSDKqzl$ey0YNep40rI(mtpc*kKzUmOq(KMd zZcR;)UqQzWFJsItnF; zMd_&}U?*un*b26ww4$JBtB_ZklcQh{FUK^%ZUUDD{%N4d*97H=>RKI;ihO8vYH%qi z=<6$ZrYV$Uq$*_Qf>K6m5h$%@<|*Xmr=%(*=jRqAmSiSn=46&sf~-na$S+a=Wd@Kc zP>N2>Q*aITg&35UnUktel95=Vkdaudkd&I5r;wbVSC$G&@CqgQ3W*BNu!Ig)T3Vc$ zm#&bg;FOq@nxhLb17;)0q@u*U;6yVl_(o$JsPHCzYDEv@UP)Si~ssgyIf<&hdmjXx;m!_sQ z7ni<1I1b_=t}WItPE1SHO)5=GOD)oeRbAlP30gG7gA~L=6o3;YtW?neJv1!qkKTaXNx2{9a! z!C)k)bbwfGqzB5KpyB|=Pt3{5PsR`k%>#ue4&mUO{BndVATb0>PjJ6N+)=BLnp2z# zF0?`A6vC^J009-FpnM0ZQa~!8u>cJz1zUyS#I#h1TcIX`OFVesA*3}Di_$>}EIB_V zGcVo0$UiNuIJHDaAtyC2y(9zSUTEb3G1G{EE@V3qR_Vdp4~QlOq{XBGH5Q=)nj8>5 zhpNy)@)=YOk_F&cvQ>b2lYlGX;R}jrXx)-nl&%1-cJfMdlTwS|6$>bkA$2#X;So|< zkP4~8l^mhfyFzYhaS6D-PD)isRDfxRgaj-_!3%GwZwNRLqPZ4AA$b#$_>lZroLQBs zqmY)FlY@v#MARX952O&%n1VSF9tg0u310u<^&2R|C6$6&mN4&utb@jqf&$1HASZ(D zFU!wNQ7}Nb5h4wZgw#ApYJ|iDs1(UdM~MjqP|2VNGE4(RAbA=RR-o8I%R?Zcq|!8m zCb+v0k%OTHuE7AV8dL*=%!1~Jq|!8ql{jJvS|Xsu6~f=3K!N%i6jZ~RAwm*7RN&hKRu9}ApXz*1sODEz}~0@w~sMu!L0IP{hZ7s{glL#MBU<&qSVA( zy{uxCdJrTP50N5N4`Mfs#F`M|0Z<(Wtq758Vhv4bK@Le;pnMe!b~V^(Pz@SN5a%M- zoTVk1IjCwtA}|%OVo|{*u_O^+4^m}<8huDEgE$J>i9v)kdLV!d zfEf&xLkjJ*#GK+(gmghsesXGYv0h$kMM+3zayFvNifjSYnAF_N5)Gx)yc8uJ1&}RB zo`R}CiaIolpb8*HB))Bu5)5(~8+B?v*`j~Wf&VoL!j zM{Uq3OMw^-ud+dz0AwVhR|<9%l3!qH1}qMVMl2}-Nfs@V!7?E8pjjIw zeSjsgCmyJ`FdDgt$N;$vM{%8+oKl>qTb!A$3+l)vmXxFx=@%Cz>lY*zCFbfTRhFa{ zgJg6QbJEd^aj=qju#)(+{G#~8oOEz`h^Jdanr$Q$^YFBlo>~$Ba(ZxPRjNjIY9)w9 zWK>Y;UX)r~no|PmzeA-J^c5@=YCsJnZ3UPX1yuzLaA{(oV6R}HV5MLPPh!w42QdZ| zvamJ{$Z&9&IDtaVEx*VS93Y_19ViF81{;~0S%HQv5DqjlHPZz3DIxO47A9!&#ug?> z@}`DHX!52;hLH3KO#>LgfaDa7#GG{0kU%(A!Bzpmfw(+6F(*A1;yp-v5upHK3cT7t zNW!#0$_-GC1P#K08oH21yn1L}c3ysYo*5ppf)};|n$KYCuys$TDBYhTwUT3 zT41ai1yn0)6wuvcW21m%JhDj;Yd|J}Son0pGf`4vajKa~Xi<&^goQ}=&@uobtXGs; zkdv64s-bVIpRS{zq@;-uiO~iN>7t0~gT>-eYgo9g#hK}Oi6x~)sgA{vIM;xSARGXy zjUci{dYPE&5DMWr6mAG4^c57K9Wandpw?|>Ub+&v#Dlh{;OeoM1+y7k1H%>SC@4V! z1m-bV!H8T4Aob>5on3+*72w(-oqBMm*9jc(;32KNbkKliBDB(nnG7i$;6av>S`?D+ zm0z5S2r3;=`GRmd!WLVEjaUL07C4|x0L~-eaz?=xUTlN;kP;GHpdxF?O{{PQ^`=u( zz$Ls7cvJ_aXjRZwFhtgonO9I+0#^rjq#mSoi>xvqJXD0pZ;&z>t|J;EudN*m?$shE z{9xBWL^vQv1++YN&M(bL0S~66W#*-T<{u#KL#5)>LM2#fjEG85$P}j*Vmcb(1em)) zNefA-t*wFvqF|{}Fw{hL7m`9m3}KoHiFt_ckwZ^c0TKcVHVSZ)kc~&QhN0dDdrzUb zAT>ENEi*L*ItB-t#{f?Y!3_aV59ui6=jBvFDk=?Z)@p*4DHNsVCT8Yk=A~nX8#pjv zSsURmjOg<83&HDdoY9q;R{|L+S1Q60ZAHXJ8a5v)=qeZ~*eF2F!0SY%A|>1b3pD^7 zUIc>`WGOUg6U!1ab3iR)>_Lk??@`^oxrr6PQ%bFQ#Kf|7jD3}JC;ZmL3RUI}Qu0c0pi zMeQT25kXD=d_^V25RC$^C+nNgPLTmpsfv2fERJyp*P@Y9T%rRtSw{g@9%w80CYEIAqhO$ktO8nw!kr6o2ucvb z5&(FT9uzqFh(rUmQ^7_dA1N59?ju-YMfMRaHX%Mjs6dYZNK~d2m*|z`2bUCO=A~<3 zG%g`(AWcqCBONp=3G+6zfu2%a0uh140KCDNoL`z(0*y(Hq|!7Uh2oOLq7o35Ux0{E zP`DMq(Bf=XB3c9*Dtb&FUiY!`KW#t#AhUB}X z77c9U8lHE+EpX6mGORI$)>;My0-9n_(TCKU*HSP-4je?&5YahN2UjStF$qM2v>4t? z0V_Z?6kI7OfXh4`h2q3=Nco877Et?uU{Q#YKH&!FC>ZDh^oFS+iq<~x$!$hFP z0J65?jQk=*7YSyF4QAp8IR{cCV5TrIi45HYsJ$?q(9Sq)tPrwn0^$ycjqtp#P=n|~Vk(0gtDvS}WNHdG z9K0R@Q!%nHJpDpo$}yY@iDQ^F$dj<7pkMKtvP{x_Cd5PJg02pves zC=f6V=1Q!Y22#qA9Vloi6%;7&EJ%Eyz_T`%pg?3Oc;dte2jcW2Rq_aYt zF4*uH04kC}i>%?r0K7Gt32q)MWGdJwz-+Kq$kf(GHaS_L##SLQIx|)wP9Z5e6FwOM za~{;@WJt>j5>ya5SUBlrf>K!yXqp}thS24?pcw{Oh{0D%>4DQ4Xh9b|0+DA3K?xUS zju0fE0a{Lp>}sg1U`_zf*n*ZmCYB)b9@MQ63KU5BMVaYNrD?7p6BTTsgPlg`mZPeN zF3o`HfpXJQi?C~hIY_T4wYVf7yl|YPFhO=A#32d_xa|aWHi|OSp$fomglNK7LS&UE zVlN7^$`ipk3D3+TvR<+?H#Dabm|00Ksw^l0b*GTZ0*DxFcp4O?km*!c(DW+OybE|L z2z6EodENyy%?|b{)Fm29AQ5C^eS_WOJ^jKQeLP*_9ev#WgFHh#K#P&pl~jx2tJo72 z$`W%jQ$R!DkSR93m^=lAVA$Grgm|$+Vo|CUNK(lIG(D-LqoCvwY;0iyVVD{kffzwB zsUVnCP%u;~045axlL~-If#*9x+FfB%u3#yJ#Jm&*rM&#SR3$xiNTL9R7qZ8KU7dr# zb5BaesmVpDCGbXfBGQ}yBtauBcttiL%r(f<&C@j~-rF@&!B#;Dv^EvIXb?QV09oY* znOMMUOt7cBAAUo06cRz}7rT}*V)JO#dWKGaO2Pw}lQb@#5 z4Jle-u2M+ONKMZ6EQUK8G;@w{4al{y@)bTm1zP5hPy(Bof`k;J_Y2Yr4IWUefftBE zA`E4f5u}{OrdbhRFu^83KsG>T0+7Q1IoTkJYjD#BGUWi$mY)XNIRLH@m7uYW>?=rj z5~PqK^YuU`KrF%HdumydSX`N#n+jSw?wwi*>i*K)M#$=Eh&8apgc7l2dJRYNEXpiP zEJ^iFtsFe*6BMz~Gz3oESke&o#Emax5G55f-C_@qU~qXlV8H>(I8@HEkYWq!X`H19 zXatDV%!qv=jlFyoXG*({*`6Nj{3DrA0Z2 z!V@x*gS2)H<%c1RcuHPs&1sE7UNI)&f{jO%2%h`Dvhb6{KARtqmcui)K$=eo<~>PG(iACum^> zsPC1BwB`+z5ERjzQj(FGmk!^f2x=XGw!GOYcm@0W=|QZ@OapH(%}a;+4Ia5*y;$7= z*=ggEo0tq5!cQ&INXjfJ#_%#cfdAr~0$N0l z&HD&tpxDpIO$7DGQ5v2gcWNjVXC#8w0fSr$cLl26;!IGo(Eu5tS6YygSdt2Hw5E;% zSS%$oJ+-(5F;N2#FL;O{l{v+ki0}k=3SoH&oYqqq~|TzEP~Bo7r+~%$dL%^NWmpFkklc(M?xM4 z6(^}hpqU`>NCmWe2?|6FrJ!I(-Cz$#SWZXEqM$4W&EXIO(DOJ{6ht985oy&Ql3~!u z00la1$0K8BeRDEEi3{d%&nU@DG+(75^pcNZ1 z;O#BgavL25L^g+c1>TT^=!FU63q!yByi{nKLR8b}K?3q5N-}{eP=fco30VOTdfb-a z2zP`AxbHyDfhJJUX*t*(fiam2kKnBGM9`iA$dnAicu*z+nVeeWmY7_UUz7q;IiiUf!U3SFK8_U4S7hK z0f%8GaXx@W3Bn!}KVV9u`vOx1nm@n_Qi~84pnC+YATzZHn^$rZOOi7bY!Q=WdSDR^ z{Wy)F;F^Ho8rR?&k6=v=BU7^)V+)fSQ$r(7m6|vWkR6&T`kC+wI95}yB;O~$JhjLIaD{zsD6px^7fcdeI@e4$Ff}^|AN&!qGM?11|)W8KN z7aU7NV7vTF@*yKG=zH;C;^3)KypzC?vj<@6DcNO*G`S1u9V?+86o5OM!&j_=N3dYw z3rY>p;obbCER>-vMDl>fNq$lmEZ(tcgC1D{ihfw{7Cy%YvJ;zmh*BS(KB1POjdXzw zfLKmUjDgY&j#C~$QY4=80MddmjmFdXi0#oxV<(^;-cU!wG7%^XK^7oDC*|WovJ93?k!=Ev!J--k5`hg2!>bbbc((>5#~_``0&jXl;}@1h zKz(sc)rfQfZw(-Zs;RP{F{`{dI5oMnC^ZE#D4UU*n37rqT9a3qlb@J^&E<$QX%yhh zni>VA(vma_c%=&pda!J2iU-(8&`N3W#=+7e(6MsRv1W*MnxH0cW?o`ZB`hc*^%m5C zfJCrcu$xc-k<>(TDI|ly+XbK~f{vtXD5)0fsTM0i6~o*H=R$3QCLgrnYfw;Srsrwo z7a)%ogFFiH1!z@GK}oS5ga>m3NFM4&m;xvlSp{U!*uMz8zCZzFgC0Z(RE&VRh#oGo zK5z&@#>By@V0>gX(25C^FCb3S1MM|OR#A+U0u*c&KpsUB(SYc}mL^aPfi*#)wX+_m zywE^48a6Bl_9irp@y8OHZkP>Fy=d_RYCb`7JC-PdhNdlnu!RSAc4{Sx=fIPQ5Ys_J z`Kjed2UUPPS(J)cL56-B1jY$5kN|}x2M7;l8(1?e8evLcd=y1+FM+in(g$eRDPc`1e_Nxl5M)o&cy~RD`$- zl0U)cjDYsrfp%bkC1A&8AnHSyEuc&Ww;1cuDqsVkP9)7akU*oRYapo*T*$zWU_m5B zv?Ev$5=iR+K^Xv;5H1L z5+OcH1s!Dzs#?&U0+EK~7q}cG*??Pd3JOTc0^}@c8JwA(2XPxlYZjp%q<}!X9o!A5 zM6}#cPWysLLK{`!rVSA-c!(y1iKA`7%%W7x)u3MC!SO+^?yeCEwhH=j(TTcMj=E6> zx|T7z@v++WF?yIH8fZeA_A2_I7*>FnvI?2SkadcXksri31vFJdB#{aiSj!f&?f^V0 ztO@DgL_?M~K~LK>dGci&rTL+R%lT1ZZwX zZt>u9IWzN z0|wGig)^~s8lWa(i44tXL-d$H345qctf3CG6MLX%7KedWWP6ntL%U!Y*$SSO^-4gC zC?MTB@Tu5}im1s9DrJo=L1vW~gU7Zip@|V`C<(P~3=cL?4pRg*;K64xA)Ezi2c#B( z=8-`QeISc`lzcObA%{Z4Pj3S6Q%WsKEdn3YoK;>7ori=a5Kz6GT2!Q$3_7pcRzbI83&{W8VsPOJG}FY)XqSS4v2oVq@Pt@?2-x!Hh5%$ z8qSC)0`Z{jcTlgQ8d}vWKwE5hLJJ(}NNExpm>5MXXzdroX^;?xBt!*U1qcI2D1l9f zs32$}G)sZ^nu7b_c+7+t30imwsb0LoL%>JXgTg^Ct2jRoVH?6&q_Q6>r~~Ptp=DTj zHxbdyh1iE^*TVFJGae|p!V?)}*c6=h(A*DI3ym7I2!>=;NY4qaM+x#1*0=>#Dv*{k zxRVQ21MN70k^xAk9(;-hE<#3k6KnxI$AH_RNX=A?J|`&Ag9{Ouo8SVlBm_1B7Va=r zFg}VRhz~(27}U>1_{J8};~>!SgvSext|wd`)pHO_N$l;x>N^rTe2~U1Y}8Ld0e1%! z?objP1s+SFu8SZ^7qt_LoPN=|p~zB5ZAFOJK|Ll|R}>GnHGab zf52G|)@6jG4S1>p?Ye^uQa}~JV;fSKfrsHiWhJzb1*c9#h(kvGp@zT`DUuOj<&cgS zw5JJnrw(YPDh_3kt|nL+b`@lGGr{J;au4J^@v6avak;O;eg zUcyj7Qntcn1&O%~ny$FUyNILAU=biJppw(9upvIiy%4>SUyjcHh#L$wMu!GShVfeQP?66kdk&{Tw~ z2Tu~hbQXGY!eta%T0&I@N+95C&PsDqq1#YFH6x}XVp9>MfU79TEJ{s*Bzv?AVK5Ys zoR%<5pks2vup4WNN`?5}5$WbM%=p7oV1kPtShB*f5;bMP?E;ljFnb}<3Qc1e22hmD z@R){{(lAs)T!m3;VO57Cz2z2TKQ$&7lxp#I=8$xfSSf;xHcT~!xE@rd3RWNc=tX9PXS4I_}?wQyNt z4tb4QP-_x2$OdWPl_kR4rJ(8=A_-dP3~gY7+Ja??InYC(6zovXeuFoMK+||-i8=5B z5qfGFs*$iYjB08MnZ<6Id6^}t8X!%GCIoyy7SL^uPXKkOz~v6;K214G0Nj3t1PEwjFv!i&CL+|s&>RMf9MFM{po8g4iV$8aE&_Me9z-i>Y2;?+ znmCX+MuQY%uE5g}b%0$XK`;!8!agAqXji*0Ov1D$~i zp1pO;$xkfN0PBo4L|pm<@;@Z8DnKQTz-yzGa*LHf^P*VRMHiQ6f>wEh?;1vSL~>$r zs)7>OQ%Y9QcvVn9h++yB6=M;@6hab#c~v1#K}!L?1`K8kIAoDjL+l2LVhSROpcq_>mn3H=oj-CM3A`p2yTLo;RD_~7U`K5U&8o9*^`XDvh3Q8&P1`@1mh++`Z-K%gPpc|9{ zIxbcz1HVDJ$b|`{w1%ALjpU+SutB-_4MGYMoGvN`8&r&85Y*n>Vg+plP#Fk`FNnwC z)lwR?8l`IB7vz){CFW@4g1SYZNYqhC0o}Bmh_vb&;tWVt2aiZ>;g4xnhK_;~xPXDz zBv=i@76+Jy#d!);+*nhY}wOxv&U>NW&up)66^_ z1yF+@k)%MGBeOUF9LS(?3Q!O$*x746;f` zAu|!FTLubckZ^HHVr~IwZYr?^G>Z-{57Kh-^NT?DAExT%<(F${D(EX1rW(T&5U5ZA zwM6pMK!=V%FUf>77Ey*vK~^A@(V)UEw^##YDcmSX4uKkmsut8FFU?CyP0P$nO+hgi z7Wa@i1T}Rbi44Sora~ldfb4^KQdwckAr$%LUwq#*zGrQ*+C}H>{VW7Ud=8=!3`q67x!m(UTusf>8RyXCjIH!eCe5FxQ~? z-~dMcS{j*} zn41__T0*a$f;j+ejkCXRfWM!sUr0RMJ%-qv;}q)Yr%_BOzz``)%}GrxPE`W?9y+Ut z(QSq$J%k@%&H{;G4HXOp$iaaj35`0KI7*nn1hFI(n3S83Bj}7*XP;0P*Z6=SSEzm~ z1w#}SKK}l}u2u?0V84=*VNz0)N--|;1PhXyQNWr=FQmcR5W^188+IXcS@}s>smUcu zprHn+xL#^r85&p5&)>y0-o@1^)Ey+FACm;h!ZAtunULj^NP3YJYbw|)Xz1zbfeuX5 zRIs%J-))l*8s!8ntk+P2M2eD*0$h!if(BS2B+Y6b|0-wi> zcdQEHL;cJ=Xt4)2gT&Ga;tK`v-3gSXb4cEYBt4{IcX*MDJlqZr9VA6yK1@MsMFD6! zAJm%3PeC1UhRwf%$}4dAK-KDjInmJU4Uz>dmkt8W@xWBT1yEEKflfYyD*^LRo&*B}?iU=P1gUng*Bu7p^CuM1ldkMKi! zYDEy_Hp$%7yb@5m0Jf+jS}7(5w5`xE7FG&?L_il!gGwz(d?2LIE!IKAIdahz3ywjg zkjzcYP6eH?7L=NvS^?T?UY3|snu?SKpeH7RBU&LEybwS~Avdui7IZBdB-qjXfM~vg zrlE66LGc7O6}qlGL8TgOOs!S|ba6Rcq}o77r8+mUqP8|c6J517rfNfkYEWhbHF{vp zA4nquG>BJ=w4n(PrLT0ghPJU8i4oVO}d=K(1DBU6l8E6!; zG!@>6gD3>A7gDfQ2-4PuxeJm9AU1)ep%%h*mPCUjLAOYOrD6Jti;|0?N8VwCfO?Ry*fH)T6M+JKYrF2j)0MdDfy9H!Y5OxzlQiKeEmYPVR ztfAx=>gyWh>Fnv^>K6h&s2g-pxIs;{p{`|YOiYRvtP_P_6SxWl>5Pd<(Z;UD-w&Hr z2_QS58BsS@r5ZiEfYKr)>`)xw>*(nRZPh91C?sg8RDhm7(JNhu&dG3(j??Xu%lpB+T*notdtmwp$c)@4z3(fqY+E) z(8d}$V7*ZH#>8mD9Sjynn2GL83~8K>a|`wH3Gi|B^aEK^W)BNsq+A(W3ll_ydTcFR zCD^LiT6?U{2bm5sI1Xk6NC0eIY^@4b9pJzOs{rYXF0+k^DUQ{GX-9GvSRppIK_!TD zAXqWTCb$d1B47vLa-w^PPY9@h)X=cEvZ=Atw70d_#9B~B1UdS-yCPxe`Vl_2lVp6INb(CsVszFU=tR0|Qc%p$Q z#;;TpJkuJZ2Q`_HVysyN;$nznA*~6B2-pwcvQh=+0X+IaWff=_dr@+9i5{{63fc7N!2)Gm8#6}5VP3&0!wAMPYD6u5J z2qR`yj8u%VMXpC=fQPFexa|P;E-2r@0}R#9n3!U1T@Zm=UJHAWB3S~C1H3kYRe(D^ zc&tNGgu~9@5XT^JkppctfjkxygS}ts9^z^MQX2iTsMKZdu^-^eyEWwiTP)Slpdcm5JOeS&QF(*I2IMpA#$pWzu zI;|)*wJKGkS^+F;1+G05U}w32#$~`uviu9c!(h-;Ct!Mzm4V#`F&s2t2HNog+1+7l z2jBMsnwV3B`W<;d3OX(Xw+YheM=T%%>4VO}L3M*~2f%if4AdyFXCSUYHw>x*Y7j&g zIyizcNrCJskV+y`KxPW)n)bBJ)FO=OFeE8bV;@N?>7)I5rMam^nV_Lp{kUiYUCUT) z*oh;cIEIutsh$XTgNEP|brh1YjJPG{m4en;LQRB>^d~|a917sU{1SyEENYVAYC!P` zHbqShtP(jbfbJO7P6P!uXyi~qAxXhjK|2Y?M;l2@1W#8aDcCC*C|D`Lj8p{MZm*zg zs9*&)A2dCo2$r>10Es0k*eHNBffYdK;p%zImc*qtsoeZ0yfanJebOxnbDHNsZD3qXRD1sli3Q~!jZ;?y|3&RRuRFg3y z2gP`#yoanWI5js6a_lxJ8WiH8d_;`r6_-HvifELj78Pga=V4hPtN=O*0aR9kk6$Q) z7171;A{3VRA&U{91}T7VRn1EV?Fob0i=2&6)arqYLvUVEgq6QgF*P;N@v$J6>1F06 z=ai6bb$7Rf?R^46Pyu1 z8lX!SKxGHCE`S*T+9juiWqk)|7f4ZlxdLdc9dScaf@dChuQuFP1>e%*5(T6yDfJZG z^Gm=t9w{iPRHIr}tE30(0D>I_cOJ-HPzNCv4ug8Qko1lkR)`hR2zS9v0-2itH43yk z8nog%wMd~PBQZ|_(z%5gS*wtokyw06LsOIjT6#iLg^^?wY>{+e$Rc!u^S=V9nt=v{UP)1Au7)P` z6lkdHplR4%p(r)FL=V!OQ~;F@(ItAIc0FQoG9)`FqAW@ykUYX58P-Zcr5fsnTI?|o z4zHp_(Eb6aLWDoSa^O`LplU1^>0~32?U}`T-~|^DImDsRP&x3*3W%IBbaoJwHb5y2 z$y_^dsR|xPft947`?^3Uc0epfy9ga*IA*R;g5?T`9;ioPO=gg_u&Nglln@7i)`lqH za{yQYi4FkkA0IB>`fX!Hg15g2@5Cn%J ziUyFO&`DO%>0Wxdi3J)OnJFmEFpy!8SU|MpAkDDM6qIYlAqpXR3DO|b&O};54v_{W zCy=C_t%3olp#);vV5BKjk3w`pThe)@NDH$eGKjPS;-m7Qx=q($02M145X=V;+ zzfNwnX{>_10*FEiAO$OwFb3;@+@=SsrxB$fOdP2m0;`8cwSuhzXwDm+accEcs=@N$ zJPPN5lSgd=B9DUt5UdUnkkhH1@ zF&bOD1vQ+&;R)Fb1vUrV41v|}pcIM_MfMP?A#guK*MWc%79u5pcu-TotpjKS3gSXk z&tR=hK~4nghc#KiZp7^xXuKi01r}X!cY-xTBf&Q@GY{exP0*TGWT}9nRHzIrbYUi8 z(F<#bk{AJCpFt08A~j^7K7~34sY40gEUpKxU7+a$!U6jbr*cqT09Ov;;8hOJnlR;H z4m|eILJ1L!NQD6?R*6oflmrsUB5JhA^2{fQ}q1{(dibiT7 zL(gP}S4B`G;JJrL(@8d*B)4PD4mqhM3Xof1;Z53%Wa@=21Oralo2NbGF;1U4BC#ocZGzLIM z5up_+9^joRkXB?@;II`rfnd>_gsv?)Kd&S+54JuF$@SvJSp*%AuMKs#iw=F#?6m23_lkoP$A`1gb@^xFoTtq&PgYBtrwV(q9R! zYXDNJh%gmYh#`0&bHODV_>4Ma8$ekfF?<2p(5;jS9a726OD;+Ut(jGTU3_hY zFaUWJ1Y%%D@C(wWs!e(?=B6qMM;gbLlANT+}XjlPZ1j@()$YNNLh{{HY z!gfwW;~Lcoklm-CbPY;uO33>{L2g6oqrw^nwhBnKG00YMFhUY2b~#8+z##{+7_rV4 zWFFLJP?`p(M&wkC%m$@Ac&iPfF{vmuF&nu8MtBgEacSy7I(Pyc$dq^j5~h%CI7r!z zK&XNv7@`&2pF^ZZ0va)*LtkIPGYwpVWr8kz2W4}}X%0v&DwK|*LSk}BF<1k*$V)7S z7I>iOhLp(QFoBhWAYpivLsL9jc!4r1*h2^_;VIkJ7WIe>kZ~xfk<^ewWJ8cqU~8!o zju1am&x5d0K4>8XjRFPes6$a=c`YcaAct=t!VP(l6XZWEzC|d82Qqr`fssfco&)#) zaK#;@L;)492B6{=9I)Vo0G{nd62s`$*y4#}u$Ac97>lPMwqq~PAg;h62X~EvEy`FF zDDZFv1D0|Nk%U3%kuooXj3>g&)b!4$`BLl$xBM zn+lQ8HBcze$V|=viNK32*nUWP!=LTd8q;&(jQx3k}R0B~c zgX={F$ow^0RgFkF@W6oQOMF2LR}D(IAbU}|&!Em4#(*`*ov{89B!9vUfm(@NPlHrL z`+K^&nV>!LDCg*aq(K<$e#n3ynwim=vEWvy5|$m#Ae|75sR=#dK-7VT6?Bcz9f;Zh z1*t?W93X>dnP7M58ltweK&qkg@Rl7|A)1pA*L9H6%!ZgwZeu$!2XxeQr9x^&W^qX| zYLgpcGP*yZl_F9`EhsI{&;X?jv=$k9n4y{kicdts#SAe}0zy~3aupq?+#(R z8$c+1B7_~_(1Fahf|;;M9Yn~0k{?(KJg@>SmQaHlEDbUQG!3H-Z4g0}6F&n3vk~Gp z@LC-#yOJR@?jW`J7xKVPASu=duTnu@$paQ7av=|vra)B~?) zU~#WtuTTb`WV2F0gg>sZ1-pZkuuaZM#XK|zEJ$+Lf_2d#Y{BLd8MdH22Z+67y8NwOx#R~Qc;5(#13$hf533#w0NeTGOykztwotXz(p-RjN z42UugVhr_5IEY&i#R#-of`=G#0|1!~YMh{?c~HRuT|@>QmISw5U^CjtJhwI2?|+I@uz?^!h>yf7TgL2$Yc~uAF;(I(ohUE0bv%>piBu_9fg!Np{ikPT0w4w zx&>~eCTNWzQA64=bK$PXUS>l}2}G#?E0b}R4w-q$AR~z_cT+Oc($Lc=NQ~r?0i=lr z1p~-fq;kO!zOK&*B?UrDT|@L@*H8ysprY)=g3X(j8KJ8-!lN3}WX>$k2b~gHW(Zp* zqETi9FVR8S09hG&&lG1|!d+zOk(r(WS#F!3TaZ`;w$2VQ@&xf_MrL{jbnTvktwI@0 zlf6P2Xz6zuy#EJLos(aVU9pjZl|mVO-W8%4WVAxRBr_m!mkM5+0&)t}=UDqbP{%`+Ko>cpxd}YNgX$(ESAj;bkX!}J*B}=n zRDq2^QU!B6jE01LK~ZX2Cg>OykgFj92s&eU_`)475Ij zD#2A?f=U=rQYN;<1Sco-A`>h~a+wL%MS7tLY5pTMRWUm+V3R@RW}*&c+Y`97MCv=h z#UTj*6aZMdc3@*bazqCXD1I>l2P8;(;DB_|CU8I|6B#%lrJw-77C10DVgm=9V9^5y zEJ$+TfOXL%aKI)L7dT+0I06SQM|9x8M}ROw2rff-D4k2ivFT^Me9gv`e7ye*XDWKt02n(|&Rj`Mg`ksO$MO04) z;dGFl#6}UcengKSs4&Tq1Jy@*%n(ujLCpq53}~$u!9ozKUIVFwOoC~Gw(oM$&y9oX zAteN1+u+cH5GGD?7{WA?9*9uaBPDRC2yzmK8ILU-Vah=p17Sf03JWYHCCnI*G>M5# z7rYGzJ-ncH$AcwF4m7B4xX~o`tfAWRha6Oq4`@R&EcC!d0#rf+k}Q!$A~i!S02Pq&Pt>#?|74#sOFl z$W~&rL~(vm33^TdiIE(QAWfvl95mlUZDX9EBjh9!OFH6jPA> z*T`mrMPVACL5Yz$K>A4uyCRSV^uPlPk{o(qU9=BAur*|bA99I|EBwHwlM;aG7)dW3 zbSNolBbi`BXi?mP-GY*EK!pV~RiTQ*hf^@pRC)<10g{6eAUUK52-px>1PItIs2&HO zLkt>KN<|g7fsHR=1V|1^0g_sXp1)EHNzPngLue5oV7H)p99MvV*II#+0+yysY9UC1 z*b+Mr>>ZQ}I1lU)(y|T27+Qo1#5KeP3wYTY$oE)+C6BalNiV@TnK~VG_o@PE;Q}#+ z7U2SM4RPTD+E$7qSkfU^E)ttuaxjA>hm2r>7(j5se zVRAVr`XGUikVDZ22@p`swE=?eJ{xQ{<>0r;2CGduIBmkRiVL#91vCH@Qdt1Gh*$%Dl1hF-D)_)U z(59CB0;GjokYtXtrGE1B?Zw&dOroyiAL(+Va_gq$0Lzc zfceNpT(ttR=NLg;3F_uRyVUU22jI~XSlI&vCwstkO@f0U=LIX+rC1u zE>I+a?1!5L;-DD?RtQ%B<{?xd#}_D}f~7%moLT|ydx6A27?yxRY&4(dBo>!==B1>9 z=6^xf!>s~wq7C8R(pCTq7{LS(A&D>?kI{%-)-dIuv%nc#{{a43S$0U;I>VM+aJYS4rLK7$2x zatYXP(WbGr3E&IsVBrOEA9w_mI0MZV*X%HfO*LKyv|-A&`)RSOA&`1)B!pqIn2ZxF|woz*C@L zH$#f%{LB>e?T#STV6$=)3-pRJt5QKbai9Vfs38t3JJK?Xic7pxK^LGy6&C1ar&bng zXzGE=NexXsu$72l0tFygCB#)4FazKX0+0e&5P;ZV#b5{FiV=irq|k-g2$956u@W`GfYKINA#|%f zXmk+mOh8cc0-^-tz&~)#M<~aTN3{!HAb?GS1PmxC;n=ALO*NoC3&iCbV10T;iRFmE zK`{lsP!*E8KxV`Jha3>j;N^#)Bf3!?2u{D0c}GeqzV8Rp0LWZIJG3&05g#w1rNwTRL?4A7WcL*rkV(edoDFW@#13L-D70_CkC~u+MSC8fPZEaLTA+esRV29o|02v9^j&PW^t%6cb4Rl>7NFIb?-UG2=jRepHB51n_ zSU)J4qMpA6jdYM(vlT$Y-3r+XHsEuPilLd!S|JBx)l{faK-CSdKR_83tOI<$4pO0m zuo}{)ggZi8LCFeq6*@`~z|$9~TLY>DAw4Zn4+5moJGBzYXi&}q%cmgw6<$q3q+o%I zoH8J8g1Fljl7(PF0Tx8)fvC(VQm}=r7FK|c1)<-F0Ux44l0Yhpz4^|gu z6zM2rR2F2U=0UH#K@C@oS{Au1haMmX(XIeBQAr0<{vd@BcALS6CL=CN0o`m8s{_uT z7}t*=nFX~Ilz$+~6hM_bX_kVo+=1Fxf_CE%rd41SWY_|}ss?Hc`b{~Qwt!XOvISIz zfdkPevl!HN1G8aG5(QX`1QaIVwgxyCA{vPrAPLaE*vw*B%S;n`$ttMb12qTS+=sSp zKpMa%LF3dt#MJ<+DTqW0$_LK^5Dm#M z#i$VkiZ`Uz8Yn_g6~K$KXpk95FtdVhv3s z&w$HmPzz22TEy!pK=dLx9h$Bn;;_($*$5sgyX>lC8%;GsWSr#EKop#y0@S-0ZRVSnX&NAuW0T@4re3>f)rF*T#swy5j+|IF&4D2+$Sg$)Z$AmEX^!RjfYJRz{b%*D!>IFH28gjLXoAw z%?Rii9g-TKjfAI$(n zP(rdFD61n1aRmibgNX7!B&);AV2HOMrbF{TD1O2D5#bS73?tlw9JP>)rUZ&BcvBkM z?S!{*$&Fvf5WG+lrK2_q^piz7h654|r%F*60U1R*m;uO#0mzdW_bIk7lZ z1F~UVsX_@N2g%)9Nck1o=Yj+n$T*Ny*kcpPEzr>;Y@Io9(ndB_BN<^FQb!QOJIH$Q zI|N!VAWgYLI&aXC3UG%TToA&?D8NGS1~{@uptfoh=_qK#>nQl@DCFuW6zC`vKt|kQ z#Xh{72u?N7xYkiX(*f}lC@(?^HKcVLplUp`I6}i0t>Ik+o*qFS^+XzK25HE}sv*J7 zR;Ajv7F0?r*r-%%`zmNF7=pRF21vKHpqW*G*DRIl+*&;Yka51Cl?K|mP&09v2nr%Z z_`pL58lvD7rBG0$1P)6?$bbtN(1F%aAAoIDsV=D11ubf*CC++eYat;B3lO+*gbV^# zw4kVhmMY+gRe&T7P`5j^1YWj)om^U!2a<((1XkE06^&4jLy9o`DHvi6xb;kARsx$! zVpam{!S4{L=fSNIc&bJ(cM0S-@X!-#egg}^^BY8e6;gi180Z6?QK4&qdPD_sAVI^H z=xmDWp}~+%RjRANiJQ!<3MxN*A;q_W5_0ncl!UQl0RxzQc=9r+XM^R?Q+%f3ay?3q z2XZJQ$i?`J2uS+GRz!gG;`A*@G8b1+fb%L5#Y--@h${dWaVP~GC_JIXCUPkQ62=lR zL>F8j{je4mm<~bX+g6mu#PuuNE$TL1g&wP%W9zQILKY@s1*xD3|_M! z`wto<;3}dhwM0iDy(FiEh!$N1xQ!1FLL6FQ^*+qi6~3SY>%a{<3@Ok}o)x~}7I$%k zMlMo@gVcl-pdtH;T$q9a3@YkAkyB8zvxRo3ATEW5 z8iwTx3ZOItDPs_62BHU)WKiq|31c`2M~MdU7opy? zq=Zz}AUn}h6eOj>`W^;)2Jk)%B%1N|$SP1a-@)C4+%H0y2X-JNh-&o=P+BaAfPvOX zkP?j=RT6mE0)O!iwG&$Uf;GU)QfRRbFW-=hYe-c9Ul{+^3mPg0Itpn; z`MEj@X}&rNX&|~lMV0j0W9zg>HX{bXA zAQKgAk*WY_mV+xt9Z-NO2Pfe)$bf=MHQ15JT{1*=KsOC_NCDk6mFhImm;$jTrlIy1 zP)sYz&&6;BEGQJf;RtK>gS6G+w-Qm4L@mN(zcF!VBzQNCHFz9n=t1Gqg)E zx<*iEU}yx{o{wY|G;E=HJwc@!93P;Ic=Br#praia*&8%o9Sj}{(=6& zVP$L+X`pFm918+LzE*^+*n?ag4K*BdFbp)tgEo~1D_mhT$S|mWq?6X5(*mGI8GH*K zMhgqM6-A;KV1sK=UqGg(;KeGadIPx&MHbvpL=4pHIr>E+I{>5y>+P4&=mW`Pn2E*5 zSk_oV8o7x%Ir-(_Roy7gg2X(?bPxvF096P%d=l(xSolJ=g@KxP5VN31tAb{H;Yz@J z!;qAK_eY_a0v18{I=Hq4MK}7yC~7kS7VF5O(1eYWPGIVwatK4gH5hT5GC=(#$lRq~ z7Pf=BKr8S`+@67AB#C=8KvVy=3c;1RN%=V%O3)cnN54qe3J}m_5F&YjI(XpySn)_= zu%e>4B(WqjSpl?I*wHT%+saT!zerfZfCVKu6+t(2f&76~6u`_y-YN^8mx4|oYe1`R zqznQ|XdqKi7Q!H$ikduNilN<6PM3^E45cGC;xQk(mkUWF5Mg^QK6+k^{sLh}&uZp251v+qnSZ0bkc!3ay z4`6^|H?Oz^+%W~k7Hk0_+%=HSq#{~p65Dbu_yGkVb0Dz}+Nc5IAsteHT#`Y306ES8 zw09PE-6v!pj)J{HE=a@*sWAz04w^>LFaUa&5lsn-5wH-37^avTZ4`@|p}?9Uk*Ht` zT7-m1XIQcns%p^MMM!C-0WuhMc?=|;kOCLx6c|l#Av!qS!JGrvg=3);G?gLB8F2eU z3CG$U499`WAr#Nqf&&9IZUn9WuxBQWS_o9^z}yN6^dY;53hKAy+yab+Taa`Njc`cn zfpVaw8$8}&VS%)$4wOx>RxzMRPz0B0xatn{v|E&44&FnI*hQt3sDMZVplkE+FQ)`q z366Joxdy6&l+Z>w;Htn$5}XpymB1?|M1usB6p+gRxDrsl0gr@&{R&%83kx}L!UZqR zgvh{y5?(@soC69(J%Ww~tD?4}!Qllq6cLLMM}w_{BnM@3RR3{P(V!$ zx=94=2uO6mmr;STEZ7~`BuVOrK(a6HP6nt8f)r0E_hLhwqXa&+6yX}IO2}{%I0j&m zk76ij){17sy(0%L2(hFdsIv22ucN0wJk@qy=Op;L;vR zMG{nTPTv@R=Lg2)~#b|Xpbvf}X&&*u^aKQoH&6??mc$#_6ck`S(@V=Q za!pLm(9kFYCn=bxAdME7L!mhwt(668LMwuNUQ?q03c4`Ff%A}cyqGsKgH+opl)>B$ za=QXVFDNWh;hS7?6DtsbjjS5c%7L+9D;wcuQf^`eL{%1K_M3$Oz0^e zq!lgYXXcTg@-y>5$yq@GXUa#8Wsp*$Q$Do3&_gfrGxOr1QY04lnR&WUjWjvu6Wrdx z-dKc`^>|J>&dtn&UXBN<1ByU}HSA6YS@0gXJcb+FPIJk$)WcOlz*ax?SFz;`2p zYI{gcrJ)4gvjm%-Kq_w`g)Kx2N{I_?k3nQWu?H$XVZ|Us6zUulD|8KLUSO%oLb@w&OgY-3}`GGbSD64 zqNx~Bk0H!NtI$B|L1Wh-1sJgb5`?$}+6#sCn&I&X3T)Up)JUpfT~lPwfs{fHEJi(g z7$gp=G(prCHafXHg zioZZ=VF?Mu24R?ukfWktJlJU|s1DHAQb=3@(V*CaDh6#y1m|ebVhIh1AWGcfEzh8mhzyUXPJ@=# zAXgDpp@FX<*F&qyz=EKAb%{BezX;^9Vtue4((5m9Z2>Cqpj(f@ra?wBAe9r?T$n0Y zwE`a%v$cbF^3l2ska0m!B?H!st`l;|1E|e{v{;qYz5}j!K)9Lcc*rj;Db7s6IN1>@ zOj?5is)_W-fYg;pv4J`Agy_X1DFc;=kX(oybJd{fKk$ZTgeFjUK;jh~D@bNwL_DPT zoS6z5Er1QB!Nrj6!P9&JAL#+pOu{`3crSN=1}~^V1Z}p#`@|WUIr)etD{>17suHzP z0u@B)fCLZpkQAs|a6q9aUzkEriy*xuEl)=wrz90Zfk;q<=qRLuD40rEeGPIVa)AaZ z>QO6akckSm3Xq$WK;wFgDeKE2Czd}a}0J5 zSQvHHHCpunaS>|e19cIqEie~B?`Hv748l+sp}HRCBGgsTa2MI&brF_Y3QLbmE4Rjgmrs5opc5I=s1oTu~rWHat;)a|9x7AV(Us zM!+%vj&ztE(peQ?qd?6`=xR4>1&Z3BpbM%&sS~N?3u)Zv+UTSoz8IGh8kw~*r!WCutQw7~|^j_d$vgBD~7C~0G}BqzU| zpdBC|fDYJ)^%GF6fHzXn8%ZFSq0S3~;s#W2V#12iCEsSN6W#B3<8CIhrm0YwT??Y8uiB0aQLTY3p-Z4(JiHi#J{j<7);id1t$ zMNq3`kW&!xR0L`xB8oCl#R$^{4{4|xCD0@zET4da1Iuh)dPxyThNytb!3?MzQUeNN z1}y>#;uP`%3N%+tAfR$c2q?sg8a=dxg^(ew9g5ILdQ%kK>Oo3mMW7UfoWu}@gBoH* zhB^vGMyM$aHhy1Z2(25yW@>Kt(h(Cl?taAMJu{B}5^v z{EcufNF7lrw>UGmASW}eQV%UUVB(}j222;}Q2}q7AVmjU3^__brF3FZDv~m&2uu;i z%o{A>;YZm)&jg#}9@ z@YWi5Y!7M*Y)1*mVJ zMj&)R^eBP@0ab^B0$5PN7B;zstO-^(!RtdK%BAln1796Ui`YYUopL_WwZ;ar3mvv8D7g1Y-~X{ z)l^_J1vyn9I~a7gO=e!Lg02D3+UT4*C20PX)M z*eJlPfr;2FAXI^_umTwk$u;02owyRaGzpYU(aUSFD2b&tSP$uCHMojHDuBVk0V{q% zi;ECLF-WQ)#WZO009h&i@fhGY(04A~fn;dp8Vkh6-x{sqfOUXZ_ksgS18fo04tRn|$p`IcMzjQw z9RgPbs$q%~%l-26K$jON*n$T9i@|rHf-<*%Xozc&l>$G+!d(w?BZ}*hI5jm2 z5R*Z7-+>BPNDcsLfmAkNS!B0^q+pxT6u@3b)&eUB5U~I;24N+tS_>T5r8HJp;ZMaIii{Z zx>o{+J|)=Mz#v`l@P{;2ASnzb1%Wy~uyU2WR1DPxE44tAWZ<)qi%XM0_t8PRs^C7e zBkHa}kVa5~f=oh!Re&|7gA=98wFW7DD#aV!PoCbe=3cJA(?N z^b*kcFU&}!;skt!NpWcsazubUn2Z>10i_`5Ngx=ape4`9Q2-uk2aWrr7P*ILfNVuN zAP{CfN+Sl{NE`5xBN(FS7JX;FM+xZ z6l-uMG|?fs7h)t-JH~EZEbc=IdW6Ncwh9Iyhk-1Hk9mPgc+l}DprO2+5=43ci-V34 zLG}c^3_uPI%m777d8vh<8Vnq|$Ob{Y1agcbqOp)#r~_-hrI%l2i zAG^spWSflSD{y{7YjQxW#%^gcPT#=&gI3oe0u`ABjceo*7&$FMvLt9>PB~(_ACyQl z5{q5(bA3W|6d)}35Lj{r$>yb|rhugbz@2tz=t0vVW@!$JwH#Q|#j;?-UI8wvV1?Qy zLbA<01Y#Q`ui)Pe1J5W}ZG+3A+XhNxD1K8@Q$XfpF%47-f~!O1tN;=O&D-GC9&Hc{ zu1QhWsUTa0-Z+HC8i6zgi!B9Pc*KG7DSEjHIlu`+6nQQSVvmtpAz zlFHLjy2=nSsCU8fikf2~^00y!DbztJ35zhSQ3Kj#11%Pjjut?+2P%xB5PX~fD9TV3 zf`yS4f)5n{#~O-4urRv&6=3NG>^tP%0o>}0jcDJ z=SX;YPOSnEf8qnHp*->7 z%;V?*2X1(QX8J*AQR8cXfzlBul%X1IZ56;N55ff{JoG37X&^b_VHU}dGxU%W9=zhA zNy1Y^%EqA8VmT$CA{3OV)YQO76@uD<;9G4`>H%C;Jgg3Y(V!57)Q0fF8kDUd)iJyk z2MSIUbygWEO$_4 zg*FP0-f>n;#A06(tg?ay1Eebj8h}D-eJ4Vz799o9Kuj)pH6^so18;jn9SPQHr(mF9 zuaKx<1zsPZU<2kRDOf2aAsWq)@(^;eBf6+9XrvOPJ`v(PB>#dl3b<|_Jl=))5AI!v z??KK-_pS|A@7mz-F2>XkWW)~?B>0C`GxJhXEA-HZR8v9m2AZ@ZX1W_@1c?*4;3>Pj z#GD}Hu}joDJ-`VJbVCQyAShf6c@UI{m35gZsd*)tX_=`-pot6EqBSH@Wb?qARFNzN z^N|&Rmmnf30P~R*B>0nA5HP?TB(AJ&7}Qver4Rtn0-c;_WSgLg%k zs$fD`%<{?4FGfxlP|fk+{SH{vJC$bUq#$_*ralQIj;y{ozX*JBA9Oh^h>I*;1QI|p z2h2xS03M=&1xI=bvJ`kw1tx{M7&5gG$;{M3WL^b{440g)EgqaycYa(dRM1!~ICAia=94$Y#MuB9Iip#gG-E zY!pROjJop{SqIAgIwT#a+e1-wAn!{;)`7CC4owGixEoD5bix=}Ew~s!4-l}R5wbGq z;v6LNpd!eMAnT1_2`as$2w4)cumvWWgDMFwS;2SUA=!WsL^cOJrk zBofS8NF4)Hf>8y*1`ff6C+xN-aA3eV;6f3`$;?ZJF+t@Wj14Z^;2cmn2IGLsEI0>V zG{Hn5sWlbGg_SliK2#c9(x8cfOB0wFs6>FV!NmcLlMcV$DhJL=EriMDA(-hUa7W}I zn8~>XFtw2E2jd~K9!vxrIWP`9=fDI|at%xnC1bz^k<&hsAT)WyM8HvmVkb0p!W5*J z6v3D|2qq$d!6adc2*oT&qJb%aRNOFLQL2>!*cfoLK(7cMZpB5(C^E%G@U&8rpPial zj3Ntc^w1iAcoh?xW+&Nd5*v-h;Fc*; zu?7)|Fi;H2K?sPzhlpC7rnd=!q7K#uXrbWex0ma2cgeOjg zB!?wVlSp6400|bVhohOEC8^;EE^QJ^QXP@gD0-U2s)*$9!)glYVdoee>Fetn66EO| z@9i2H@8TNb=;;$29~>GG;2#v?>Vg!ic=Hmh;siD3f`T361A>DI8i+FqAR7ifH`XyH zJ-;ZkBqO)jEx*V+wG!0tfz`=MsmV%K3eifg!A7QLN;(QkuEE9@CJ=_Hp^;K7tbkG~ zDozBe41%c)fH8t#S^{8sWT#dlMnyoQN{Vnv&}fY!SROL80qS>y2IIh;Rggx|E*1q_5K9jw zO@PE4U1pVYkck__;k%QHoI`W{P`_RIsQ8yqs7!+EN99XQ7lCO}LU!stknp&a&y7L;^1NgoJ{foq{p#e2HvjN`7iF)qM;rCL!U0mh@qg z5SpaseF5&qJdza2%_Stgq&Jdi(ZGx|(=#;EGXP}=J6j9T4WGm}*~?Oku{dC z5G|w!h*xobUU+I!2&lUXuIG@Ni5POotvSE^5~tL({GwEJU8oYsS|FBG6l4~qrl9M> zkVDp(lA4^Kf;=(^5kOW_l9`)YT!1pR4HH6E1}$cA;( zG`CUP-H`eLqy<#df%+G4Jw#aJ5gZR!?g4A3d%&9K9*|Z!#0pSliX6s>auwNs;Pdp8 zQ#DY;Af>U6f&sXt5A8spwdOS;wkRkddjn<~iWmu|LCQwljrFYZl3?)e1<>Ilpa}La zg2yX--J6a=a$-(SQetv8!poq*05x#)(-fd{mEeUQO0aGKcrH#6Qy-|k0x=8Q{Qz*I z6sp1HIjG!+cmY!P!B%G>+<|;=1EwB?d62}cmsnh!nVzRnT?_XdJlH`?!cy|{;LGMg zKE&pJkQ&hJEi_1Au?Ah30_$=qC_vT00z@OVs7Oa4C9wo$q8Q?>)S@Cy1xPzGwFtbE z6y$LbhIEd=+F%yJPY^>i4?s?ZdQ~quCqFqm1XSddB<2=?X4z4r30(oG4WX1*nwykb zgmNf2%;x;OR1MHtbIcM~3C${4*CJ5?W*j_hk>e2N(7gP-uZ zSdyxjmtU@-si3c5m}(3+9F$HK;YAK|CMF`PvdT-~5d}TcB1H*%^gu%zZWA~nU@3?K zYZGy&3P^YrBo>u`s#Unn;PSgfLrD)-9YQiZSRHJE7bpj!G}4I;jKmz!iC?MMLIGTu zftw~N;N}ag@IXD22+~%8s8Fy~fN(Y7j@MDB1}`zmNi9jWQUEQGQ9zu=fOIrb5w0Kw zm1{7Yk&6IDh)ocSacRa;=ww2>W8krREb$MCh>X<46!3CIWSjILqA(YM!YDnp1k$j9 z34)R+H2D;RTRcb=BBYFg73e6L5~K}lZ3ka-1*#5k6{L_BGCXyIYMs;+g~Z~@yyT3c z{Ji|qVuj2!1&Dh4=gg+zE&jTAJ9ib4T&aT3JC;Pb-JYJ6BA zVAN&sU;-`rE6qy=T~wn12~8td%fT61AtJ{o-1iW-!<1-%R_(*|Aq6nJpukecK{Ey1 zB~a^i6kzcIsbC=%A(?4}>>f}wff6O^=2ytcT=*g=wWuh+NFg&1dmMn`3)DKYQczOR zR!A)>(#uUPE>28OMU+m+Q23NAIrQo&h;1VI)C>BcnY~tL3TXI9q7(b#2@HHxdUPZTH=OPR9K38 zbT?sy4XmlC2OoPYMotODI7+<$vP-YHAT>ENtx`cLFF!9;36u;#gE!Eb0wsl#e9)$L zkb=@YP*A3(D1Zy6Vs-5C4+=tvcaf8+f}*VgC|iJ9Y>FCK%BZk{ z0&3|FYCmEz#}?Y5gSYdsSca4lL0fpBC(y^E1|T;36rec-#b+=ZAq9_jY9*|hhs|}U z8>*d3)6!Cl^g!1>VsoZ~6&CwY9FOdLwA=v-A84t9FNa__5_IVfXlM`IAqN-2xrrsI zMVW~?C}l3lcvz)}%0`HSk^;em3Q~mO2qQgEEd{BOAd)Ec5y(PVLmQC+6l@is{asi| z4^js$?LpQ=gD0L#DxHudF@e*<> z!n6$H`P5|MJdQM;fW=Nkw+$2`SVIoELyuwte8e3!UNH^P1F!q^Pt(BCC;^2K_Ji4p zNTRSd5j>_*5+bUzAhkBgI+S~LJc5xfXn&FX%^Y> z2nT~B0qi7Hk0a|O&_e;W1;EWJ9JvwF4lGEl%*js#EyYFgB2*X=Tp$O5a$OUxf}@<>#apC4xqcYHAb=FzOogsDXPNJfN?k1ZwJn>g~kj zlFYJHB^?EjA3$Rj8pr{v1s<_LE^d%rjhaBv;v==9fQa~T1|`iZ3}nW=fnsi;8= z$#F0_&_Io2QBh*0US=_vhNm`|3QYxj_=p!wOuG?v<0Z?09$!bl2`<~qu5pf zY%<&iSV~JQO#vB>#08m)#KmG{F6el9&>=)%qxFjOb5k|oonMH3j##}7&$%!^fKD1i z)(jIz4K0v&pm_?W0QuU=pwx8NiUQD1B&em3$`{=sRtj*>WEo;`36lpZ zt`xx`fbK}B6Y(|SK{+4p3TR_VPaze0fIFny4wEm2E`I@aMU^y(D+gfdA+xx+G!O26)~elzyPP z6$tnQs*E(RWR;g>rr`ESR!JtfUV(W8i*lm90oF^%6JSN8c>z3;g4+vVX%tU@MNl;m z?Fq16LY@FCBFz)Ii4~6NXmtiCMWNO6nTaJ}uV9-t1C?Avlt>^WpcCdP3gAu;#BR{o z0%W);6J=ZEYh3?RV_T9)GL7!e=r=;j*l=@;Va?i!?E zt6*thU~Xt>X=G|*Zen0*X^5&Aq0Z3U(%j6_*wEO-!pz9n(9}HD$kGU**w4{V0d$lS zigk%a>BS+5>7Z*3qVvI3q=I8ndMS9}VJ!6e1CX;oO-D3!ZqTV6WM%28d1$KKQ}ZC# zqhnJJ$;fCrAWKY;O)aj>P0G(fR|XbDR#uc6Qj`fg08u|KrdYcsrdV4=KON!!qEydf zr^FPG)CvV#1^u{aUF}$dif98}%S7F@SZx*kOf;pLd5J}pV5J60(FTTCl=vr?fDiiA zk2A=RHqbT4q9imk540f`Jo02v6K$w#85@(LrKzHiuq>@8H8miy2)u9>b{Dv3UI|12 zDBMB4KZQh4-@`YtKm*JGEhGg6YbsLx1Bxba%2u#d&^6S7E$Xy|XazOBK}Nvlk*z?> zi;7Z=1!g7_LD1^0VWVsWZlW?qUXXfr*;Xz&TXDVfQMC8;_JpaFld z9E2H^nVx}k*a|3IAU*>v>P89!sJlS3ltuZuU;`Ai6*NGmfsIhGS1?qtQqVPoI~f`x z$SS~I)74e50^Laga-RaWZ~|4F1x2Y42Sa>-J#df%7v91F+W`p~P^k(D9Yiq+4M1IJ z!2pp)2|Tdh{L>&7>wqrxC`Ar7gry*Nf;;};CJUH_kc7JjYkYtNJ&XMk{UDJ5wh|t2 z5H~^A_kn$b66m@L7|9iyOktje20Xr`2y!|&Z$JYUT=8M}0PY8{D`3VW!V>0CBEl5p zR}C}^pxVHqh#-Vm12GyUUcgnn26$OGB;Ozc8G4iRV|4sXT?nmmLd zAm4&=I6O!Y85C?bM*KkC53vlVv%?Z|N>ht9AoT?(C*~I*O_xH=0LKNWz$z%pFDOQu zc?a*~K}?}Ql|u{z?W%zfX27d%Cc-pm zBo?J3Btbz^Qd*P;UJ0N9*9}&L2o7YggJJ^Wx`3kml6(bQ1?cj?0uUF}+J~qHsmn+# z_Ak#1C<3kcF9B5^NE-D}B@vn+YC`fM6(4A&Be)_4+oo3n6-Forg=cC}Nu_78YhGz? zYEfcR4roa+#1x1oY)TLYd&>Q1d|P1L`p(QHY-)UPrP8%`NbOCQ#^RCJP!+faPU+XfSQBQ5*KU}#0+?zR#XIwf*b;_TtIb#5+wA%l?q5JSPT{+ zu;u6&(FAb?Qgp&23K}FxR)I{-PlE;oD0HAULL7%-G_=?OyOeN9Lk5z-u2+O6GFaHC zsVTtH3bI4h)bJ%3TU+Sj{g6cH2ok0P!Q)RbTVOE&^*4rRAwyVT2a@L+ux+?pQ(m~pn+h}El;5SB&hOIum`nQtQ4Rl8KA)qXn=xMYJqbH zbifnl07%4O@fE~X_E2}geFjkvOWH`)Fjzgpg&_CA+pcHnQv4oyvP^))pLAPwNr zXJqvX_6o>j$&iSE9>8Fvse`c4UcpGgO2GmYt{{UTgW_l=fo2P=6p+0M2|swo0gV*E zx@_=N2zM%YKp9-#LW+4%)PP5XKw`*UM$k#LiN%mX1E^AnztOA%2Q6&O36UzH7D99? z*eifql4!$I$PNX08Fr}}!~%@nuCOJ{AXgBWPb!A)h{HFbMDUbX*o+c}VI)o|f!qRW z$=E6=!De!tAR7Xa=SUy{1@2kl9ms;HgEgk`j!D5&L}oG6LP*NPh$L_nf^!mRJ`&W= zLx_M6at8^)ax^HNz|0|7S3~^{iZWQmh2$zoxrA&WT5U~YD+M#jz&s9e0HHJkI)E=d zwMZXSdtjUl3`q>e#Lhw%qZ>wInt|2J*ry?(6)i}TjG0A9iw7-5Lh2Ue1PLh|!P9Jm zV$u$|1jU$*16O3=E*-6M5Nu2UoHHA)thf)EYy|FoU=Uf!vNkuc1JGMCpw{lIv hMLvZ4_{`+ZNh{ zhMcXg3z`!hZJ;ZRHqb{K=-`P-c%N!;G|;iMPN0*%p$RE z0@01uet`6Sk=qZDhAOS9V@M@Qy{02ls}$lD^!gXtpTVe}AfZ8i^#sw6HhzR9sX$ys zOiC%pNzBZHgg(CHVoG#!!Db+dX$ImPv@`>WLs*(YiUE)O;u44?dMtoiLC|p+wCiy} z!z|zy5opu^wgVeEw%`-?AO(ndE<{rfb0aj|CPhVvL%_oq&~_WB)rEay8l?XU>+irz zA&6<97=%f|y$qY{2MN$?LVumAkG8@Hzev{Dk0H=O&!QQq;4sQ3)Tb= zcZ89slR9X9SX4=bCWt#gQ<9JoXwdv!XFgC16K` z5)Mc)bVUoqSUqG}|1`AK7$6UW7X)JKD8m|W&{71cnGUiErM(OBCv=4;Bq<>o9RSMQ z5a&RWBqIHSa)2T>%kfWlDcZuu+Y{3v{d|nln8CvWkjR0hW=O*nJo~F)3p$|$ z9+FU(!jyv?3RMQ3fyZJ2Xe0ur0TK!j^Fav!a_Jz_dLBsRgUtlZ3+Cq)m%!H=sHuUD zRw>Cxp8tj!42=$G96*f5HVKZrVG68DO${-?#(FblS&~z>gOA>=PlyK?-9p;8FWtkJ1vQW$+F;%&R`Z>qD1_k*C z#fP{?fG%xQa)s{kQ%D47J5VtTEg(S&VRWzzV}<*G4wfZ>Pi+OQo&{B0h_W3NSICVZ z$h;P`@C7Nw(=y9|ozMg(uLK?Jo9=a+L?f`@nAO_|s*w~`p0j>Z}#-RDA{LB=@ z%r3GLIvpSc?I@6a&Q;C~igv z9Ft3sD-VKm9*_Y`v>qKixX~u8;gtrcQ8c^VntnYF}flE z)KP_%8IS@AEz2W{4M-CkJUI^vNu*^{upvdzJO-lkJh~zPniN4TD^NH?%iTdb;0UTH zKrY46!$7&i3N*ohz7rE9MyLUZ%@7hBfUw=qNT;U5gpf}+M?SS4@75o}6P^Al6#13A6jG@dJ)ilVEAciUvR8>g5 zOAMu^s7fKd1PoPX$f`hT2t$QAvI?S3oiEBPODq8`E+KsEJp6ts#1ZefPJ{>F=L9{M z9egDc0ji0S(-xw5M0E-HP~hZL4P&AXgom`cK=BL8Me)#$ z{qe=g8L7F63byce0OS;%V$VD)g=&S&;;_V=%oHnda}nHF1rKo|Tm&DFfhQVhfdm=J zfkY@w2)5c4R0Mzut6Cie=n1D*3hGL5iz(jcudYxF+g6?jyTgIrzJXgzP2a!{mm$?N zsL_CN+zTX5vBwI`N+sm8_Q2x^pz{{M3%8Jh8-8*iiVID|&q$U-P8mS8xfrSRL9qj(7|DV>=qMzTfvI`P`6-!s>1akm zLKDR_m`Wt`piV_H4swPKVZ$Km@EQd@9)_@4P=$C610T~u*eI|vyawgvgSX;=E(}03 z4!ZmcCCrdiBby3Zv6Y&bhZJtvsgl0mtpC5a`e0g#jO zh;Si_dSsI^-3UD@zc@9yvqms(Lk*u>O|0^&`~ zOG+bbVqQ`jVH1%92;SEQ2XSIass^N%)q&g@7@7yZ+)oEu;D8R*fnK=hmzaxmYy+qr z0NQYgG~)sp*hkrN3AyhBbOs@0R7xE_R;i?}ppCdn3}m)~wt_nNplR?4I^bzls3Y{$ zp@TDsjv8dxS`T@VtX^7vk!xad26(Us+#CRHn1nYSVCM-zy$#+22=O_}?rlgP5H!}1 znF6}g9Jw_Cl>=uBXgHxtW8SQ$4)!N#pC{ONnUL$lz$T=ofOhMG<>8ka!ovaKV{lsp z9DyJftVsi_4-p{(bsXG#deG((bg?tolPGb6=~#qbXv+s4>~4o@P4zDTg?usW zltD!BK>L0$bsAXOc{&Q?P!g{B7VkR5oOqg#rrU;xc3 zgN~Mf8la<~1ZAOG3@TfoE{ZS7kB6#3YMv^=8zfc=AU6C4QYC1$X{7*SA%tNyAm|Fx z(jjND1Pd&_VDW==o-MqigB0nYjfK_MH|o`EKFPyw5n0yPP7pA__x5xARSF|3f5n3+>rlnT100y$1V5r`SB zAa6i(C`=Np5nI^?sYsA6j)D{g&_WM>_BK2{ftD7-`~YvUgO4_WTyTKwI;b09Zb#Hs zpbLYGQcL`c0ubhcuWQIiECZeL2JV_59sY~#CM-_Ee)$2yXo8m?pr0m<#SUB8#RqU> z5og-Nh2Zgqd~pDBh+r=ELAvt*ZVc#xFw|@Fz^khBVYj%Tgd1p^9c;Ujg1rJH@uS^& z05=)5-v!fiNX|xfIL3_!B*iDRMh4eQ;DgL@+;aenTcny0nk_(y8nX0c3zr_UgY6s}G zzu=QFOA89}i%KA^K|jzvn}(*^(4>Ve*I_kC4_xV%Lifol*eDnom{=f38Hu5vkyxyd zsF0hPmzi6d3(gkBnN^_6w7~`|B!TV&1|5fj=l%ky7hw4YlxCoHI7-!s{p?Mg835KW z1BD#yY*FMA7*d&oEQ3wsKx<~?z(6lY!I>Y?`NpV{kxCozB}vF;VFWBh1-3d2_!cf>1bgRiMaTq*!o0S!r{#Dl$Phk6;RTn}_uJGj_J_!yMa zp{k$(15%Y)lv?bWhaNh}p$ZLCOn<67C8ogpJ_xgvV7>xfwGDNTLSjx)YGO(y=qhrB z#5@I1>t6}9q^|&U)|MX90kW`k0*VQ!YoTUQ1Nd=$m3rlsGiO|DB zLB(roPH`&e{yz;o#Ws>gP(KTH{VP0Lp*0Rt0!KIqdRaEUq>COwFzZ0qd|)|r8lHr8 zAV)ZZf(}RgAO`}r*g@6?^#r72gC(DW+tG-!2d~kH7M42F5CF{&s)nU27>y-D;L~a7 z5rR~fLc<@t^BQ)}3$k}{#TTfA#u8s}E9n?fkhui14;F{T z6O2X~TZIgPAPskE5;@Ka9(hMq4^c806k?OM?H!rXgY}oTZqvd zLDhzl`;f8-N~H@LoraIvLY$?i5R#Fq0JROH-UVp@y8tqbjjgrw3 z;$g7&5#a;V0vmaS4P?Wn^$=mK2N$ZTQBW!^Nwa{i14aoi*jNiBW5I@QQ2J^JCGe|O zK^YUYxJ6=HBnK>^w~^iHiry4Mh1!=b2z%!MHf z!8{1Jp;l85>?$R2U9E(4i#t>tbmfH-WQ8YaWEwo~48E`mHDQ3tDD+AlvzLhIB;&e< z4R+fptZ{3jU}S2BY85;U!a@>!V=iQV1Y1v-^1c|NVGBxj2y4NI;e!U^ApwGv+V z3LMxlHIU2=p1UMw-5J)?H;@;Vk+c8}W*P}A(7@vish~bdKI9f~Sbr08u^Z?dsKV0B zqSSZ@Uqcg?dm-09Bjh1`gghu@5V9a1Le8r=KQBBr339U*sLhU0h#`g0g?cp_LJO)m zLOsNI$TeNy+=$SEA*G=Sj#;#LD@aVvPE1cN)(1^rq~@jQ7Z)Y#C+Fvt6oF3kEYi=+ zEy&4CE^#kP%q!6=DdqxA=6Hg|G9iM_aJ8VZ)ttoQV(?T}W-*GYpwvQ*qSQiIsRC)f z7nY`ikNq!7Ed=ev3j}dt>&`&g3M>!507644IVUqUuOvP*#TIfzB)WW2YH>k+UU6zX zs10fhzUx;BY5EYFo)P=dAPE^N44%gWC2^2wW^r(89^`_KkbGybwV2K?NG!>KESv+m zJ|M9q1Lk=0yqB1qoLXEQ4|X>W9~OhwTY%(hY7{`$BL$8cy7rnH1$`7TRsBrJ$y4BP zBQIb|Qj1H_;t~{7pp6rHIHDXD=kPj22~#1o&IbiOwBFCiEY`yn3)oD=h%Xc)G2^(_ znu|+cUx85aPb@9Th;q(PNkz#3jwqryasW6HKsGHxccg&4mst$fj24DqwF=;PL8K@u z=ZEC{lvIkc11K2imm5IN1*LQ~HAuK1C3Sqc0HzI;`oV14r+SnK#g;Z<3Q&?HQnmr5 zU5voRW)QkU6az8SxPpSdzCvcPBe+}v*9XvKXQdDXEh-_l=<6%gauJy$z{QhKYGSr? zMrv|4tV+nt1x*OVV^r%U`L4mfprR98!6Hj*XzD0{uKNI0C}6k2%|xk3KyjU!tdLq! zQk0ln;t45}K?Z`hfxxdqfaD)Y!yS=-=Qj3aFOJz`whDd-m9fMUwD}e;_i!!Ug z*MBO-f~KS)hD9rZA`eLlR6{_ED9C0CkXD#^pnfx?V+)=)M@XT}usNkB7Nr&`V9ATf z8gep|Q#H&r^-78|b74LJ6(9-<5YG}-Sb%y!pvo{m4U&l<{U@ZUeWlD4NQI*WTG#_N z6OtrAt!`+F0*mUw6hZ<3;u26AE=q;R0?cVeiRDiDDWE$Uic*U~bz@LsIm`<%HAzqf zP^I)9`8v(i#j6@^sG6Ey&MH%`4G>X@#2)2?huW4K2_~6`(Kz2|^Pu z#3cM_7o4p?LxiA;4_9gjnF~pLieUAc3TT$XLKk8q=<;GL8B;GMH7&6;r$i5;N&{?^ zjzYBp>>@KO1yCCa-pc_6q9R0X3Mgkl6BJAYJPHp@Qdk@Wbs?D#$GM&rC^n%gHYX6<@Ff2MS!&;!h7V_Q`9j!RSu(TnbZ$R2hTA*%nJ-21-Ma1PjUv@N9+D&aSoQf(_+B(*v@t z;BEvo^?=HOTHFmbNT(3mJAw3Au=P$rJ!h0&2_hYUiYHJ_1S)|M?LCCNf-U$~YEWf> zO&X*f?iJAa&>F=l*^nqMPRZ6wElbTSDb~x+18sLKN=_{RwV}Zgkyu=rm#hF%Z3L>& z3N;mM?Z6&~PHTAW;z2_BZUQb-66_SY>+%}E5UAAqkSEmlZ@>H}3oplR~d;u0$^E|qF%@6b23 zBqKjXL$g)^E)-gn1L9kOML@f`YZG7v2`IUNlRCIVj4TRjr=%8vj;V(_4>m>#Nu{7L zLF5-i0?r2UNeMJ^3k?T_#Dap<#G+z_l6=rzodtaqQ2f7Ce z+*-2Y;wnx|OVv#(O-n;MYt@QNK|w=HQ2|L#Pr=tSM8PLBIW@01RZqb!wJ5*1SivzV zzcf1|F(orAHABHBqokyu*h*hN4J@gbUzDz&UyzztoL^d$oNA|_rOBnG&lTX!&LOnX z@WW1NCI%1=@MdP=V&Gt4U~m)LAH{$Kco`TNauf41(^88|^gyjoP#RXsOi{7|T{e-K zlCPT&%2(j9Q_4%sO$A9fCuXMPEBJ%*Iz*x@wWv5VKMy2lpl6_G01-t>)F7FFoYM5n zJO$7S6C|x5)ANgztiU0vpa8cc+#^^aI590%A+%T_BsDP?v|tvz$4V(DGcUUsqyfS$ z02>PufGm~;c>t8Bpq_w^+JIdI7S7Jh1N#m`0_HmmiPXH3qRN8&%)AniH=xq+BSR1- z7nSCL=37CEvJ%S@Avqf4Zpct=ELSZkUNl34dSe+G7(h6{n~_O`feRcT=rIF|EwBWG z0EA+I*$mSKQUTJ19Mdqh5G`s93~*hLDj=&ET{p6OK&b(u6GY0&FrlW60B=?{kOVUW QGsAiY28OM&ObiSR0NrCIr~m)} delta 163 zcmeyhhvSSGZ-6&53l{?jEaBTckyn`+L>Vhi=NDsA-d@Sg#KyK=PJ+pkX?l`0lca2b zH#^6i1IwGcIT#o~7^0hlfq`KO-{$RFGECDMK?Y1eBFkjVzl3jd6q4fUY;sKciXcJF e(4gK}Mg|5D<^@>|$L~29riaNf$+5MA-2?#d)g-+D diff --git a/packages/backend/src/controller/tokenLeakCheck.ts b/packages/backend/src/controller/tokenLeakCheck.ts index 2248b49..5a05ce9 100644 --- a/packages/backend/src/controller/tokenLeakCheck.ts +++ b/packages/backend/src/controller/tokenLeakCheck.ts @@ -1,8 +1,8 @@ -import type { Request } from "caido:utils"; +import type { Request,Response } from "caido:utils"; import jwt from "jsonwebtoken"; export class TokenLeakCheck { - public static extractIdToken(req: Request): string | null { + public static extractIdToken(req: Request, res?: Response): string | null { // 1. Authorization 헤더 확인\\ const header = req.getHeaders() as Record; const authHeader = header["authorization"] || header["Authorization"]; @@ -16,19 +16,21 @@ export class TokenLeakCheck { return (query as Record).id_token; } - // 3. POST 바디 안에 id_token이 있을 경우 - const rawBody = req.getRaw(); - const body = rawBody ? rawBody.toString() : ""; - const match = body.match(/id_token=([^&\s]+)/); - if (match && typeof match[1] === "string") { - return decodeURIComponent(match[1]); + // 3. response 안에 id_token이 있을 경우 + if (res) { + const rawBody = res.getRaw(); + const body = rawBody ? rawBody.toString() : ""; + const match = body.match(/id_token=([^&\s]+)/); + if (match && typeof match[1] === "string" ) { + return decodeURIComponent(match[1]); + } } return null; } - public static decodeIdToken(req: Request): Record | null { - const token = this.extractIdToken(req); + public static decodeIdToken(req: Request, res?: Response): Record | null { + const token = this.extractIdToken(req, res); if (!token) return null; const decoded = jwt.decode(token, { complete: true }); diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 8ba813f..0ad8c01 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -2,6 +2,7 @@ import type { SDK, DefineAPI } from "caido:plugin"; import type { Request } from "caido:utils"; import { ImplicitGrantController } from "./controller/implictGrant"; import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; +import { NonceCheckController } from "./controller/nonceCheck"; export type API = DefineAPI<{}>; @@ -40,5 +41,14 @@ export function init(sdk: SDK) { reporter: "", }); } + + if(NonceCheckController.isOidcFlow(req)) { + await sdk.findings.create({ + title: "OIDC Flow Detected", + description: "The request appears to be part of an OIDC flow.", + request: req, + reporter: "", + }); + } }); -} +} \ No newline at end of file From 858dfd16dc24600d4bb604ce9e6f457e66129be8 Mon Sep 17 00:00:00 2001 From: KMINGON Date: Sun, 25 May 2025 21:43:21 +0900 Subject: [PATCH 02/20] =?UTF-8?q?FEAT=20:=20AccessToken=20=EB=B0=8F=20?= =?UTF-8?q?=EA=B0=81=EC=A2=85=20=ED=86=A0=ED=81=B0=20=EC=A1=B4=EC=9E=AC=20?= =?UTF-8?q?=EC=97=AC=EB=B6=80=20=ED=99=95=EC=9D=B8=ED=95=98=EB=8A=94=20con?= =?UTF-8?q?troller=20=EC=9E=91=EC=84=B1,=20=ED=85=8C=EC=8A=A4=ED=8A=B8=20?= =?UTF-8?q?=ED=95=84=EC=9A=94?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/controller/accessTokenDetector.ts | 146 ++++++++++++++++++ 1 file changed, 146 insertions(+) create mode 100644 packages/backend/src/controller/accessTokenDetector.ts diff --git a/packages/backend/src/controller/accessTokenDetector.ts b/packages/backend/src/controller/accessTokenDetector.ts new file mode 100644 index 0000000..fb3d03f --- /dev/null +++ b/packages/backend/src/controller/accessTokenDetector.ts @@ -0,0 +1,146 @@ +import type { Request, Response } from "caido:utils"; + +// 토큰 누출 검사 결과를 담는 구조 +export interface TokenLeakResult { + found: boolean; // 토큰이 발견되었는지 여부 (true/false) + location: 'url' | 'body' | 'header'; // 토큰이 발견된 위치 (url, body, header 중 하나) + title: string; // 경고 제목 + description: string; // 상세 설명 + value?: string; // 실제 발견된 값 (선택적) +} + +// 액세스 토큰 누출 검사 클래스 +export class AccessTokenLeakController { + + /** + * @param request - 검사할 HTTP 요청 객체 + * @returns 토큰이 발견되면 결과 객체, 없으면 null + */ + async testReq(request: Request): Promise { + + // === 1. URL에서 토큰 검사 === + const url = request.getUrl(); + + const extractedTokenFromUrl = this.extractTokenFromText(url); + + if (extractedTokenFromUrl) { + return { + found: true, + location: 'url', + title: "Access Token Leak in URL", + description: `요청 URL에 액세스 토큰 파라미터가 포함되어 있습니다. (토큰: ${extractedTokenFromUrl.substring(0, 20)}...)`, + value: url + }; + } + + // === 2. 요청 본문(Body)에서 토큰 검사 === + const body = request.getBody(); + + if (body) { + const bodyText = await body.toText(); + + const extractedTokenFromBody = this.extractTokenFromText(bodyText); + + if (extractedTokenFromBody) { + return { + found: true, + location: 'body', + title: "Access Token Leak in Request Body", + description: `요청 Body에 access_token 파라미터가 포함되어 있습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, + value: bodyText + }; + } + } + + return null; + } + + /** + * HTTP 응답에서 액세스 토큰 누출 검사 + * @param response - 검사할 HTTP 응답 객체 + * @returns 토큰이 발견되면 결과 객체, 없으면 null + */ + async testResp(response: Response): Promise { + + // === 1. Location 헤더에서 토큰 검사 === + const locationHeader = response.getHeader("Location"); + + const locationHeaderStr = Array.isArray(locationHeader) ? locationHeader.join(', ') : locationHeader; + + if (locationHeaderStr) { + const extractedTokenFromHeader = this.extractTokenFromText(locationHeaderStr); + + if (extractedTokenFromHeader) { + return { + found: true, + location: 'header', + title: "Access Token Leak in Redirect URL", + description: `Location 헤더에 액세스 토큰이 노출되었습니다: ${locationHeaderStr} (토큰: ${extractedTokenFromHeader.substring(0, 20)}...)`, + value: locationHeaderStr + }; + } + } + + // === 2. 응답 본문에서 토큰 검사 === + const bodyBytes = response.getBody(); + + if (bodyBytes) { + const bodyText = await bodyBytes.toText(); + + const extractedTokenFromBody = this.extractTokenFromText(bodyText); + + if (extractedTokenFromBody) { + return { + found: true, + location: 'body', + title: "Access Token Leak in Response Body", + description: `HTTP 응답 본문에 'access_token' 토큰이 노출되었습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, + value: bodyText + }; + } + } + + return null; + } + + /** + * 텍스트에서 실제 토큰 값을 추출 + * @param text - 검사할 텍스트 + * @returns 토큰 값이 있으면 해당 값, 없으면 null + */ +private extractTokenFromText(text: string): string | null { + // 토큰 관련 키워드 리스트 + const tokenKeys = [ + 'access_token', + 'id_token', + 'auth_token', + 'token', + 'jwt', + 'session_token' + ]; + + // 정규표현식 패턴 리스트 생성 + const tokenPatterns: RegExp[] = []; + + for (const key of tokenKeys) { + // 1. key=token 또는 key: token + tokenPatterns.push(new RegExp(`${key}[=:]\\s*([a-zA-Z0-9\\-._~+/]+=*)`, 'i')); + + // 2. JSON 형태의 "key": "token" + tokenPatterns.push(new RegExp(`"${key}"\\s*:\\s*"([^"]+)"`, 'i')); + } + + // 3. Authorization: Bearer 형태 + tokenPatterns.push(/bearer\s+([a-zA-Z0-9\-._~+/]+=*)/i); + + // 모든 패턴에 대해 검사 + for (const pattern of tokenPatterns) { + const match = pattern.exec(text); + if (match && match[1]) { + return match[1]; + } + } + + return null; + } +} \ No newline at end of file From 7b704cacf499a68cbc7a4d2cae058bca19d579af Mon Sep 17 00:00:00 2001 From: KMINGON Date: Sat, 31 May 2025 11:55:44 +0900 Subject: [PATCH 03/20] =?UTF-8?q?STYLE=20:=20=EB=A1=9C=EA=B7=B8=20?= =?UTF-8?q?=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/controller/accessTokenDetector.ts | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/packages/backend/src/controller/accessTokenDetector.ts b/packages/backend/src/controller/accessTokenDetector.ts index fb3d03f..22be16e 100644 --- a/packages/backend/src/controller/accessTokenDetector.ts +++ b/packages/backend/src/controller/accessTokenDetector.ts @@ -2,21 +2,21 @@ import type { Request, Response } from "caido:utils"; // 토큰 누출 검사 결과를 담는 구조 export interface TokenLeakResult { - found: boolean; // 토큰이 발견되었는지 여부 (true/false) - location: 'url' | 'body' | 'header'; // 토큰이 발견된 위치 (url, body, header 중 하나) - title: string; // 경고 제목 - description: string; // 상세 설명 - value?: string; // 실제 발견된 값 (선택적) + found: boolean; // 토큰이 발견되었는지 여부 (true/false) + location: 'url' | 'body' | 'header'; // 토큰이 발견된 위치 (url, body, header 중 하나) + title: string; // 경고 제목 + description: string; // 상세 설명 + value?: string; // 실제 발견된 값 (선택적) } // 액세스 토큰 누출 검사 클래스 export class AccessTokenLeakController { - - /** - * @param request - 검사할 HTTP 요청 객체 - * @returns 토큰이 발견되면 결과 객체, 없으면 null - */ - async testReq(request: Request): Promise { + + /** + * @param request - 검사할 HTTP 요청 객체 + * @returns 토큰이 발견되면 결과 객체, 없으면 null + */ + async testReq(request: Request): Promise { // === 1. URL에서 토큰 검사 === const url = request.getUrl(); @@ -28,7 +28,7 @@ export class AccessTokenLeakController { found: true, location: 'url', title: "Access Token Leak in URL", - description: `요청 URL에 액세스 토큰 파라미터가 포함되어 있습니다. (토큰: ${extractedTokenFromUrl.substring(0, 20)}...)`, + description: `요청 URL에 토큰이 포함되어 있습니다. (토큰: ${extractedTokenFromUrl.substring(0, 20)}...)`, value: url }; } @@ -46,7 +46,7 @@ export class AccessTokenLeakController { found: true, location: 'body', title: "Access Token Leak in Request Body", - description: `요청 Body에 access_token 파라미터가 포함되어 있습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, + description: `요청 Body에 토큰이이 포함되어 있습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, value: bodyText }; } @@ -75,7 +75,7 @@ export class AccessTokenLeakController { found: true, location: 'header', title: "Access Token Leak in Redirect URL", - description: `Location 헤더에 액세스 토큰이 노출되었습니다: ${locationHeaderStr} (토큰: ${extractedTokenFromHeader.substring(0, 20)}...)`, + description: `Location 헤더에 토큰이 노출되었습니다: ${locationHeaderStr} (토큰: ${extractedTokenFromHeader.substring(0, 20)}...)`, value: locationHeaderStr }; } @@ -88,13 +88,13 @@ export class AccessTokenLeakController { const bodyText = await bodyBytes.toText(); const extractedTokenFromBody = this.extractTokenFromText(bodyText); - + if (extractedTokenFromBody) { return { found: true, location: 'body', title: "Access Token Leak in Response Body", - description: `HTTP 응답 본문에 'access_token' 토큰이 노출되었습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, + description: `HTTP 응답 본문에 토큰이 노출되었습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, value: bodyText }; } From d9353220e64867cdb1006fd37a77a8dac467365b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=EC=95=94=EB=83=A5=20=28imnyang=29?= Date: Sat, 31 May 2025 12:03:49 +0900 Subject: [PATCH 04/20] Update README.md --- README.md | 21 ++++----------------- 1 file changed, 4 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index c5497cc..90fb3a9 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,6 @@ # caido-plugin-test -## To-Do -- [ ] PKCE 다운그래이드 https에서 작동 안하는 이슈 고치기 - -```log -2025-05-25T15:52:40.757475Z INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connection (29e74afd-9006-445e-88a9-3fc5d4796af9) -2025-05-25T15:52:40.757530Z INFO actix-rt|system:0|arbiter:6 proxy|connect: Client connected for http://localhost:8787 (29e74afd-9006-445e-88a9-3fc5d4796af9) -2025-05-25T15:52:40.757562Z INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost/login (29e74afd-9006-445e-88a9-3fc5d4796af9) -2025-05-25T15:52:40.767186Z INFO actix-rt|system:0|arbiter:6 proxy|http1|logger: GET http://localhost:8787/login -> 302 361 (29e74afd-9006-445e-88a9-3fc5d4796af9) -2025-05-25T15:52:40.768696Z INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b) -2025-05-25T15:52:41.103596Z INFO actix-rt|system:0|arbiter:9 proxy|http1|logger: GET https://github.com/login/oauth/authorize?client_id=Ov23lixietSCQOHxPvcr&redirect_uri=http%3A%2F%2Flocalhost%3A8787%2Fcallback&scope=read%3Auser&state=bc11db571a4737d0&response_type=code&code_challenge=FtSdQsWI342PKH6BGgKYR6AOzW95LaS0jeVcwTmHaro&code_challenge_method=S256 -> 302 4927 (90f314dc-9480-4bd8-b7b6-5acba6b8bc7b) -2025-05-25T15:52:41.105944Z INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connection (34585a00-9f9f-4c72-b087-2e9e92418dad) -2025-05-25T15:52:41.105993Z INFO actix-rt|system:0|arbiter:7 proxy|connect: Client connected for http://localhost:8787 (34585a00-9f9f-4c72-b087-2e9e92418dad) -2025-05-25T15:52:41.106023Z INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 (34585a00-9f9f-4c72-b087-2e9e92418dad) -2025-05-25T15:52:41.108270Z INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] Required PKCE parameters missing. Skipping. -2025-05-25T15:52:41.277387Z INFO plugin:65ad3a87-0257-4408-a9c7-e0885e04c162 js|sdk: [PKCEDowngradeCheck] No PKCE downgrade detected. -2025-05-25T15:52:41.686109Z INFO actix-rt|system:0|arbiter:7 proxy|http1|logger: GET http://localhost:8787/callback?code=10c34dcc4d3f7302e707&state=bc11db571a4737d0 -> 200 1582 (34585a00-9f9f-4c72-b087-2e9e92418dad) -``` \ No newline at end of file +```bash +pnpm install +pnpm run watch +``` From f1b5ef5f9b668d57a2c9999b34e142531bc8afac Mon Sep 17 00:00:00 2001 From: KMINGON Date: Sat, 31 May 2025 12:37:54 +0900 Subject: [PATCH 05/20] =?UTF-8?q?REFACTOR=20:=20findings=EB=A5=BCindex?= =?UTF-8?q?=EA=B0=80=20=EC=95=84=EB=8B=8C=20=EB=AA=A8=EB=93=88=EC=95=A0?= =?UTF-8?q?=EC=84=9C=20=EB=A7=8C=EB=93=A4=EB=8F=84=EB=A1=9D=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/controller/accessTokenDetector.ts | 48 ++++++++++++++----- packages/backend/src/index.ts | 4 ++ 2 files changed, 40 insertions(+), 12 deletions(-) diff --git a/packages/backend/src/controller/accessTokenDetector.ts b/packages/backend/src/controller/accessTokenDetector.ts index 22be16e..8093a54 100644 --- a/packages/backend/src/controller/accessTokenDetector.ts +++ b/packages/backend/src/controller/accessTokenDetector.ts @@ -1,22 +1,46 @@ import type { Request, Response } from "caido:utils"; +import type { SDK, DefineAPI } from "caido:plugin"; // 토큰 누출 검사 결과를 담는 구조 export interface TokenLeakResult { - found: boolean; // 토큰이 발견되었는지 여부 (true/false) - location: 'url' | 'body' | 'header'; // 토큰이 발견된 위치 (url, body, header 중 하나) - title: string; // 경고 제목 - description: string; // 상세 설명 - value?: string; // 실제 발견된 값 (선택적) + found: boolean; // 토큰이 발견되었는지 여부 (true/false) + location: 'url' | 'body' | 'header'; // 토큰이 발견된 위치 (url, body, header 중 하나) + title: string; // 경고 제목 + description: string; // 상세 설명 + value?: string; // 실제 발견된 값 (선택적) } // 액세스 토큰 누출 검사 클래스 export class AccessTokenLeakController { - - /** - * @param request - 검사할 HTTP 요청 객체 - * @returns 토큰이 발견되면 결과 객체, 없으면 null - */ - async testReq(request: Request): Promise { + async testReq(sdk: SDK>, request: Request): Promise { + const result = await this._scanRequest(request); + if (result) { + await sdk.findings.create({ + title: result.title, + description: result.description, + request, + reporter: "", + }); + } + } + + async testResp(sdk: SDK>, response: Response, request: Request): Promise { + const result = await this._scanResponse(response); + if (result) { + await sdk.findings.create({ + title: result.title, + description: result.description, + request, + reporter: "", + }); + } + } + + /** + * @param request - 검사할 HTTP 요청 객체 + * @returns 토큰이 발견되면 결과 객체, 없으면 null + */ + async _scanRequest(request: Request): Promise { // === 1. URL에서 토큰 검사 === const url = request.getUrl(); @@ -60,7 +84,7 @@ export class AccessTokenLeakController { * @param response - 검사할 HTTP 응답 객체 * @returns 토큰이 발견되면 결과 객체, 없으면 null */ - async testResp(response: Response): Promise { + async _scanResponse(response: Response): Promise { // === 1. Location 헤더에서 토큰 검사 === const locationHeader = response.getHeader("Location"); diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index a24d2c7..9cf32b2 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -4,6 +4,7 @@ import type { Request, Response } from "caido:utils"; // import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; import { CsrfCheck } from "./controller/csrfCheck"; import { PKCECheck } from "./controller/PKCECheck"; +import { AccessTokenLeakController } from "./controller/accessTokenDetector"; export type API = DefineAPI<{}>; @@ -11,6 +12,7 @@ const csrfCheck = new CsrfCheck(); // const implicitGrantController = new ImplicitGrantController(); // const authZCodeGrantController = new AuthZCodeGrantController(); const pkceCheckController = new PKCECheck(); +const tokenCheck = new AccessTokenLeakController(); export function init(sdk: SDK) { // sdk.events.onInterceptRequest(async (sdk, req: Request) => { @@ -30,6 +32,8 @@ export function init(sdk: SDK) { async (sdk: SDK, {}>, req: Request, resp: Response) => { await csrfCheck.checker(sdk, req, resp); await pkceCheckController.test(sdk, req); + await tokenCheck.testReq(sdk, req); + await tokenCheck.testResp(sdk, resp, req); // sdk.events.onInterceptRequest(async (sdk, req: Request) => { // const result = // authZCodeGrantController.testReq(req) || From 252400a911a7c94bc5cd1590138d9d34ce925710 Mon Sep 17 00:00:00 2001 From: sultanofdisco Date: Sat, 31 May 2025 14:39:20 +0900 Subject: [PATCH 06/20] =?UTF-8?q?nonceCheck=20=EC=88=98=EC=A0=952?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- dist/plugin_package.zip | Bin 138874 -> 138993 bytes packages/backend/src/controller/nonceCheck.ts | 14 +++++--------- packages/backend/src/index.ts | 12 +++++++++--- 3 files changed, 14 insertions(+), 12 deletions(-) diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip index 1b3f2de848388ebb64e74f2d20219127856b5c5f..fe3427f734b31f302e79d45cdff5ded749d6d010 100644 GIT binary patch delta 334 zcmeyhhvVa34xRvSW)?065D<`=$fLp}Ak%2nYQ(tJh-tnUtByiZYVq`oVobWzM48y8 zFA`@mo^B-0WXT_rpPicLlbV?AoRONGtv5YeoJoa6K}}6zdb>DN;Pf;>Cduh?5=^a{ zWr;-!dHH$CsbGc9`FSNp`8heMMGCeGd8y?JesHPnQze)#F*?+0T5~BV6sKhCrIw}U zl@#mc=XvIpq!uNo7L){~78m5_6{l(>7FXsaD`*s_WE+88SO_ADH5F{_6so7ENHOU^ z+`WB*6jLLk#KF~{))>ezF@P|{vm6Wz3<5ISHD#D)Ffs|qOg}8kWWpyPvp))~TeTz7gr%qaFUUErhex5=~YI1%`s%J__es*e}Mp0@ZNS}g2 zQEEwPQJ#X5k~LTDbY3wgsp(=8Os(55NiZE@oPJY^Nt01?dY>ed`F4A0CQn8Qp^b(g zc1klbfH1^u91IK$ZerUP$S}=dWO5UmZY9TL!sjNoKMJ9AdW{^D0Z4A09Fq*A?DW%e NObTpUWtkWl7yzJvJx>4t diff --git a/packages/backend/src/controller/nonceCheck.ts b/packages/backend/src/controller/nonceCheck.ts index 383ca90..a27a4d6 100644 --- a/packages/backend/src/controller/nonceCheck.ts +++ b/packages/backend/src/controller/nonceCheck.ts @@ -1,4 +1,4 @@ -import type { Request } from "caido:utils"; +import type { Request, Response } from "caido:utils"; import { TokenLeakCheck } from "./tokenLeakCheck"; export class NonceCheckController{ @@ -6,8 +6,8 @@ export class NonceCheckController{ * 응답이 OIDC(OpenID Connect) 플로우인지 확인하는 메서드 */ - public static isOidcFlow(req: Request): boolean { - if(TokenLeakCheck.extractIdToken(req)) { + public static isOidcFlow(req: Request, res:Response): boolean { + if(TokenLeakCheck.extractIdToken(req, res)) { return true; } return false; @@ -15,10 +15,10 @@ export class NonceCheckController{ public static isNonceCheckRequest(req: Request): boolean { - const id_token = decodeIdToken(req); + const id_token = TokenLeakCheck.decodeIdToken(req); // 1. nonce 파라미터가 포함된 요청인지 확인 - if (id_token.includes("nonce=")) { + if (id_token && id_token.includes("nonce=")) { return true; } @@ -26,8 +26,4 @@ export class NonceCheckController{ } } -function decodeIdToken(req: Request): string { - // Implement actual decoding logic here. For now, return an empty string or mock value. - return ""; -} diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 0ad8c01..00fdd51 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -1,5 +1,5 @@ import type { SDK, DefineAPI } from "caido:plugin"; -import type { Request } from "caido:utils"; +import type { Request, Response } from "caido:utils"; import { ImplicitGrantController } from "./controller/implictGrant"; import { AuthZCodeGrantController } from "./controller/authZCodeGrant"; import { NonceCheckController } from "./controller/nonceCheck"; @@ -8,6 +8,7 @@ export type API = DefineAPI<{}>; const implicitGrantController = new ImplicitGrantController(); const authZCodeGrantController = new AuthZCodeGrantController(); +const nonceCheckController = new NonceCheckController(); // function matchSSORequest(req: Request): boolean { // const raw = req.getRaw().toString(); @@ -28,7 +29,8 @@ const authZCodeGrantController = new AuthZCodeGrantController(); // } export function init(sdk: SDK) { - sdk.events.onInterceptRequest(async (sdk, req: Request) => { + // 요청 이벤트 + sdk.events.onInterceptRequest(async (sdk, req) => { const result = authZCodeGrantController.testReq(req) || implicitGrantController.testReq(req); @@ -41,8 +43,12 @@ export function init(sdk: SDK) { reporter: "", }); } + }); - if(NonceCheckController.isOidcFlow(req)) { + // 응답 이벤트 + sdk.events.onInterceptResponse(async (sdk, req, res) => { + + if (NonceCheckController.isOidcFlow(req, res)) { await sdk.findings.create({ title: "OIDC Flow Detected", description: "The request appears to be part of an OIDC flow.", From 907fcd81208c07990f8a2b371abcda1814345d68 Mon Sep 17 00:00:00 2001 From: imnyang Date: Sat, 31 May 2025 15:02:27 +0900 Subject: [PATCH 07/20] Remove pkce --- .gitignore | 3 +- dist/plugin_package.zip | Bin 15658 -> 0 bytes playground/pkce/.gitignore | 34 -------------------- playground/pkce/README.md | 15 --------- playground/pkce/bun.lock | 25 -------------- playground/pkce/package.json | 10 ------ playground/pkce/src/PKCEDowngradeExpress.js | 31 ------------------ playground/pkce/tsconfig.json | 29 ----------------- 8 files changed, 2 insertions(+), 145 deletions(-) delete mode 100644 dist/plugin_package.zip delete mode 100644 playground/pkce/.gitignore delete mode 100644 playground/pkce/README.md delete mode 100644 playground/pkce/bun.lock delete mode 100644 playground/pkce/package.json delete mode 100644 playground/pkce/src/PKCEDowngradeExpress.js delete mode 100644 playground/pkce/tsconfig.json diff --git a/.gitignore b/.gitignore index 648628f..0d4515a 100644 --- a/.gitignore +++ b/.gitignore @@ -220,5 +220,6 @@ dist/* packages/frontend/dist packages/backend/dist #!dist/*.zip +dist/plugin_package.zip -# End of https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux \ No newline at end of file +# End of https://www.toptal.com/developers/gitignore/api/node,macos,windows,linux diff --git a/dist/plugin_package.zip b/dist/plugin_package.zip deleted file mode 100644 index 28184677ccc0929e907d8d2e3ba3431c8285501f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15658 zcmWIWW@h1H0D)_w`=dZK40A9rFeD`=XQ$?+=tES2M9@_UAgRjCOG&NJ%PQ8_S13qK z&Q45EE!KybP+XL(Us{rxQ>>p+Qc|E-Qp{DBSfr4dS6q^qmz=6#tB_ZklVc4Q^e8DQ z2n8usuvJLTNh~f_sOC~o(AU!9QczIPQh3w7@zsuow=G)~-pt+crfbRDmMw3(mb_lN zN8wHL+&3*7-%efmy1V0b_Yys@dVMYhh2;Fa;*z4$Ccs*sxo4r$BPg$w(c6N)x zo3@_UYj(VuH{tcdISQ{gH@uxW6ihsQcJ<1Ah9Sh zSD`F1r!-YT7h%%dsWV<}UVz=K1qu-J-%Q^EH3Z_wVuW^u*Bkl~nxU?EJz)--PEgRL zq$cO5q&nuM_~e(T7HNQ80t>E^qDp9B!UGPXJT%DDIX|}`KQA?}1gb@^Bp+;ob7FC- zh9)HNY88?bOOi9t%>dhhRXvviI4t5&?8I02ixKymPG@^eFjJT*#- zGIc=V0rO62QKo{eLTOPZwqy$lx9rqPY?8=%2ogu7MLGUSS)dXzwOk=I$OmK@+{;iW zLe%ILrzRF9XMkN+te2izqLH0i2~`TqTNT2Rsi`45Ek^%cN=L@8z$ z?|CzA%bVpb3UBuBdA)26qHNG81cis@o9PqYw9Em8!kg(66y8qV^16E`v?PP(zt6%blp zZI}d3G71imID)4)n6uTAZH>`$1lap;W?_aj*eFoyD@HD?AV~q7`g9;}fE5LhKq5C0 zf>VKlEyPGFq*8Do73&p4$}gBxLFF&J$bu><$qxqC$B+gD$!Qo@afMtMfKzwV+BXa4 zXr!d(q?V*=LQ^?7j7d-G4q&H4vO9f}CD`$Ar{YVNXld>ZSPP`>(FkqRK=K;i#8#A= zn_rd+t~kI|5K?-hPC_HGv;&89u^uGakg7t6Z(*e%mNcZV0BulVum2E@F=&;SmzbN1 zQRltcv|8cyrj9qucfeY2#MFY&796;?0W~^{3-a@dQ$a;F)JYne3ZN1aR*r%@3Xt|L zBtb&c7syFqLm)NYu05}twjft`kQOSWY*Ns8Go!;wK`AFcIk6-&KTkM3r6IM1vq8;Za8ZV>4UBLEQj-gS3L1!tf?B*lHxhL8@S_Q+VN;lbV-alA&Oy zV4$F;1}Si(4Pq7S5lky^^8*qJAR{o^#0toc0$ZwwWGd7o1q@?AsS9KtxStGnm!d7C zqmJxv1qI|bELab$8x83up!5b|MnPLB5aqDODyW|i5do2q?!jG`_I!FHw(ACMIFCT(1k=cs1$(oLf_2Yq3~+c-Z!&0 zC`5xD6srJfHosmt2i8-Kjzv=SYWt4YJq;jdziC?YX4Xnf8z3%3lxa}6g6u@Jb0JlN z0@mgiD7nCgD-eYmxaSKp1saTy0!RnaLEnPtQYgIMu;I=0Eg&~TRl>Tyuy!3NOM~JW zRENR>e*x5)&>)4CYmTKQ8Tmz-Rq(1P2qm zY4>WwBn1sfuq(WtF#*)^fbgPYag~y~3U8J-yjd_6RG&gT0}6mQ(_3HnZg?|y%iFFU zAQ?ztg6da@8U>h#q0KmmQ?V45u=WwO+Y1Y8$e@%Su|*|VonK-uc;qcHHx*lH2`NTj`DVdXXs*+EJ$VUeECAXvfQ|q_5;eFny!0i_x%Tx0=tu-)=ozhZhwu>A0%F0OH!}$r4Uk4RG)JN~qu^eHr4?8} zl2|sBz(UAY0X1QPk{gmG_Ta`FTmUj~mj_Pad8jE|6O@rqbfd~c^B1JRNz2SBNi71m z{-{*kD8hWCmzkHGQ<{=m4C)=AIsvJKQc!?70cVjzTnPbfhrmpOWU*RnE-qXXB+2=C zB}Mr;IjKeZ$;Cx!&Kar6*|4b+(6k9`RwOUATme2y0_qHd=2DztI#8xfGK>8aOG`3B zi!wEeQVUB{i%Vds0}|S>p#Z2PsOJIh(P?NZ)YK>_DS;df8PNr+M1-JHa!zJyUP*jr zimj3+sC5eI{vjzSN`>@h;!7$EQbCGpY9Re!BsJ+piFqaX6cnYVWEQ0+m&BJAW#TZS zI5{7u`NbuPB_O+zq8Az~B}JvF5YK^%J$Q+jmY7ov76*w!11|{bh9IbiG+;hM4N8z* zrJ$++CJhQq=lm4-d$MU(A0rSB6@LP z0i=op>Kr>;1!Dtn_W>$kqhJEzqd7!PO+f=y2q~UWBD-XzI&WNt4{f6AZG$GY^uVpcxD`$$;||Xz~M+H9;{9Q4Nhp zNQwbPTq-z8pr;nFVx++rkZ+Vg{duq!C8#OjW&~ISYzWK=pp*rk5P+w7SjP%2i-591 zGN>#9d&sc_mJfWO0|<~b3oBoAKocn7VGNi>VEZ+|(=pH-g;E@;sX-=sGK<0HV+0sN z9$b{+&W)JyWPqH*A%TfI$RU9T(E(ALUzC}inU|OYb{Cr8r2fgBk^(@dr|E z&&@2(1y3_4rIwVZrsgR?bD~0GUJBeHs1_GNRsn!h56CH?`no8yEU_e2A+fkJFIfSR z8-h|xi^1)CeSHN`5P+*#D}^9Ph6aTsSOVe=SjGX#L&|i}h@-xOrja70o0&>y!Fbj>*S$YhFa_q$kI^zQBA~l{r`pobA9YNG6AvLwptoYgJHyXoDp`G!KB= zdGM5~04v5|VS(-hX!e1YO{kR@R1nl81t%j|0OsX8=jUf}Q2AVp2Fl>(Zp;6YG}#VWKg z!{2IyT7=|6@?$(NwVdSW&Py#vb1%_x49d8W)B?2?G~x?&0=66#4NE4VoUH`W10Gic zm;6Pb(lLclsjs7unU|6YnvBRxS4dPS$OlbDWG3b)!1JXNJZ=;ez*Ph|gyFdqC3hp| zXN8p1lGNmq)D(y-K^l+>@YEuW;*@Mqdj(u-gBXxf8RAg|1@MqQY&lIr0;FjG3L!it zm;$VL1BV5AV+Lk2sHy<1eo@f2RZxO^(+XZsf=gRO6$smk$`zagAT=-%7J;f|18iPP&{0sSCTxISR(@ul2B_VtSqlwih*v>j4O!2G zFddT9i&L`o(m=^3FTGeVxhOTUBvk{H$3e+ZL7^nGBq!BMK?&50RwygY$pa@Kh+Il) zadJ^+0chsSN+BUQ*k89OH7BtoH3bpe#qe|kO1iKxvEt%VsfLzMp#1EcT9T2UqM=!< zfFc}Plmim80*iv;xHbWldLfoWwId4@Y)3Xrl0(lD>(B69E` zz}wjsoCH9F2bsAb6BVjqZIa-E)MSNPg|wplTm_}%#LSd@EAYZhCCKVaxL%ZD1W2wa zNi8mcXBk+GKq{tOa9}9df?8L|frH31P!*uGqU7!xq6E{gpa6c)UY=yLz1~iKYS%Zahg$=}5P^@MarKWhNR)YHf(TK4TP@0CNA8?l#BmnAG z#wTYa=71*RQZYs1AwdOelY%mVBC-{Fsb#4}l^UQyEbwR>$}+HwMDXYqa;KHJ@C7wl zL7q?m1wL|KfVSPq2=3CN97JG)^93Y1Kte6E*uNk(&(lT0RsqEapoMHo;7+`frajUa zM1DbPUS^6CcwnluCM4X|fclh)m9U0GszM@2S8{${T4s7_5qRcL53|^{0u>zym%z$eD+ML6 zGr$E+Y7u(Ti@Q((#WW-`z$wJmRzayCCowaR69gqSB?zt3jO@v+$qApc}*HFnBso;6rqSQiAO$#np^@>Xpi%N>aGfOfw zlt2T@#Y&(_OehnSS3!c%W+b}hq2OXVL8ZDFY;>)azCO4`12Wwszqmw0v(^eO5RhL4 z54I$)VRi32?1YvlaZI!)&0{&Q=Nu3fc;#MLE!tn6PdaSPDr& z=tnpu6mAmoDiufw6oXnqwhExx6j0@tT3ixbkeaN4O|yamNHJ)QqEmiKC8)g&3LG#S zu^t^%Lctc=!)C=xQ?X5pL!%Db9o9gutRanV)QLCnDi5U5O;B4B<{pR{ptb;XWdKrR z8XATm z4y0%S^Wlz!*%y*i46_Wx#54w+a$z>*gHkcv3{Xc8G+uy6OV9)XA6WpULr@zmwYUVd zR5dR}17t7U08mYU)c`$M>km=wL;95|`MHUid7vy`keUoiOpx3FX&`}O4CE$o%iR`| z_R>>Jz&?Q62{ET2u_Ob@6i5)FngSm3HbPPa4nSDD7iL!`XuTbNKY*O+nS!nnR3?H9 zPt8lg2tT;@L0XaL!a%ly!W5JfVeS5eAlE1EuvLN@sYOMINI_0SVB0kkz{Vk54<7$eNK4GjNlig& zZ-CMmbU8W5KzMS2Bo<_2@%2g3g9YO)c_qbq z`FWmsC84UZLqh~ffpuM;-f0?89_x9Wj|8#1(pq6bzc zLDXY$x*lwJ0iq3>dqL5mY0Xv3m0AHxFW@N=kUv0UApzd(9CEqYuQRO}7(f{JHdS5* z28P_kyv(%J;u5{A;`}_2>yDdG66ZI>6v*7pvC}_R?w_Xevy(D*!>C$a67_1f)#=j(^3^e zixomr6LUeGk6KU;R?5lD%Pt0KfN%@I#)1SuL#_%?a}*Syo`CMN1-l4Twkl<3=7D{O zAp!Fph6HH;Uu8jlW?l)%8&GL|NQ%rVMwnbwnpcvUn+j5tl~|St8BGJZ8HNE)-y0Lq}qUZ0K-0?rvLx| diff --git a/playground/pkce/.gitignore b/playground/pkce/.gitignore deleted file mode 100644 index a14702c..0000000 --- a/playground/pkce/.gitignore +++ /dev/null @@ -1,34 +0,0 @@ -# dependencies (bun install) -node_modules - -# output -out -dist -*.tgz - -# code coverage -coverage -*.lcov - -# logs -logs -_.log -report.[0-9]_.[0-9]_.[0-9]_.[0-9]_.json - -# dotenv environment variable files -.env -.env.development.local -.env.test.local -.env.production.local -.env.local - -# caches -.eslintcache -.cache -*.tsbuildinfo - -# IntelliJ based IDEs -.idea - -# Finder (MacOS) folder config -.DS_Store diff --git a/playground/pkce/README.md b/playground/pkce/README.md deleted file mode 100644 index 4a3109f..0000000 --- a/playground/pkce/README.md +++ /dev/null @@ -1,15 +0,0 @@ -# playground - -To install dependencies: - -```bash -bun install -``` - -To run: - -```bash -bun run -``` - -This project was created using `bun init` in bun v1.2.14. [Bun](https://bun.sh) is a fast all-in-one JavaScript runtime. diff --git a/playground/pkce/bun.lock b/playground/pkce/bun.lock deleted file mode 100644 index 0a70737..0000000 --- a/playground/pkce/bun.lock +++ /dev/null @@ -1,25 +0,0 @@ -{ - "lockfileVersion": 1, - "workspaces": { - "": { - "name": "playground", - "devDependencies": { - "@types/bun": "latest", - }, - "peerDependencies": { - "typescript": "^5", - }, - }, - }, - "packages": { - "@types/bun": ["@types/bun@1.2.14", "", { "dependencies": { "bun-types": "1.2.14" } }, "sha512-VsFZKs8oKHzI7zwvECiAJ5oSorWndIWEVhfbYqZd4HI/45kzW7PN2Rr5biAzvGvRuNmYLSANY+H59ubHq8xw7Q=="], - - "@types/node": ["@types/node@22.15.21", "", { "dependencies": { "undici-types": "~6.21.0" } }, "sha512-EV/37Td6c+MgKAbkcLG6vqZ2zEYHD7bvSrzqqs2RIhbA6w3x+Dqz8MZM3sP6kGTeLrdoOgKZe+Xja7tUB2DNkQ=="], - - "bun-types": ["bun-types@1.2.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-Kuh4Ub28ucMRWeiUUWMHsT9Wcbr4H3kLIO72RZZElSDxSu7vpetRvxIUDUaW6QtaIeixIpm7OXtNnZPf82EzwA=="], - - "typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="], - - "undici-types": ["undici-types@6.21.0", "", {}, "sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ=="], - } -} diff --git a/playground/pkce/package.json b/playground/pkce/package.json deleted file mode 100644 index 0bbbfb8..0000000 --- a/playground/pkce/package.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "name": "playground", - "private": true, - "devDependencies": { - "@types/bun": "latest" - }, - "peerDependencies": { - "typescript": "^5" - } -} diff --git a/playground/pkce/src/PKCEDowngradeExpress.js b/playground/pkce/src/PKCEDowngradeExpress.js deleted file mode 100644 index 61cf737..0000000 --- a/playground/pkce/src/PKCEDowngradeExpress.js +++ /dev/null @@ -1,31 +0,0 @@ -const express = require("express"); -const app = express(); - -app.get("/auth", (req, res) => { - const { - client_id, - response_type, - code_challenge, - code_challenge_method, - scope - } = req.query; - - console.log("Incoming request:", req.query); - - if (!client_id || response_type !== "code") { - return res.status(400).send("Missing required parameters"); - } - - // Simulate issuing an authorization code - const code = "dummy-auth-code"; - - // Simulate PKCE check (normally you'd validate here) - // We deliberately allow the downgrade here to simulate the vulnerability - const responseBody = `Authorization successful. code=${code}`; - return res.status(200).send(responseBody); -}); - -const PORT = 5050; -app.listen(PORT, () => { - console.log(`Test PKCE server running on http://localhost:${PORT}`); -}); diff --git a/playground/pkce/tsconfig.json b/playground/pkce/tsconfig.json deleted file mode 100644 index bfa0fea..0000000 --- a/playground/pkce/tsconfig.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "compilerOptions": { - // Environment setup & latest features - "lib": ["ESNext"], - "target": "ESNext", - "module": "Preserve", - "moduleDetection": "force", - "jsx": "react-jsx", - "allowJs": true, - - // Bundler mode - "moduleResolution": "bundler", - "allowImportingTsExtensions": true, - "verbatimModuleSyntax": true, - "noEmit": true, - - // Best practices - "strict": true, - "skipLibCheck": true, - "noFallthroughCasesInSwitch": true, - "noUncheckedIndexedAccess": true, - "noImplicitOverride": true, - - // Some stricter flags (disabled by default) - "noUnusedLocals": false, - "noUnusedParameters": false, - "noPropertyAccessFromIndexSignature": false - } -} From 77a05bb70739c6db830ad5de2228a9b0b920fc23 Mon Sep 17 00:00:00 2001 From: sultanofdisco Date: Sat, 31 May 2025 15:42:37 +0900 Subject: [PATCH 08/20] =?UTF-8?q?nonceCheck=20=EC=88=98=EC=A0=953?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/index.ts | 71 ++++++++++++++++++----------------- 1 file changed, 36 insertions(+), 35 deletions(-) diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 564af6f..0165988 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -6,6 +6,7 @@ import { CsrfCheck } from "./controller/csrfCheck"; import { PKCECheck } from "./controller/PKCECheck"; import { AccessTokenLeakController } from "./controller/accessTokenDetector"; import { ScopeDetection } from "./controller/scopeDetection"; +import { NonceCheckController } from "./controller/nonceCheck"; export type API = DefineAPI<{}>; @@ -15,42 +16,42 @@ const csrfCheck = new CsrfCheck(); const pkceCheckController = new PKCECheck(); const tokenCheck = new AccessTokenLeakController(); const ScopeDetectionController = new ScopeDetection(); +const nonceCheckController = new NonceCheckController(); export function init(sdk: SDK) { - // sdk.events.onInterceptRequest(async (sdk, req: Request) => { - // const result = csrfCheck.checker(req); + sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => { + await csrfCheck.checker(sdk, req, res); + await pkceCheckController.test(sdk, req); + await tokenCheck.testReq(sdk, req); + await tokenCheck.testResp(sdk, res, req); + await ScopeDetectionController.scan(sdk, req.getUrl()); - // if (result) { - // await sdk.findings.create({ - // title: "Possible SSO Request Detected", - // description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, - // request: req, - // reporter: "", - // }); - // } - // }); - - sdk.events.onInterceptResponse( - async (sdk: SDK, {}>, req: Request, resp: Response) => { - await csrfCheck.checker(sdk, req, resp); - await pkceCheckController.test(sdk, req); - await tokenCheck.testReq(sdk, req); - await tokenCheck.testResp(sdk, resp, req); - await ScopeDetectionController.scan(sdk, req.getUrl()); - // sdk.events.onInterceptRequest(async (sdk, req: Request) => { - // const result = - // authZCodeGrantController.testReq(req) || - // implicitGrantController.testReq(req); - - // if (result) { - // await pkceCheckController.test(sdk, req); - - // await sdk.findings.create({ - // title: "Possible SSO Request Detected", - // description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, - // request: req, - // reporter: "", - // }); + if (NonceCheckController.isOidcFlow(req, res)) { + await sdk.findings.create({ + title: "OIDC Flow Detected", + description: "The request appears to be part of an OIDC flow.", + request: req, + reporter: "", + }); } - ); -} \ No newline at end of file + }); + + /* + sdk.events.onInterceptRequest(async (sdk, req: Request) => { + const result = + authZCodeGrantController.testReq(req) || + implicitGrantController.testReq(req); + + if (result) { + await pkceCheckController.test(sdk, req); + + await sdk.findings.create({ + title: "Possible SSO Request Detected", + description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`, + request: req, + reporter: "", + }); + } + }); + */ +} From 2010b85c4df2d29a66be67c3cc6a5423867828a7 Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Sun, 1 Jun 2025 20:14:10 +0900 Subject: [PATCH 09/20] =?UTF-8?q?[Fix]=20=ED=8A=B9=EC=A0=95=20=EA=B2=BD?= =?UTF-8?q?=EC=9A=B0=EC=97=90=EC=84=9C=20csrf=20=EB=B0=A9=EC=A7=80=20?= =?UTF-8?q?=ED=86=A0=ED=81=B0=EC=9D=B4=20=EC=97=86=EB=8B=A4=EA=B3=A0=20?= =?UTF-8?q?=ED=8C=90=EB=B3=84=ED=95=9C=20=EA=B2=83=EC=9D=84=20=EC=88=98?= =?UTF-8?q?=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/controller/csrfCheck.ts | 61 ++++++++++---------- 1 file changed, 30 insertions(+), 31 deletions(-) diff --git a/packages/backend/src/controller/csrfCheck.ts b/packages/backend/src/controller/csrfCheck.ts index 727b65b..f5018d5 100644 --- a/packages/backend/src/controller/csrfCheck.ts +++ b/packages/backend/src/controller/csrfCheck.ts @@ -5,18 +5,27 @@ import { HttpUtils } from "../utils/http"; const httpUtils = new HttpUtils(); export class CsrfCheck { + private isTargetUri(uri: string): boolean { + if ( + uri.includes("client_id=") && + (uri.includes("response_type=") || + uri.includes("grant_type=") || + uri.includes("redirect_uri=") || + uri.includes("scope=") || + uri.includes("state=") || + uri.includes("nonce=")) + ) { + return true; + } + + return false; + } + private isOauthUri(request: Request): boolean { - const query = request.getQuery() || ""; + const uri = request.getUrl() || ""; // Check if the request is an OAuth authorization request - if ( - query.includes("client_id=") && - (query.includes("response_type=") || - query.includes("grant_type=") || - query.includes("redirect_uri=") || - query.includes("scope=") || - query.includes("state=")) - ) { + if (this.isTargetUri(uri)) { return true; } @@ -25,23 +34,10 @@ export class CsrfCheck { private isOauthRedirectResponse(response: Response): boolean { const status = response.getCode(); - const locationHeader = httpUtils.getHeaderValue( - response.getHeaders(), - "location" - ); + const uri = + httpUtils.getHeaderValue(response.getHeaders(), "location") || ""; - if ( - status >= 300 && - status < 400 && - locationHeader && - (locationHeader.includes("client_id=") || - locationHeader.includes("response_type=") || - locationHeader.includes("grant_type=") || - locationHeader.includes("redirect_uri=") || - locationHeader.includes("scope=") || - locationHeader.includes("state=") || - locationHeader.includes("code=")) // code is also common in OAuth redirects - ) { + if (status >= 300 && status < 400 && this.isTargetUri(uri)) { return true; } return false; @@ -49,7 +45,9 @@ export class CsrfCheck { private isStateInQuery(request: Request): boolean { const query = request.getQuery(); - const stateValue = httpUtils.getQueryParam(query || "", "state"); + const stateValue = + httpUtils.getQueryParam(query || "", "state") || + httpUtils.getQueryParam(query || "", "nonce"); if (!stateValue) { return false; } @@ -72,17 +70,18 @@ export class CsrfCheck { // 요청에서 보낸 state 추출 const query = request.getQuery() || ""; - const originalState = httpUtils.getQueryParam(query, "state"); + const originalState = + httpUtils.getQueryParam(query, "state") || + httpUtils.getQueryParam(query || "", "nonce"); // 리다이렉트 URL에서 쿼리 부분만 추출 const locationHeader = httpUtils.getHeaderValue( response.getHeaders(), "location" ); - const responseState = httpUtils.getQueryParamFromURI( - locationHeader || "", - "state" - ); + const responseState = + httpUtils.getQueryParamFromURI(locationHeader || "", "state") || + httpUtils.getQueryParamFromURI(locationHeader || "", "nonce"); // state가 없거나, 요청값과 다르면 CSRF 위험 if (!responseState) { From 77a65002f7209ca80c000d1abe3701047ebf04af Mon Sep 17 00:00:00 2001 From: KMINGON Date: Sun, 1 Jun 2025 20:59:48 +0900 Subject: [PATCH 10/20] =?UTF-8?q?[FIX]:=20=ED=83=90=EC=A7=80=20=ED=82=A4?= =?UTF-8?q?=EC=9B=8C=EB=93=9C=20=EC=A0=95=EC=83=81=ED=99=94?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/controller/accessTokenDetector.ts | 22 +++++++++++++------ 1 file changed, 15 insertions(+), 7 deletions(-) diff --git a/packages/backend/src/controller/accessTokenDetector.ts b/packages/backend/src/controller/accessTokenDetector.ts index 8093a54..6e95120 100644 --- a/packages/backend/src/controller/accessTokenDetector.ts +++ b/packages/backend/src/controller/accessTokenDetector.ts @@ -51,7 +51,7 @@ export class AccessTokenLeakController { return { found: true, location: 'url', - title: "Access Token Leak in URL", + title: "Token Leak in URL", description: `요청 URL에 토큰이 포함되어 있습니다. (토큰: ${extractedTokenFromUrl.substring(0, 20)}...)`, value: url }; @@ -69,7 +69,7 @@ export class AccessTokenLeakController { return { found: true, location: 'body', - title: "Access Token Leak in Request Body", + title: "Token Leak in Request Body", description: `요청 Body에 토큰이이 포함되어 있습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, value: bodyText }; @@ -98,7 +98,7 @@ export class AccessTokenLeakController { return { found: true, location: 'header', - title: "Access Token Leak in Redirect URL", + title: "Token Leak in Redirect URL", description: `Location 헤더에 토큰이 노출되었습니다: ${locationHeaderStr} (토큰: ${extractedTokenFromHeader.substring(0, 20)}...)`, value: locationHeaderStr }; @@ -117,7 +117,7 @@ export class AccessTokenLeakController { return { found: true, location: 'body', - title: "Access Token Leak in Response Body", + title: "Token Leak in Response Body", description: `HTTP 응답 본문에 토큰이 노출되었습니다. (토큰: ${extractedTokenFromBody.substring(0, 20)}...)`, value: bodyText }; @@ -136,10 +136,18 @@ private extractTokenFromText(text: string): string | null { // 토큰 관련 키워드 리스트 const tokenKeys = [ 'access_token', - 'id_token', + 'accesstoken', + 'Access-Token', + 'Refresh_Token', + 'Refresh-Token', + 'RefreshToken', + 'Secret_Token', + 'Secret-Token', + 'SecretToken', + 'SSO_Auth', + 'SSO-Auth', + 'SSOAuth', 'auth_token', - 'token', - 'jwt', 'session_token' ]; From b8b7edb5ac8fbb9243b7ade4c6deaf016f9cc07a Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Mon, 2 Jun 2025 10:50:11 +0900 Subject: [PATCH 11/20] =?UTF-8?q?[Update]=20oauth=20=ED=83=90=EC=A7=80=20?= =?UTF-8?q?=EB=A1=9C=EC=A7=81=20=EC=A0=95=EA=B5=90=ED=99=94?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/controller/csrfCheck.ts | 56 +++++--- packages/backend/src/index.ts | 22 ++-- packages/backend/src/utils/http.ts | 18 +-- pnpm-lock.yaml | 129 ++++++++++++++++++- 4 files changed, 180 insertions(+), 45 deletions(-) diff --git a/packages/backend/src/controller/csrfCheck.ts b/packages/backend/src/controller/csrfCheck.ts index f5018d5..1826ddd 100644 --- a/packages/backend/src/controller/csrfCheck.ts +++ b/packages/backend/src/controller/csrfCheck.ts @@ -7,13 +7,13 @@ const httpUtils = new HttpUtils(); export class CsrfCheck { private isTargetUri(uri: string): boolean { if ( - uri.includes("client_id=") && - (uri.includes("response_type=") || - uri.includes("grant_type=") || - uri.includes("redirect_uri=") || - uri.includes("scope=") || - uri.includes("state=") || - uri.includes("nonce=")) + httpUtils.getQueryParamFromURI(uri, "client_id") && + (httpUtils.getQueryParamFromURI(uri, "response_type") || + httpUtils.getQueryParamFromURI(uri, "grant_type") || + httpUtils.getQueryParamFromURI(uri, "redirect_uri") || + httpUtils.getQueryParamFromURI(uri, "scope") || + httpUtils.getQueryParamFromURI(uri, "state") || + httpUtils.getQueryParamFromURI(uri, "nonce")) ) { return true; } @@ -151,15 +151,25 @@ export class CsrfCheck { let result = ``; // 쿼리에 state 파라미터가 없으면 CSRF 위험 - if (this.isOauthUri(request) && !this.isStateInQuery(request)) { - result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter + try { + if (this.isOauthUri(request) && !this.isStateInQuery(request)) { + result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter + } + } catch (error) { + sdk.console.error(`Error checking state in query: ${error}`); } // location 헤더에 state 파라미터가 없거나, 요청에서 보낸 state와 다르면 CSRF 위험 - const stateAtResponseLocationHeaderCheck = - this.checkStateAtResponseLocationHeader(request, response); - if (stateAtResponseLocationHeaderCheck !== 0) { - result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`; + try { + const stateAtResponseLocationHeaderCheck = + this.checkStateAtResponseLocationHeader(request, response); + if (stateAtResponseLocationHeaderCheck !== 0) { + result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`; + } + } catch (error) { + sdk.console.error( + `Error checking state in response location header: ${error}` + ); } // // 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기 @@ -168,13 +178,19 @@ export class CsrfCheck { // result += `, ${reusedStateCheck.join(", ")}`; // } - if (result) { - await sdk.findings.create({ - title: "csrf vuln", - description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`, - request, - reporter: "csrf reporter", - }); + result.replace(/^\s*,\s*|\s*$/, ""); // Remove leading/trailing commas + try { + if (result) { + await sdk.findings.create({ + title: "csrf vuln", + description: `SSO-related parameters detected in response:\n\n${request.getMethod()} ${request.getUrl()} : ${result}`, + request, + reporter: "csrf reporter", + }); + sdk.console.log("qq"); + } + } catch (error) { + sdk.console.error(`Error creating finding: ${error}`); } } } diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 0165988..6ed4c7b 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -6,17 +6,15 @@ import { CsrfCheck } from "./controller/csrfCheck"; import { PKCECheck } from "./controller/PKCECheck"; import { AccessTokenLeakController } from "./controller/accessTokenDetector"; import { ScopeDetection } from "./controller/scopeDetection"; -import { NonceCheckController } from "./controller/nonceCheck"; +// import { NonceCheckController } from "./controller/nonceCheck"; export type API = DefineAPI<{}>; const csrfCheck = new CsrfCheck(); -// const implicitGrantController = new ImplicitGrantController(); -// const authZCodeGrantController = new AuthZCodeGrantController(); const pkceCheckController = new PKCECheck(); const tokenCheck = new AccessTokenLeakController(); const ScopeDetectionController = new ScopeDetection(); -const nonceCheckController = new NonceCheckController(); +// const nonceCheckController = new NonceCheckController(); export function init(sdk: SDK) { sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => { @@ -26,14 +24,14 @@ export function init(sdk: SDK) { await tokenCheck.testResp(sdk, res, req); await ScopeDetectionController.scan(sdk, req.getUrl()); - if (NonceCheckController.isOidcFlow(req, res)) { - await sdk.findings.create({ - title: "OIDC Flow Detected", - description: "The request appears to be part of an OIDC flow.", - request: req, - reporter: "", - }); - } + // if (NonceCheckController.isOidcFlow(req, res)) { + // await sdk.findings.create({ + // title: "OIDC Flow Detected", + // description: "The request appears to be part of an OIDC flow.", + // request: req, + // reporter: "", + // }); + // } }); /* diff --git a/packages/backend/src/utils/http.ts b/packages/backend/src/utils/http.ts index 56a6fe1..9fcd741 100644 --- a/packages/backend/src/utils/http.ts +++ b/packages/backend/src/utils/http.ts @@ -48,8 +48,8 @@ export class HttpUtils { } getQueryParamFromURI(uri: string, key: string): string | null { - uri = uri.toLowerCase(); - key = key.toLowerCase(); + uri = this.decodeAndLower(uri); + key = this.decodeAndLower(key); try { const urlObj = new URL(uri); return urlObj.searchParams.get(key); @@ -66,8 +66,8 @@ export class HttpUtils { * @returns - 해당 파라미터 값, 없으면 null */ getQueryParam(query: string, key: string): string | null { - query = query.toLowerCase(); - key = key.toLowerCase(); + query = this.decodeAndLower(query); + key = this.decodeAndLower(key); const params = new URLSearchParams(query); return params.get(key); @@ -82,9 +82,9 @@ export class HttpUtils { * @returns - "a=1&b=2&c=3..." 형태의 새로운 쿼리 문자열 */ setQueryParam(query: string, key: string, value: string): string { - query = query.toLowerCase(); - key = key.toLowerCase(); - value = value.toLowerCase(); + query = this.decodeAndLower(query); + key = this.decodeAndLower(key); + value = this.decodeAndLower(value); const params = new URLSearchParams(query); params.set(key, value); @@ -99,8 +99,8 @@ export class HttpUtils { * @returns - 삭제된 상태의 새로운 쿼리 문자열 */ removeQueryParam(query: string, key: string): string { - query = query.toLowerCase(); - key = key.toLowerCase(); + query = this.decodeAndLower(query); + key = this.decodeAndLower(key); const params = new URLSearchParams(query); params.delete(key); diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 83609d4..1caa9d9 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -7,10 +7,17 @@ settings: importers: .: + dependencies: + '@types/jsonwebtoken': + specifier: ^9.0.9 + version: 9.0.9 + jsonwebtoken: + specifier: ^9.0.2 + version: 9.0.2 devDependencies: '@caido-community/dev': specifier: ^0.1.3 - version: 0.1.5(postcss@8.5.3)(typescript@5.5.4) + version: 0.1.5(@types/node@22.15.29)(postcss@8.5.3)(typescript@5.5.4) '@caido/sdk-backend': specifier: ^0.48.1 version: 0.48.1 @@ -328,6 +335,15 @@ packages: '@types/estree@1.0.7': resolution: {integrity: sha512-w28IoSUCJpidD/TGviZwwMJckNESJZXFu7NBZ5YJ4mEUnNraUn9Pm8HSZm/jDF1pDWYKspWE7oVphigUPRakIQ==} + '@types/jsonwebtoken@9.0.9': + resolution: {integrity: sha512-uoe+GxEuHbvy12OUQct2X9JenKM3qAscquYymuQN4fMWG9DBQtykrQEFcAbVACF7qaLw9BePSodUL0kquqBJpQ==} + + '@types/ms@2.1.0': + resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==} + + '@types/node@22.15.29': + resolution: {integrity: sha512-LNdjOkUDlU1RZb8e1kOIUpN1qQUlzGkEtbVNo53vbrwDg5om6oduhm4SiUaPW5ASTXhAiP0jInWG8Qx9fVlOeQ==} + accepts@2.0.0: resolution: {integrity: sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==} engines: {node: '>= 0.6'} @@ -364,6 +380,9 @@ packages: brace-expansion@2.0.1: resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==} + buffer-equal-constant-time@1.0.1: + resolution: {integrity: sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==} + bundle-require@5.1.0: resolution: {integrity: sha512-3WrrOuZiyaaZPWiEt4G3+IffISVC9HYlWueJEBWED4ZH4aIAC2PnkdnuRrR94M+w6yGWn4AglWtJtBI8YqvgoA==} engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0} @@ -465,6 +484,9 @@ packages: eastasianwidth@0.2.0: resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==} + ecdsa-sig-formatter@1.0.11: + resolution: {integrity: sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==} + ee-first@1.1.1: resolution: {integrity: sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==} @@ -622,9 +644,19 @@ packages: json-schema-traverse@1.0.0: resolution: {integrity: sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==} + jsonwebtoken@9.0.2: + resolution: {integrity: sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ==} + engines: {node: '>=12', npm: '>=6'} + jszip@3.10.1: resolution: {integrity: sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g==} + jwa@1.4.2: + resolution: {integrity: sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw==} + + jws@3.2.2: + resolution: {integrity: sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==} + lie@3.3.0: resolution: {integrity: sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ==} @@ -639,6 +671,27 @@ packages: resolution: {integrity: sha512-IXO6OCs9yg8tMKzfPZ1YmheJbZCiEsnBdcB03l0OcfK9prKnJb96siuHCr5Fl37/yo9DnKU+TLpxzTUspw9shg==} engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0} + lodash.includes@4.3.0: + resolution: {integrity: sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==} + + lodash.isboolean@3.0.3: + resolution: {integrity: sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==} + + lodash.isinteger@4.0.4: + resolution: {integrity: sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==} + + lodash.isnumber@3.0.3: + resolution: {integrity: sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==} + + lodash.isplainobject@4.0.6: + resolution: {integrity: sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==} + + lodash.isstring@4.0.1: + resolution: {integrity: sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==} + + lodash.once@4.1.1: + resolution: {integrity: sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==} + lodash.sortby@4.7.0: resolution: {integrity: sha512-HDWXG8isMntAyRF5vZ7xKuEvOhT4AhlRt/3czTSjvGUxjYCBVRQY48ViDHyfYz9VIoBkW4TMGQNapx+l3RUwdA==} @@ -837,6 +890,11 @@ packages: safer-buffer@2.1.2: resolution: {integrity: sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==} + semver@7.7.2: + resolution: {integrity: sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==} + engines: {node: '>=10'} + hasBin: true + send@1.2.0: resolution: {integrity: sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw==} engines: {node: '>= 18'} @@ -971,6 +1029,9 @@ packages: engines: {node: '>=14.17'} hasBin: true + undici-types@6.21.0: + resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==} + unpipe@1.0.0: resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==} engines: {node: '>= 0.8'} @@ -1065,7 +1126,7 @@ packages: snapshots: - '@caido-community/dev@0.1.5(postcss@8.5.3)(typescript@5.5.4)': + '@caido-community/dev@0.1.5(@types/node@22.15.29)(postcss@8.5.3)(typescript@5.5.4)': dependencies: '@caido/plugin-manifest': 0.3.0 chalk: 5.4.1 @@ -1076,7 +1137,7 @@ snapshots: jiti: 2.4.2 jszip: 3.10.1 tsup: 8.3.5(jiti@2.4.2)(postcss@8.5.3)(typescript@5.5.4) - vite: 6.0.7(jiti@2.4.2) + vite: 6.0.7(@types/node@22.15.29)(jiti@2.4.2) ws: 8.18.0 zod: 3.24.1 transitivePeerDependencies: @@ -1284,6 +1345,17 @@ snapshots: '@types/estree@1.0.7': {} + '@types/jsonwebtoken@9.0.9': + dependencies: + '@types/ms': 2.1.0 + '@types/node': 22.15.29 + + '@types/ms@2.1.0': {} + + '@types/node@22.15.29': + dependencies: + undici-types: 6.21.0 + accepts@2.0.0: dependencies: mime-types: 3.0.1 @@ -1328,6 +1400,8 @@ snapshots: dependencies: balanced-match: 1.0.2 + buffer-equal-constant-time@1.0.1: {} + bundle-require@5.1.0(esbuild@0.24.2): dependencies: esbuild: 0.24.2 @@ -1401,6 +1475,10 @@ snapshots: eastasianwidth@0.2.0: {} + ecdsa-sig-formatter@1.0.11: + dependencies: + safe-buffer: 5.2.1 + ee-first@1.1.1: {} emoji-regex@8.0.0: {} @@ -1605,6 +1683,19 @@ snapshots: json-schema-traverse@1.0.0: {} + jsonwebtoken@9.0.2: + dependencies: + jws: 3.2.2 + lodash.includes: 4.3.0 + lodash.isboolean: 3.0.3 + lodash.isinteger: 4.0.4 + lodash.isnumber: 3.0.3 + lodash.isplainobject: 4.0.6 + lodash.isstring: 4.0.1 + lodash.once: 4.1.1 + ms: 2.1.3 + semver: 7.7.2 + jszip@3.10.1: dependencies: lie: 3.3.0 @@ -1612,6 +1703,17 @@ snapshots: readable-stream: 2.3.8 setimmediate: 1.0.5 + jwa@1.4.2: + dependencies: + buffer-equal-constant-time: 1.0.1 + ecdsa-sig-formatter: 1.0.11 + safe-buffer: 5.2.1 + + jws@3.2.2: + dependencies: + jwa: 1.4.2 + safe-buffer: 5.2.1 + lie@3.3.0: dependencies: immediate: 3.0.6 @@ -1622,6 +1724,20 @@ snapshots: load-tsconfig@0.2.5: {} + lodash.includes@4.3.0: {} + + lodash.isboolean@3.0.3: {} + + lodash.isinteger@4.0.4: {} + + lodash.isnumber@3.0.3: {} + + lodash.isplainobject@4.0.6: {} + + lodash.isstring@4.0.1: {} + + lodash.once@4.1.1: {} + lodash.sortby@4.7.0: {} lru-cache@10.4.3: {} @@ -1801,6 +1917,8 @@ snapshots: safer-buffer@2.1.2: {} + semver@7.7.2: {} + send@1.2.0: dependencies: debug: 4.3.6 @@ -1968,6 +2086,8 @@ snapshots: typescript@5.5.4: {} + undici-types@6.21.0: {} + unpipe@1.0.0: {} util-deprecate@1.0.2: {} @@ -1976,12 +2096,13 @@ snapshots: vary@1.1.2: {} - vite@6.0.7(jiti@2.4.2): + vite@6.0.7(@types/node@22.15.29)(jiti@2.4.2): dependencies: esbuild: 0.24.2 postcss: 8.5.3 rollup: 4.41.0 optionalDependencies: + '@types/node': 22.15.29 fsevents: 2.3.3 jiti: 2.4.2 From 1c57ad1a390ff4ee45a4b707b9831973028d8b0d Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Mon, 2 Jun 2025 10:56:42 +0900 Subject: [PATCH 12/20] =?UTF-8?q?[Update]=20oauth=20=ED=83=90=EC=A7=80=20?= =?UTF-8?q?=EB=A1=9C=EC=A7=81=20=EC=A0=95=EA=B5=90=ED=99=94?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/controller/csrfCheck.ts | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/packages/backend/src/controller/csrfCheck.ts b/packages/backend/src/controller/csrfCheck.ts index 1826ddd..5931428 100644 --- a/packages/backend/src/controller/csrfCheck.ts +++ b/packages/backend/src/controller/csrfCheck.ts @@ -7,13 +7,13 @@ const httpUtils = new HttpUtils(); export class CsrfCheck { private isTargetUri(uri: string): boolean { if ( - httpUtils.getQueryParamFromURI(uri, "client_id") && - (httpUtils.getQueryParamFromURI(uri, "response_type") || - httpUtils.getQueryParamFromURI(uri, "grant_type") || - httpUtils.getQueryParamFromURI(uri, "redirect_uri") || - httpUtils.getQueryParamFromURI(uri, "scope") || - httpUtils.getQueryParamFromURI(uri, "state") || - httpUtils.getQueryParamFromURI(uri, "nonce")) + httpUtils.getQueryParamFromURI(uri, "client_id") !== null && + (httpUtils.getQueryParamFromURI(uri, "response_type") !== null || + httpUtils.getQueryParamFromURI(uri, "grant_type") !== null || + httpUtils.getQueryParamFromURI(uri, "redirect_uri") !== null || + httpUtils.getQueryParamFromURI(uri, "scope") !== null || + httpUtils.getQueryParamFromURI(uri, "state") !== null || + httpUtils.getQueryParamFromURI(uri, "nonce") !== null) ) { return true; } From c72f103221e873c582db7b68c32a71d482681317 Mon Sep 17 00:00:00 2001 From: imnyang Date: Mon, 2 Jun 2025 22:03:52 +0900 Subject: [PATCH 13/20] =?UTF-8?q?FEAT:=20=EB=A6=AC=ED=8C=A9=ED=86=A0?= =?UTF-8?q?=EB=A7=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/controller/PKCECheck.ts | 191 +++++++++---------- packages/backend/src/index.ts | 5 +- 2 files changed, 96 insertions(+), 100 deletions(-) diff --git a/packages/backend/src/controller/PKCECheck.ts b/packages/backend/src/controller/PKCECheck.ts index 8fc5671..6fd4ee7 100644 --- a/packages/backend/src/controller/PKCECheck.ts +++ b/packages/backend/src/controller/PKCECheck.ts @@ -2,138 +2,94 @@ import type { SDK } from "caido:plugin"; import { Body, RequestSpec, type Request } from "caido:utils"; export class PKCECheck { + // 필요한 PKCE 파라미터 목록 + private readonly requiredPKCEKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"]; + + // PKCE 취약점 테스트 메인 함수 async test(sdk: SDK, req: Request): Promise { const method = req.getMethod(); + const url = req.getUrl(); + + // GET 요청이 아니면 검사하지 않음 if (method !== "GET") { sdk.console.log("[PKCEDowngradeCheck] Not a GET request. Skipping."); return false; } - const query = req.getQuery(); - const searchParams = new URLSearchParams(query); - const requiredKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"]; + const searchParams = new URLSearchParams(req.getQuery()); - if (!requiredKeys.every((key) => searchParams.has(key))) { + // 필수 PKCE 파라미터들이 모두 있는지 확인 + if (!this.requiredPKCEKeys.every(key => searchParams.has(key))) { sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping."); return false; } - const url = req.getUrl(); + // OpenID 여부 확인 const isOpenID = searchParams.get("scope")?.includes("openid") || url.includes("id_token"); const methodVal = searchParams.get("code_challenge_method"); const challengeVal = searchParams.get("code_challenge"); + // 파라미터가 없으면 경고 리포트 생성 if (!methodVal || !challengeVal) { - sdk.console.log("[PKCEDowngradeCheck] code_challenge or method missing. Skipping."); - await sdk.findings.create({ - title: isOpenID - ? "[WARN] OpenID Flow PKCE Parameters Missing" - : "[WARN] OAuth2 Flow PKCE Parameters Missing", - description: `PKCE parameters are missing or incomplete for ${url}. This may indicate a misconfiguration.`, - request: req, - reporter: "PKCE Checker", - }); + await this.reportFinding(sdk, req, url, isOpenID, "[WARN] PKCE Parameters Missing", "PKCE parameters are missing or incomplete."); return false; } + // code_challenge_method가 'plain'이면 취약할 수 있음 if (methodVal === "plain") { - sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is 'plain'. Skipping."); - await sdk.findings.create({ - title: isOpenID - ? "[WARN] OpenID Flow PKCE Method is 'plain'" - : "[WARN] OAuth2 Flow PKCE Method is 'plain'", - description: `PKCE method is set to 'plain' for ${url}. This may indicate a downgrade vulnerability.`, - request: req, - reporter: "PKCE Checker", - }); + await this.reportFinding(sdk, req, url, isOpenID, "[WARN] PKCE Method is 'plain'", "PKCE method is set to 'plain'. This may indicate a downgrade vulnerability."); return false; } - // Remove PKCE parameters to simulate a downgraded request + // PKCE 관련 파라미터 제거하여 다운그레이드된 URL 생성 searchParams.delete("code_challenge"); searchParams.delete("code_challenge_method"); const downgradedQuery = searchParams.toString(); - const scheme = req.getUrl().startsWith("https") ? "https" : "http"; + const scheme = url.startsWith("https") ? "https" : "http"; const downgradedUrl = `${scheme}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`; - sdk.console.log(`${req.getHost()} Original URL: ` + url); - sdk.console.log(`${req.getHost()} Downgraded URL: ` + downgradedUrl); + sdk.console.log(`${req.getHost()} Original URL: ${url}`); + sdk.console.log(`${req.getHost()} Downgraded URL: ${downgradedUrl}`); try { - // Use Caido Replay SDK to replay the original request - const spec = new RequestSpec(downgradedUrl); - spec.setBody(req.getBody() as Body); - for (const [key, value] of Object.entries(req.getHeaders())) { - if (Array.isArray(value)) { - spec.setHeader(key, value.join(', ')); // or another suitable delimiter - } else { - spec.setHeader(key, value); + // 원래 요청과 다운그레이드된 요청 각각 전송 + const downgradedResponse = await this.sendRequest(sdk, req, downgradedUrl, downgradedQuery); + const originalResponse = await this.sendRequest(sdk, req, url, req.getQuery()); + + if (downgradedResponse && originalResponse) { + const originalCode = originalResponse.getCode(); + const downgradedCode = downgradedResponse.getCode(); + + const originalLoc = originalResponse.getHeader("location") || ""; + const downgradedLoc = downgradedResponse.getHeader("location") || ""; + + sdk.console.log(`${req.getHost()} Original Status: ${originalCode}`); + sdk.console.log(`${req.getHost()} Downgraded Status: ${downgradedCode}`); + sdk.console.log(`${req.getHost()} Original Location: ${originalLoc}`); + sdk.console.log(`${req.getHost()} Downgraded Location: ${downgradedLoc}`); + + // 두 응답 모두 리디렉션이면서 code= 파라미터 포함 시 취약점 리포트 생성 + const bothRedirect = [301, 302].includes(originalCode) && [301, 302].includes(downgradedCode); + const bothContainCode = originalLoc.includes("code=") && downgradedLoc.includes("code="); + + if (bothRedirect && bothContainCode) { + const title = isOpenID + ? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability" + : "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability"; + const reference = isOpenID + ? "https://openid.net/specs/openid-igov-oauth2-1_0-02.html#rfc.section.3.1.7" + : "https://datatracker.ietf.org/doc/html/rfc7636"; + + await sdk.findings.create({ + title, + description: `PKCE downgrade vulnerability detected!\n\nOriginal URL: ${url}\nDowngraded URL: ${downgradedUrl}\n\nBoth requests returned authorization codes, indicating the server accepts requests without PKCE protection.\n\nReference: ${reference}`, + request: req, + reporter: "PKCE Checker", + }); + + return true; } } - spec.setHost(req.getHost()); - spec.setMethod(req.getMethod()); - spec.setPath(req.getPath()); - spec.setQuery(downgradedQuery); - spec.setTls(req.getTls()); - spec.setPort(req.getPort()); - - let sendDowngradedRequest = await sdk.requests.send(spec); - - if (sendDowngradedRequest.response) { - let domain = spec.getHost(); - let port = spec.getPort(); - let path = spec.getPath(); - let query = spec.getQuery(); - let id = sendDowngradedRequest.response.getId(); - let code = sendDowngradedRequest.response.getCode(); - sdk.console.log(`REQ ${id}: ${domain}:${port}${path}${query} received a status code of ${code}`); - } - - if (sendDowngradedRequest.response?.getCode() === 302) { - await sdk.findings.create({ - title: isOpenID - ? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability" - : "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability", - description: `The request to ${url} is vulnerable to a PKCE downgrade attack. This may indicate a configuration error.`, - request: req, - reporter: "PKCE Checker", - }); - } - -/* - sdk.console.log(`${req.getHost()} Original Status: ` + resOriginal.status); - sdk.console.log(`${req.getHost()} Downgraded Status: ` + resDowngraded.status); - - sdk.console.log(`${req.getHost()} Original Headers: ` + JSON.stringify(resOriginal.headers)); - sdk.console.log(`${req.getHost()} Downgraded Headers: ` + JSON.stringify(resDowngraded.headers)); - - // Caido Dev Docs 기준으로, 리다이렉트된 URL은 Response 객체의 url 속성에 저장되어 있음 - const locationOriginal = resOriginal.url ?? ""; - const locationDowngraded = resDowngraded.url ?? ""; - - sdk.console.log(`${req.getHost()} Original Location: ` + locationOriginal); - sdk.console.log(`${req.getHost()} Downgraded Location: ` + locationDowngraded); - - const statusEqual = resOriginal.status === resDowngraded.status; - const codeInRedirects = locationOriginal.includes("code=") && locationDowngraded.includes("code="); - - if (statusEqual && codeInRedirects) { - const title = isOpenID - ? "[CRITICAL] OpenID Flow PKCE Downgraded to Plaintext" - : "[CRITICAL] OAuth2 Flow PKCE Downgraded to Plaintext"; - const reference = isOpenID - ? "https://openid.net/specs/openid-igov-oauth2-1_0-02.html#rfc.section.3.1.7" - : "https://datatracker.ietf.org/doc/html/rfc7636"; - - await sdk.findings.create({ - title, - description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nRedirect contained code=.\n\nReference: ${reference}`, - request: req, - reporter: "", - }); - - return true; - }*/ } catch (err) { sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(err)}`); } @@ -141,4 +97,41 @@ export class PKCECheck { sdk.console.log("[PKCEDowngradeCheck] No PKCE downgrade detected."); return false; } + + // 요청 전송 도우미 함수 + private async sendRequest(sdk: SDK, req: Request, url: string, query: string) { + const spec = new RequestSpec(url); + spec.setMethod(req.getMethod()); + spec.setPath(req.getPath()); + spec.setQuery(query); + spec.setBody(req.getBody() as Body); + spec.setHost(req.getHost()); + spec.setPort(req.getPort()); + spec.setTls(req.getTls()); + + for (const [key, value] of Object.entries(req.getHeaders())) { + spec.setHeader(key, Array.isArray(value) ? value.join(', ') : value); + } + + const result = await sdk.requests.send(spec); + return result.response ?? null; + } + + // 경고 리포트 생성 함수 + private async reportFinding( + sdk: SDK, + req: Request, + url: string, + isOpenID: boolean, + title: string, + message: string + ) { + const fullTitle = isOpenID ? `[WARN] OpenID Flow ${title}` : `[WARN] OAuth2 Flow ${title}`; + await sdk.findings.create({ + title: fullTitle, + description: `${message} (${url})`, + request: req, + reporter: "PKCE Checker", + }); + } } diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index bab0ee0..3072b06 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -30,10 +30,13 @@ export function init(sdk: SDK) { // } // }); + sdk.events.onInterceptRequest(async (sdk, req: Request) => { + await pkceCheckController.test(sdk, req); + }); + sdk.events.onInterceptResponse( async (sdk: SDK, {}>, req: Request, resp: Response) => { await csrfCheck.checker(sdk, req, resp); - await pkceCheckController.test(sdk, req); await tokenCheck.testReq(sdk, req); await tokenCheck.testResp(sdk, resp, req); await ScopeDetectionController.scan(sdk, req.getUrl()); From 986c6e59b6438f83e022fb2341b67b11bda366e7 Mon Sep 17 00:00:00 2001 From: gyuu04 Date: Tue, 3 Jun 2025 12:26:03 +0900 Subject: [PATCH 14/20] Create redirect_uriBypass.ts MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit redirect_uri 우회 탐지 로직 추가 --- .../src/controller/redirect_uriBypass.ts | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 packages/backend/src/controller/redirect_uriBypass.ts diff --git a/packages/backend/src/controller/redirect_uriBypass.ts b/packages/backend/src/controller/redirect_uriBypass.ts new file mode 100644 index 0000000..8b4b436 --- /dev/null +++ b/packages/backend/src/controller/redirect_uriBypass.ts @@ -0,0 +1,40 @@ +import type { Request, Response } from "caido:utils"; + + +export class RedirectBypassController { + isRedirectUri(req: Request): boolean { + const query = req.getQuery(); + + + // redirect_uri 파라미터 정규식으로 추출 + const redirectUriMatch = query.match(/redirect_uri=([^&]+)/i); + if (!redirectUriMatch) return false; + + + // redirect_uri 파라미터의 URL 문자열을 디코딩 + const redirectUri = decodeURIComponent(redirectUriMatch[1]); + + + // 우회 키워드 + const bypassPatterns = [ + "%ff@", "/", "%2f@", "%0a@", "%0d@", "\\", ".evil.com", "@", "%2f..%2f" + ]; + + + return bypassPatterns.some(pattern => redirectUri.includes(pattern)); + } + + + isCodeIssued(res: Response): boolean { + const location = res.getHeader("Location") || ""; + return location.includes("code="); + } + + + test(req: Request, res: Response): string | false { + if (this.isRedirectUri(req) && this.isCodeIssued(res)) { + return "redirect_uri bypass detected"; + } + return false; + } +} From 78042ef30509c0745beb289dc456641ac57d6926 Mon Sep 17 00:00:00 2001 From: gyuu04 Date: Tue, 3 Jun 2025 12:44:48 +0900 Subject: [PATCH 15/20] =?UTF-8?q?[Add]=20RedirectBypassController=20?= =?UTF-8?q?=EB=B0=8F=20=EC=8B=A4=ED=96=89=20=EB=A1=9C=EC=A7=81=20=EC=B6=94?= =?UTF-8?q?=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - redirect_uri 우회 탐지용 RedirectBypassController 클래스 추가 - index.ts에 testAsync 연결 로직 삽입 --- .../src/controller/redirect_uriBypass.ts | 20 ++++++++++++------- packages/backend/src/index.ts | 3 +++ 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/packages/backend/src/controller/redirect_uriBypass.ts b/packages/backend/src/controller/redirect_uriBypass.ts index 8b4b436..f77b324 100644 --- a/packages/backend/src/controller/redirect_uriBypass.ts +++ b/packages/backend/src/controller/redirect_uriBypass.ts @@ -1,40 +1,46 @@ import type { Request, Response } from "caido:utils"; - +import type { SDK } from "caido:plugin"; export class RedirectBypassController { isRedirectUri(req: Request): boolean { const query = req.getQuery(); - // redirect_uri 파라미터 정규식으로 추출 const redirectUriMatch = query.match(/redirect_uri=([^&]+)/i); if (!redirectUriMatch) return false; - // redirect_uri 파라미터의 URL 문자열을 디코딩 const redirectUri = decodeURIComponent(redirectUriMatch[1]); - // 우회 키워드 const bypassPatterns = [ "%ff@", "/", "%2f@", "%0a@", "%0d@", "\\", ".evil.com", "@", "%2f..%2f" ]; - return bypassPatterns.some(pattern => redirectUri.includes(pattern)); } - isCodeIssued(res: Response): boolean { const location = res.getHeader("Location") || ""; return location.includes("code="); } - test(req: Request, res: Response): string | false { if (this.isRedirectUri(req) && this.isCodeIssued(res)) { return "redirect_uri bypass detected"; } return false; } + + async testAsync(sdk: SDK, req: Request, res: Response) { + const result = this.test(req, res); + if (result) { + await sdk.findings.create({ + title: "Redirect URI Bypass Detected", + description: result, + request: req, + reporter: "gyu", + }); + } + } } diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 44f817c..43d7516 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -7,6 +7,7 @@ import { PKCECheck } from "./controller/PKCECheck"; import { AccessTokenLeakController } from "./controller/accessTokenDetector"; import { ScopeDetection } from "./controller/scopeDetection"; // import { NonceCheckController } from "./controller/nonceCheck"; +import { RedirectBypassController } from "./controller/redirect_uriBypass"; export type API = DefineAPI<{}>; @@ -15,6 +16,7 @@ const pkceCheckController = new PKCECheck(); const tokenCheck = new AccessTokenLeakController(); const ScopeDetectionController = new ScopeDetection(); // const nonceCheckController = new NonceCheckController(); +const redirectBypassController = new RedirectBypassController(); export function init(sdk: SDK) { sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => { @@ -23,6 +25,7 @@ export function init(sdk: SDK) { await tokenCheck.testReq(sdk, req); await tokenCheck.testResp(sdk, res, req); await ScopeDetectionController.scan(sdk, req.getUrl()); + await redirectBypassController.testAsync(sdk, req, res); // if (NonceCheckController.isOidcFlow(req, res)) { // await sdk.findings.create({ From 979dda299a720d9ac4bdaa6284eceb7895cf47fc Mon Sep 17 00:00:00 2001 From: gyuu04 Date: Tue, 3 Jun 2025 14:44:09 +0900 Subject: [PATCH 16/20] Update redirect_uriBypass.ts --- .../src/controller/redirect_uriBypass.ts | 45 ++++++++++++------- 1 file changed, 29 insertions(+), 16 deletions(-) diff --git a/packages/backend/src/controller/redirect_uriBypass.ts b/packages/backend/src/controller/redirect_uriBypass.ts index f77b324..ce521cb 100644 --- a/packages/backend/src/controller/redirect_uriBypass.ts +++ b/packages/backend/src/controller/redirect_uriBypass.ts @@ -2,42 +2,55 @@ import type { Request, Response } from "caido:utils"; import type { SDK } from "caido:plugin"; export class RedirectBypassController { - isRedirectUri(req: Request): boolean { + // redirect_uri를 확인하는 함수 + isRedirectUri(req: Request): { detected: boolean; redirectUri?: string } { + // ? 뒤에 오는 파라미터 모두 가져오고, 정규표현식으로 redirect_uri= 이후 주소만 뽑음(없으면 null) const query = req.getQuery(); - - // redirect_uri 파라미터 정규식으로 추출 const redirectUriMatch = query.match(/redirect_uri=([^&]+)/i); - if (!redirectUriMatch) return false; - // redirect_uri 파라미터의 URL 문자열을 디코딩 + // redirectUriMatch[1]은 ()로 감싼 부분 + // redirect_uri 파라미터가 없거나 있어도 주소가 문자열이 아니면 false + if (!redirectUriMatch || typeof redirectUriMatch[1] !== "string") { + return { detected: false }; + } + + // 인코딩된 주소를 원래대로 바꿈 (ex. https://~~) const redirectUri = decodeURIComponent(redirectUriMatch[1]); - // 우회 키워드 const bypassPatterns = [ - "%ff@", "/", "%2f@", "%0a@", "%0d@", "\\", ".evil.com", "@", "%2f..%2f" + "%ff@", "/", "%2f@", "%0a@", "%0d@", "\\", ".evil.com", "@", "%2f..%2f", ]; - - return bypassPatterns.some(pattern => redirectUri.includes(pattern)); + + // 위 패턴에 일치하는 게 있으면 true랑 redirectUri 반환 (false일 땐 undefined) + const detected = bypassPatterns.some(pattern => redirectUri.includes(pattern)); + return { detected, redirectUri: detected ? redirectUri : undefined }; } + // 응답에 인가 코드가 포함되어 있는지 확인하는 함수 isCodeIssued(res: Response): boolean { const location = res.getHeader("Location") || ""; return location.includes("code="); } - test(req: Request, res: Response): string | false { - if (this.isRedirectUri(req) && this.isCodeIssued(res)) { - return "redirect_uri bypass detected"; + // 위의 두 함수 모두 만족하면 true, 문제의 주소를 반환하는 함수 + test(req: Request, res: Response): { detected: boolean; redirectUri?: string } { + const redirectCheck = this.isRedirectUri(req); + const codeIssued = this.isCodeIssued(res); + + if (redirectCheck.detected && codeIssued) { + return { detected: true, redirectUri: redirectCheck.redirectUri }; } - return false; + + return { detected: false }; } - async testAsync(sdk: SDK, req: Request, res: Response) { + // 탐지된 결과 저장하는 함수 + async testAsync(sdk: SDK, req: Request, res: Response): Promise { const result = this.test(req, res); - if (result) { + if (result.detected) { await sdk.findings.create({ title: "Redirect URI Bypass Detected", - description: result, + description: `redirect_uri 우회 발견\nRedirect URI: ${result.redirectUri}`, request: req, reporter: "gyu", }); From efb89c668c6a785437d23560425310770507e190 Mon Sep 17 00:00:00 2001 From: "tv0924@icloud.com" Date: Wed, 4 Jun 2025 16:02:42 +0900 Subject: [PATCH 17/20] =?UTF-8?q?[Update]=20nonce=20=ED=8C=8C=EB=9D=BC?= =?UTF-8?q?=EB=AF=B8=ED=84=B0=20=EA=B0=90=EC=A7=80=20=EB=B2=94=EC=9C=84=20?= =?UTF-8?q?=EB=8A=98=EB=A6=BC=20=EB=B0=8F=20nonce=20=ED=8C=8C=EB=9D=BC?= =?UTF-8?q?=EB=AF=B8=ED=84=B0=20=EC=9E=AC=EC=82=AC=EC=9A=A9=EC=97=90?= =?UTF-8?q?=EB=8C=80=ED=95=9C=20=EA=B2=80=EC=A6=9D=20=EB=A1=9C=EC=A7=81=20?= =?UTF-8?q?=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/controller/csrfCheck.ts | 243 ++++++++++++------- packages/backend/src/utils/http.ts | 135 ++++++++++- playground/csrf/index.js | 24 +- 3 files changed, 312 insertions(+), 90 deletions(-) diff --git a/packages/backend/src/controller/csrfCheck.ts b/packages/backend/src/controller/csrfCheck.ts index 5931428..8a6f723 100644 --- a/packages/backend/src/controller/csrfCheck.ts +++ b/packages/backend/src/controller/csrfCheck.ts @@ -5,6 +5,15 @@ import { HttpUtils } from "../utils/http"; const httpUtils = new HttpUtils(); export class CsrfCheck { + private nonceParam = [ + "state", + "nonce", + "as", + "frame_id", + "csrf_token", + "csrf", + ]; + private isTargetUri(uri: string): boolean { if ( httpUtils.getQueryParamFromURI(uri, "client_id") !== null && @@ -43,105 +52,178 @@ export class CsrfCheck { return false; } - private isStateInQuery(request: Request): boolean { - const query = request.getQuery(); - const stateValue = - httpUtils.getQueryParam(query || "", "state") || - httpUtils.getQueryParam(query || "", "nonce"); - if (!stateValue) { - return false; + private isNonceInQuery(request: Request): boolean { + const query = request.getQuery() || ""; + + for (const param of this.nonceParam) { + if (httpUtils.getQueryParam(query, param) !== null) { + return true; // Nonce parameter is present in the query + } } - return true; + + return false; // No nonce parameter found in the query } - private checkStateAtResponseLocationHeader( + private getNonceParamName(url: string): string | null { + for (const param of this.nonceParam) { + if (httpUtils.getQueryParamFromURI(url, param) !== null) { + return param; // Return the first matching nonce parameter + } + } + + return null; // No nonce parameter found + } + + private checkNonceAtResponseLocationHeader( request: Request, response: Response ): string[] | 0 { + const nonceParamName = this.getNonceParamName(request.getUrl() || ""); + if ( - !( - this.isOauthUri(request) && - this.isStateInQuery(request) && - this.isOauthRedirectResponse(response) - ) + !this.isOauthUri(request) || + !this.isNonceInQuery(request) || + !this.isOauthRedirectResponse(response) || + !nonceParamName ) { return 0; // Not a target, no CSRF risk } - // 요청에서 보낸 state 추출 + // 요청에서 보낸 Nonce 추출 const query = request.getQuery() || ""; - const originalState = - httpUtils.getQueryParam(query, "state") || - httpUtils.getQueryParam(query || "", "nonce"); + const originalNonce = httpUtils.getQueryParam(query, nonceParamName); // 리다이렉트 URL에서 쿼리 부분만 추출 - const locationHeader = httpUtils.getHeaderValue( - response.getHeaders(), - "location" - ); - const responseState = - httpUtils.getQueryParamFromURI(locationHeader || "", "state") || - httpUtils.getQueryParamFromURI(locationHeader || "", "nonce"); + const locationHeader = + httpUtils.getHeaderValue(response.getHeaders(), "location") || ""; - // state가 없거나, 요청값과 다르면 CSRF 위험 - if (!responseState) { + const responseNonce = httpUtils.getQueryParamFromURI( + locationHeader || "", + nonceParamName + ); + + // Nonce가 없거나, 요청값과 다르면 CSRF 위험 + if (!responseNonce) { // missing state - return ["state parameter is missing in the response location header"]; + return ["Nonce parameter is missing in the response location header"]; } - if (originalState !== responseState) { + if (originalNonce !== responseNonce) { // mismatch - return ["state parameter mismatch between request and response"]; + return ["Nonce parameter mismatch between request and response"]; } return 0; // no CSRF risk detected } - // private async checkStateReuse( - // request: Request, - // originResponse: Response - // ): Promise { - // // uri에 oauth 관련 파라미터가 없지만, 응답이 oauth 리다이렉트 응답인지 확인 - // // 즉, 처음으로 state를 발급한 요청인지 확인 - // if ( - // !( - // !this.isOauthUri(request) && - // this.isOauthRedirectResponse(originResponse) - // ) - // ) { - // return 0; // Not a target, no CSRF risk - // } + private async checkNonceReuse( + sdk: SDK, {}>, + request: Request, + originResponse: Response + ): Promise { + // uri에 oauth 관련 파라미터가 없지만, 응답이 oauth 리다이렉트 응답인지 확인 + // 즉, 처음으로 Nonce를 발급한 요청인지 확인 + if ( + this.isOauthUri(request) || + !this.isOauthRedirectResponse(originResponse) + ) { + return 0; // Not a target, no CSRF risk + } - // const originResponseLocationHeader = httpUtils.getHeaderValue( - // originResponse.getHeaders(), - // "location" - // ); - // const originState = httpUtils.getQueryParamFromURI( - // originResponseLocationHeader || "", - // "state" - // ); + // 기존 응답의 location 헤더의 url에서 Nonce 파라미터 이름, nonce 파라미터 값, 쿼리 추출 + const originResponseLocationHeader = + httpUtils.getHeaderValue(originResponse.getHeaders(), "location") || ""; + const nonceParamName = + this.getNonceParamName(originResponseLocationHeader || "") || "state"; + const originLocationQuery = + httpUtils.getQueryFromURI(originResponseLocationHeader || "") || ""; + const originLocationNonce = httpUtils.getQueryParam( + originLocationQuery, + nonceParamName + ); - // const requestHeaders = request.getHeaders(); - // const noCookieHeaders = httpUtils.removeHeaders(requestHeaders, ["cookie"]); - // const newResponse = await httpUtils.resend(request, { - // headers: noCookieHeaders, - // }); - // const newLocationHeader = httpUtils.getHeaderValue( - // newResponse.getHeaders(), - // "location" - // ); - // const newState = httpUtils.getQueryParamFromURI( - // newLocationHeader || "", - // "state" - // ); + // 쿠키가 없는 헤더로 새로운 nonce를 발급받기 위해 요청 + const noCookieHeaders = httpUtils.removeHeaders(request.getHeaders(), [ + "cookie", + ]); + const noCookieResponse = await httpUtils.resend(sdk, request, { + headers: noCookieHeaders, + }); + if (!noCookieResponse || noCookieResponse?.getCode() >= 400) { + return 0; + } - // if (originState === newState) { - // return [ - // "State parameter reused in the response location header, indicating a potential CSRF risk", - // ]; - // } + // 쿠키가 없는 응답의 location 헤더 추출 및 Nonce 추출 + const noCookieLocationHeader = httpUtils.getHeaderValue( + noCookieResponse?.getHeaders() || {}, + "location" + ); + const newNonce = + httpUtils.getQueryParamFromURI( + noCookieLocationHeader || "", + nonceParamName + ) || ""; - // return 0; // no CSRF risk detected - // } + if (originLocationNonce === newNonce) { + return [ + "State parameter reused in the response location header, indicating a potential CSRF risk", + ]; + } + + // 기존 쿠키와 함께 새로운 Nonce로 요청 + const newQuery = httpUtils.setQueryParam( + originLocationQuery, + nonceParamName, + newNonce + ); + + // 기존 location 헤더의 uri 요청과 location 헤더에서 nonce값만 새로 발급한 값으로 바꾸어 요청한 결과를 비교 + const res1 = await httpUtils.customFetch( + sdk, + originResponseLocationHeader, + "GET", + originLocationQuery, + request.getHeaders() + ); + + const res2 = await httpUtils.customFetch( + sdk, + originResponseLocationHeader, + "GET", + newQuery, + request.getHeaders() + ); + + if ( + !res1 || + !res2 || + res1.getCode() >= 400 || + res2.getCode() >= 400 || + res1.getCode() !== res2.getCode() + ) { + return 0; + } + + if ( + res1.getCode() === res2.getCode() && + 300 <= res1.getCode() && + res1.getCode() < 400 + ) { + const res1LocationHeader = + httpUtils.getHeaderValue(res1.getHeaders(), "location") || ""; + const res2LocationHeader = + httpUtils.getHeaderValue(res2.getHeaders(), "location") || ""; + const res1ReirectPath = httpUtils.getPathFromURI(res1LocationHeader); + const res2ReirectPath = httpUtils.getPathFromURI(res2LocationHeader); + + if (res1ReirectPath === res2ReirectPath) { + return [ + "When nonce parameter reused in the response location header, it might not be verified. Indicating a potential CSRF risk", + ]; + } + } + + return 0; // no CSRF risk detected + } async checker( sdk: SDK, {}>, @@ -152,7 +234,7 @@ export class CsrfCheck { // 쿼리에 state 파라미터가 없으면 CSRF 위험 try { - if (this.isOauthUri(request) && !this.isStateInQuery(request)) { + if (this.isOauthUri(request) && !this.isNonceInQuery(request)) { result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter } } catch (error) { @@ -162,7 +244,7 @@ export class CsrfCheck { // location 헤더에 state 파라미터가 없거나, 요청에서 보낸 state와 다르면 CSRF 위험 try { const stateAtResponseLocationHeaderCheck = - this.checkStateAtResponseLocationHeader(request, response); + this.checkNonceAtResponseLocationHeader(request, response); if (stateAtResponseLocationHeaderCheck !== 0) { result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`; } @@ -172,14 +254,14 @@ export class CsrfCheck { ); } - // // 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기 - // const reusedStateCheck = await this.checkStateReuse(request, response); - // if (reusedStateCheck !== 0) { - // result += `, ${reusedStateCheck.join(", ")}`; - // } + // 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기 + const reusedStateCheck = await this.checkNonceReuse(sdk, request, response); + if (reusedStateCheck !== 0) { + result += `, ${reusedStateCheck.join(", ")}`; + } - result.replace(/^\s*,\s*|\s*$/, ""); // Remove leading/trailing commas try { + result.replace(/^\s*,\s*|\s*$/, ""); // Remove leading/trailing commas if (result) { await sdk.findings.create({ title: "csrf vuln", @@ -187,7 +269,6 @@ export class CsrfCheck { request, reporter: "csrf reporter", }); - sdk.console.log("qq"); } } catch (error) { sdk.console.error(`Error creating finding: ${error}`); diff --git a/packages/backend/src/utils/http.ts b/packages/backend/src/utils/http.ts index 9fcd741..01e2cfc 100644 --- a/packages/backend/src/utils/http.ts +++ b/packages/backend/src/utils/http.ts @@ -1,3 +1,6 @@ +import type { SDK } from "caido:plugin"; +import { Body, RequestSpec, type Request, type Response } from "caido:utils"; + let instance: HttpUtils | null = null; export class HttpUtils { /** @@ -11,6 +14,14 @@ export class HttpUtils { return instance; } + encodeAndLower(value: string): string { + try { + return encodeURIComponent(value).toLowerCase(); + } catch { + return value.toLowerCase(); + } + } + /** * URI 디코딩 후 소문자로 변환하는 헬퍼 함수 * @param value - 디코딩하고 소문자로 변환할 문자열 @@ -47,12 +58,35 @@ export class HttpUtils { return result; } + getPathFromURI(uri: string): string | null { + uri = uri.toLowerCase(); + try { + const urlObj = new URL(uri); + const path = urlObj.pathname; + return path ? decodeURIComponent(path) : null; // 경로가 없으면 null 반환 + } catch (e) { + return null; // URL 파싱 실패 시 null 반환 + } + } + + getQueryFromURI(uri: string): string | null { + uri = uri.toLowerCase(); + try { + const urlObj = new URL(uri); + const query = urlObj.search; + return query ? decodeURIComponent(query.slice(1)) : null; // 쿼리 문자열에서 ? 제거 + } catch (e) { + return null; // URL 파싱 실패 시 null 반환 + } + } + getQueryParamFromURI(uri: string, key: string): string | null { - uri = this.decodeAndLower(uri); + uri = uri.toLowerCase(); key = this.decodeAndLower(key); try { const urlObj = new URL(uri); - return urlObj.searchParams.get(key); + const param = urlObj.searchParams.get(key); + return param ? decodeURIComponent(param) : null; } catch (e) { return null; } @@ -66,11 +100,12 @@ export class HttpUtils { * @returns - 해당 파라미터 값, 없으면 null */ getQueryParam(query: string, key: string): string | null { - query = this.decodeAndLower(query); + query = query.toLowerCase(); key = this.decodeAndLower(key); const params = new URLSearchParams(query); - return params.get(key); + const targetParam = params.get(key); + return targetParam ? decodeURIComponent(targetParam) : null; } /** @@ -82,12 +117,12 @@ export class HttpUtils { * @returns - "a=1&b=2&c=3..." 형태의 새로운 쿼리 문자열 */ setQueryParam(query: string, key: string, value: string): string { - query = this.decodeAndLower(query); + query = query.toLowerCase(); key = this.decodeAndLower(key); value = this.decodeAndLower(value); const params = new URLSearchParams(query); - params.set(key, value); + params.set(key, this.encodeAndLower(value)); return params.toString(); } @@ -99,7 +134,7 @@ export class HttpUtils { * @returns - 삭제된 상태의 새로운 쿼리 문자열 */ removeQueryParam(query: string, key: string): string { - query = this.decodeAndLower(query); + query = query.toLowerCase(); key = this.decodeAndLower(key); const params = new URLSearchParams(query); @@ -109,6 +144,7 @@ export class HttpUtils { // Headers /** + * !! 만약 request.getHeader(`${key}`)을 사용할 수 있다면 이 함수를 사용하지 마세요. * 주어진 헤더 맵에서 name에 해당하는 첫 번째 헤더 값을 반환합니다. * @param headers - Response.getHeaders() 가 반환하는 객체 * @param name - 꺼내고 싶은 헤더 이름 (예: "location", "Content-Type") @@ -207,4 +243,89 @@ export class HttpUtils { } return filtered; } + + async resend( + sdk: SDK, + request: Request, + options?: { + headers?: Record; + body?: Body; + method?: string; + query?: string; + } + ): Promise { + try { + const spec = new RequestSpec(request.getUrl()); + spec.setMethod(options?.method || request.getMethod() || "GET"); + if (options?.query) { + spec.setQuery(options.query); + } else { + spec.setQuery(request.getQuery() || ""); + } + + const originBody = request.getBody(); + if (options?.body) { + spec.setBody(options.body); + } else if (originBody) { + spec.setBody(originBody); + } + + const headers = request.getHeaders(); + if (options?.headers) { + // 기존 헤더에서 options.headers로 덮어쓰기 + const newHeaders = this.lowerCaseAllHeaders({ + ...headers, + ...options.headers, + }); + for (const [key, value] of Object.entries(newHeaders)) { + spec.setHeader(key, Array.isArray(value) ? value.join(", ") : value); + } + } else { + // 기존 헤더 그대로 사용 + for (const [key, value] of Object.entries(headers)) { + spec.setHeader(key, Array.isArray(value) ? value.join(", ") : value); + } + } + + const result = await sdk.requests.send(spec); + return result.response ?? null; + } catch (error) { + sdk.console.error( + `Error resending request to ${request.getUrl()}: ${String(error)}` + ); + return null; + } + } + + async customFetch( + sdk: SDK, + url: string, + method?: string, + query?: string, + headers?: Record, + body?: Body + ): Promise { + try { + const spec = new RequestSpec(url); + spec.setMethod(method || "GET"); + if (query) { + spec.setQuery(query); + } + if (body) { + spec.setBody(body); + } + + for (const [key, value] of Object.entries(headers || {})) { + spec.setHeader(key, Array.isArray(value) ? value.join(", ") : value); + } + + const result = await sdk.requests.send(spec); + return result.response ?? null; + } catch { + sdk.console.error( + `Error during custom fetch to ${url}: ${String(error)}` + ); + return null; + } + } } diff --git a/playground/csrf/index.js b/playground/csrf/index.js index 5c7a733..01c2bba 100644 --- a/playground/csrf/index.js +++ b/playground/csrf/index.js @@ -1,5 +1,6 @@ // app.js const express = require("express"); +const crypto = require("crypto"); const app = express(); const port = 8000; @@ -43,8 +44,6 @@ app.get("/authorize/mismatch-state", (req, res) => { ); const code = "authcode-67890"; - console.log(`[VULN] original state from client:`, originalState); - // 클라이언트 state와 다르게 'wrong-state'를 삽입 const wrongState = "wrong-state"; const location = `${redirectUri}?code=${code}&state=${wrongState}&client_id=${clientId}`; @@ -52,6 +51,24 @@ app.get("/authorize/mismatch-state", (req, res) => { res.status(302).send(`Redirecting to ${location}`); }); +/** + * 3) 랜덤 state를 생성하여 리다이렉트를 발생시키는 테스트용 엔드포인트 + * - /authorize/reuse-state-test 로 접근할 때마다 새로운 16진수 state를 생성 + * - 최초 요청에 OAuth 파라미터가 없으므로 isOauthUri(request) == false + * - 응답에 Location 헤더로 '...?state=<랜덤값>' 을 포함 + * -> Caido 플러그인의 checkNonceReuse 로직에서 새로운 state가 발급되었는지, + * 재사용되었는지를 검증할 수 있음 + * - 더하여 callback uri에서 해당 nonce의 유효성을 판단하지 않고 응답 시에 vuln + */ +app.get("/authorize/reuse-state-test", (req, res) => { + const state = crypto.randomBytes(16).toString("hex"); + + // 고정된 콜백 URI로 리다이렉트 (OAuth 파라미터는 여기서만 주입) + const location = `http://localhost:${port}/callback?state=${state}&client_id=123`; + res.set("Location", location); + res.status(302).send(`Redirecting to ${location}`); +}); + app.listen(port, () => { console.log( `Vulnerable OAuth test server listening at http://localhost:${port}` @@ -62,4 +79,7 @@ app.listen(port, () => { console.log( `2) Mismatch-State: http://localhost:${port}/authorize/mismatch-state?client_id=abc&state=xyz&redirect_uri=http://localhost:${port}/callback` ); + console.log( + `3) Reuse-State-Test: http://localhost:${port}/authorize/reuse-state-test` + ); }); From 1bc442b1d33a2dd4651510f402536cdff7fa08d6 Mon Sep 17 00:00:00 2001 From: KMINGON Date: Wed, 4 Jun 2025 17:01:32 +0900 Subject: [PATCH 18/20] =?UTF-8?q?[FIX]:=20tokenType=EA=B9=8C=EC=A7=80=20?= =?UTF-8?q?=EA=B2=80=EC=82=AC=ED=95=98=EC=97=AC=20OAuth=20Flow=EC=9D=B8?= =?UTF-8?q?=EC=A7=80=20=ED=99=95=EC=9D=B8?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/controller/accessTokenDetector.ts | 71 ++++++++++++------- 1 file changed, 46 insertions(+), 25 deletions(-) diff --git a/packages/backend/src/controller/accessTokenDetector.ts b/packages/backend/src/controller/accessTokenDetector.ts index 6e95120..283b19b 100644 --- a/packages/backend/src/controller/accessTokenDetector.ts +++ b/packages/backend/src/controller/accessTokenDetector.ts @@ -132,34 +132,53 @@ export class AccessTokenLeakController { * @param text - 검사할 텍스트 * @returns 토큰 값이 있으면 해당 값, 없으면 null */ -private extractTokenFromText(text: string): string | null { + private extractTokenFromText(text: string): string | null { // 토큰 관련 키워드 리스트 const tokenKeys = [ - 'access_token', - 'accesstoken', - 'Access-Token', - 'Refresh_Token', - 'Refresh-Token', - 'RefreshToken', - 'Secret_Token', - 'Secret-Token', - 'SecretToken', - 'SSO_Auth', - 'SSO-Auth', - 'SSOAuth', - 'auth_token', - 'session_token' - ]; + 'access_token', + 'accesstoken', + 'Access-Token', + 'Refresh_Token', + 'Refresh-Token', + 'RefreshToken', + 'Secret_Token', + 'Secret-Token', + 'SecretToken', + 'SSO_Auth', + 'SSO-Auth', + 'SSOAuth', + 'auth_token', + 'session_token' + ]; - // 정규표현식 패턴 리스트 생성 + const tokenTypeKeys = [ + 'token_type', + 'tokenType' + ]; + + // 정규표현식 토큰 타입 유무 패턴 리스트 생성 + const tokenTypeRegexes: RegExp[] = []; + for (const key of tokenTypeKeys) { + // JSON 형식: "token_type": "Bearer" + tokenTypeRegexes.push(new RegExp(`"${key}"\\s*:\\s*"bearer"`, 'i')); + // 일반 key=value 형식: token_type=Bearer + tokenTypeRegexes.push(new RegExp(`${key}[=:]\\s*bearer`, 'i')); + // 공백 있는 형식: token_type : Bearer + tokenTypeRegexes.push(new RegExp(`${key}\\s*:\\s*bearer`, 'i')); + } + + // token_type=bearer 형태 중 하나라도 포함되는지 확인 + const hasTokenTypeBearer = tokenTypeRegexes.some(rx => rx.test(text)); + + // 정규표현식 토큰 유무 패턴 리스트 생성 const tokenPatterns: RegExp[] = []; for (const key of tokenKeys) { - // 1. key=token 또는 key: token - tokenPatterns.push(new RegExp(`${key}[=:]\\s*([a-zA-Z0-9\\-._~+/]+=*)`, 'i')); + // 1. key=token 또는 key: token + tokenPatterns.push(new RegExp(`${key}[=:]\\s*([a-zA-Z0-9\\-._~+/]+=*)`, 'i')); - // 2. JSON 형태의 "key": "token" - tokenPatterns.push(new RegExp(`"${key}"\\s*:\\s*"([^"]+)"`, 'i')); + // 2. JSON 형태의 "key": "token" + tokenPatterns.push(new RegExp(`"${key}"\\s*:\\s*"([^"]+)"`, 'i')); } // 3. Authorization: Bearer 형태 @@ -167,12 +186,14 @@ private extractTokenFromText(text: string): string | null { // 모든 패턴에 대해 검사 for (const pattern of tokenPatterns) { - const match = pattern.exec(text); - if (match && match[1]) { - return match[1]; + const match = pattern.exec(text); + if (match && match[1]) { + if(hasTokenTypeBearer){ + return match[1]; } + } } return null; - } + } } \ No newline at end of file From ac53cd4be5804952b16e4064ed4175fcbdc673c8 Mon Sep 17 00:00:00 2001 From: KMINGON Date: Wed, 4 Jun 2025 17:04:39 +0900 Subject: [PATCH 19/20] =?UTF-8?q?[FIX]:=20index=EC=9D=98=20response?= =?UTF-8?q?=EC=97=90=20=EC=9C=84=EC=B9=98=ED=95=98=EB=8D=98=20request?= =?UTF-8?q?=EA=B2=80=EC=82=AC=20=ED=95=A8=EC=88=98=20=EC=9D=B4=EB=8F=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/index.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts index 43d7516..a5e9113 100644 --- a/packages/backend/src/index.ts +++ b/packages/backend/src/index.ts @@ -22,7 +22,6 @@ export function init(sdk: SDK) { sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => { await csrfCheck.checker(sdk, req, res); //await pkceCheckController.test(sdk, req); - await tokenCheck.testReq(sdk, req); await tokenCheck.testResp(sdk, res, req); await ScopeDetectionController.scan(sdk, req.getUrl()); await redirectBypassController.testAsync(sdk, req, res); @@ -38,6 +37,7 @@ export function init(sdk: SDK) { }); sdk.events.onInterceptRequest(async (sdk, req: Request) => { + await tokenCheck.testReq(sdk, req); await pkceCheckController.test(sdk, req); }); /* From 195be25c2297ceedcafc59a24e216a3acd1295c8 Mon Sep 17 00:00:00 2001 From: KMINGON Date: Wed, 4 Jun 2025 22:36:37 +0900 Subject: [PATCH 20/20] =?UTF-8?q?[DOCS]=20:=20findings=20=EC=B6=94?= =?UTF-8?q?=EA=B0=80=EB=90=A0=20=EB=95=8C=20reporter=20=EA=B0=92=20?= =?UTF-8?q?=EC=84=A4=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- packages/backend/src/controller/accessTokenDetector.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/backend/src/controller/accessTokenDetector.ts b/packages/backend/src/controller/accessTokenDetector.ts index 283b19b..c0570d0 100644 --- a/packages/backend/src/controller/accessTokenDetector.ts +++ b/packages/backend/src/controller/accessTokenDetector.ts @@ -19,7 +19,7 @@ export class AccessTokenLeakController { title: result.title, description: result.description, request, - reporter: "", + reporter: "AccessTokenLeak", }); } } @@ -31,7 +31,7 @@ export class AccessTokenLeakController { title: result.title, description: result.description, request, - reporter: "", + reporter: "AccessTokenLeak", }); } }