From b32d4e02af72c9be7fabf4a99f4d0366ba80214a Mon Sep 17 00:00:00 2001
From: kyu
Date: Sun, 1 Jun 2025 20:12:12 +0900
Subject: [PATCH 1/3] clientsecretCheck
---
 .../src/controller/clientsecretCheck.ts | 33 +++++++++++++++++++
 packages/backend/src/index.ts | 6 ++++
 2 files changed, 39 insertions(+)
 create mode 100644 packages/backend/src/controller/clientsecretCheck.ts
diff --git a/packages/backend/src/controller/clientsecretCheck.ts b/packages/backend/src/controller/clientsecretCheck.ts
new file mode 100644
index 0000000..0a13917
--- /dev/null
+++ b/packages/backend/src/controller/clientsecretCheck.ts
@@ -0,0 +1,33 @@
+import type { SDK } from "caido:plugin";
+import type { Request } from "caido:utils";
+
+export class ClientSecretController {
+ test(req: Request): boolean {
+ const query = req.getQuery() ?? ""; /* URL에서 검사 */
+
+ const bodyRaw = req.getBody(); /* BODY 에서 검사 */
+ const body = typeof bodyRaw === "string" ? bodyRaw : Array.isArray(bodyRaw) ? bodyRaw.join("&") : "";
+
+ const authRaw = req.getHeader("authorization"); /* authz 헤더 에서 검사 */
+ const auth = typeof authRaw === "string" ? authRaw : Array.isArray(authRaw) ? authRaw.join(" ") : "";
+
+ return (
+ query.includes("client_secret=") ||
+ body.includes("client_secret=") ||
+ auth.toLowerCase().startsWith("basic ")
+ );
+ }
+
+ async report(sdk: SDK, req: Request): Promise {
+ const url = req.getUrl();
+
+ await sdk.findings.create({
+ title: "Exposed client_secret",
+ description: `The request to \`${url}\` contains a potential exposure of the OAuth2 \`client_secret\`.`,
+ request: req,
+ reporter: "Client_Secret_Finder",
+ dedupeKey: "client_secret_exposure"
+ });
+ }
+}
+
diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts
index 7633932..7022449 100644
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
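Review bot: `test()` treats any `Authorization: Basic` header as a client-secret exposure (`auth.toLowerCase().startsWith("basic ")`), so every request that uses ordinary HTTP Basic auth raises an "Exposed client_secret" finding, while a token request that carries the secret in a JSON body (`"client_secret":`) is never matched because only the `client_secret=` form is checked. The constant `dedupeKey: "client_secret_exposure"` in `report()` looks like it would collapse every hit into one finding regardless of host or endpoint — if the SDK dedupes on that key, fold the URL into it, e.g. ``dedupeKey: `client_secret_exposure:${url}` ``. The return type of `report` shows as a bare `Promise` here; presumably `Promise<void>` lost its type argument in rendering — confirm. The Korean inline comments would serve other maintainers better in English, e.g. `/* check the query string */`, `/* check the body */`, `/* check the Authorization header */`.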
@@ -3,12 +3,14 @@ import type { Request } from "caido:utils";
 import { ImplicitGrantController } from "./controller/implictGrant";
 import { AuthZCodeGrantController } from "./controller/authZCodeGrant";
 import { PKCECheck } from "./controller/PKCECheck";
+import { ClientSecretController } from "./controller/clientsecretCheck";
 export type API = DefineAPI<{}>;
 const implicitGrantController = new ImplicitGrantController();
 const authZCodeGrantController = new AuthZCodeGrantController();
 const pkceCheck = new PKCECheck();
+const clientSecretController = new ClientSecretController();
 // function matchSSORequest(req: Request): boolean {
 // const raw = req.getRaw().toString();
@@ -44,6 +46,10 @@ export function init(sdk: SDK) {
 reporter: "",
 });
 }
+ if (clientSecretController.test(req)) {
+ await clientSecretController.report(sdk,req);
+ }
+
 });
 }
From d3a0e8ae848dd41086fafe774f418a56c7b9b743 Mon Sep 17 00:00:00 2001
From: kyu
Date: Mon, 2 Jun 2025 21:36:55 +0900
Subject: [PATCH 2/3] =?UTF-8?q?=EC=98=A4=EB=A5=98=EC=9E=A1=EA=B8=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 packages/backend/src/index.ts | 30 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/packages/backend/src/index.ts b/packages/backend/src/index.ts
index b36d4e2..1d17c25 100644
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@@ -6,7 +6,7 @@ import { CsrfCheck } from "./controller/csrfCheck";
 import { PKCECheck } from "./controller/PKCECheck";
 import { AccessTokenLeakController } from "./controller/accessTokenDetector";
 import { ScopeDetection } from "./controller/scopeDetection";
-import { NonceCheckController } from "./controller/nonceCheck";
+// import { NonceCheckController } from "./controller/nonceCheck";
 import { ClientSecretController } from "./controller/clientsecretCheck";
 export type API = DefineAPI<{}>;
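Review bot: In the `@@ -44,6 +46,10 @@` hunk the new call `await clientSecretController.report(sdk,req);` is written without a space after the comma, unlike the other calls in this file (`testResp(sdk, res, req)` in the later hunk), and the blank `+` line inserted before `});` is stray whitespace; write it `await clientSecretController.report(sdk, req);` and drop the blank line. The block sits inside an event callback whose registration lies outside the hunk; from the context of the later `@@ -27,20` hunk it appears to be the response-intercept handler, so a rejection from `report()` would escape that callback after the other checks have already run — if the SDK does not log such rejections, a `try`/`catch` around the call that logs the error would keep a failing finding from disappearing silently. The `@@ -3,12` and `@@ -6,7` hunks are import/instantiation changes and need nothing.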
@@ -17,7 +17,7 @@ const csrfCheck = new CsrfCheck();
 const pkceCheckController = new PKCECheck();
 const tokenCheck = new AccessTokenLeakController();
 const ScopeDetectionController = new ScopeDetection();
-const nonceCheckController = new NonceCheckController();
+// const nonceCheckController = new NonceCheckController();
 const clientSecretController = new ClientSecretController();
 export function init(sdk: SDK) {
@@ -27,20 +27,26 @@ export function init(sdk: SDK) {
 await tokenCheck.testReq(sdk, req);
 await tokenCheck.testResp(sdk, res, req);
 await ScopeDetectionController.scan(sdk, req.getUrl());
- await clientSecretController.report(sdk,req);
+ // await clientSecretController.report(sdk,req);
- if (NonceCheckController.isOidcFlow(req, res)) {
- await sdk.findings.create({
- title: "OIDC Flow Detected",
- description: "The request appears to be part of an OIDC flow.",
- request: req,
- reporter: "",
- });
- }
+ // if (NonceCheckController.isOidcFlow(req, res)) {
+ // await sdk.findings.create({
+ // title: "OIDC Flow Detected",
+ // description: "The request appears to be part of an OIDC flow.",
+ // request: req,
+ // reporter: "",
+ // });
+ // }
 });
- /*
+ sdk.events.onInterceptRequest(async (sdk, req: Request) => {
+ if (clientSecretController.test(req)) {
+ await clientSecretController.report(sdk,req);
+ }
+ });/*
+
+ await clientSecretController.report(sdk,req);})
 const result = authZCodeGrantController.testReq(req) || implicitGrantController.testReq(req);
From 5c6d9cb6004aaad65cb96bccb2909e3402575911 Mon Sep 17 00:00:00 2001
From: kyu
Date: Mon, 2 Jun 2025 22:00:14 +0900
Subject: [PATCH 3/3] =?UTF-8?q?basic=EC=88=98=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 packages/backend/src/controller/clientsecretCheck.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
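Review bot: The new `onInterceptRequest` handler closes with `});/*`, which opens a block comment that swallows the stray `await clientSecretController.report(sdk,req);})` line and the `const result = …` line after it; the two stray lines are leftovers of the edit and should be deleted, with the comment opener back on its own line as it was before (`  });` then `  /*`), so the reader does not have to work out that the old-code comment is still open past the end of the hunk. The commented-out `// await clientSecretController.report(sdk,req);` and the `// if (NonceCheckController.isOidcFlow…)` block are dead code that version control already preserves; delete them rather than keep them in comment form. `init` and the opened comment both continue outside the hunk. The `@@ -17,7` hunk above is the matching comment-out of the nonce controller and needs nothing.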
diff --git a/packages/backend/src/controller/clientsecretCheck.ts b/packages/backend/src/controller/clientsecretCheck.ts
index 0a13917..8bb01b3 100644
--- a/packages/backend/src/controller/clientsecretCheck.ts
+++ b/packages/backend/src/controller/clientsecretCheck.ts
@@ -14,7 +14,7 @@ export class ClientSecretController {
 return (
 query.includes("client_secret=") ||
 body.includes("client_secret=") ||
- auth.toLowerCase().startsWith("basic ")
+ auth.toLowerCase().startsWith("basic Y2xpZW50X3NlY3JldA")
 );
 }
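Review bot: The new prefix `"basic Y2xpZW50X3NlY3JldA"` can never match: the left side is `auth.toLowerCase()` and so contains no uppercase characters, while the literal does, which makes the Basic-auth branch of `test()` dead and silently stops the detector from reporting Basic credentials at all. Even with the case fixed, an HTTP Basic credential is the base64 of `client_id:client_secret`, so its encoding begins with the client id, not with `Y2xpZW50X3NlY3JldA` (the base64 of the literal string `client_secret`); the prefix only matches when the username itself is `client_secret`. If the intent is to flag a Basic credential whose decoded value mentions `client_secret`, match the scheme case-insensitively, decode the credential and test the decoded string, as below (or, to flag OAuth token requests that authenticate with a Basic secret, test `basicMatch !== null && body.includes("grant_type=")` instead); the decode assumes `atob` exists in the plugin runtime — confirm, or substitute the runtime's base64 decoder. `test()` begins and ends outside this hunk; the `query`, `body` and `auth` locals it uses are defined above the shown lines.
```typescript
    // … unchanged: query / body / auth extraction …
    const basicMatch = /^basic\s+(\S+)/i.exec(auth);
    let basicCreds = "";
    if (basicMatch !== null) {
      try {
        basicCreds = atob(basicMatch[1] ?? ""); // assumes atob in the plugin runtime — confirm
      } catch {
        basicCreds = ""; // malformed base64: nothing to inspect
      }
    }
    return (
      query.includes("client_secret=") ||
      body.includes("client_secret=") ||
      basicCreds.includes("client_secret")
    );
```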