Merge pull request #21 from whs-authz-authn-project/feature/access-token-detector

[DOCS] AccessToken findings 생성 시 reporter 추가
Merge branch 'main' into feature/access-token-detector
2025-06-04 22:40:19 +09:00 · 2025-06-04 22:37:39 +09:00 · 2025-06-04 22:36:37 +09:00 · 2025-06-04 22:19:15 +09:00 · 2025-06-04 22:03:47 +09:00 · 2025-06-04 17:04:39 +09:00
2 changed files with 50 additions and 29 deletions
--- a/packages/backend/src/controller/accessTokenDetector.ts
+++ b/packages/backend/src/controller/accessTokenDetector.ts
@ -19,7 +19,7 @@ export class AccessTokenLeakController {
        title: result.title,
        description: result.description,
        request,
-        reporter: "",
+        reporter: "AccessTokenLeak",
      });
    }
  }
@ -31,7 +31,7 @@ export class AccessTokenLeakController {
        title: result.title,
        description: result.description,
        request,
-        reporter: "",
+        reporter: "AccessTokenLeak",
      });
    }
  }
@ -151,7 +151,26 @@ private extractTokenFromText(text: string): string | null {
      'session_token'
    ];
-  // 정규표현식 패턴 리스트 생성
+    const tokenTypeKeys = [
      'token_type',
      'tokenType'
    ];
     // 정규표현식 토큰 타입 유무 패턴 리스트 생성
    const tokenTypeRegexes: RegExp[] = [];
    for (const key of tokenTypeKeys) {
      // JSON 형식: "token_type": "Bearer"
      tokenTypeRegexes.push(new RegExp(`"${key}"\\s*:\\s*"bearer"`, 'i'));
      // 일반 key=value 형식: token_type=Bearer
      tokenTypeRegexes.push(new RegExp(`${key}[=:]\\s*bearer`, 'i'));
      // 공백 있는 형식: token_type : Bearer
      tokenTypeRegexes.push(new RegExp(`${key}\\s*:\\s*bearer`, 'i'));
    }
    // token_type=bearer 형태 중 하나라도 포함되는지 확인
    const hasTokenTypeBearer = tokenTypeRegexes.some(rx => rx.test(text));
    // 정규표현식 토큰 유무 패턴 리스트 생성
    const tokenPatterns: RegExp[] = [];
    for (const key of tokenKeys) {
@ -169,9 +188,11 @@ private extractTokenFromText(text: string): string | null {
    for (const pattern of tokenPatterns) {
      const match = pattern.exec(text);
      if (match && match[1]) {
        if(hasTokenTypeBearer){
          return match[1];
        }
      }
    }
    return null;
  }
--- a/packages/backend/src/index.ts
+++ b/packages/backend/src/index.ts
@ -22,7 +22,6 @@ export function init(sdk: SDK<API>) {
  sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => {
    await csrfCheck.checker(sdk, req, res);
    //await pkceCheckController.test(sdk, req);
    await tokenCheck.testReq(sdk, req);
    await tokenCheck.testResp(sdk, res, req);
    await ScopeDetectionController.scan(sdk, req.getUrl());
    await redirectBypassController.testAsync(sdk, req, res);
@ -38,6 +37,7 @@ export function init(sdk: SDK<API>) {
  });
  sdk.events.onInterceptRequest(async (sdk, req: Request) => {
    await tokenCheck.testReq(sdk, req);
    await pkceCheckController.test(sdk, req);
  });
  /*
Author	SHA1	Message	Date
김민곤	1e9a0f1aa0	Merge pull request #21 from whs-authz-authn-project/feature/access-token-detector [DOCS] AccessToken findings 생성 시 reporter 추가	2025-06-04 22:40:19 +09:00
KMINGON	595d0e93a3	Merge branch 'main' into feature/access-token-detector	2025-06-04 22:37:39 +09:00
KMINGON	195be25c22	[DOCS] : findings 추가될 때 reporter 값 설정	2025-06-04 22:36:37 +09:00
김민곤	5a88570fe2	Merge pull request #19 from whs-authz-authn-project/feature/csrf [Update] nonce 파라미터 감지 범위 확장 및 nonce 파라미터 재사용에대한 검증 로직 추가	2025-06-04 22:19:15 +09:00
James	d2c95cff2e	Merge pull request #20 from whs-authz-authn-project/feature/access-token-detector [FIX] AccessToken 탐지 정확도 증가	2025-06-04 22:03:47 +09:00
KMINGON	ac53cd4be5	[FIX]: index의 response에 위치하던 request검사 함수 이동	2025-06-04 17:04:39 +09:00
KMINGON	ba98eef694	Merge branch 'main' into feature/access-token-detector	2025-06-04 17:02:13 +09:00
KMINGON	1bc442b1d3	[FIX]: tokenType까지 검사하여 OAuth Flow인지 확인	2025-06-04 17:01:32 +09:00