whs-authz-authn/caido-plugin-test
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: whs-authz-authn:main
Branches Tags
whs-authz-authn:main
whs-authz-authn:sujin
whs-authz-authn:feature/control-tower
whs-authz-authn:feature/access-token-detector
whs-authz-authn:feature/csrf
whs-authz-authn:scopeDetection
whs-authz-authn:feature/pkce
whs-authz-authn:gyu
whs-authz-authn:tk
whs-authz-authn:revert-10-sujin
whs-authz-authn:taewoo
whs-authz-authn:feature/scope
..
compare: whs-authz-authn:feature/csrf
Branches Tags
whs-authz-authn:sujin
whs-authz-authn:feature/control-tower
whs-authz-authn:main
whs-authz-authn:feature/access-token-detector
whs-authz-authn:feature/csrf
whs-authz-authn:scopeDetection
whs-authz-authn:feature/pkce
whs-authz-authn:gyu
whs-authz-authn:tk
whs-authz-authn:revert-10-sujin
whs-authz-authn:taewoo
whs-authz-authn:feature/scope

No commits in common. "main" and "feature/csrf" have entirely different histories.
main ... feature/cs

2 changed files with 29 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

27
packages/backend/src/controller/accessTokenDetector.ts
View file

@ -19,7 +19,7 @@ export class AccessTokenLeakController {
title: result.title, title: result.title,
description: result.description, description: result.description,
request, request,
reporter: "AccessTokenLeak", reporter: "",
}); });
} }
} }
@ -31,7 +31,7 @@ export class AccessTokenLeakController {
title: result.title, title: result.title,
description: result.description, description: result.description,
request, request,
reporter: "AccessTokenLeak", reporter: "",
}); });
} }
} }
@ -151,26 +151,7 @@ export class AccessTokenLeakController {
'session_token' 'session_token'
]; ];
const tokenTypeKeys = [ // 정규표현식 패턴 리스트 생성
'token_type',
'tokenType'
];
// 정규표현식 토큰 타입 유무 패턴 리스트 생성
const tokenTypeRegexes: RegExp[] = [];
for (const key of tokenTypeKeys) {
// JSON 형식: "token_type": "Bearer"
tokenTypeRegexes.push(new RegExp(`"${key}"\\s*:\\s*"bearer"`, 'i'));
// 일반 key=value 형식: token_type=Bearer
tokenTypeRegexes.push(new RegExp(`${key}[=:]\\s*bearer`, 'i'));
// 공백 있는 형식: token_type : Bearer
tokenTypeRegexes.push(new RegExp(`${key}\\s*:\\s*bearer`, 'i'));
}
// token_type=bearer 형태 중 하나라도 포함되는지 확인
const hasTokenTypeBearer = tokenTypeRegexes.some(rx => rx.test(text));
// 정규표현식 토큰 유무 패턴 리스트 생성
const tokenPatterns: RegExp[] = []; const tokenPatterns: RegExp[] = [];
for (const key of tokenKeys) { for (const key of tokenKeys) {
@ -188,11 +169,9 @@ export class AccessTokenLeakController {
for (const pattern of tokenPatterns) { for (const pattern of tokenPatterns) {
const match = pattern.exec(text); const match = pattern.exec(text);
if (match && match[1]) { if (match && match[1]) {
if(hasTokenTypeBearer){
return match[1]; return match[1];
} }
} }
}
return null; return null;
} }

2
packages/backend/src/index.ts
View file

@ -22,6 +22,7 @@ export function init(sdk: SDK<API>) {
sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => { sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => {
await csrfCheck.checker(sdk, req, res); await csrfCheck.checker(sdk, req, res);
//await pkceCheckController.test(sdk, req); //await pkceCheckController.test(sdk, req);
await tokenCheck.testReq(sdk, req);
await tokenCheck.testResp(sdk, res, req); await tokenCheck.testResp(sdk, res, req);
await ScopeDetectionController.scan(sdk, req.getUrl()); await ScopeDetectionController.scan(sdk, req.getUrl());
await redirectBypassController.testAsync(sdk, req, res); await redirectBypassController.testAsync(sdk, req, res);
@ -37,7 +38,6 @@ export function init(sdk: SDK<API>) {
}); });
sdk.events.onInterceptRequest(async (sdk, req: Request) => { sdk.events.onInterceptRequest(async (sdk, req: Request) => {
await tokenCheck.testReq(sdk, req);
await pkceCheckController.test(sdk, req); await pkceCheckController.test(sdk, req);
}); });
/* /*