Compare commits
24 commits
revert-10-
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
1e9a0f1aa0 |
||
|
595d0e93a3 | ||
|
|
195be25c22 | ||
|
|
5a88570fe2 |
||
|
d2c95cff2e |
||
|
|
ac53cd4be5 | ||
|
|
ba98eef694 | ||
|
|
1bc442b1d3 | ||
|
|
efb89c668c | ||
|
c722adbe9d |
||
|
|
979dda299a | ||
|
|
14164ceb83 |
||
|
|
78042ef305 | ||
|
|
e45124de21 |
||
|
|
986c6e59b6 | ||
|
e83988f5fb |
||
|
|
e34649288c | ||
|
|
eca9a8a5b5 |
||
|
|
d820695cec | ||
|
|
c72f103221 | ||
|
|
1c57ad1a39 | ||
|
|
b8b7edb5ac | ||
|
|
316a078bd0 | ||
|
|
6efa9f4d20 |
10 changed files with 728 additions and 293 deletions
|
|
@ -2,138 +2,94 @@ import type { SDK } from "caido:plugin";
|
|||
import { Body, RequestSpec, type Request } from "caido:utils";
|
||||
|
||||
export class PKCECheck {
|
||||
// 필요한 PKCE 파라미터 목록
|
||||
private readonly requiredPKCEKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"];
|
||||
|
||||
// PKCE 취약점 테스트 메인 함수
|
||||
async test(sdk: SDK, req: Request): Promise<boolean> {
|
||||
const method = req.getMethod();
|
||||
const url = req.getUrl();
|
||||
|
||||
// GET 요청이 아니면 검사하지 않음
|
||||
if (method !== "GET") {
|
||||
sdk.console.log("[PKCEDowngradeCheck] Not a GET request. Skipping.");
|
||||
return false;
|
||||
}
|
||||
|
||||
const query = req.getQuery();
|
||||
const searchParams = new URLSearchParams(query);
|
||||
const requiredKeys = ["client_id", "response_type", "code_challenge", "code_challenge_method"];
|
||||
const searchParams = new URLSearchParams(req.getQuery());
|
||||
|
||||
if (!requiredKeys.every((key) => searchParams.has(key))) {
|
||||
// 필수 PKCE 파라미터들이 모두 있는지 확인
|
||||
if (!this.requiredPKCEKeys.every(key => searchParams.has(key))) {
|
||||
sdk.console.log("[PKCEDowngradeCheck] Required PKCE parameters missing. Skipping.");
|
||||
return false;
|
||||
}
|
||||
|
||||
const url = req.getUrl();
|
||||
// OpenID 여부 확인
|
||||
const isOpenID = searchParams.get("scope")?.includes("openid") || url.includes("id_token");
|
||||
const methodVal = searchParams.get("code_challenge_method");
|
||||
const challengeVal = searchParams.get("code_challenge");
|
||||
|
||||
// 파라미터가 없으면 경고 리포트 생성
|
||||
if (!methodVal || !challengeVal) {
|
||||
sdk.console.log("[PKCEDowngradeCheck] code_challenge or method missing. Skipping.");
|
||||
await sdk.findings.create({
|
||||
title: isOpenID
|
||||
? "[WARN] OpenID Flow PKCE Parameters Missing"
|
||||
: "[WARN] OAuth2 Flow PKCE Parameters Missing",
|
||||
description: `PKCE parameters are missing or incomplete for ${url}. This may indicate a misconfiguration.`,
|
||||
request: req,
|
||||
reporter: "PKCE Checker",
|
||||
});
|
||||
await this.reportFinding(sdk, req, url, isOpenID, "[WARN] PKCE Parameters Missing", "PKCE parameters are missing or incomplete.");
|
||||
return false;
|
||||
}
|
||||
|
||||
// code_challenge_method가 'plain'이면 취약할 수 있음
|
||||
if (methodVal === "plain") {
|
||||
sdk.console.log("[PKCEDowngradeCheck] code_challenge_method is 'plain'. Skipping.");
|
||||
await sdk.findings.create({
|
||||
title: isOpenID
|
||||
? "[WARN] OpenID Flow PKCE Method is 'plain'"
|
||||
: "[WARN] OAuth2 Flow PKCE Method is 'plain'",
|
||||
description: `PKCE method is set to 'plain' for ${url}. This may indicate a downgrade vulnerability.`,
|
||||
request: req,
|
||||
reporter: "PKCE Checker",
|
||||
});
|
||||
await this.reportFinding(sdk, req, url, isOpenID, "[WARN] PKCE Method is 'plain'", "PKCE method is set to 'plain'. This may indicate a downgrade vulnerability.");
|
||||
return false;
|
||||
}
|
||||
|
||||
// Remove PKCE parameters to simulate a downgraded request
|
||||
// PKCE 관련 파라미터 제거하여 다운그레이드된 URL 생성
|
||||
searchParams.delete("code_challenge");
|
||||
searchParams.delete("code_challenge_method");
|
||||
const downgradedQuery = searchParams.toString();
|
||||
const scheme = req.getUrl().startsWith("https") ? "https" : "http";
|
||||
const scheme = url.startsWith("https") ? "https" : "http";
|
||||
const downgradedUrl = `${scheme}://${req.getHost()}:${req.getPort()}${req.getPath()}?${downgradedQuery}`;
|
||||
|
||||
sdk.console.log(`${req.getHost()} Original URL: ` + url);
|
||||
sdk.console.log(`${req.getHost()} Downgraded URL: ` + downgradedUrl);
|
||||
sdk.console.log(`${req.getHost()} Original URL: ${url}`);
|
||||
sdk.console.log(`${req.getHost()} Downgraded URL: ${downgradedUrl}`);
|
||||
|
||||
try {
|
||||
// Use Caido Replay SDK to replay the original request
|
||||
const spec = new RequestSpec(downgradedUrl);
|
||||
spec.setBody(req.getBody() as Body);
|
||||
for (const [key, value] of Object.entries(req.getHeaders())) {
|
||||
if (Array.isArray(value)) {
|
||||
spec.setHeader(key, value.join(', ')); // or another suitable delimiter
|
||||
} else {
|
||||
spec.setHeader(key, value);
|
||||
}
|
||||
}
|
||||
spec.setHost(req.getHost());
|
||||
spec.setMethod(req.getMethod());
|
||||
spec.setPath(req.getPath());
|
||||
spec.setQuery(downgradedQuery);
|
||||
spec.setTls(req.getTls());
|
||||
spec.setPort(req.getPort());
|
||||
// 원래 요청과 다운그레이드된 요청 각각 전송
|
||||
const downgradedResponse = await this.sendRequest(sdk, req, downgradedUrl, downgradedQuery);
|
||||
const originalResponse = await this.sendRequest(sdk, req, url, req.getQuery());
|
||||
|
||||
let sendDowngradedRequest = await sdk.requests.send(spec);
|
||||
if (downgradedResponse && originalResponse) {
|
||||
const originalCode = originalResponse.getCode();
|
||||
const downgradedCode = downgradedResponse.getCode();
|
||||
|
||||
if (sendDowngradedRequest.response) {
|
||||
let domain = spec.getHost();
|
||||
let port = spec.getPort();
|
||||
let path = spec.getPath();
|
||||
let query = spec.getQuery();
|
||||
let id = sendDowngradedRequest.response.getId();
|
||||
let code = sendDowngradedRequest.response.getCode();
|
||||
sdk.console.log(`REQ ${id}: ${domain}:${port}${path}${query} received a status code of ${code}`);
|
||||
}
|
||||
const originalLoc = originalResponse.getHeader("location") || "";
|
||||
const downgradedLoc = downgradedResponse.getHeader("location") || "";
|
||||
|
||||
if (sendDowngradedRequest.response?.getCode() === 302) {
|
||||
await sdk.findings.create({
|
||||
title: isOpenID
|
||||
? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability"
|
||||
: "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability",
|
||||
description: `The request to ${url} is vulnerable to a PKCE downgrade attack. This may indicate a configuration error.`,
|
||||
request: req,
|
||||
reporter: "PKCE Checker",
|
||||
});
|
||||
}
|
||||
sdk.console.log(`${req.getHost()} Original Status: ${originalCode}`);
|
||||
sdk.console.log(`${req.getHost()} Downgraded Status: ${downgradedCode}`);
|
||||
sdk.console.log(`${req.getHost()} Original Location: ${originalLoc}`);
|
||||
sdk.console.log(`${req.getHost()} Downgraded Location: ${downgradedLoc}`);
|
||||
|
||||
/*
|
||||
sdk.console.log(`${req.getHost()} Original Status: ` + resOriginal.status);
|
||||
sdk.console.log(`${req.getHost()} Downgraded Status: ` + resDowngraded.status);
|
||||
// 두 응답 모두 리디렉션이면서 code= 파라미터 포함 시 취약점 리포트 생성
|
||||
const bothRedirect = [301, 302].includes(originalCode) && [301, 302].includes(downgradedCode);
|
||||
const bothContainCode = originalLoc.includes("code=") && downgradedLoc.includes("code=");
|
||||
|
||||
sdk.console.log(`${req.getHost()} Original Headers: ` + JSON.stringify(resOriginal.headers));
|
||||
sdk.console.log(`${req.getHost()} Downgraded Headers: ` + JSON.stringify(resDowngraded.headers));
|
||||
|
||||
// Caido Dev Docs 기준으로, 리다이렉트된 URL은 Response 객체의 url 속성에 저장되어 있음
|
||||
const locationOriginal = resOriginal.url ?? "";
|
||||
const locationDowngraded = resDowngraded.url ?? "";
|
||||
|
||||
sdk.console.log(`${req.getHost()} Original Location: ` + locationOriginal);
|
||||
sdk.console.log(`${req.getHost()} Downgraded Location: ` + locationDowngraded);
|
||||
|
||||
const statusEqual = resOriginal.status === resDowngraded.status;
|
||||
const codeInRedirects = locationOriginal.includes("code=") && locationDowngraded.includes("code=");
|
||||
|
||||
if (statusEqual && codeInRedirects) {
|
||||
if (bothRedirect && bothContainCode) {
|
||||
const title = isOpenID
|
||||
? "[CRITICAL] OpenID Flow PKCE Downgraded to Plaintext"
|
||||
: "[CRITICAL] OAuth2 Flow PKCE Downgraded to Plaintext";
|
||||
? "[CRITICAL] OpenID Flow PKCE Downgrade Vulnerability"
|
||||
: "[CRITICAL] OAuth2 Flow PKCE Downgrade Vulnerability";
|
||||
const reference = isOpenID
|
||||
? "https://openid.net/specs/openid-igov-oauth2-1_0-02.html#rfc.section.3.1.7"
|
||||
: "https://datatracker.ietf.org/doc/html/rfc7636";
|
||||
|
||||
await sdk.findings.create({
|
||||
title,
|
||||
description: `PKCE downgrade detected for ${url}.\n\nDowngraded URL: ${downgradedUrl}\n\nRedirect contained code=.\n\nReference: ${reference}`,
|
||||
description: `PKCE downgrade vulnerability detected!\n\nOriginal URL: ${url}\nDowngraded URL: ${downgradedUrl}\n\nBoth requests returned authorization codes, indicating the server accepts requests without PKCE protection.\n\nReference: ${reference}`,
|
||||
request: req,
|
||||
reporter: "",
|
||||
reporter: "PKCE Checker",
|
||||
});
|
||||
|
||||
return true;
|
||||
}*/
|
||||
}
|
||||
}
|
||||
} catch (err) {
|
||||
sdk.console.error(`PKCE downgrade check failed for ${url}: ${String(err)}`);
|
||||
}
|
||||
|
|
@ -141,4 +97,41 @@ export class PKCECheck {
|
|||
sdk.console.log("[PKCEDowngradeCheck] No PKCE downgrade detected.");
|
||||
return false;
|
||||
}
|
||||
|
||||
// 요청 전송 도우미 함수
|
||||
private async sendRequest(sdk: SDK, req: Request, url: string, query: string) {
|
||||
const spec = new RequestSpec(url);
|
||||
spec.setMethod(req.getMethod());
|
||||
spec.setPath(req.getPath());
|
||||
spec.setQuery(query);
|
||||
spec.setBody(req.getBody() as Body);
|
||||
spec.setHost(req.getHost());
|
||||
spec.setPort(req.getPort());
|
||||
spec.setTls(req.getTls());
|
||||
|
||||
for (const [key, value] of Object.entries(req.getHeaders())) {
|
||||
spec.setHeader(key, Array.isArray(value) ? value.join(', ') : value);
|
||||
}
|
||||
|
||||
const result = await sdk.requests.send(spec);
|
||||
return result.response ?? null;
|
||||
}
|
||||
|
||||
// 경고 리포트 생성 함수
|
||||
private async reportFinding(
|
||||
sdk: SDK,
|
||||
req: Request,
|
||||
url: string,
|
||||
isOpenID: boolean,
|
||||
title: string,
|
||||
message: string
|
||||
) {
|
||||
const fullTitle = isOpenID ? `[WARN] OpenID Flow ${title}` : `[WARN] OAuth2 Flow ${title}`;
|
||||
await sdk.findings.create({
|
||||
title: fullTitle,
|
||||
description: `${message} (${url})`,
|
||||
request: req,
|
||||
reporter: "PKCE Checker",
|
||||
});
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -19,7 +19,7 @@ export class AccessTokenLeakController {
|
|||
title: result.title,
|
||||
description: result.description,
|
||||
request,
|
||||
reporter: "",
|
||||
reporter: "AccessTokenLeak",
|
||||
});
|
||||
}
|
||||
}
|
||||
|
|
@ -31,7 +31,7 @@ export class AccessTokenLeakController {
|
|||
title: result.title,
|
||||
description: result.description,
|
||||
request,
|
||||
reporter: "",
|
||||
reporter: "AccessTokenLeak",
|
||||
});
|
||||
}
|
||||
}
|
||||
|
|
@ -132,7 +132,7 @@ export class AccessTokenLeakController {
|
|||
* @param text - 검사할 텍스트
|
||||
* @returns 토큰 값이 있으면 해당 값, 없으면 null
|
||||
*/
|
||||
private extractTokenFromText(text: string): string | null {
|
||||
private extractTokenFromText(text: string): string | null {
|
||||
// 토큰 관련 키워드 리스트
|
||||
const tokenKeys = [
|
||||
'access_token',
|
||||
|
|
@ -151,7 +151,26 @@ private extractTokenFromText(text: string): string | null {
|
|||
'session_token'
|
||||
];
|
||||
|
||||
// 정규표현식 패턴 리스트 생성
|
||||
const tokenTypeKeys = [
|
||||
'token_type',
|
||||
'tokenType'
|
||||
];
|
||||
|
||||
// 정규표현식 토큰 타입 유무 패턴 리스트 생성
|
||||
const tokenTypeRegexes: RegExp[] = [];
|
||||
for (const key of tokenTypeKeys) {
|
||||
// JSON 형식: "token_type": "Bearer"
|
||||
tokenTypeRegexes.push(new RegExp(`"${key}"\\s*:\\s*"bearer"`, 'i'));
|
||||
// 일반 key=value 형식: token_type=Bearer
|
||||
tokenTypeRegexes.push(new RegExp(`${key}[=:]\\s*bearer`, 'i'));
|
||||
// 공백 있는 형식: token_type : Bearer
|
||||
tokenTypeRegexes.push(new RegExp(`${key}\\s*:\\s*bearer`, 'i'));
|
||||
}
|
||||
|
||||
// token_type=bearer 형태 중 하나라도 포함되는지 확인
|
||||
const hasTokenTypeBearer = tokenTypeRegexes.some(rx => rx.test(text));
|
||||
|
||||
// 정규표현식 토큰 유무 패턴 리스트 생성
|
||||
const tokenPatterns: RegExp[] = [];
|
||||
|
||||
for (const key of tokenKeys) {
|
||||
|
|
@ -169,9 +188,11 @@ private extractTokenFromText(text: string): string | null {
|
|||
for (const pattern of tokenPatterns) {
|
||||
const match = pattern.exec(text);
|
||||
if (match && match[1]) {
|
||||
if(hasTokenTypeBearer){
|
||||
return match[1];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -5,15 +5,24 @@ import { HttpUtils } from "../utils/http";
|
|||
const httpUtils = new HttpUtils();
|
||||
|
||||
export class CsrfCheck {
|
||||
private nonceParam = [
|
||||
"state",
|
||||
"nonce",
|
||||
"as",
|
||||
"frame_id",
|
||||
"csrf_token",
|
||||
"csrf",
|
||||
];
|
||||
|
||||
private isTargetUri(uri: string): boolean {
|
||||
if (
|
||||
uri.includes("client_id=") &&
|
||||
(uri.includes("response_type=") ||
|
||||
uri.includes("grant_type=") ||
|
||||
uri.includes("redirect_uri=") ||
|
||||
uri.includes("scope=") ||
|
||||
uri.includes("state=") ||
|
||||
uri.includes("nonce="))
|
||||
httpUtils.getQueryParamFromURI(uri, "client_id") !== null &&
|
||||
(httpUtils.getQueryParamFromURI(uri, "response_type") !== null ||
|
||||
httpUtils.getQueryParamFromURI(uri, "grant_type") !== null ||
|
||||
httpUtils.getQueryParamFromURI(uri, "redirect_uri") !== null ||
|
||||
httpUtils.getQueryParamFromURI(uri, "scope") !== null ||
|
||||
httpUtils.getQueryParamFromURI(uri, "state") !== null ||
|
||||
httpUtils.getQueryParamFromURI(uri, "nonce") !== null)
|
||||
) {
|
||||
return true;
|
||||
}
|
||||
|
|
@ -43,105 +52,178 @@ export class CsrfCheck {
|
|||
return false;
|
||||
}
|
||||
|
||||
private isStateInQuery(request: Request): boolean {
|
||||
const query = request.getQuery();
|
||||
const stateValue =
|
||||
httpUtils.getQueryParam(query || "", "state") ||
|
||||
httpUtils.getQueryParam(query || "", "nonce");
|
||||
if (!stateValue) {
|
||||
return false;
|
||||
private isNonceInQuery(request: Request): boolean {
|
||||
const query = request.getQuery() || "";
|
||||
|
||||
for (const param of this.nonceParam) {
|
||||
if (httpUtils.getQueryParam(query, param) !== null) {
|
||||
return true; // Nonce parameter is present in the query
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private checkStateAtResponseLocationHeader(
|
||||
return false; // No nonce parameter found in the query
|
||||
}
|
||||
|
||||
private getNonceParamName(url: string): string | null {
|
||||
for (const param of this.nonceParam) {
|
||||
if (httpUtils.getQueryParamFromURI(url, param) !== null) {
|
||||
return param; // Return the first matching nonce parameter
|
||||
}
|
||||
}
|
||||
|
||||
return null; // No nonce parameter found
|
||||
}
|
||||
|
||||
private checkNonceAtResponseLocationHeader(
|
||||
request: Request,
|
||||
response: Response
|
||||
): string[] | 0 {
|
||||
const nonceParamName = this.getNonceParamName(request.getUrl() || "");
|
||||
|
||||
if (
|
||||
!(
|
||||
this.isOauthUri(request) &&
|
||||
this.isStateInQuery(request) &&
|
||||
this.isOauthRedirectResponse(response)
|
||||
)
|
||||
!this.isOauthUri(request) ||
|
||||
!this.isNonceInQuery(request) ||
|
||||
!this.isOauthRedirectResponse(response) ||
|
||||
!nonceParamName
|
||||
) {
|
||||
return 0; // Not a target, no CSRF risk
|
||||
}
|
||||
|
||||
// 요청에서 보낸 state 추출
|
||||
// 요청에서 보낸 Nonce 추출
|
||||
const query = request.getQuery() || "";
|
||||
const originalState =
|
||||
httpUtils.getQueryParam(query, "state") ||
|
||||
httpUtils.getQueryParam(query || "", "nonce");
|
||||
const originalNonce = httpUtils.getQueryParam(query, nonceParamName);
|
||||
|
||||
// 리다이렉트 URL에서 쿼리 부분만 추출
|
||||
const locationHeader = httpUtils.getHeaderValue(
|
||||
response.getHeaders(),
|
||||
"location"
|
||||
);
|
||||
const responseState =
|
||||
httpUtils.getQueryParamFromURI(locationHeader || "", "state") ||
|
||||
httpUtils.getQueryParamFromURI(locationHeader || "", "nonce");
|
||||
const locationHeader =
|
||||
httpUtils.getHeaderValue(response.getHeaders(), "location") || "";
|
||||
|
||||
// state가 없거나, 요청값과 다르면 CSRF 위험
|
||||
if (!responseState) {
|
||||
const responseNonce = httpUtils.getQueryParamFromURI(
|
||||
locationHeader || "",
|
||||
nonceParamName
|
||||
);
|
||||
|
||||
// Nonce가 없거나, 요청값과 다르면 CSRF 위험
|
||||
if (!responseNonce) {
|
||||
// missing state
|
||||
return ["state parameter is missing in the response location header"];
|
||||
return ["Nonce parameter is missing in the response location header"];
|
||||
}
|
||||
if (originalState !== responseState) {
|
||||
if (originalNonce !== responseNonce) {
|
||||
// mismatch
|
||||
return ["state parameter mismatch between request and response"];
|
||||
return ["Nonce parameter mismatch between request and response"];
|
||||
}
|
||||
|
||||
return 0; // no CSRF risk detected
|
||||
}
|
||||
|
||||
// private async checkStateReuse(
|
||||
// request: Request,
|
||||
// originResponse: Response
|
||||
// ): Promise<string[] | 0> {
|
||||
// // uri에 oauth 관련 파라미터가 없지만, 응답이 oauth 리다이렉트 응답인지 확인
|
||||
// // 즉, 처음으로 state를 발급한 요청인지 확인
|
||||
// if (
|
||||
// !(
|
||||
// !this.isOauthUri(request) &&
|
||||
// this.isOauthRedirectResponse(originResponse)
|
||||
// )
|
||||
// ) {
|
||||
// return 0; // Not a target, no CSRF risk
|
||||
// }
|
||||
private async checkNonceReuse(
|
||||
sdk: SDK<DefineAPI<{}>, {}>,
|
||||
request: Request,
|
||||
originResponse: Response
|
||||
): Promise<string[] | 0> {
|
||||
// uri에 oauth 관련 파라미터가 없지만, 응답이 oauth 리다이렉트 응답인지 확인
|
||||
// 즉, 처음으로 Nonce를 발급한 요청인지 확인
|
||||
if (
|
||||
this.isOauthUri(request) ||
|
||||
!this.isOauthRedirectResponse(originResponse)
|
||||
) {
|
||||
return 0; // Not a target, no CSRF risk
|
||||
}
|
||||
|
||||
// const originResponseLocationHeader = httpUtils.getHeaderValue(
|
||||
// originResponse.getHeaders(),
|
||||
// "location"
|
||||
// );
|
||||
// const originState = httpUtils.getQueryParamFromURI(
|
||||
// originResponseLocationHeader || "",
|
||||
// "state"
|
||||
// );
|
||||
// 기존 응답의 location 헤더의 url에서 Nonce 파라미터 이름, nonce 파라미터 값, 쿼리 추출
|
||||
const originResponseLocationHeader =
|
||||
httpUtils.getHeaderValue(originResponse.getHeaders(), "location") || "";
|
||||
const nonceParamName =
|
||||
this.getNonceParamName(originResponseLocationHeader || "") || "state";
|
||||
const originLocationQuery =
|
||||
httpUtils.getQueryFromURI(originResponseLocationHeader || "") || "";
|
||||
const originLocationNonce = httpUtils.getQueryParam(
|
||||
originLocationQuery,
|
||||
nonceParamName
|
||||
);
|
||||
|
||||
// const requestHeaders = request.getHeaders();
|
||||
// const noCookieHeaders = httpUtils.removeHeaders(requestHeaders, ["cookie"]);
|
||||
// const newResponse = await httpUtils.resend(request, {
|
||||
// headers: noCookieHeaders,
|
||||
// });
|
||||
// const newLocationHeader = httpUtils.getHeaderValue(
|
||||
// newResponse.getHeaders(),
|
||||
// "location"
|
||||
// );
|
||||
// const newState = httpUtils.getQueryParamFromURI(
|
||||
// newLocationHeader || "",
|
||||
// "state"
|
||||
// );
|
||||
// 쿠키가 없는 헤더로 새로운 nonce를 발급받기 위해 요청
|
||||
const noCookieHeaders = httpUtils.removeHeaders(request.getHeaders(), [
|
||||
"cookie",
|
||||
]);
|
||||
const noCookieResponse = await httpUtils.resend(sdk, request, {
|
||||
headers: noCookieHeaders,
|
||||
});
|
||||
if (!noCookieResponse || noCookieResponse?.getCode() >= 400) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
// if (originState === newState) {
|
||||
// return [
|
||||
// "State parameter reused in the response location header, indicating a potential CSRF risk",
|
||||
// ];
|
||||
// }
|
||||
// 쿠키가 없는 응답의 location 헤더 추출 및 Nonce 추출
|
||||
const noCookieLocationHeader = httpUtils.getHeaderValue(
|
||||
noCookieResponse?.getHeaders() || {},
|
||||
"location"
|
||||
);
|
||||
const newNonce =
|
||||
httpUtils.getQueryParamFromURI(
|
||||
noCookieLocationHeader || "",
|
||||
nonceParamName
|
||||
) || "";
|
||||
|
||||
// return 0; // no CSRF risk detected
|
||||
// }
|
||||
if (originLocationNonce === newNonce) {
|
||||
return [
|
||||
"State parameter reused in the response location header, indicating a potential CSRF risk",
|
||||
];
|
||||
}
|
||||
|
||||
// 기존 쿠키와 함께 새로운 Nonce로 요청
|
||||
const newQuery = httpUtils.setQueryParam(
|
||||
originLocationQuery,
|
||||
nonceParamName,
|
||||
newNonce
|
||||
);
|
||||
|
||||
// 기존 location 헤더의 uri 요청과 location 헤더에서 nonce값만 새로 발급한 값으로 바꾸어 요청한 결과를 비교
|
||||
const res1 = await httpUtils.customFetch(
|
||||
sdk,
|
||||
originResponseLocationHeader,
|
||||
"GET",
|
||||
originLocationQuery,
|
||||
request.getHeaders()
|
||||
);
|
||||
|
||||
const res2 = await httpUtils.customFetch(
|
||||
sdk,
|
||||
originResponseLocationHeader,
|
||||
"GET",
|
||||
newQuery,
|
||||
request.getHeaders()
|
||||
);
|
||||
|
||||
if (
|
||||
!res1 ||
|
||||
!res2 ||
|
||||
res1.getCode() >= 400 ||
|
||||
res2.getCode() >= 400 ||
|
||||
res1.getCode() !== res2.getCode()
|
||||
) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (
|
||||
res1.getCode() === res2.getCode() &&
|
||||
300 <= res1.getCode() &&
|
||||
res1.getCode() < 400
|
||||
) {
|
||||
const res1LocationHeader =
|
||||
httpUtils.getHeaderValue(res1.getHeaders(), "location") || "";
|
||||
const res2LocationHeader =
|
||||
httpUtils.getHeaderValue(res2.getHeaders(), "location") || "";
|
||||
const res1ReirectPath = httpUtils.getPathFromURI(res1LocationHeader);
|
||||
const res2ReirectPath = httpUtils.getPathFromURI(res2LocationHeader);
|
||||
|
||||
if (res1ReirectPath === res2ReirectPath) {
|
||||
return [
|
||||
"When nonce parameter reused in the response location header, it might not be verified. Indicating a potential CSRF risk",
|
||||
];
|
||||
}
|
||||
}
|
||||
|
||||
return 0; // no CSRF risk detected
|
||||
}
|
||||
|
||||
async checker(
|
||||
sdk: SDK<DefineAPI<{}>, {}>,
|
||||
|
|
@ -151,23 +233,35 @@ export class CsrfCheck {
|
|||
let result = ``;
|
||||
|
||||
// 쿼리에 state 파라미터가 없으면 CSRF 위험
|
||||
if (this.isOauthUri(request) && !this.isStateInQuery(request)) {
|
||||
try {
|
||||
if (this.isOauthUri(request) && !this.isNonceInQuery(request)) {
|
||||
result += "CSRF risk: missing state parameter"; // CSRF risk: missing state parameter
|
||||
}
|
||||
} catch (error) {
|
||||
sdk.console.error(`Error checking state in query: ${error}`);
|
||||
}
|
||||
|
||||
// location 헤더에 state 파라미터가 없거나, 요청에서 보낸 state와 다르면 CSRF 위험
|
||||
try {
|
||||
const stateAtResponseLocationHeaderCheck =
|
||||
this.checkStateAtResponseLocationHeader(request, response);
|
||||
this.checkNonceAtResponseLocationHeader(request, response);
|
||||
if (stateAtResponseLocationHeaderCheck !== 0) {
|
||||
result += `, ${stateAtResponseLocationHeaderCheck.join(", ")}`;
|
||||
}
|
||||
} catch (error) {
|
||||
sdk.console.error(
|
||||
`Error checking state in response location header: ${error}`
|
||||
);
|
||||
}
|
||||
|
||||
// // 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기
|
||||
// const reusedStateCheck = await this.checkStateReuse(request, response);
|
||||
// if (reusedStateCheck !== 0) {
|
||||
// result += `, ${reusedStateCheck.join(", ")}`;
|
||||
// }
|
||||
// 처음으로 state를 발급한 요청에서 state 파라미터를 바꿔서 보내기
|
||||
const reusedStateCheck = await this.checkNonceReuse(sdk, request, response);
|
||||
if (reusedStateCheck !== 0) {
|
||||
result += `, ${reusedStateCheck.join(", ")}`;
|
||||
}
|
||||
|
||||
try {
|
||||
result.replace(/^\s*,\s*|\s*$/, ""); // Remove leading/trailing commas
|
||||
if (result) {
|
||||
await sdk.findings.create({
|
||||
title: "csrf vuln",
|
||||
|
|
@ -176,5 +270,8 @@ export class CsrfCheck {
|
|||
reporter: "csrf reporter",
|
||||
});
|
||||
}
|
||||
} catch (error) {
|
||||
sdk.console.error(`Error creating finding: ${error}`);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
import type { Request } from "caido:utils";
|
||||
import type { Request, Response } from "caido:utils";
|
||||
import { TokenLeakCheck } from "./tokenLeakCheck";
|
||||
|
||||
export class NonceCheckController{
|
||||
|
|
@ -6,8 +6,8 @@ export class NonceCheckController{
|
|||
* 응답이 OIDC(OpenID Connect) 플로우인지 확인하는 메서드
|
||||
*/
|
||||
|
||||
public static isOidcFlow(req: Request): boolean {
|
||||
if(TokenLeakCheck.extractIdToken(req)) {
|
||||
public static isOidcFlow(req: Request, res:Response): boolean {
|
||||
if(TokenLeakCheck.extractIdToken(req, res)) {
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
|
|
@ -15,10 +15,10 @@ export class NonceCheckController{
|
|||
|
||||
|
||||
public static isNonceCheckRequest(req: Request): boolean {
|
||||
const id_token = decodeIdToken(req);
|
||||
const id_token = TokenLeakCheck.decodeIdToken(req);
|
||||
|
||||
// 1. nonce 파라미터가 포함된 요청인지 확인
|
||||
if (id_token.includes("nonce=")) {
|
||||
if (id_token && id_token.includes("nonce=")) {
|
||||
return true;
|
||||
}
|
||||
|
||||
|
|
@ -26,8 +26,4 @@ export class NonceCheckController{
|
|||
}
|
||||
}
|
||||
|
||||
function decodeIdToken(req: Request): string {
|
||||
// Implement actual decoding logic here. For now, return an empty string or mock value.
|
||||
return "";
|
||||
}
|
||||
|
||||
|
|
|
|||
59
packages/backend/src/controller/redirect_uriBypass.ts
Normal file
59
packages/backend/src/controller/redirect_uriBypass.ts
Normal file
|
|
@ -0,0 +1,59 @@
|
|||
import type { Request, Response } from "caido:utils";
|
||||
import type { SDK } from "caido:plugin";
|
||||
|
||||
export class RedirectBypassController {
|
||||
// redirect_uri를 확인하는 함수
|
||||
isRedirectUri(req: Request): { detected: boolean; redirectUri?: string } {
|
||||
// ? 뒤에 오는 파라미터 모두 가져오고, 정규표현식으로 redirect_uri= 이후 주소만 뽑음(없으면 null)
|
||||
const query = req.getQuery();
|
||||
const redirectUriMatch = query.match(/redirect_uri=([^&]+)/i);
|
||||
|
||||
// redirectUriMatch[1]은 ()로 감싼 부분
|
||||
// redirect_uri 파라미터가 없거나 있어도 주소가 문자열이 아니면 false
|
||||
if (!redirectUriMatch || typeof redirectUriMatch[1] !== "string") {
|
||||
return { detected: false };
|
||||
}
|
||||
|
||||
// 인코딩된 주소를 원래대로 바꿈 (ex. https://~~)
|
||||
const redirectUri = decodeURIComponent(redirectUriMatch[1]);
|
||||
|
||||
const bypassPatterns = [
|
||||
"%ff@", "/", "%2f@", "%0a@", "%0d@", "\\", ".evil.com", "@", "%2f..%2f",
|
||||
];
|
||||
|
||||
// 위 패턴에 일치하는 게 있으면 true랑 redirectUri 반환 (false일 땐 undefined)
|
||||
const detected = bypassPatterns.some(pattern => redirectUri.includes(pattern));
|
||||
return { detected, redirectUri: detected ? redirectUri : undefined };
|
||||
}
|
||||
|
||||
// 응답에 인가 코드가 포함되어 있는지 확인하는 함수
|
||||
isCodeIssued(res: Response): boolean {
|
||||
const location = res.getHeader("Location") || "";
|
||||
return location.includes("code=");
|
||||
}
|
||||
|
||||
// 위의 두 함수 모두 만족하면 true, 문제의 주소를 반환하는 함수
|
||||
test(req: Request, res: Response): { detected: boolean; redirectUri?: string } {
|
||||
const redirectCheck = this.isRedirectUri(req);
|
||||
const codeIssued = this.isCodeIssued(res);
|
||||
|
||||
if (redirectCheck.detected && codeIssued) {
|
||||
return { detected: true, redirectUri: redirectCheck.redirectUri };
|
||||
}
|
||||
|
||||
return { detected: false };
|
||||
}
|
||||
|
||||
// 탐지된 결과 저장하는 함수
|
||||
async testAsync(sdk: SDK, req: Request, res: Response): Promise<void> {
|
||||
const result = this.test(req, res);
|
||||
if (result.detected) {
|
||||
await sdk.findings.create({
|
||||
title: "Redirect URI Bypass Detected",
|
||||
description: `redirect_uri 우회 발견\nRedirect URI: ${result.redirectUri}`,
|
||||
request: req,
|
||||
reporter: "gyu",
|
||||
});
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -1,8 +1,8 @@
|
|||
import type { Request } from "caido:utils";
|
||||
import type { Request,Response } from "caido:utils";
|
||||
import jwt from "jsonwebtoken";
|
||||
|
||||
export class TokenLeakCheck {
|
||||
public static extractIdToken(req: Request): string | null {
|
||||
public static extractIdToken(req: Request, res?: Response): string | null {
|
||||
// 1. Authorization 헤더 확인\\
|
||||
const header = req.getHeaders() as Record<string, string | string[] | undefined>;
|
||||
const authHeader = header["authorization"] || header["Authorization"];
|
||||
|
|
@ -16,19 +16,21 @@ export class TokenLeakCheck {
|
|||
return (query as Record<string, any>).id_token;
|
||||
}
|
||||
|
||||
// 3. POST 바디 안에 id_token이 있을 경우
|
||||
const rawBody = req.getRaw();
|
||||
// 3. response 안에 id_token이 있을 경우
|
||||
if (res) {
|
||||
const rawBody = res.getRaw();
|
||||
const body = rawBody ? rawBody.toString() : "";
|
||||
const match = body.match(/id_token=([^&\s]+)/);
|
||||
if (match && typeof match[1] === "string") {
|
||||
if (match && typeof match[1] === "string" ) {
|
||||
return decodeURIComponent(match[1]);
|
||||
}
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
public static decodeIdToken(req: Request): Record<string, any> | null {
|
||||
const token = this.extractIdToken(req);
|
||||
public static decodeIdToken(req: Request, res?: Response): Record<string, any> | null {
|
||||
const token = this.extractIdToken(req, res);
|
||||
if (!token) return null;
|
||||
|
||||
const decoded = jwt.decode(token, { complete: true });
|
||||
|
|
|
|||
|
|
@ -6,51 +6,56 @@ import { CsrfCheck } from "./controller/csrfCheck";
|
|||
import { PKCECheck } from "./controller/PKCECheck";
|
||||
import { AccessTokenLeakController } from "./controller/accessTokenDetector";
|
||||
import { ScopeDetection } from "./controller/scopeDetection";
|
||||
// import { NonceCheckController } from "./controller/nonceCheck";
|
||||
import { RedirectBypassController } from "./controller/redirect_uriBypass";
|
||||
|
||||
export type API = DefineAPI<{}>;
|
||||
|
||||
const csrfCheck = new CsrfCheck();
|
||||
// const implicitGrantController = new ImplicitGrantController();
|
||||
// const authZCodeGrantController = new AuthZCodeGrantController();
|
||||
const pkceCheckController = new PKCECheck();
|
||||
const tokenCheck = new AccessTokenLeakController();
|
||||
const ScopeDetectionController = new ScopeDetection();
|
||||
// const nonceCheckController = new NonceCheckController();
|
||||
const redirectBypassController = new RedirectBypassController();
|
||||
|
||||
export function init(sdk: SDK<API>) {
|
||||
// sdk.events.onInterceptRequest(async (sdk, req: Request) => {
|
||||
// const result = csrfCheck.checker(req);
|
||||
sdk.events.onInterceptResponse(async (sdk, req: Request, res: Response) => {
|
||||
await csrfCheck.checker(sdk, req, res);
|
||||
//await pkceCheckController.test(sdk, req);
|
||||
await tokenCheck.testResp(sdk, res, req);
|
||||
await ScopeDetectionController.scan(sdk, req.getUrl());
|
||||
await redirectBypassController.testAsync(sdk, req, res);
|
||||
|
||||
// if (result) {
|
||||
// if (NonceCheckController.isOidcFlow(req, res)) {
|
||||
// await sdk.findings.create({
|
||||
// title: "Possible SSO Request Detected",
|
||||
// description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
|
||||
// title: "OIDC Flow Detected",
|
||||
// description: "The request appears to be part of an OIDC flow.",
|
||||
// request: req,
|
||||
// reporter: "",
|
||||
// });
|
||||
// }
|
||||
// });
|
||||
});
|
||||
|
||||
sdk.events.onInterceptResponse(
|
||||
async (sdk: SDK<DefineAPI<{}>, {}>, req: Request, resp: Response) => {
|
||||
await csrfCheck.checker(sdk, req, resp);
|
||||
await pkceCheckController.test(sdk, req);
|
||||
sdk.events.onInterceptRequest(async (sdk, req: Request) => {
|
||||
await tokenCheck.testReq(sdk, req);
|
||||
await tokenCheck.testResp(sdk, resp, req);
|
||||
await ScopeDetectionController.scan(sdk, req.getUrl());
|
||||
// sdk.events.onInterceptRequest(async (sdk, req: Request) => {
|
||||
// const result =
|
||||
// authZCodeGrantController.testReq(req) ||
|
||||
// implicitGrantController.testReq(req);
|
||||
await pkceCheckController.test(sdk, req);
|
||||
});
|
||||
/*
|
||||
sdk.events.onInterceptRequest(async (sdk, req: Request) => {
|
||||
const result =
|
||||
authZCodeGrantController.testReq(req) ||
|
||||
implicitGrantController.testReq(req);
|
||||
|
||||
// if (result) {
|
||||
// await pkceCheckController.test(sdk, req);
|
||||
if (result) {
|
||||
await pkceCheckController.test(sdk, req);
|
||||
|
||||
// await sdk.findings.create({
|
||||
// title: "Possible SSO Request Detected",
|
||||
// description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
|
||||
// request: req,
|
||||
// reporter: "",
|
||||
// });
|
||||
await sdk.findings.create({
|
||||
title: "Possible SSO Request Detected",
|
||||
description: `SSO-related parameters detected in request:\n\n${req.getMethod()} ${req.getUrl()} : ${result}`,
|
||||
request: req,
|
||||
reporter: "",
|
||||
});
|
||||
}
|
||||
);
|
||||
});
|
||||
*/
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,3 +1,6 @@
|
|||
import type { SDK } from "caido:plugin";
|
||||
import { Body, RequestSpec, type Request, type Response } from "caido:utils";
|
||||
|
||||
let instance: HttpUtils | null = null;
|
||||
export class HttpUtils {
|
||||
/**
|
||||
|
|
@ -11,6 +14,14 @@ export class HttpUtils {
|
|||
return instance;
|
||||
}
|
||||
|
||||
encodeAndLower(value: string): string {
|
||||
try {
|
||||
return encodeURIComponent(value).toLowerCase();
|
||||
} catch {
|
||||
return value.toLowerCase();
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* URI 디코딩 후 소문자로 변환하는 헬퍼 함수
|
||||
* @param value - 디코딩하고 소문자로 변환할 문자열
|
||||
|
|
@ -47,12 +58,35 @@ export class HttpUtils {
|
|||
return result;
|
||||
}
|
||||
|
||||
getQueryParamFromURI(uri: string, key: string): string | null {
|
||||
getPathFromURI(uri: string): string | null {
|
||||
uri = uri.toLowerCase();
|
||||
key = key.toLowerCase();
|
||||
try {
|
||||
const urlObj = new URL(uri);
|
||||
return urlObj.searchParams.get(key);
|
||||
const path = urlObj.pathname;
|
||||
return path ? decodeURIComponent(path) : null; // 경로가 없으면 null 반환
|
||||
} catch (e) {
|
||||
return null; // URL 파싱 실패 시 null 반환
|
||||
}
|
||||
}
|
||||
|
||||
getQueryFromURI(uri: string): string | null {
|
||||
uri = uri.toLowerCase();
|
||||
try {
|
||||
const urlObj = new URL(uri);
|
||||
const query = urlObj.search;
|
||||
return query ? decodeURIComponent(query.slice(1)) : null; // 쿼리 문자열에서 ? 제거
|
||||
} catch (e) {
|
||||
return null; // URL 파싱 실패 시 null 반환
|
||||
}
|
||||
}
|
||||
|
||||
getQueryParamFromURI(uri: string, key: string): string | null {
|
||||
uri = uri.toLowerCase();
|
||||
key = this.decodeAndLower(key);
|
||||
try {
|
||||
const urlObj = new URL(uri);
|
||||
const param = urlObj.searchParams.get(key);
|
||||
return param ? decodeURIComponent(param) : null;
|
||||
} catch (e) {
|
||||
return null;
|
||||
}
|
||||
|
|
@ -67,10 +101,11 @@ export class HttpUtils {
|
|||
*/
|
||||
getQueryParam(query: string, key: string): string | null {
|
||||
query = query.toLowerCase();
|
||||
key = key.toLowerCase();
|
||||
key = this.decodeAndLower(key);
|
||||
|
||||
const params = new URLSearchParams(query);
|
||||
return params.get(key);
|
||||
const targetParam = params.get(key);
|
||||
return targetParam ? decodeURIComponent(targetParam) : null;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -83,11 +118,11 @@ export class HttpUtils {
|
|||
*/
|
||||
setQueryParam(query: string, key: string, value: string): string {
|
||||
query = query.toLowerCase();
|
||||
key = key.toLowerCase();
|
||||
value = value.toLowerCase();
|
||||
key = this.decodeAndLower(key);
|
||||
value = this.decodeAndLower(value);
|
||||
|
||||
const params = new URLSearchParams(query);
|
||||
params.set(key, value);
|
||||
params.set(key, this.encodeAndLower(value));
|
||||
return params.toString();
|
||||
}
|
||||
|
||||
|
|
@ -100,7 +135,7 @@ export class HttpUtils {
|
|||
*/
|
||||
removeQueryParam(query: string, key: string): string {
|
||||
query = query.toLowerCase();
|
||||
key = key.toLowerCase();
|
||||
key = this.decodeAndLower(key);
|
||||
|
||||
const params = new URLSearchParams(query);
|
||||
params.delete(key);
|
||||
|
|
@ -109,6 +144,7 @@ export class HttpUtils {
|
|||
|
||||
// Headers
|
||||
/**
|
||||
* !! 만약 request.getHeader(`${key}`)을 사용할 수 있다면 이 함수를 사용하지 마세요.
|
||||
* 주어진 헤더 맵에서 name에 해당하는 첫 번째 헤더 값을 반환합니다.
|
||||
* @param headers - Response.getHeaders() 가 반환하는 객체
|
||||
* @param name - 꺼내고 싶은 헤더 이름 (예: "location", "Content-Type")
|
||||
|
|
@ -207,4 +243,89 @@ export class HttpUtils {
|
|||
}
|
||||
return filtered;
|
||||
}
|
||||
|
||||
async resend(
|
||||
sdk: SDK,
|
||||
request: Request,
|
||||
options?: {
|
||||
headers?: Record<string, string | string[]>;
|
||||
body?: Body;
|
||||
method?: string;
|
||||
query?: string;
|
||||
}
|
||||
): Promise<Response | null> {
|
||||
try {
|
||||
const spec = new RequestSpec(request.getUrl());
|
||||
spec.setMethod(options?.method || request.getMethod() || "GET");
|
||||
if (options?.query) {
|
||||
spec.setQuery(options.query);
|
||||
} else {
|
||||
spec.setQuery(request.getQuery() || "");
|
||||
}
|
||||
|
||||
const originBody = request.getBody();
|
||||
if (options?.body) {
|
||||
spec.setBody(options.body);
|
||||
} else if (originBody) {
|
||||
spec.setBody(originBody);
|
||||
}
|
||||
|
||||
const headers = request.getHeaders();
|
||||
if (options?.headers) {
|
||||
// 기존 헤더에서 options.headers로 덮어쓰기
|
||||
const newHeaders = this.lowerCaseAllHeaders({
|
||||
...headers,
|
||||
...options.headers,
|
||||
});
|
||||
for (const [key, value] of Object.entries(newHeaders)) {
|
||||
spec.setHeader(key, Array.isArray(value) ? value.join(", ") : value);
|
||||
}
|
||||
} else {
|
||||
// 기존 헤더 그대로 사용
|
||||
for (const [key, value] of Object.entries(headers)) {
|
||||
spec.setHeader(key, Array.isArray(value) ? value.join(", ") : value);
|
||||
}
|
||||
}
|
||||
|
||||
const result = await sdk.requests.send(spec);
|
||||
return result.response ?? null;
|
||||
} catch (error) {
|
||||
sdk.console.error(
|
||||
`Error resending request to ${request.getUrl()}: ${String(error)}`
|
||||
);
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
async customFetch(
|
||||
sdk: SDK,
|
||||
url: string,
|
||||
method?: string,
|
||||
query?: string,
|
||||
headers?: Record<string, string | string[]>,
|
||||
body?: Body
|
||||
): Promise<Response | null> {
|
||||
try {
|
||||
const spec = new RequestSpec(url);
|
||||
spec.setMethod(method || "GET");
|
||||
if (query) {
|
||||
spec.setQuery(query);
|
||||
}
|
||||
if (body) {
|
||||
spec.setBody(body);
|
||||
}
|
||||
|
||||
for (const [key, value] of Object.entries(headers || {})) {
|
||||
spec.setHeader(key, Array.isArray(value) ? value.join(", ") : value);
|
||||
}
|
||||
|
||||
const result = await sdk.requests.send(spec);
|
||||
return result.response ?? null;
|
||||
} catch {
|
||||
sdk.console.error(
|
||||
`Error during custom fetch to ${url}: ${String(error)}`
|
||||
);
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
// app.js
|
||||
const express = require("express");
|
||||
const crypto = require("crypto");
|
||||
const app = express();
|
||||
const port = 8000;
|
||||
|
||||
|
|
@ -43,8 +44,6 @@ app.get("/authorize/mismatch-state", (req, res) => {
|
|||
);
|
||||
const code = "authcode-67890";
|
||||
|
||||
console.log(`[VULN] original state from client:`, originalState);
|
||||
|
||||
// 클라이언트 state와 다르게 'wrong-state'를 삽입
|
||||
const wrongState = "wrong-state";
|
||||
const location = `${redirectUri}?code=${code}&state=${wrongState}&client_id=${clientId}`;
|
||||
|
|
@ -52,6 +51,24 @@ app.get("/authorize/mismatch-state", (req, res) => {
|
|||
res.status(302).send(`Redirecting to ${location}`);
|
||||
});
|
||||
|
||||
/**
|
||||
* 3) 랜덤 state를 생성하여 리다이렉트를 발생시키는 테스트용 엔드포인트
|
||||
* - /authorize/reuse-state-test 로 접근할 때마다 새로운 16진수 state를 생성
|
||||
* - 최초 요청에 OAuth 파라미터가 없으므로 isOauthUri(request) == false
|
||||
* - 응답에 Location 헤더로 '...?state=<랜덤값>' 을 포함
|
||||
* -> Caido 플러그인의 checkNonceReuse 로직에서 새로운 state가 발급되었는지,
|
||||
* 재사용되었는지를 검증할 수 있음
|
||||
* - 더하여 callback uri에서 해당 nonce의 유효성을 판단하지 않고 응답 시에 vuln
|
||||
*/
|
||||
app.get("/authorize/reuse-state-test", (req, res) => {
|
||||
const state = crypto.randomBytes(16).toString("hex");
|
||||
|
||||
// 고정된 콜백 URI로 리다이렉트 (OAuth 파라미터는 여기서만 주입)
|
||||
const location = `http://localhost:${port}/callback?state=${state}&client_id=123`;
|
||||
res.set("Location", location);
|
||||
res.status(302).send(`Redirecting to ${location}`);
|
||||
});
|
||||
|
||||
app.listen(port, () => {
|
||||
console.log(
|
||||
`Vulnerable OAuth test server listening at http://localhost:${port}`
|
||||
|
|
@ -62,4 +79,7 @@ app.listen(port, () => {
|
|||
console.log(
|
||||
`2) Mismatch-State: http://localhost:${port}/authorize/mismatch-state?client_id=abc&state=xyz&redirect_uri=http://localhost:${port}/callback`
|
||||
);
|
||||
console.log(
|
||||
`3) Reuse-State-Test: http://localhost:${port}/authorize/reuse-state-test`
|
||||
);
|
||||
});
|
||||
|
|
|
|||
129
pnpm-lock.yaml
generated
129
pnpm-lock.yaml
generated
|
|
@ -7,10 +7,17 @@ settings:
|
|||
importers:
|
||||
|
||||
.:
|
||||
dependencies:
|
||||
'@types/jsonwebtoken':
|
||||
specifier: ^9.0.9
|
||||
version: 9.0.9
|
||||
jsonwebtoken:
|
||||
specifier: ^9.0.2
|
||||
version: 9.0.2
|
||||
devDependencies:
|
||||
'@caido-community/dev':
|
||||
specifier: ^0.1.3
|
||||
version: 0.1.5(postcss@8.5.3)(typescript@5.5.4)
|
||||
version: 0.1.5(@types/node@22.15.29)(postcss@8.5.3)(typescript@5.5.4)
|
||||
'@caido/sdk-backend':
|
||||
specifier: ^0.48.1
|
||||
version: 0.48.1
|
||||
|
|
@ -328,6 +335,15 @@ packages:
|
|||
'@types/estree@1.0.7':
|
||||
resolution: {integrity: sha512-w28IoSUCJpidD/TGviZwwMJckNESJZXFu7NBZ5YJ4mEUnNraUn9Pm8HSZm/jDF1pDWYKspWE7oVphigUPRakIQ==}
|
||||
|
||||
'@types/jsonwebtoken@9.0.9':
|
||||
resolution: {integrity: sha512-uoe+GxEuHbvy12OUQct2X9JenKM3qAscquYymuQN4fMWG9DBQtykrQEFcAbVACF7qaLw9BePSodUL0kquqBJpQ==}
|
||||
|
||||
'@types/ms@2.1.0':
|
||||
resolution: {integrity: sha512-GsCCIZDE/p3i96vtEqx+7dBUGXrc7zeSK3wwPHIaRThS+9OhWIXRqzs4d6k1SVU8g91DrNRWxWUGhp5KXQb2VA==}
|
||||
|
||||
'@types/node@22.15.29':
|
||||
resolution: {integrity: sha512-LNdjOkUDlU1RZb8e1kOIUpN1qQUlzGkEtbVNo53vbrwDg5om6oduhm4SiUaPW5ASTXhAiP0jInWG8Qx9fVlOeQ==}
|
||||
|
||||
accepts@2.0.0:
|
||||
resolution: {integrity: sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==}
|
||||
engines: {node: '>= 0.6'}
|
||||
|
|
@ -364,6 +380,9 @@ packages:
|
|||
brace-expansion@2.0.1:
|
||||
resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==}
|
||||
|
||||
buffer-equal-constant-time@1.0.1:
|
||||
resolution: {integrity: sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==}
|
||||
|
||||
bundle-require@5.1.0:
|
||||
resolution: {integrity: sha512-3WrrOuZiyaaZPWiEt4G3+IffISVC9HYlWueJEBWED4ZH4aIAC2PnkdnuRrR94M+w6yGWn4AglWtJtBI8YqvgoA==}
|
||||
engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
|
||||
|
|
@ -465,6 +484,9 @@ packages:
|
|||
eastasianwidth@0.2.0:
|
||||
resolution: {integrity: sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==}
|
||||
|
||||
ecdsa-sig-formatter@1.0.11:
|
||||
resolution: {integrity: sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==}
|
||||
|
||||
ee-first@1.1.1:
|
||||
resolution: {integrity: sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==}
|
||||
|
||||
|
|
@ -622,9 +644,19 @@ packages:
|
|||
json-schema-traverse@1.0.0:
|
||||
resolution: {integrity: sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==}
|
||||
|
||||
jsonwebtoken@9.0.2:
|
||||
resolution: {integrity: sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ==}
|
||||
engines: {node: '>=12', npm: '>=6'}
|
||||
|
||||
jszip@3.10.1:
|
||||
resolution: {integrity: sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g==}
|
||||
|
||||
jwa@1.4.2:
|
||||
resolution: {integrity: sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw==}
|
||||
|
||||
jws@3.2.2:
|
||||
resolution: {integrity: sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==}
|
||||
|
||||
lie@3.3.0:
|
||||
resolution: {integrity: sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ==}
|
||||
|
||||
|
|
@ -639,6 +671,27 @@ packages:
|
|||
resolution: {integrity: sha512-IXO6OCs9yg8tMKzfPZ1YmheJbZCiEsnBdcB03l0OcfK9prKnJb96siuHCr5Fl37/yo9DnKU+TLpxzTUspw9shg==}
|
||||
engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
|
||||
|
||||
lodash.includes@4.3.0:
|
||||
resolution: {integrity: sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==}
|
||||
|
||||
lodash.isboolean@3.0.3:
|
||||
resolution: {integrity: sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==}
|
||||
|
||||
lodash.isinteger@4.0.4:
|
||||
resolution: {integrity: sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==}
|
||||
|
||||
lodash.isnumber@3.0.3:
|
||||
resolution: {integrity: sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==}
|
||||
|
||||
lodash.isplainobject@4.0.6:
|
||||
resolution: {integrity: sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==}
|
||||
|
||||
lodash.isstring@4.0.1:
|
||||
resolution: {integrity: sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==}
|
||||
|
||||
lodash.once@4.1.1:
|
||||
resolution: {integrity: sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==}
|
||||
|
||||
lodash.sortby@4.7.0:
|
||||
resolution: {integrity: sha512-HDWXG8isMntAyRF5vZ7xKuEvOhT4AhlRt/3czTSjvGUxjYCBVRQY48ViDHyfYz9VIoBkW4TMGQNapx+l3RUwdA==}
|
||||
|
||||
|
|
@ -837,6 +890,11 @@ packages:
|
|||
safer-buffer@2.1.2:
|
||||
resolution: {integrity: sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==}
|
||||
|
||||
semver@7.7.2:
|
||||
resolution: {integrity: sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==}
|
||||
engines: {node: '>=10'}
|
||||
hasBin: true
|
||||
|
||||
send@1.2.0:
|
||||
resolution: {integrity: sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw==}
|
||||
engines: {node: '>= 18'}
|
||||
|
|
@ -971,6 +1029,9 @@ packages:
|
|||
engines: {node: '>=14.17'}
|
||||
hasBin: true
|
||||
|
||||
undici-types@6.21.0:
|
||||
resolution: {integrity: sha512-iwDZqg0QAGrg9Rav5H4n0M64c3mkR59cJ6wQp+7C4nI0gsmExaedaYLNO44eT4AtBBwjbTiGPMlt2Md0T9H9JQ==}
|
||||
|
||||
unpipe@1.0.0:
|
||||
resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==}
|
||||
engines: {node: '>= 0.8'}
|
||||
|
|
@ -1065,7 +1126,7 @@ packages:
|
|||
|
||||
snapshots:
|
||||
|
||||
'@caido-community/dev@0.1.5(postcss@8.5.3)(typescript@5.5.4)':
|
||||
'@caido-community/dev@0.1.5(@types/node@22.15.29)(postcss@8.5.3)(typescript@5.5.4)':
|
||||
dependencies:
|
||||
'@caido/plugin-manifest': 0.3.0
|
||||
chalk: 5.4.1
|
||||
|
|
@ -1076,7 +1137,7 @@ snapshots:
|
|||
jiti: 2.4.2
|
||||
jszip: 3.10.1
|
||||
tsup: 8.3.5(jiti@2.4.2)(postcss@8.5.3)(typescript@5.5.4)
|
||||
vite: 6.0.7(jiti@2.4.2)
|
||||
vite: 6.0.7(@types/node@22.15.29)(jiti@2.4.2)
|
||||
ws: 8.18.0
|
||||
zod: 3.24.1
|
||||
transitivePeerDependencies:
|
||||
|
|
@ -1284,6 +1345,17 @@ snapshots:
|
|||
|
||||
'@types/estree@1.0.7': {}
|
||||
|
||||
'@types/jsonwebtoken@9.0.9':
|
||||
dependencies:
|
||||
'@types/ms': 2.1.0
|
||||
'@types/node': 22.15.29
|
||||
|
||||
'@types/ms@2.1.0': {}
|
||||
|
||||
'@types/node@22.15.29':
|
||||
dependencies:
|
||||
undici-types: 6.21.0
|
||||
|
||||
accepts@2.0.0:
|
||||
dependencies:
|
||||
mime-types: 3.0.1
|
||||
|
|
@ -1328,6 +1400,8 @@ snapshots:
|
|||
dependencies:
|
||||
balanced-match: 1.0.2
|
||||
|
||||
buffer-equal-constant-time@1.0.1: {}
|
||||
|
||||
bundle-require@5.1.0(esbuild@0.24.2):
|
||||
dependencies:
|
||||
esbuild: 0.24.2
|
||||
|
|
@ -1401,6 +1475,10 @@ snapshots:
|
|||
|
||||
eastasianwidth@0.2.0: {}
|
||||
|
||||
ecdsa-sig-formatter@1.0.11:
|
||||
dependencies:
|
||||
safe-buffer: 5.2.1
|
||||
|
||||
ee-first@1.1.1: {}
|
||||
|
||||
emoji-regex@8.0.0: {}
|
||||
|
|
@ -1605,6 +1683,19 @@ snapshots:
|
|||
|
||||
json-schema-traverse@1.0.0: {}
|
||||
|
||||
jsonwebtoken@9.0.2:
|
||||
dependencies:
|
||||
jws: 3.2.2
|
||||
lodash.includes: 4.3.0
|
||||
lodash.isboolean: 3.0.3
|
||||
lodash.isinteger: 4.0.4
|
||||
lodash.isnumber: 3.0.3
|
||||
lodash.isplainobject: 4.0.6
|
||||
lodash.isstring: 4.0.1
|
||||
lodash.once: 4.1.1
|
||||
ms: 2.1.3
|
||||
semver: 7.7.2
|
||||
|
||||
jszip@3.10.1:
|
||||
dependencies:
|
||||
lie: 3.3.0
|
||||
|
|
@ -1612,6 +1703,17 @@ snapshots:
|
|||
readable-stream: 2.3.8
|
||||
setimmediate: 1.0.5
|
||||
|
||||
jwa@1.4.2:
|
||||
dependencies:
|
||||
buffer-equal-constant-time: 1.0.1
|
||||
ecdsa-sig-formatter: 1.0.11
|
||||
safe-buffer: 5.2.1
|
||||
|
||||
jws@3.2.2:
|
||||
dependencies:
|
||||
jwa: 1.4.2
|
||||
safe-buffer: 5.2.1
|
||||
|
||||
lie@3.3.0:
|
||||
dependencies:
|
||||
immediate: 3.0.6
|
||||
|
|
@ -1622,6 +1724,20 @@ snapshots:
|
|||
|
||||
load-tsconfig@0.2.5: {}
|
||||
|
||||
lodash.includes@4.3.0: {}
|
||||
|
||||
lodash.isboolean@3.0.3: {}
|
||||
|
||||
lodash.isinteger@4.0.4: {}
|
||||
|
||||
lodash.isnumber@3.0.3: {}
|
||||
|
||||
lodash.isplainobject@4.0.6: {}
|
||||
|
||||
lodash.isstring@4.0.1: {}
|
||||
|
||||
lodash.once@4.1.1: {}
|
||||
|
||||
lodash.sortby@4.7.0: {}
|
||||
|
||||
lru-cache@10.4.3: {}
|
||||
|
|
@ -1801,6 +1917,8 @@ snapshots:
|
|||
|
||||
safer-buffer@2.1.2: {}
|
||||
|
||||
semver@7.7.2: {}
|
||||
|
||||
send@1.2.0:
|
||||
dependencies:
|
||||
debug: 4.3.6
|
||||
|
|
@ -1968,6 +2086,8 @@ snapshots:
|
|||
|
||||
typescript@5.5.4: {}
|
||||
|
||||
undici-types@6.21.0: {}
|
||||
|
||||
unpipe@1.0.0: {}
|
||||
|
||||
util-deprecate@1.0.2: {}
|
||||
|
|
@ -1976,12 +2096,13 @@ snapshots:
|
|||
|
||||
vary@1.1.2: {}
|
||||
|
||||
vite@6.0.7(jiti@2.4.2):
|
||||
vite@6.0.7(@types/node@22.15.29)(jiti@2.4.2):
|
||||
dependencies:
|
||||
esbuild: 0.24.2
|
||||
postcss: 8.5.3
|
||||
rollup: 4.41.0
|
||||
optionalDependencies:
|
||||
'@types/node': 22.15.29
|
||||
fsevents: 2.3.3
|
||||
jiti: 2.4.2
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue