[Refactor] 리팩터링

This commit is contained in:
tv0924@icloud.com 2025-06-26 10:43:52 +09:00
commit 062552d3d8
12 changed files with 24 additions and 22 deletions

.gitignore vendored

@ -9,6 +9,8 @@ wheels/
# Virtual environments # Virtual environments
.venv .venv
.env
data/ data/
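Review bot: Adding `.env` to `.gitignore` only stops future `git add`; it does not untrack a `.env` that was already committed, and the addon file in this same commit loads one via `load_dotenv`. If `git log --all -- .env` shows the file was ever tracked, it needs `git rm --cached .env` plus rotation of whatever credentials it held, since they remain in history. A one-line comment above the entry, `# local secrets loaded by load_dotenv — never commit`, would make the intent clear to the next contributor.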


@ -4,8 +4,8 @@ from typing import List, Dict, Optional, Any
from mitmproxy.http import HTTPFlow from mitmproxy.http import HTTPFlow
import lib.target as target import lib.cur_target_url as cur_target_url
from lib.report import save_report from lib.report_vuln import save_report
# 결과 리포트 저장용 데이터 클래스 # 결과 리포트 저장용 데이터 클래스
@dataclass @dataclass
@ -32,7 +32,7 @@ class AccessTokenScanner:
findings.extend(await self._scan_response(flow.response, flow.request.url)) findings.extend(await self._scan_response(flow.response, flow.request.url))
if findings: if findings:
target_value = target.load() target_value = cur_target_url.load()
save_report([f.to_report(target_value) for f in findings]) save_report([f.to_report(target_value) for f in findings])
# 내부 구현 # 내부 구현


@ -4,8 +4,8 @@ from urllib.parse import urlparse, parse_qs, unquote
import httpx import httpx
from typing import Optional, Union, List from typing import Optional, Union, List
import lib.target as target import lib.cur_target_url as cur_target_url
from lib.report import save_report from lib.report_vuln import save_report
class CsrfChecker: class CsrfChecker:
nonce_params = { nonce_params = {
@ -153,7 +153,7 @@ class CsrfChecker:
desc = " | ".join(msgs) desc = " | ".join(msgs)
status = "MEDIUM" status = "MEDIUM"
report_data = [{ report_data = [{
'target': target.load(), 'target': cur_target_url.load(),
'status': status, 'status': status,
'title': "CSRF Risk", 'title': "CSRF Risk",
'description': desc, 'description': desc,


@ -1,12 +1,12 @@
from mitmproxy import http from mitmproxy import http
import asyncio import asyncio
from pkce_check import PKCEDowngradeChecker from pkce_check import PKCEDowngradeChecker
from ScopeDetection import ScopeDetection from addon.scope_detection import ScopeDetection
from csrf_check import CsrfChecker from csrf_check import CsrfChecker
from nonce_check import NonceChecker from nonce_check import NonceChecker
from redirect_uri_check import RedirectBypassChecker from redirect_uri_check import RedirectBypassChecker
from access_token import AccessTokenScanner from access_token import AccessTokenScanner
from GoogleLoginHint import GoogleLoginHint from addon.google_login_hint import GoogleLoginHint
import os import os
from dotenv import load_dotenv from dotenv import load_dotenv


@ -3,8 +3,8 @@ from urllib.parse import urlparse, parse_qs
from typing import Union from typing import Union
import httpx import httpx
import lib.target as target import lib.cur_target_url as cur_target_url
from lib.report import save_report from lib.report_vuln import save_report
class NonceChecker: class NonceChecker:
def is_oidc_flow(self, flow) -> bool: def is_oidc_flow(self, flow) -> bool:
@ -76,7 +76,7 @@ class NonceChecker:
url = req.pretty_url url = req.pretty_url
if not nonce: if not nonce:
report_data = [{ report_data = [{
'target': target.load(), 'target': cur_target_url.load(),
'status': "CRITICAL", 'status': "CRITICAL",
'title': "nonce is missing in id_token", 'title': "nonce is missing in id_token",
'description': "Nonce is present in the request but missing in the id_token.", 'description': "Nonce is present in the request but missing in the id_token.",


@ -3,8 +3,8 @@ import asyncio
import httpx import httpx
from typing import Dict, List from typing import Dict, List
import lib.target as target import lib.cur_target_url as cur_target_url
from lib.report import save_report from lib.report_vuln import save_report
class PKCEDowngradeChecker: class PKCEDowngradeChecker:
@ -170,7 +170,7 @@ class PKCEDowngradeChecker:
self, status: str, title: str, description: str, uri: str self, status: str, title: str, description: str, uri: str
) -> Dict[str, str]: ) -> Dict[str, str]:
return { return {
"target": target.load(), "target": cur_target_url.load(),
"status": status, "status": status,
"title": title, "title": title,
"description": description, "description": description,


@ -4,8 +4,8 @@ import asyncio
import random import random
import time import time
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
import lib.target as target import lib.cur_target_url as cur_target_url
from lib.report import save_report from lib.report_vuln import save_report
class RedirectRateLimiter: class RedirectRateLimiter:
"""redirect_uri_check 전용 rate limiter""" """redirect_uri_check 전용 rate limiter"""
@ -1385,7 +1385,7 @@ class RedirectBypassChecker:
) )
report_data = [{ report_data = [{
"target": target.load(), "target": cur_target_url.load(),
"status": "CRITICAL", "status": "CRITICAL",
"title": "Redirect URI Bypass Vulnerability", "title": "Redirect URI Bypass Vulnerability",
"description": description, "description": description,


@ -1,5 +1,5 @@
import lib.target as target import lib.cur_target_url as cur_target_url
from lib.report import save_report from lib.report_vuln import save_report
class ScopeDetection: class ScopeDetection:
def get_scope_from_query(self, query: str) -> str | None: def get_scope_from_query(self, query: str) -> str | None:
@ -44,7 +44,7 @@ class ScopeDetection:
if result != 0: if result != 0:
report_data = [{ report_data = [{
'target': target.load(), 'target': cur_target_url.load(),
'status': "WARNING", 'status': "WARNING",
'title': "OAuth scope value issue", 'title': "OAuth scope value issue",
'description': f"{method} {url}: {', '.join(result)}", 'description': f"{method} {url}: {', '.join(result)}",


@ -1,6 +1,6 @@
from fastapi import FastAPI, Query, HTTPException from fastapi import FastAPI, Query, HTTPException
from fastapi.responses import Response from fastapi.responses import Response
import lib.target as target import lib.cur_target_url as cur_target_url
app = FastAPI() app = FastAPI()
@ -8,7 +8,7 @@ app = FastAPI()
@app.post("/start") @app.post("/start")
async def start(url: str = Query(None)): async def start(url: str = Query(None)):
if url: if url:
target.save(url) cur_target_url.save(url)
print(f"Target URL set to: {url}") print(f"Target URL set to: {url}")
return {"message": f"Target URL set to: {url}"} return {"message": f"Target URL set to: {url}"}
return {"error": "No URL provided"} return {"error": "No URL provided"}
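Review bot: The `/start` handler stores whatever string arrives in `url` via `cur_target_url.save(url)` without checking that it is an absolute http(s) URL, and the checker modules in this commit import `httpx` and send requests to that target, so a bare hostname, a `file:` URL or an empty-host value is accepted as the scan target with no feedback. `HTTPException` is already imported at the top of this file but the missing-URL branch returns a 200 with an error body instead of a 400; if existing clients depend on that body, keep it, but the scheme/netloc check should still be added before `save`. The function appears to end at the hunk's last line, but that is not certain from this view.

```python
async def start(url: str = Query(None)):
    if not url:
        raise HTTPException(status_code=400, detail="No URL provided")
    parsed = urlparse(url)  # urlparse from urllib.parse, added to the module imports
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise HTTPException(status_code=400, detail="url must be an absolute http(s) URL")
    # … unchanged: cur_target_url.save(url), print and success response …
```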