[수정] req,res 구분 코드

2026-06-04 04:51:51 +09:00 · 2025-06-09 23:35:52 +09:00 · 2025-06-09 23:35:52 +09:00 · 568d3f0ce5
commit 568d3f0ce5
parent 4059cc7adb
2 changed files with 37 additions and 6 deletions
--- a/addon/cleintsecret_check.py
+++ b/addon/cleintsecret_check.py
@ -1,5 +1,9 @@
+# clientsecret_check.py
 from mitmproxy import http
 from urllib.parse import urlparse, parse_qs
+from typing import List
+import lib.target as target
+from lib.report import save_report


 class ClientSecretChecker:
@ -25,7 +29,7 @@ class ClientSecretChecker:
        referer = flow.request.headers.get("Referer", "")
        return "client_secret" in referer

-    def check_client_secret_leak(self, flow: http.HTTPFlow) -> list[str]:
+    def check_client_secret_leak(self, flow: http.HTTPFlow) -> List[str]:
        messages = []

        if self.has_client_secret_in_uri(flow.request.url):
@ -39,14 +43,34 @@ class ClientSecretChecker:

        return messages

-    async def request(self, flow: http.HTTPFlow) -> None:
+    def _report(self, flow: http.HTTPFlow, issues: List[str], direction: str):
+        desc = " | ".join(issues)
+        report_data = [{
+            'target': target.load(),
+            'status': "HIGH",
+            'title': f"OAuth Client Secret Exposure ({direction})",
+            'description': desc,
+            'uri': flow.request.url,
+        }]
+        save_report(report_data)
+        print(f"[INFO] Client Secret Leak Detected ({direction}): {desc}")
+
+    def request(self, flow: http.HTTPFlow) -> None:
        try:
            if not self.is_oauth_uri(flow.request.url):
                return
-
            issues = self.check_client_secret_leak(flow)
            if issues:
-                print(f"[HIGH] OAuth Client Secret Exposure: {' | '.join(issues)}")
-                print(f"[URL] {flow.request.url}")
+                self._report(flow, issues, "request")
        except Exception as e:
-            print(f"[ERROR] Client Secret Check failed: {e}")
+            print(f"[ERROR] Client Secret Check (request) failed: {e}")
+
+    def response(self, flow: http.HTTPFlow) -> None:
+        try:
+            if not self.is_oauth_uri(flow.request.url):
+                return
+            issues = self.check_client_secret_leak(flow)
+            if issues:
+                self._report(flow, issues, "response")
+        except Exception as e:
+            print(f"[ERROR] Client Secret Check (response) failed: {e}")
--- a/addon/init.py
+++ b/addon/init.py
@ -67,10 +67,17 @@ class ClientSecretAddon:
        self.checker = ClientSecretChecker()

    async def request(self, flow: http.HTTPFlow):
+        try:
+            self.checker.request(flow)
+        except Exception as e:
+            print(f"[ERROR] ClientSecretAddon request failed: {e}")
+            pass
+        
+    async def response(self, flow: http.HTTPFlow):
        try:
            self.checker.response(flow)
        except Exception as e:
-            print(f"[ERROR] ClientSecretAddon failed: {e}")
+            print(f"[ERROR] ClientSecretAddon response failed: {e}")
            pass
        
 addons = [PKCEAddon(), ScopeAddon(), CsrfAddon(), NonceAddon(), ClientSecretAddon()]