From 568d3f0ce5d1445e442c569267c0fe614cd8461b Mon Sep 17 00:00:00 2001
From: tk <onthisway07@gmail.com>
Date: Mon, 9 Jun 2025 23:35:52 +0900
Subject: [PATCH] =?UTF-8?q?[=EC=88=98=EC=A0=95]=20req,res=20=EA=B5=AC?=
 =?UTF-8?q?=EB=B6=84=20=EC=BD=94=EB=93=9C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 addon/cleintsecret_check.py | 36 ++++++++++++++++++++++++++++++------
 addon/init.py               |  9 ++++++++-
 2 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/addon/cleintsecret_check.py b/addon/cleintsecret_check.py
index 481bfe6..f48ed93 100644
--- a/addon/cleintsecret_check.py
+++ b/addon/cleintsecret_check.py
@@ -1,5 +1,9 @@
+# clientsecret_check.py
 from mitmproxy import http
 from urllib.parse import urlparse, parse_qs
+from typing import List
+import lib.target as target
+from lib.report import save_report
 
 
 class ClientSecretChecker:
@@ -25,7 +29,7 @@ class ClientSecretChecker:
         referer = flow.request.headers.get("Referer", "")
         return "client_secret" in referer
 
-    def check_client_secret_leak(self, flow: http.HTTPFlow) -> list[str]:
+    def check_client_secret_leak(self, flow: http.HTTPFlow) -> List[str]:
         messages = []
 
         if self.has_client_secret_in_uri(flow.request.url):
@@ -39,14 +43,34 @@ class ClientSecretChecker:
 
         return messages
 
-    async def request(self, flow: http.HTTPFlow) -> None:
+    def _report(self, flow: http.HTTPFlow, issues: List[str], direction: str):
+        desc = " | ".join(issues)
+        report_data = [{
+            'target': target.load(),
+            'status': "HIGH",
+            'title': f"OAuth Client Secret Exposure ({direction})",
+            'description': desc,
+            'uri': flow.request.url,
+        }]
+        save_report(report_data)
+        print(f"[INFO] Client Secret Leak Detected ({direction}): {desc}")
+
+    def request(self, flow: http.HTTPFlow) -> None:
         try:
             if not self.is_oauth_uri(flow.request.url):
                 return
-
             issues = self.check_client_secret_leak(flow)
             if issues:
-                print(f"[HIGH] OAuth Client Secret Exposure: {' | '.join(issues)}")
-                print(f"[URL] {flow.request.url}")
+                self._report(flow, issues, "request")
         except Exception as e:
-            print(f"[ERROR] Client Secret Check failed: {e}")
+            print(f"[ERROR] Client Secret Check (request) failed: {e}")
+
+    def response(self, flow: http.HTTPFlow) -> None:
+        try:
+            if not self.is_oauth_uri(flow.request.url):
+                return
+            issues = self.check_client_secret_leak(flow)
+            if issues:
+                self._report(flow, issues, "response")
+        except Exception as e:
+            print(f"[ERROR] Client Secret Check (response) failed: {e}")
diff --git a/addon/init.py b/addon/init.py
index 29e7027..d84c551 100644
--- a/addon/init.py
+++ b/addon/init.py
@@ -67,10 +67,17 @@ class ClientSecretAddon:
         self.checker = ClientSecretChecker()
 
     async def request(self, flow: http.HTTPFlow):
+        try:
+            self.checker.request(flow)
+        except Exception as e:
+            print(f"[ERROR] ClientSecretAddon request failed: {e}")
+            pass
+        
+    async def response(self, flow: http.HTTPFlow):
         try:
             self.checker.response(flow)
         except Exception as e:
-            print(f"[ERROR] ClientSecretAddon failed: {e}")
+            print(f"[ERROR] ClientSecretAddon response failed: {e}")
             pass
         
 addons = [PKCEAddon(), ScopeAddon(), CsrfAddon(), NonceAddon(), ClientSecretAddon()]