client_secret 검증(query,body,header)

2026-06-04 05:51:51 +09:00 · 2025-06-09 21:37:34 +09:00 · 2025-06-09 21:37:34 +09:00 · cba2d545b6
commit cba2d545b6
parent 69268f0a9a
2 changed files with 77 additions and 1 deletions
--- a/addon/cleintsecret_check.py
+++ b/addon/cleintsecret_check.py
@ -0,0 +1,64 @@
+# client_secret_check.py
+from mitmproxy import http, ctx
+from urllib.parse import urlparse, parse_qs
+from typing import Optional, List
+import lib.target as target
+from lib.report import save_report
+
+
+class ClientSecretChecker:
+    def is_oauth_uri(self, uri: str) -> bool:
+        qs = parse_qs(urlparse(uri).query)
+        keys = qs.keys()
+        return "client_id" in keys and ("client_secret" in keys or "client_secret" in uri)
+
+    def has_client_secret_in_uri(self, uri: str) -> bool:
+        qs = parse_qs(urlparse(uri).query)
+        return "client_secret" in qs
+
+    def is_post_with_client_secret(self, flow: http.HTTPFlow) -> bool:
+        if flow.request.method != "POST":
+            return False
+        content_type = flow.request.headers.get("Content-Type", "")
+        if "application/x-www-form-urlencoded" in content_type:
+            body = parse_qs(flow.request.get_text())
+            return "client_secret" in body
+        return False
+
+    def is_exposed_in_referer(self, flow: http.HTTPFlow) -> bool:
+        referer = flow.request.headers.get("Referer", "")
+        return "client_secret" in referer
+
+    def check_client_secret_leak(self, flow: http.HTTPFlow) -> List[str]:
+        messages = []
+
+        if self.has_client_secret_in_uri(flow.request.url):
+            messages.append("client_secret found in URL query string")
+
+        if self.is_post_with_client_secret(flow):
+            messages.append("client_secret found in POST body")
+
+        if self.is_exposed_in_referer(flow):
+            messages.append("client_secret exposed in Referer header")
+
+        return messages
+
+    def response(self, flow: http.HTTPFlow) -> None:
+        try:
+            if not self.is_oauth_uri(flow.request.url):
+                return
+
+            issues = self.check_client_secret_leak(flow)
+            if issues:
+                desc = " | ".join(issues)
+                report_data = [{
+                    'target': target.load(),
+                    'status': "HIGH",
+                    'title': "OAuth Client Secret Exposure",
+                    'description': desc,
+                    'uri': flow.request.url,
+                }]
+                save_report(report_data)
+                print(f"[INFO] Client Secret Check: {desc}")
+        except Exception as e:
+            print(f"[ERROR] Client Secret Check failed: {e}")
--- a/addon/init.py
+++ b/addon/init.py
@ -4,6 +4,7 @@ from pkce_check import PKCEDowngradeChecker
 from ScopeDetection import ScopeDetection
 from csrf_check import CsrfChecker
 from nonce_check import NonceChecker
+from cleintsecret_check import ClientSecretChecker

 class PKCEAddon:
    def __init__(self):
@ -61,4 +62,15 @@ class NonceAddon:
            print(f"[ERROR] NonceAddon failed: {e}")
            pass
        
-addons = [PKCEAddon(), ScopeAddon(), CsrfAddon(), NonceAddon()]
+class ClientSecretAddon:
+    def __init__(self):
+        self.checker = ClientSecretChecker()
+
+    async def request(self, flow: http.HTTPFlow):
+        try:
+            self.checker.response(flow)
+        except Exception as e:
+            print(f"[ERROR] ClientSecretAddon failed: {e}")
+            pass
+        
+addons = [PKCEAddon(), ScopeAddon(), CsrfAddon(), NonceAddon(), ClientSecretAddon()]