Merge pull request #27 from j93es/gyu

[REFACTOR]: Access Token 탐지 조건 완화

.gitignore

@@ -9,6 +9,8 @@ wheels/
 # Virtual environments
 .venv
 
+.env
+
 data/
 
 

README.md

@@ -51,40 +51,44 @@ http://localhost:11081로 백엔드 서버가 열리게 됩니다.
 `./addon/init.py`
 
 ```py
-from example_check import Example
+...
-
+    async def request(self, flow: http.HTTPFlow):
-class LoggerAddon:
+        if false_true_varifing_task.is_verifing_false_true():
-    def __init__(self):
+            return
-        self.checker = Example()
-
-    def request(self, flow: http.HTTPFlow): # 비동기가 필요할 경우 async def로 할 것
-            self.checker.test(flow)
-    def response(self, flow: http.HTTPFlow): # 비동기가 필요할 경우 async def로 할 것
-        self.checker.test(flow)
 
+        tasks = [
+            try_catch(self.google_login_hint.request(flow)) if self.google_login_hint else None,
+            try_catch(PKCEDowngradeChecker().test(flow)),
+            try_catch(Example().test(flow))
+        ]
+        await asyncio.gather(*tasks)
+    ...
 ```
 
 `./addon/example.py`
 
 ```py
-import lib.target as target
+from lib.report_vuln import report_vuln
-from lib.report import save_report
 
 class Example:
     async def test(self, flow):
-        req = flow.request
-        method = req.method
         url = req.pretty_url
 
         # data/report.csv에 저장
-        report_data = [{
+        report_vuln(
-            'target': target.load(),
+            title="PKCE Plain Method",
-            'status': "CRITICAL",
+            desc="PKCE method is set to 'plain'. Possible downgrade.",
-            'title': "PKCE Downgrade Vulnerability",
+            status="CRITICAL",
-            'description': "PKCE downgrade vulnerability detected! Both URLs returned authorization code.",
+            uri=url,
-            'uri': f"Original: {url}\nDowngraded: {downgraded_url}"
+        )
-        }]
-        save_report(report_data)
 ```
 
 이러한 예제를 참고하여 작성하여주세요.
+
+# 백엔드 API DOCS
+
+`uv run main.py`으로 백엔드를 실행한 후에, 다음의 url에 접속합니다.
+
+```
+http://localhost:11081/redoc
+```

addon/ScopeDetection.py

@@ -1,53 +0,0 @@
-import lib.target as target
-from lib.report import save_report
-
-class ScopeDetection:
-    def get_scope_from_query(self, query: str) -> str | None:
-        if not query:
-            return None
-        import urllib.parse
-        parsed = urllib.parse.parse_qs(query)
-        scope_values = parsed.get("scope", [])
-        if scope_values:
-            return scope_values[0]
-        return None
-
-    async def check_scope(self, flow):
-        req = flow.request
-        res = flow.response
-
-        # req.query가 MultiDictView일 수 있으므로 문자열로 변환
-        if hasattr(req.query, "urlencode"):
-            query = req.query.urlencode()
-        else:
-            query = str(req.query) if req.query else ""
-
-        location = res.headers.get("location", "")
-
-        query_scope = self.get_scope_from_query(query)
-        location_scope = self.get_scope_from_query(location)
-
-        result = []
-        if query_scope in ["all", "*"]:
-            result.append(f"Scope value issue detected in request: {query_scope}")
-        if location_scope in ["all", "*"]:
-            result.append(f"Scope value issue detected in response location: {location_scope}")
-
-        return result if result else 0
-
-    async def test(self, flow):
-        req = flow.request
-        method = req.method
-        url = req.pretty_url
-
-        result = await self.check_scope(flow)
-
-        if result != 0:
-            report_data = [{
-                'target': target.load(),
-                'status': "WARNING",
-                'title': "OAuth scope value issue",
-                'description': f"{method} {url}: {', '.join(result)}",
-                'uri': url
-            }]
-            save_report(report_data)

addon/access_token.py

@@ -1,23 +1,10 @@
 import re
-from dataclasses import dataclass, asdict
+import asyncio
-from typing import List, Dict, Optional, Any
 
+from typing import Optional, Any
 from mitmproxy.http import HTTPFlow
-
+from urllib.parse import urlparse, parse_qs
-import lib.target as target
+from lib.report_vuln import report_vuln
-from lib.report import save_report
-
-# 결과 리포트 저장용 데이터 클래스
-@dataclass
-class TokenLeakResult:
-    title: str
-    description: str
-    uri: str
-    status: str = "MEDIUM" # 기본 상태
-
-    def to_report(self, target_value) -> Dict[str, str]:
-        """리포트 저장 포맷(dict)으로 변환"""
-        return {"target": target_value, **asdict(self)}
 
 
 # 요청/응답에서 액세스 토큰 노출 여부를 검사하는 스캐너
@@ -26,31 +13,24 @@ class AccessTokenScanner:
     async def scan(self, flow: HTTPFlow) -> None:
         """단일 HTTPFlow(request + response)에 대해 요청과 응답을 모두 검사."""
         print(f"[TOKENDEBUG] Request URL: {flow.request.url}")
-        findings: List[TokenLeakResult] = []
         
-        findings.extend(await self._scan_request(flow.request))
+        async_gather = []
-        findings.extend(await self._scan_response(flow.response, flow.request.url))
+        async_gather.append(self._scan_request(flow.request))
-
+        async_gather.append(self._scan_response(flow.response, flow.request.url))
-        if findings:
+        await asyncio.gather(*async_gather)
-            target_value = target.load()
-            save_report([f.to_report(target_value) for f in findings])
 
     # 내부 구현
-    async def _scan_request(self, request: Any) -> List[TokenLeakResult]:
+    async def _scan_request(self, request: Any):
-        results: List[TokenLeakResult] = []
         
         print("[TOKENDEBUG] ==scan request==")
         # URL 검사
-        token_result = self._extract_token(request.url)
+        if self._is_implicit_flow(request.url):
-        if token_result:
+            print("[TOKENDEBUG] OAuth Implicit Flow detected.")
-            token, has_bearer = token_result
+            report_vuln(
-            results.append(
-                TokenLeakResult(
                 title="Token Leak in Request URL",
-                    description=f"요청 URL에 토큰이 포함되어 있습니다 (앞 20자): {token[:20]}…",
+                desc="취약한 Grant Type입니다 (Implicit Grant Type)",
-                    uri=request.url,
+                status="MEDIUM",
-                    status="MEDIUM" if has_bearer else "LOW"
+                uri=request.url
-                )
             )
 
         # Body 검사 (텍스트 컨텐츠인 경우)
@@ -58,54 +38,40 @@ class AccessTokenScanner:
             body_text = request.get_text(strict=False)
             token_result = self._extract_token(body_text)
             if token_result:
-                token, has_bearer = token_result
+                report_vuln(
-                results.append(
-                    TokenLeakResult(
                     title="Token Leak in Request Body",
-                        description=f"요청 본문에 토큰이 포함되어 있습니다 (앞 20자): {token[:20]}…",
+                    desc=f"요청 본문에 토큰이 포함되어 있습니다 (앞 20자): {token_result[:20]}…",
-                        uri=request.url,
+                    status="LOW",
-                        status="MEDIUM" if has_bearer else "LOW"
+                    uri=request.url
-                    )
                 )
 
-        return results
+    async def _scan_response(self, response: Optional[Any], request_url: str):
-
-    async def _scan_response(self, response: Optional[Any], request_url: str) -> List[TokenLeakResult]:
         if response is None:
-            return []
+            return
 
-        results: List[TokenLeakResult] = []
         print("[TOKENDEBUG] ==scan response==")
         # Location 헤더 검사 (리다이렉트)
         if location_header := response.headers.get("Location"):
             token_result = self._extract_token(location_header)
             if token_result:
-                token, has_bearer = token_result
+                report_vuln(
-                if has_bearer:
-                    results.append(
-                        TokenLeakResult(
                     title="Token Leak in Redirect URL (Location header)",
-                            description=f"Location 헤더에 토큰이 노출되었습니다 (앞 20자): {token[:20]}…",
+                    desc=f"Location 헤더에 토큰이 노출되었습니다 (앞 20자): {token_result[:20]}…",
+                    status="MEDIUM",
                     uri=location_header,
                 )
-                    )
 
         # Body 검사 (텍스트 컨텐츠인 경우)
         if response.content:
             body_text = response.get_text(strict=False)
             token_result = self._extract_token(body_text)
             if token_result:
-                token, has_bearer = token_result
+                report_vuln(
-                if has_bearer:
-                    results.append(
-                        TokenLeakResult(
                     title="Token Leak in Response Body",
-                            description=f"응답 본문에 토큰이 노출되었습니다 (앞 20자): {token[:20]}…",
+                    desc=f"응답 본문에 토큰이 노출되었습니다 (앞 20자): {token_result[:20]}…",
+                    status="LOW",
                     uri=request_url,
                 )
-                    )
-
-        return results
 
     # 토큰 탐지 키워드드
     _TOKEN_KEYS = [
@@ -115,8 +81,6 @@ class AccessTokenScanner:
         "refreshtoken",
         "auth_token",
         "session_token",
-        "secret_token",
-        "ssoauth",
     ]
 
     # "bearer" 표시가 동시에 존재할 때만 토큰으로 판단하여 false positive를 줄임
@@ -150,6 +114,38 @@ class AccessTokenScanner:
             if (m := pattern.search(text)) and m.group(1):
                 print(f"[TOKENDEBUG] token: {m.group(1)}")
                 print(f"[TOKENDEBUG] has_bearer: {has_bearer}")
-                return m.group(1), has_bearer
+                if has_bearer:
+                    return m.group(1)
         print("[TOKENDEBUG] No matched.")
         return None
+
+    def _is_implicit_flow(self, request_url: str) -> bool:
+        """
+        URL의 파라미터에서 OAuth Implicit Flow 패턴을 체크합니다.
+        
+        Args:
+            request_url: 체크할 요청 URL
+            
+        Returns:
+            bool: client_id, redirect_uri, response_type이 모두 존재하고 
+                response_type 값이 'token'인 경우 True, 그렇지 않으면 False
+        """
+        try:
+            parsed_url = urlparse(request_url)
+            query_params = parse_qs(parsed_url.query)
+            
+            # 필요한 파라미터들이 모두 존재하는지 확인
+            required_params = ['redirect_uri', 'response_type']
+            
+            for param in required_params:
+                if param not in query_params:
+                    return False
+            
+            # response_type 값이 'token'인지 확인
+            response_type_values = query_params.get('response_type', [])
+            
+            # response_type 파라미터가 존재하고 값 중에 'token'이 있는지 확인
+            return 'token' in response_type_values or 'id_token' in response_type_values
+            
+        except Exception:
+            return False

addon/client_secret.py

@@ -0,0 +1,29 @@
+from lib.report_vuln import report_vuln
+from urllib.parse import urlparse, parse_qs
+
+class ClientSecret:
+    def get_target_from_query(self, query: str, target: str) -> str | None:
+        if not query:
+            return None
+        parsed = parse_qs(query)
+        scope_values = parsed.get(target, [])
+        if scope_values:
+            return scope_values[0]
+        return None
+
+    async def test(self, flow):
+        req = flow.request
+        
+        parsed = urlparse(req.pretty_url)
+        query = parsed.query
+
+        query_client_id = self.get_target_from_query(query, "client_id")
+        query_client_secret = self.get_target_from_query(query, "client_secret")
+        
+        if query_client_id and query_client_secret:
+            report_vuln(
+                title="OAuth Client Secret Exposure",
+                desc=f"Client ID and Secret found in request: {query_client_id}, {query_client_secret}",
+                status="CRITICAL",
+                uri=req.pretty_url
+            )

addon/csrf_check.py

@@ -1,26 +1,17 @@
 # csrf_check.py
-from mitmproxy import http, ctx
+from mitmproxy import http
 from urllib.parse import urlparse, parse_qs, unquote
 import httpx
 from typing import Optional, Union, List
 
-import lib.target as target
+from lib.report_vuln import report_vuln
-from lib.report import save_report
+from lib.utils.is_oauth_uri import is_oauth_uri
 
 class CsrfChecker:
     nonce_params = {
-        "state", "nonce", "as", "frame_id", "csrf_token", "csrf"
+        "state", "nonce", "csrf_token", "csrf"
     }
 
-    def is_oauth_uri(self, uri: str) -> bool:
-        qs = parse_qs(urlparse(uri).query)
-        qs_keys = [*qs]
-        
-        if "client_id" in qs_keys and any(p in qs_keys for p in (
-                "redirect_uri", "response_type", "grant_type", "scope", "state", "nonce")):
-            return True
-        return False
-
     def get_header(self, headers: http.Headers, name: str) -> Optional[str]:
         # mitmproxy Headers는 case-insensitive
         raw = headers.get(name)
@@ -40,7 +31,7 @@ class CsrfChecker:
     def is_oauth_redirect(self, flow: http.HTTPFlow) -> bool:
         code = flow.response.status_code
         loc = self.get_header(flow.response.headers, "location") or ""
-        return 300 <= code < 400 and self.is_oauth_uri(loc)
+        return 300 <= code < 400 and is_oauth_uri(loc)
 
     def check_nonce_in_request(self, flow: http.HTTPFlow) -> bool:
         qs = parse_qs(urlparse(flow.request.url).query)
@@ -74,7 +65,7 @@ class CsrfChecker:
     
     def check_redirect_nonce(self, flow: http.HTTPFlow) -> Union[List[str], int]:
         # ① OAuth URI, ② 요청에 nonce, ③ 리다이렉트 응답
-        if not (self.is_oauth_uri(flow.request.url)
+        if not (is_oauth_uri(flow.request.url)
                 and self.check_nonce_in_request(flow)
                 and self.is_oauth_redirect(flow)):
             return 0
@@ -85,18 +76,29 @@ class CsrfChecker:
         resp_nonce = self.get_query_param(loc, param) if param else None
 
         if resp_nonce is None:
-            return ["Missing nonce in redirect"]
+            report_vuln(
+                title="CSRF Risk", 
+                desc="Missing nonce in redirect response", 
+                status="CRITICAL", 
+                uri=flow.request.url
+            )
+            return 1
         if orig_nonce != resp_nonce:
-            return ["Nonce mismatch request↔response"]
+            report_vuln(
+                title="CSRF Risk", 
+                desc="Nonce mismatch request↔response", 
+                status="HIGH", 
+                uri=flow.request.url
+            )
+            return 1
 
         return 0
 
     async def check_nonce_reuse(self, flow: http.HTTPFlow) -> Union[int, List[str]]:
         # OAuth Request가 아니면서, OAuth 리다이렉트 응답인 경우만 검사
-        if self.is_oauth_uri(flow.request.url) or not self.is_oauth_redirect(flow):
+        if is_oauth_uri(flow.request.url) or not self.is_oauth_redirect(flow):
             return 0
         
-
         loc0 = self.get_header(flow.response.headers, "location") or ""
         param = self.find_nonce_param(loc0) or "state"
         qs0 = parse_qs(urlparse(loc0).query)
@@ -111,10 +113,16 @@ class CsrfChecker:
         if new_nonce is None:
             return 0
         if new_nonce == orig_nonce:
-            return ["Nonce reused without cookies"]
+            report_vuln(
+                title="CSRF Risk", 
+                desc="Nonce reused without cookies", 
+                status="CRITICAL", 
+                uri=flow.request.url
+            )
+            return 1
 
         # (2) 두 번의 리다이렉트 비교
-        async with httpx.AsyncClient(follow_redirects=False) as cli:
+        async with httpx.AsyncClient(follow_redirects=True) as cli:
             # 원본 쿼리
             req1 = await cli.get(loc0, params=qs0, headers=flow.request.headers)
             # nonce 교체 쿼리
@@ -127,42 +135,35 @@ class CsrfChecker:
             and urlparse(req1.headers.get("location", "")).path
             == urlparse(req2.headers.get("location", "")).path
         ):
-            return ["Identical redirects on nonce swap → potential CSRF"]
+            report_vuln(
+                title="CSRF Risk", 
+                desc="Identical redirects on nonce swap → potential CSRF", 
+                status="NOT-VERIFIED-HIGH", 
+                uri=flow.request.url
+            )
+            return 1
 
         return 0
 
     async def response(self, flow: http.HTTPFlow) -> None:
         try:
-            msgs: List[str] = []
 
             # 1) 요청에 nonce 없으면
-            if self.is_oauth_uri(flow.request.url) and not self.check_nonce_in_request(flow):
+            if is_oauth_uri(flow.request.url) and not self.check_nonce_in_request(flow):
-                msgs.append("Missing state/nonce in request")
+                report_vuln(
+                    title="CSRF Risk", 
+                    desc="Missing nonce in OAuth request", 
+                    status="CRITICAL", 
+                    uri=flow.request.url
+                )
+                return
 
             # 2) 리다이렉트에서 nonce 검사
             r1 = self.check_redirect_nonce(flow)
-            if r1:
-                msgs.extend(r1 if isinstance(r1, list) else [])
 
             # 3) nonce 재사용 검사
             r2 = await self.check_nonce_reuse(flow)
-            if r2:
-                msgs.extend(r2 if isinstance(r2, list) else [])
 
-            if msgs:
-                desc = " | ".join(msgs)
-                status = "MEDIUM"
-                report_data = [{
-                    'target': target.load(),
-                    'status': status,
-                    'title': "CSRF Risk",
-                    'description': desc,
-                    'uri': flow.request.url,
-                }]
-                save_report(report_data)
-                print(f"[INFO] CSRF Check: {desc}")
-            else:
-                pass
         except Exception as e:
             print(f"[ERROR] CSRF Check failed: {e}")
             return

addon/google_login_hint.py

@@ -44,8 +44,8 @@ class GoogleLoginHint:
                 
                 # 요청 URL 수정 - URL과 호스트 모두 업데이트
                 flow.request.url = new_url
-                flow.request.pretty_url = new_url
                 print(f"🔄 Modified URL: {new_url}")
+                
     def _is_google_oauth_url(self, url):
         """Google OAuth URL인지 확인"""
         google_oauth_domains = [

addon/google_response_type_token.py

@@ -0,0 +1,52 @@
+from lib.report_vuln import report_vuln
+import httpx
+from lib.utils.is_oauth_uri import is_oauth_uri
+from urllib.parse import urlparse, parse_qs
+
+class GoogleResponseTypeToken:
+    def get_taregt_from_query(self, query: str, target: str) -> str | None:
+        if not query:
+            return None
+        parsed = parse_qs(query)
+        scope_values = parsed.get(target, [])
+        if scope_values:
+            return scope_values[0]
+        return None
+
+    async def test(self, flow):
+        req = flow.request
+        
+        if not is_oauth_uri(req.pretty_url):
+            return
+        
+        if req.pretty_host != "accounts.google.com":
+            return
+        
+        if "response_type=token" in req.pretty_url:
+            return
+        
+        url = f"{req.pretty_url}".replace("response_type=code", "response_type=token")
+        
+        async with httpx.AsyncClient(follow_redirects=True) as cli:
+            response = await cli.request(
+                method=req.method,
+                url=url,
+                headers=req.headers,
+                content=req.get_content(),
+            )
+
+            
+        if response.status_code >= 400:
+            return
+        
+        if "<b>400.</b>" in response.text:
+            return
+        
+        if "response_type=token" in str(response.url):
+            report_vuln(
+                "Google Response Type Token",
+                f"Response type token allowed in {req.pretty_url}",
+                "HIGH",
+                str(response.url)
+            )
+            

addon/init.py

@@ -1,110 +1,93 @@
 from mitmproxy import http
 import asyncio
 from pkce_check import PKCEDowngradeChecker
-from ScopeDetection import ScopeDetection
+from addon.scope_detection import ScopeDetection
 from csrf_check import CsrfChecker
-from nonce_check import NonceChecker
+from client_secret import ClientSecret
-from redirect_uri_check import RedirectBypassChecker
+from addon.open_redirect_check import OpenRedirectChecker
 from access_token import AccessTokenScanner
-from GoogleLoginHint import GoogleLoginHint
+from addon.google_login_hint import GoogleLoginHint
+from addon.google_response_type_token import GoogleResponseTypeToken
 import os
 from dotenv import load_dotenv
+from lib.utils.try_catch import try_catch
+from lib.false_true_varifing_task import FalseTrueVarifingTask
+
+# Initialize the singleton task manager
+false_true_varifing_task = FalseTrueVarifingTask()
 
 load_dotenv(override=True)
 
-class PKCEAddon:
+_open_redirect_checker = OpenRedirectChecker()
-    def __init__(self):
-        self.checker = PKCEDowngradeChecker()
 
-    async def request(self, flow: http.HTTPFlow):
+class AddonBase:
-        print(
+    """
-            f"[DEBUG] Processing request: {flow.request.method} {flow.request.pretty_url}"
+    Base class for addons.
-        )
+    Each addon should implement its own request or response method.
-        try:
+    """
-            await self.checker.test(flow)
-        except Exception as e:
-            print(f"[ERROR] Addon failed: {e}")
-            pass
     
-            
-class CsrfAddon:
-    def __init__(self):
-        self.checker = CsrfChecker()
-
-    async def response(self, flow: http.HTTPFlow):
-        try:
-            await self.checker.response(flow)
-        except Exception as e:
-            print(f"[ERROR] CSRF Addon failed: {e}")
-            pass
-        
-        
-class ScopeAddon:
-    def __init__(self):
-        self.checker = ScopeDetection()
-        self._flow_map = {}  # 요청 정보를 저장
-
-    async def request(self, flow: http.HTTPFlow):
-        self._flow_map[flow.id] = {
-            "method": flow.request.method,
-            "url": flow.request.pretty_url,
-            "query": flow.request.query,
-        }
-
-    async def response(self, flow: http.HTTPFlow):
-        try:
-            await self.checker.test(flow)
-        except Exception as e:
-            print(f"[ERROR] ScopeDetection failed: {e}")
-
-class NonceAddon:
-    def __init__(self):
-        self.checker = NonceChecker()
-
-    async def response(self, flow: http.HTTPFlow):
-        try:
-            pass
-            # TODO id_token을 파싱하는 부분이 누락되어있습니다.
-            # await self.checker.check_nonce_in_id_token(flow)
-        except Exception as e:
-            print(f"[ERROR] NonceAddon failed: {e}")
-            pass
-
-class AccessTokenAddon:
-    def __init__(self):
-        self.checker = AccessTokenScanner()
-
-    async def response(self, flow: http.HTTPFlow):
-        try:
-            await self.checker.scan(flow)
-        except Exception as e:
-            print(f"[ERROR] AccessToken Addon failed: {e}")
-            pass
-
-class RedirectBypassAddon:
-    def __init__(self):
-        self.checker = RedirectBypassChecker()
-
-    # request 대신 response 로 바꿔 보세요:
-    async def response(self, flow: http.HTTPFlow):
-        try:
-            await self.checker.test(flow)
-        except Exception as e:
-            print(f"[ERROR] RedirectBypass Addon failed: {e}")
-
-class GoogleLoginHintAddon():
     def __init__(self) -> None:
         if os.getenv('GOOGLE_ID'):
-            self.checker = GoogleLoginHint()
+            self.google_login_hint = GoogleLoginHint()
         else:
-            self.checker = None
+            self.google_login_hint = None
+
+    def should_ignore(self, flow: http.HTTPFlow) -> bool:
+        """Check if the request should be ignored."""
+        ignore_domains = [
+            ".googleapis.com",
+            "android.clients.google.com",  # Added missing comma here
+            ".adtrafficquality.google",
+            ".googlesyndication.com",
+            "cdn.jsdelivr.net",
+            "update.googleapis.com",
+            ".google-analytics.com",
+            ".gstatic.com"
+        ]
+        # Ignore .googleapis.com domains
+        for domain in ignore_domains:
+            if domain in flow.request.pretty_host:
+                return True
+        
+        # Ignore static files (JS, CSS, fonts, images, etc.)
+        # Split on '?' to remove query parameters before checking extension
+        path = flow.request.path.split('?')[0].lower()
+        static_extensions = [
+            '.js', '.css', '.woff2', '.woff', '.ttf', '.otf', '.svg',
+            '.png', '.jpg', '.jpeg', '.gif', '.webp', '.ico', '.bmp',
+            '.tiff', '.tif', '.webm', '.mp4', '.avi', '.mov', '.pdf', '.md',
+            '.txt', '.csv'
+        ]
+        
+        if any(path.endswith(ext) for ext in static_extensions):
+            return True
+            
+        return False
 
     async def request(self, flow: http.HTTPFlow):
-        if self.checker is None:
+        if self.google_login_hint:
-            return
+            await try_catch(self.google_login_hint.request(flow))
-        try:
-            await self.checker.request(flow)
-        except Exception as e:
-            print(f"[ERROR] GoogleLoginHint Addon failed: {e}")
             
-addons = [PKCEAddon(), ScopeAddon(), CsrfAddon(), NonceAddon(), AccessTokenAddon(), RedirectBypassAddon(), GoogleLoginHintAddon()]
+        if false_true_varifing_task.is_verifing_false_true():
+            return
+            
+        tasks = [
+            try_catch(PKCEDowngradeChecker().test(flow)),
+        ]
+        await asyncio.gather(*tasks)
+
+    async def response(self, flow: http.HTTPFlow):
+        if false_true_varifing_task.is_verifing_false_true() or self.should_ignore(flow):
+            return
+            
+        tasks = [
+            try_catch(CsrfChecker().response(flow)),
+            try_catch(ScopeDetection().test(flow)),
+            try_catch(ClientSecret().test(flow)),
+            try_catch(AccessTokenScanner().scan(flow)),
+            try_catch(GoogleResponseTypeToken().test(flow)),
+            try_catch(_open_redirect_checker.test(flow)),
+        ]
+        await asyncio.gather(*tasks)
+
+addons = [AddonBase()]

addon/nonce_check.py

@@ -1,10 +1,8 @@
 import jwt
 from urllib.parse import urlparse, parse_qs
 from typing import Union
-import httpx
 
-import lib.target as target
+from lib.report_vuln import report_vuln
-from lib.report import save_report
 
 class NonceChecker:
     def is_oidc_flow(self, flow) -> bool:
@@ -72,17 +70,13 @@ class NonceChecker:
     def check_nonce_in_id_token(self, flow, id_token: str) -> bool:
         decoded = self.decode_id_token(id_token)
         nonce = decoded.get("nonce")
-        req = flow.request
-        url = req.pretty_url
         if not nonce:
-            report_data = [{
+            report_vuln(
-                'target': target.load(),
+                title="Nonce Check Failed",
-                'status': "CRITICAL",
+                desc="id_token에 nonce가 없습니다.",
-                'title': "nonce is missing in id_token",
+                status="HIGH",
-                'description': "Nonce is present in the request but missing in the id_token.",
+                uri=flow.request.url
-                'uri': f"Original: {url}\nDecoded ID Token: {decoded}",
+            )
-            }]
-            save_report(report_data)
             return False
         else:
             return True

addon/pkce_check.py

@@ -1,10 +1,7 @@
 from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
-import asyncio
 import httpx
 from typing import Dict, List
-
+from lib.report_vuln import report_vuln
-import lib.target as target
-from lib.report import save_report
 
 
 class PKCEDowngradeChecker:
@@ -58,27 +55,19 @@ class PKCEDowngradeChecker:
 
     async def report_missing_parameters(self, url: str, is_openid: bool):
         status = "MEDIUM" if is_openid else "LOW"
-        self.save(
+        report_vuln(
-            [
+            title="PKCE Parameters Missing",
-                self.make_report(
+            desc="PKCE parameters are missing or incomplete.",
-                    status,
+            status=status,
-                    "PKCE Parameters Missing",
+            uri=url,
-                    "PKCE parameters are missing or incomplete.",
-                    url,
-                )
-            ]
         )
 
     async def report_plain_method(self, url: str):
-        self.save(
+        report_vuln(
-            [
+            title="PKCE Plain Method",
-                self.make_report(
+            desc="PKCE method is set to 'plain'. Possible downgrade.",
-                    "CRITICAL",
+            status="CRITICAL",
-                    "PKCE Plain Method",
+            uri=url,
-                    "PKCE method is set to 'plain'. Possible downgrade.",
-                    url,
-                )
-            ]
         )
 
     def create_downgraded_url(self, parsed, query):
@@ -150,15 +139,11 @@ class PKCEDowngradeChecker:
         else:
             return  # Likely safe
 
-        self.save(
+        report_vuln(  
-            [
+            title=title,
-                self.make_report(
+            desc=description,
-                    status,
+            status=status,
-                    title,
+            uri=f"Original: {original_url}\nDowngraded: {downgraded_url}",
-                    description,
-                    f"Original: {original_url}\nDowngraded: {downgraded_url}",
-                )
-            ]
         )
 
     def same_redirect_destination(self, orig_loc, down_loc):
@@ -166,16 +151,3 @@ class PKCEDowngradeChecker:
         down = urlparse(down_loc)
         return orig.netloc == down.netloc and orig.path == down.path
 
-    def make_report(
-        self, status: str, title: str, description: str, uri: str
-    ) -> Dict[str, str]:
-        return {
-            "target": target.load(),
-            "status": status,
-            "title": title,
-            "description": description,
-            "uri": uri,
-        }
-
-    def save(self, report_data: List[Dict[str, str]]):
-        save_report(report_data)

addon/redirect_uri_check.py

@@ -1,202 +0,0 @@
-from mitmproxy import http
-import aiohttp
-from urllib.parse import urlparse, parse_qs, urlencode, urlunparse  
-import lib.target as target  
-from lib.report import save_report 
-
-class BypassPayload:
-    """ 우회 패턴 정의 """
-    def __init__(self, name: str, mutate_func, description: str):
-        self.name = name
-        self.mutate = mutate_func #우회 url 만드는 함수
-        self.description = description
-
-
-class RedirectBypassChecker:
-    def __init__(self):
-        """ 우회 페이로드 목록 """
-        self.bypass_payloads = [
-            BypassPayload(
-                name=r"@",
-                mutate_func=self._mutate_pattern1,
-                description=r"@ 기호를 이용한 호스트 우회 공격: evil.com@target.com"
-            ),
-            
-        ]
-        self.session = None
-
-    """ 우회 URL 생성 목록 """
-    # 1. @
-    def _mutate_pattern1(self, original: str) -> str:
-        parsed = urlparse(original)
-        mutated = f"https://evil.com@{parsed.netloc}{parsed.path}"
-        print(f"[redirect_uri_check] original: {original} → mutated: {mutated}")
-        return mutated
-
-    '''aiohttp 세션 생성 (재사용)'''
-    async def _get_session(self):
-        if self.session is None:
-            timeout = aiohttp.ClientTimeout(total=10)
-            self.session = aiohttp.ClientSession(timeout=timeout)
-        return self.session
-
-    '''세션 정리'''
-    async def close_session(self):
-        if self.session:
-            await self.session.close()
-            self.session = None
-
-    """ 우회된 URL에 GET 요청을 보내고, 서버 응답 정보 반환 """
-    async def _send_request(self, url, headers=None):
-        try:
-            session = await self._get_session() # 세션 준비
-            request_headers = headers or {} # 요청 헤더 설정 - headers가 주어지지 않았다면 빈 딕셔너리 사용
-            
-            # 서버에 GET 요청 전송 
-            async with session.get(url, allow_redirects=False, headers=request_headers) as response:
-                return {
-                    'status': response.status,
-                    'location': response.headers.get("Location", ""),
-                    'headers': dict(response.headers)
-                }
-        except Exception as e:
-            print(f"[ERROR] 요청 실패 ({url}): {e}")
-            return {'status': 500, 'location': '', 'headers': {}}
-
-    """ redirect_uri가 기준 도메인(baseUrl)에 속하는지 판단 """
-    def _is_baseline_valid(self, redirect_uri: str, base_url: str) -> bool:
-        try:
-            redirect_parsed = urlparse(redirect_uri)
-            base_parsed = urlparse(base_url)
-            
-            redirect_host = redirect_parsed.hostname
-            base_host = base_parsed.hostname
-            
-            if not redirect_host or not base_host:
-                return False
-            
-            if "@" in redirect_uri:
-                if redirect_host != base_host:
-                    print(f"[ALERT] 우회 공격 탐지: {redirect_host} != {base_host}")
-                    return False
-                
-                at_parts = redirect_uri.split('@')
-                if len(at_parts) > 1:
-                    before_at = at_parts[0]
-                    if '//' in before_at:
-                        potential_domain = before_at.split('//')[-1]
-                        if '.' in potential_domain and potential_domain != base_host:
-                            print(f"[CRITICAL] @ 우회 공격: {potential_domain}@{base_host}")
-                            return False
-            
-            is_valid = (redirect_host == base_host or redirect_host.endswith(f".{base_host}"))
-            return is_valid
-            
-        except Exception as e:
-            print(f"[ERROR] 도메인 검증 실패: {e}")
-            return False
-        
-    """ Location 헤더에서 authorization code 추출 """    
-    def _extract_code_from_location(self, location: str) -> str:
-        if not location:
-            return ""
-        
-        try:
-            parsed = urlparse(location)
-            query = parse_qs(parsed.query)
-            return query.get('code', [''])[0]
-        except:
-            return ""
-
-    """ 메인 테스트 함수 - mitmproxy flow 처리 """
-    async def test(self, flow: http.HTTPFlow):
-        url = flow.request.pretty_url
-        parsed = urlparse(url)
-        query = parse_qs(parsed.query)
-
-        if "redirect_uri" not in query:
-            return
-
-        original_redirect_uri = query["redirect_uri"][0]
-        print(f"[DEBUG] 원본 redirect_uri: {original_redirect_uri}")
-
-        for payload in self.bypass_payloads:
-            try:
-                await self._test_bypass_pattern(
-                    url, query, parsed, original_redirect_uri, payload, headers={}
-                )
-            except Exception as e:
-                print(f"[ERROR] 우회 패턴 테스트 실패 ({payload.name}): {e}")
-                continue
-
-    """ 개별 우회 패턴 테스트 """
-    async def _test_bypass_pattern(self, original_url, query, parsed_url, original_redirect_uri, payload, headers):
-        
-        print(f"[SCAN] 우회 패턴 테스트: {payload.name}")
-        
-        # 우회 URL 생성
-        bypassed_uri = payload.mutate(original_redirect_uri)
-        
-        # 새로운 쿼리 파라미터 구성
-        modified_query = query.copy()
-        modified_query["redirect_uri"] = [bypassed_uri]
-        new_query_string = urlencode(modified_query, doseq=True)
-        test_url = urlunparse(parsed_url._replace(query=new_query_string))
-        
-        # 요청 전송
-        response = await self._send_request(test_url, headers)
-
-        # 응답 분석
-        await self._analyze_response(original_url, test_url, bypassed_uri, response, payload)
-
-    """ 응답 분석 및 취약점 판단 """
-    async def _analyze_response(self, original_url, test_url, bypassed_uri, response, payload):
-        status = response['status']
-        location = response['location']
-        
-        # 리다이렉트 응답이 아니면 스킵
-        if status not in [301, 302, 303, 307, 308]:
-            return
-            
-        # Location 헤더에서 code 추출
-        auth_code = self._extract_code_from_location(location)
-        
-        if auth_code and not self._is_baseline_valid(bypassed_uri, original_url):
-            # 취약점 발견 시에만 로그
-            print(f"[🎯 VULNERABILITY] {payload.name} 우회 성공!")
-            await self._report_vulnerability(original_url, test_url, bypassed_uri, location, auth_code, payload)
-
-
-    """ 취약점 보고서 생성 """
-    async def _report_vulnerability(self, original_url, test_url, bypassed_uri, location, auth_code, payload):
-        # payload가 문자열인지 객체인지 확인
-        if hasattr(payload, 'name'):
-            pattern_name = payload.name
-            pattern_description = payload.description
-        else:
-            pattern_name = str(payload)
-            pattern_description = "Unknown bypass pattern"
-            
-        description = (
-            f"Redirect URI 우회 취약점 발견!\n\n"
-            f"-- 상세 정보 --:\n"
-            f"• 우회 패턴: {pattern_name}\n"
-            f"• 설명: {pattern_description}\n"
-            f"• 원본 URL: {original_url}\n"
-            f"• 우회된 redirect_uri: {bypassed_uri}\n"
-            f"• 테스트 URL: {test_url}\n"
-            f"• 리다이렉트 위치: {location}\n"
-            f"• 발급된 인가 코드: {auth_code[:10]}...\n\n"
-        )
-        
-        report_data = [{
-            "target": target.load(),
-            "status": "CRITICAL",  
-            "title": "Redirect URI Bypass Vulnerability",
-            "description": description,
-            "uri": test_url  # uri 필드 추가
-        }]
-        
-        save_report(report_data)
-        print(f"[🎯 CRITICAL] Redirect URI 우회 취약점 발견 및 보고 완료!")
-        print(f"[INFO] 패턴: {pattern_name}, 우회 URI: {bypassed_uri}")

addon/scope_detection.py

@@ -0,0 +1,32 @@
+from lib.report_vuln import report_vuln
+from lib.utils.is_oauth_uri import is_oauth_uri
+from urllib.parse import urlparse, parse_qs
+
+class ScopeDetection:
+    def get_scope_from_query(self, query: str) -> str | None:
+        if not query:
+            return None
+        parsed = parse_qs(query)
+        scope_values = parsed.get("scope", [])
+        if scope_values:
+            return scope_values[0]
+        return None
+
+    async def test(self, flow):
+        if not is_oauth_uri(flow.request.pretty_url):
+            return
+        
+        req = flow.request
+
+        parsed = urlparse(req.pretty_url)
+        query = parsed.query
+
+        query_scope = self.get_scope_from_query(query)
+
+        if query_scope in ["all", "*"]:
+            report_vuln(
+                title="OAuth Scope Value Issue",
+                desc=f"Scope value issue detected in request: {query_scope}",
+                status="WARNING",
+                uri=req.pretty_url
+            )

lib/false_true_varifing_task.py

@@ -0,0 +1,65 @@
+from typing import Any
+from copy import deepcopy
+
+class FalseTrueVarifingTask:
+    """
+    A singleton class representing a task that can be either false or true.
+    This class is used to handle tasks that require verification of their truth value.
+    """
+    
+    _instance = None
+
+    def __new__(cls):
+        if cls._instance is None:
+            cls._instance = super(FalseTrueVarifingTask, cls).__new__(cls)
+            cls._instance._initialized = False
+        return cls._instance
+
+    def __init__(self):
+        if self._initialized:
+            return
+        self._is_verifing = False
+        self.task_queue = []
+        self._initialized = True
+
+    def reset(self):
+        """
+        Reset the task queue and verification status.
+        """
+        self._is_verifing = False
+        self.task_queue.clear()
+        
+    # 각 addon의 검증 로직에서 해당 함수를 호출하여, 추후 오탐 검증을 위한 작업을 추가할 수 있습니다.
+    # TODO: 모델 지정해두기
+    def add_task(self, task_name: str, initial_uri: str, data: Any):
+        """
+        Add a task to the task queue.
+        :param task: The task to be added.
+        """
+        self.task_queue.append(
+            {
+                "task_name": task_name,
+                "initial_uri": initial_uri,
+                "data": data
+            }
+        )
+        
+    def start_verification(self):
+        """
+        Start the verification process for the tasks in the queue.
+        """
+        self._is_verifing = True
+    
+    def get_task_queue(self):
+        """
+        Get a copy of the current task queue.
+        :return: A copy of the task queue.
+        """
+        return deepcopy(self.task_queue)
+        
+    def is_verifing_false_true(self):
+        """
+        Get the current verification status.
+        :return: True if verification is in progress, False otherwise.
+        """
+        return self._is_verifing

lib/report_vuln.py

@@ -1,14 +1,16 @@
 # save as data/report.csv
 import os
 import csv
-from typing import List, Dict, Any
+from mitmproxy import http
+import lib.cur_target_url as cur_target_url
 
 # target, status, title, description, uri
 
 # file path는 'data/report.csv'로 고정
-def save_report(report_data: List[Dict[str, Any]], file_path: str = 'data/report.csv') -> None:
+def report_vuln(title: str, desc: str, status: str, uri: str) -> None:
-    os.makedirs(os.path.dirname(file_path), exist_ok=True)
+    file_path: str = 'data/report.csv'
     
+    os.makedirs(os.path.dirname(file_path), exist_ok=True)
 
     """
     report_data 안의 각 레포트를 한 줄씩 CSV에 추가로 저장합니다.
@@ -23,10 +25,10 @@ def save_report(report_data: List[Dict[str, Any]], file_path: str = 'data/report
         if not file_exists:
             writer.writeheader()
 
-        for row in report_data:
+        writer.writerow({
-            # None 방지 & 줄바꿈 이스케이프
+            'target': cur_target_url.load(),
-            escaped = {
+            'status': status,
-                k: str(v).replace('\n', '\\n') if v is not None else ''
+            'title': title,
-                for k, v in row.items()
+            'description': desc,
-            }
+            'uri': uri,
-            writer.writerow(escaped)
+        })

lib/utils/is_oauth_uri.py

@@ -0,0 +1,10 @@
+from urllib.parse import urlparse, parse_qs
+
+def is_oauth_uri(uri: str) -> bool:
+    qs = parse_qs(urlparse(uri).query)
+    qs_keys = [*qs]
+    
+    if "client_id" in qs_keys and any(p in qs_keys for p in (
+            "redirect_uri", "response_type", "grant_type", "scope", "state", "nonce")):
+        return True
+    return False

lib/utils/try_catch.py

@@ -0,0 +1,5 @@
+async def try_catch(coro):
+    try:
+        return await coro
+    except Exception as e:
+        print(f"[ERROR] {coro} failed: {e}")

runner/backend/__init__.py

@@ -1,17 +1,107 @@
 from fastapi import FastAPI, Query, HTTPException
 from fastapi.responses import Response
-import lib.target as target
+import lib.cur_target_url as cur_target_url
+from lib.false_true_varifing_task import FalseTrueVarifingTask
+from pydantic import BaseModel, Field
+from lib.report_vuln import report_vuln as save_vuln
+
+# Initialize the singleton task manager
+false_true_varifing_task = FalseTrueVarifingTask()
 
 app = FastAPI()
 
 
-@app.post("/start")
+
-async def start(url: str = Query(None)):
+@app.post(
-    if url:
+    "/start",
-        target.save(url)
+    summary="취약점 검증을 위한 대상 URL 설정",
-        print(f"Target URL set to: {url}")
+    description="""
+이 엔드포인트는 시스템이 취약점 검증 작업에 사용할 대상 URL을 설정합니다.
+
+유효한 URL이 제공되면:
+- 해당 URL이 저장됩니다.
+- 검증 작업 큐가 초기화됩니다.
+- 새로운 검증 작업을 시작할 준비가 완료됩니다.
+
+URL이 제공되지 않으면, 오류가 반환됩니다.
+"""
+,
+    tags=["1st STEP"]
+)
+async def start(url: str = Query(..., description="The URL to target for vulnerability verification")):
+    cur_target_url.save(url)
+    false_true_varifing_task.reset()
     return {"message": f"Target URL set to: {url}"}
-    return {"error": "No URL provided"}
+
+
+
+
+
+
+@app.post(
+    "/start-false-true-verifing",
+    summary="시스템에 오탐 검증 작업 시작을 알림",
+    description="""
+이 엔드포인트는 시스템에 오탐 검증 작업이 시작되었음을 알립니다.
+또한 시스템은 미리 준비된 오탐 검증 작업 목록을 반환합니다.
+
+```json
+{
+    "payload": [
+        {
+            "task_name": "pkce_task",                   # 검증 작업의 이름
+            "initial_uri": "http://auth.example.com",   # browser가 처음 접속할 URI
+            "data": any                                 # 추가 데이터
+        },
+        ...
+    ]
+}
+```
+""",
+    tags=["2nd STEP"]
+   )
+async def start_false_true_verifing():
+    false_true_varifing_task.start_verification()
+    task_queue = false_true_varifing_task.get_task_queue()
+    return {"payload": task_queue}
+    
+
+
+
+
+
+class VulnerabilityReport(BaseModel):
+    title: str = Field(..., description="Short title for the vulnerability")
+    url: str = Field(..., description="URL where the vulnerability was discovered")
+    status: str = Field(..., description="Status of the vulnerability (e.g., VERIFIED-CRITICAL)")
+    desc: str = Field(..., description="Detailed description of the issue")
+
+@app.post(
+    "/report-vuln",
+    summary="취약점 보고",
+    description="""
+정탐인 취약점을 시스템에 보고합니다.  
+보고 시 다음 정보를 포함해야 합니다:
+
+- **title**: 취약점의 간단한 이름
+- **url**: 취약점이 발견된 위치 (URL)
+- **status**: 심각도
+- **desc**: 취약점에 대한 상세 설명
+""",
+    tags=["3rd STEP"]
+)
+async def report_vuln(vuln: VulnerabilityReport):
+    save_vuln(
+        title=vuln.title,
+        desc=vuln.desc,
+        status=vuln.status,
+        uri=vuln.url
+    )
+    
+    return {"message": "Vulnerability reported successfully"}
+
+
+
 
 
 @app.exception_handler(404)