whs-authz-authn/oauth-backend
1
0
Fork 0
mirror of https://github.com/j93es/oauth-backend.git synced 2026-06-04 05:31:51 +09:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

base: whs-authz-authn:main
Branches Tags
whs-authz-authn:main
whs-authz-authn:gyu
whs-authz-authn:removal/google-login-hint
whs-authz-authn:fix/access-token
whs-authz-authn:feat/ignore
whs-authz-authn:refactor/access-token
whs-authz-authn:chore/env
whs-authz-authn:hotfix/google-login-hint
whs-authz-authn:readme
whs-authz-authn:feat/google-login-hint
whs-authz-authn:nonce_check
whs-authz-authn:tk
whs-authz-authn:feature/access-token
whs-authz-authn:imnyang
whs-authz-authn:yeon
..
compare: whs-authz-authn:readme
Branches Tags
whs-authz-authn:main
whs-authz-authn:gyu
whs-authz-authn:removal/google-login-hint
whs-authz-authn:fix/access-token
whs-authz-authn:feat/ignore
whs-authz-authn:refactor/access-token
whs-authz-authn:chore/env
whs-authz-authn:hotfix/google-login-hint
whs-authz-authn:readme
whs-authz-authn:feat/google-login-hint
whs-authz-authn:nonce_check
whs-authz-authn:tk
whs-authz-authn:feature/access-token
whs-authz-authn:imnyang
whs-authz-authn:yeon

No commits in common. "main" and "readme" have entirely different histories.
main ... readme

22 changed files with 570 additions and 2285 deletions
Download patch file Download diff file Expand all files Collapse all files

2
.env
View file

@ -1,2 +1,2 @@
# Google OAuth 설정
GOOGLE_ID=whs.imnya.ng@gmail.com
GOOGLE_ID=bot.imnya.ng@gmail.com

2
.env.example Normal file
View file

@ -0,0 +1,2 @@
# Google OAuth 설정
GOOGLE_ID=bot.imnya.ng@gmail.com

2
.gitignore vendored
View file

@ -9,8 +9,6 @@ wheels/
# Virtual environments
.venv
.env
data/

65
README.md
View file

@ -20,23 +20,6 @@ venv와 패키지가 설치가 됩니다.
입력하지 않는다면 Google OAuth시 자동적으로 넘어가지 않을 수도 있습니다.
---
> [oauth-backend](https://github.com/j93es/oauth-backend) 프록시를 사용한다면 이 가이드에 따라 인증서 또한 설정되어야만 합니다.
>
> 그렇지 않으면 실행되지 않습니다.
>
> 윈도우 환경에서는 `sudo certutil -addstore root mitmproxy-ca-cert.cer`로 인증합니다.
>
> Sudo가 활성화되어있지 않은 환경에서는 관리자로 상향된 쉘에서 실행합니다.
>
> MacOS 환경에서는 `sudo security add-trusted-cert -d -p ssl -p basic -k /Library/Keychains/System.keychain ~/.mitmproxy/mitmproxy-ca-cert.pem`으로 인증합니다.
>
> 다른 플렛폼은 수동으로 설정되어야만 합니다.
> https://docs.mitmproxy.org/stable/concepts/certificates/
---
# 실행 방법
```
@ -51,44 +34,40 @@ http://localhost:11081로 백엔드 서버가 열리게 됩니다.
`./addon/init.py`
```py
...
async def request(self, flow: http.HTTPFlow):
if false_true_varifing_task.is_verifing_false_true():
return
from example_check import Example
class LoggerAddon:
def __init__(self):
self.checker = Example()
def request(self, flow: http.HTTPFlow): # 비동기가 필요할 경우 async def로 할 것
self.checker.test(flow)
def response(self, flow: http.HTTPFlow): # 비동기가 필요할 경우 async def로 할 것
self.checker.test(flow)
tasks = [
try_catch(self.google_login_hint.request(flow)) if self.google_login_hint else None,
try_catch(PKCEDowngradeChecker().test(flow)),
try_catch(Example().test(flow))
]
await asyncio.gather(*tasks)
...
```
`./addon/example.py`
```py
from lib.report_vuln import report_vuln
import lib.target as target
from lib.report import save_report
class Example:
async def test(self, flow):
req = flow.request
method = req.method
url = req.pretty_url
# data/report.csv에 저장
report_vuln(
title="PKCE Plain Method",
desc="PKCE method is set to 'plain'. Possible downgrade.",
status="CRITICAL",
uri=url,
)
report_data = [{
'target': target.load(),
'status': "CRITICAL",
'title': "PKCE Downgrade Vulnerability",
'description': "PKCE downgrade vulnerability detected! Both URLs returned authorization code.",
'uri': f"Original: {url}\nDowngraded: {downgraded_url}"
}]
save_report(report_data)
```
이러한 예제를 참고하여 작성하여주세요.
# 백엔드 API DOCS
`uv run main.py`으로 백엔드를 실행한 후에, 다음의 url에 접속합니다.
```
http://localhost:11081/redoc
```

8
addon/google_login_hint.py → addon/GoogleLoginHint.py
View file

@ -1,3 +1,5 @@
import lib.target as target
from lib.report import save_report
import os
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
from dotenv import load_dotenv
@ -14,6 +16,7 @@ class GoogleLoginHint:
async def request(self, flow):
"""Google OAuth 요청을 가로채서 login_hint를 추가하거나 수정"""
req = flow.request
method = req.method
url = req.pretty_url
# Google OAuth 인증 URL인지 확인
@ -42,10 +45,11 @@ class GoogleLoginHint:
parsed_url.fragment
))
# 요청 URL 수정 - URL과 호스트 모두 업데이트
flow.request.url = new_url
# 요청 URL 수정
flow.request.pretty_url = new_url
print(f"🔄 Modified URL: {new_url}")
def _is_google_oauth_url(self, url):
"""Google OAuth URL인지 확인"""
google_oauth_domains = [

53
addon/ScopeDetection.py Normal file
View file

@ -0,0 +1,53 @@
import lib.target as target
from lib.report import save_report
class ScopeDetection:
def get_scope_from_query(self, query: str) -> str | None:
if not query:
return None
import urllib.parse
parsed = urllib.parse.parse_qs(query)
scope_values = parsed.get("scope", [])
if scope_values:
return scope_values[0]
return None
async def check_scope(self, flow):
req = flow.request
res = flow.response
# req.query가 MultiDictView일 수 있으므로 문자열로 변환
if hasattr(req.query, "urlencode"):
query = req.query.urlencode()
else:
query = str(req.query) if req.query else ""
location = res.headers.get("location", "")
query_scope = self.get_scope_from_query(query)
location_scope = self.get_scope_from_query(location)
result = []
if query_scope in ["all", "*"]:
result.append(f"Scope value issue detected in request: {query_scope}")
if location_scope in ["all", "*"]:
result.append(f"Scope value issue detected in response location: {location_scope}")
return result if result else 0
async def test(self, flow):
req = flow.request
method = req.method
url = req.pretty_url
result = await self.check_scope(flow)
if result != 0:
report_data = [{
'target': target.load(),
'status': "WARNING",
'title': "OAuth scope value issue",
'description': f"{method} {url}: {', '.join(result)}",
'uri': url
}]
save_report(report_data)

126
addon/access_token.py
View file

@ -1,10 +1,23 @@
import re
import asyncio
from dataclasses import dataclass, asdict
from typing import List, Dict, Optional, Any
from typing import Optional, Any
from mitmproxy.http import HTTPFlow
from urllib.parse import urlparse, parse_qs
from lib.report_vuln import report_vuln
import lib.target as target
from lib.report import save_report
# 결과 리포트 저장용 데이터 클래스
@dataclass
class TokenLeakResult:
title: str
description: str
uri: str
status: str = "MEDIUM" # 기본 상태
def to_report(self, target_value) -> Dict[str, str]:
"""리포트 저장 포맷(dict)으로 변환"""
return {"target": target_value, **asdict(self)}
# 요청/응답에서 액세스 토큰 노출 여부를 검사하는 스캐너
@ -13,24 +26,31 @@ class AccessTokenScanner:
async def scan(self, flow: HTTPFlow) -> None:
"""단일 HTTPFlow(request + response)에 대해 요청과 응답을 모두 검사."""
print(f"[TOKENDEBUG] Request URL: {flow.request.url}")
findings: List[TokenLeakResult] = []
async_gather = []
async_gather.append(self._scan_request(flow.request))
async_gather.append(self._scan_response(flow.response, flow.request.url))
await asyncio.gather(*async_gather)
findings.extend(await self._scan_request(flow.request))
findings.extend(await self._scan_response(flow.response, flow.request.url))
if findings:
target_value = target.load()
save_report([f.to_report(target_value) for f in findings])
# 내부 구현
async def _scan_request(self, request: Any):
async def _scan_request(self, request: Any) -> List[TokenLeakResult]:
results: List[TokenLeakResult] = []
print("[TOKENDEBUG] ==scan request==")
# URL 검사
if self._is_implicit_flow(request.url):
print("[TOKENDEBUG] OAuth Implicit Flow detected.")
report_vuln(
token_result = self._extract_token(request.url)
if token_result:
token, has_bearer = token_result
results.append(
TokenLeakResult(
title="Token Leak in Request URL",
desc="취약한 Grant Type입니다 (Implicit Grant Type)",
status="MEDIUM",
uri=request.url
description=f"요청 URL에 토큰이 포함되어 있습니다 (앞 20자): {token[:20]}",
uri=request.url,
status="MEDIUM" if has_bearer else "LOW"
)
)
# Body 검사 (텍스트 컨텐츠인 경우)
@ -38,40 +58,54 @@ class AccessTokenScanner:
body_text = request.get_text(strict=False)
token_result = self._extract_token(body_text)
if token_result:
report_vuln(
token, has_bearer = token_result
results.append(
TokenLeakResult(
title="Token Leak in Request Body",
desc=f"요청 본문에 토큰이 포함되어 있습니다 (앞 20자): {token_result[:20]}",
status="LOW",
uri=request.url
description=f"요청 본문에 토큰이 포함되어 있습니다 (앞 20자): {token[:20]}",
uri=request.url,
status="MEDIUM" if has_bearer else "LOW"
)
)
async def _scan_response(self, response: Optional[Any], request_url: str):
if response is None:
return
return results
async def _scan_response(self, response: Optional[Any], request_url: str) -> List[TokenLeakResult]:
if response is None:
return []
results: List[TokenLeakResult] = []
print("[TOKENDEBUG] ==scan response==")
# Location 헤더 검사 (리다이렉트)
if location_header := response.headers.get("Location"):
token_result = self._extract_token(location_header)
if token_result:
report_vuln(
token, has_bearer = token_result
if has_bearer:
results.append(
TokenLeakResult(
title="Token Leak in Redirect URL (Location header)",
desc=f"Location 헤더에 토큰이 노출되었습니다 (앞 20자): {token_result[:20]}",
status="MEDIUM",
description=f"Location 헤더에 토큰이 노출되었습니다 (앞 20자): {token[:20]}",
uri=location_header,
)
)
# Body 검사 (텍스트 컨텐츠인 경우)
if response.content:
body_text = response.get_text(strict=False)
token_result = self._extract_token(body_text)
if token_result:
report_vuln(
token, has_bearer = token_result
if has_bearer:
results.append(
TokenLeakResult(
title="Token Leak in Response Body",
desc=f"응답 본문에 토큰이 노출되었습니다 (앞 20자): {token_result[:20]}",
status="LOW",
description=f"응답 본문에 토큰이 노출되었습니다 (앞 20자): {token[:20]}",
uri=request_url,
)
)
return results
# 토큰 탐지 키워드드
_TOKEN_KEYS = [
@ -81,6 +115,8 @@ class AccessTokenScanner:
"refreshtoken",
"auth_token",
"session_token",
"secret_token",
"ssoauth",
]
# "bearer" 표시가 동시에 존재할 때만 토큰으로 판단하여 false positive를 줄임
@ -114,38 +150,6 @@ class AccessTokenScanner:
if (m := pattern.search(text)) and m.group(1):
print(f"[TOKENDEBUG] token: {m.group(1)}")
print(f"[TOKENDEBUG] has_bearer: {has_bearer}")
if has_bearer:
return m.group(1)
return m.group(1), has_bearer
print("[TOKENDEBUG] No matched.")
return None
def _is_implicit_flow(self, request_url: str) -> bool:
"""
URL의 파라미터에서 OAuth Implicit Flow 패턴을 체크합니다.
Args:
request_url: 체크할 요청 URL
Returns:
bool: client_id, redirect_uri, response_type이 모두 존재하고
response_type 값이 'token' 경우 True, 그렇지 않으면 False
"""
try:
parsed_url = urlparse(request_url)
query_params = parse_qs(parsed_url.query)
# 필요한 파라미터들이 모두 존재하는지 확인
required_params = ['redirect_uri', 'response_type']
for param in required_params:
if param not in query_params:
return False
# response_type 값이 'token'인지 확인
response_type_values = query_params.get('response_type', [])
# response_type 파라미터가 존재하고 값 중에 'token'이 있는지 확인
return 'token' in response_type_values or 'id_token' in response_type_values
except Exception:
return False

29
addon/client_secret.py
View file

@ -1,29 +0,0 @@
from lib.report_vuln import report_vuln
from urllib.parse import urlparse, parse_qs
class ClientSecret:
def get_target_from_query(self, query: str, target: str) -> str | None:
if not query:
return None
parsed = parse_qs(query)
scope_values = parsed.get(target, [])
if scope_values:
return scope_values[0]
return None
async def test(self, flow):
req = flow.request
parsed = urlparse(req.pretty_url)
query = parsed.query
query_client_id = self.get_target_from_query(query, "client_id")
query_client_secret = self.get_target_from_query(query, "client_secret")
if query_client_id and query_client_secret:
report_vuln(
title="OAuth Client Secret Exposure",
desc=f"Client ID and Secret found in request: {query_client_id}, {query_client_secret}",
status="CRITICAL",
uri=req.pretty_url
)

87
addon/csrf_check.py
View file

@ -1,17 +1,26 @@
# csrf_check.py
from mitmproxy import http
from mitmproxy import http, ctx
from urllib.parse import urlparse, parse_qs, unquote
import httpx
from typing import Optional, Union, List
from lib.report_vuln import report_vuln
from lib.utils.is_oauth_uri import is_oauth_uri
import lib.target as target
from lib.report import save_report
class CsrfChecker:
nonce_params = {
"state", "nonce", "csrf_token", "csrf"
"state", "nonce", "as", "frame_id", "csrf_token", "csrf"
}
def is_oauth_uri(self, uri: str) -> bool:
qs = parse_qs(urlparse(uri).query)
qs_keys = [*qs]
if "client_id" in qs_keys and any(p in qs_keys for p in (
"redirect_uri", "response_type", "grant_type", "scope", "state", "nonce")):
return True
return False
def get_header(self, headers: http.Headers, name: str) -> Optional[str]:
# mitmproxy Headers는 case-insensitive
raw = headers.get(name)
@ -31,7 +40,7 @@ class CsrfChecker:
def is_oauth_redirect(self, flow: http.HTTPFlow) -> bool:
code = flow.response.status_code
loc = self.get_header(flow.response.headers, "location") or ""
return 300 <= code < 400 and is_oauth_uri(loc)
return 300 <= code < 400 and self.is_oauth_uri(loc)
def check_nonce_in_request(self, flow: http.HTTPFlow) -> bool:
qs = parse_qs(urlparse(flow.request.url).query)
@ -65,7 +74,7 @@ class CsrfChecker:
def check_redirect_nonce(self, flow: http.HTTPFlow) -> Union[List[str], int]:
# ① OAuth URI, ② 요청에 nonce, ③ 리다이렉트 응답
if not (is_oauth_uri(flow.request.url)
if not (self.is_oauth_uri(flow.request.url)
and self.check_nonce_in_request(flow)
and self.is_oauth_redirect(flow)):
return 0
@ -76,29 +85,18 @@ class CsrfChecker:
resp_nonce = self.get_query_param(loc, param) if param else None
if resp_nonce is None:
report_vuln(
title="CSRF Risk",
desc="Missing nonce in redirect response",
status="CRITICAL",
uri=flow.request.url
)
return 1
return ["Missing nonce in redirect"]
if orig_nonce != resp_nonce:
report_vuln(
title="CSRF Risk",
desc="Nonce mismatch request↔response",
status="HIGH",
uri=flow.request.url
)
return 1
return ["Nonce mismatch request↔response"]
return 0
async def check_nonce_reuse(self, flow: http.HTTPFlow) -> Union[int, List[str]]:
# OAuth Request가 아니면서, OAuth 리다이렉트 응답인 경우만 검사
if is_oauth_uri(flow.request.url) or not self.is_oauth_redirect(flow):
if self.is_oauth_uri(flow.request.url) or not self.is_oauth_redirect(flow):
return 0
loc0 = self.get_header(flow.response.headers, "location") or ""
param = self.find_nonce_param(loc0) or "state"
qs0 = parse_qs(urlparse(loc0).query)
@ -113,16 +111,10 @@ class CsrfChecker:
if new_nonce is None:
return 0
if new_nonce == orig_nonce:
report_vuln(
title="CSRF Risk",
desc="Nonce reused without cookies",
status="CRITICAL",
uri=flow.request.url
)
return 1
return ["Nonce reused without cookies"]
# (2) 두 번의 리다이렉트 비교
async with httpx.AsyncClient(follow_redirects=True) as cli:
async with httpx.AsyncClient(follow_redirects=False) as cli:
# 원본 쿼리
req1 = await cli.get(loc0, params=qs0, headers=flow.request.headers)
# nonce 교체 쿼리
@ -135,35 +127,42 @@ class CsrfChecker:
and urlparse(req1.headers.get("location", "")).path
== urlparse(req2.headers.get("location", "")).path
):
report_vuln(
title="CSRF Risk",
desc="Identical redirects on nonce swap → potential CSRF",
status="NOT-VERIFIED-HIGH",
uri=flow.request.url
)
return 1
return ["Identical redirects on nonce swap → potential CSRF"]
return 0
async def response(self, flow: http.HTTPFlow) -> None:
try:
msgs: List[str] = []
# 1) 요청에 nonce 없으면
if is_oauth_uri(flow.request.url) and not self.check_nonce_in_request(flow):
report_vuln(
title="CSRF Risk",
desc="Missing nonce in OAuth request",
status="CRITICAL",
uri=flow.request.url
)
return
if self.is_oauth_uri(flow.request.url) and not self.check_nonce_in_request(flow):
msgs.append("Missing state/nonce in request")
# 2) 리다이렉트에서 nonce 검사
r1 = self.check_redirect_nonce(flow)
if r1:
msgs.extend(r1 if isinstance(r1, list) else [])
# 3) nonce 재사용 검사
r2 = await self.check_nonce_reuse(flow)
if r2:
msgs.extend(r2 if isinstance(r2, list) else [])
if msgs:
desc = " | ".join(msgs)
status = "MEDIUM"
report_data = [{
'target': target.load(),
'status': status,
'title': "CSRF Risk",
'description': desc,
'uri': flow.request.url,
}]
save_report(report_data)
print(f"[INFO] CSRF Check: {desc}")
else:
pass
except Exception as e:
print(f"[ERROR] CSRF Check failed: {e}")
return

52
addon/google_response_type_token.py
View file

@ -1,52 +0,0 @@
from lib.report_vuln import report_vuln
import httpx
from lib.utils.is_oauth_uri import is_oauth_uri
from urllib.parse import urlparse, parse_qs
class GoogleResponseTypeToken:
def get_taregt_from_query(self, query: str, target: str) -> str | None:
if not query:
return None
parsed = parse_qs(query)
scope_values = parsed.get(target, [])
if scope_values:
return scope_values[0]
return None
async def test(self, flow):
req = flow.request
if not is_oauth_uri(req.pretty_url):
return
if req.pretty_host != "accounts.google.com":
return
if "response_type=token" in req.pretty_url:
return
url = f"{req.pretty_url}".replace("response_type=code", "response_type=token")
async with httpx.AsyncClient(follow_redirects=True) as cli:
response = await cli.request(
method=req.method,
url=url,
headers=req.headers,
content=req.get_content(),
)
if response.status_code >= 400:
return
if "<b>400.</b>" in response.text:
return
if "response_type=token" in str(response.url):
report_vuln(
"Google Response Type Token",
f"Response type token allowed in {req.pretty_url}",
"HIGH",
str(response.url)
)

167
addon/init.py
View file

@ -1,93 +1,110 @@
from mitmproxy import http
import asyncio
from pkce_check import PKCEDowngradeChecker
from addon.scope_detection import ScopeDetection
from ScopeDetection import ScopeDetection
from csrf_check import CsrfChecker
from client_secret import ClientSecret
from addon.open_redirect_check import OpenRedirectChecker
from nonce_check import NonceChecker
from redirect_uri_check import RedirectBypassChecker
from access_token import AccessTokenScanner
from addon.google_login_hint import GoogleLoginHint
from addon.google_response_type_token import GoogleResponseTypeToken
from GoogleLoginHint import GoogleLoginHint
import os
from dotenv import load_dotenv
from lib.utils.try_catch import try_catch
from lib.false_true_varifing_task import FalseTrueVarifingTask
# Initialize the singleton task manager
false_true_varifing_task = FalseTrueVarifingTask()
load_dotenv(override=True)
_open_redirect_checker = OpenRedirectChecker()
class AddonBase:
"""
Base class for addons.
Each addon should implement its own request or response method.
"""
def __init__(self) -> None:
if os.getenv('GOOGLE_ID'):
self.google_login_hint = GoogleLoginHint()
else:
self.google_login_hint = None
def should_ignore(self, flow: http.HTTPFlow) -> bool:
"""Check if the request should be ignored."""
ignore_domains = [
".googleapis.com",
"android.clients.google.com", # Added missing comma here
".adtrafficquality.google",
".googlesyndication.com",
"cdn.jsdelivr.net",
"update.googleapis.com",
".google-analytics.com",
".gstatic.com"
]
# Ignore .googleapis.com domains
for domain in ignore_domains:
if domain in flow.request.pretty_host:
return True
# Ignore static files (JS, CSS, fonts, images, etc.)
# Split on '?' to remove query parameters before checking extension
path = flow.request.path.split('?')[0].lower()
static_extensions = [
'.js', '.css', '.woff2', '.woff', '.ttf', '.otf', '.svg',
'.png', '.jpg', '.jpeg', '.gif', '.webp', '.ico', '.bmp',
'.tiff', '.tif', '.webm', '.mp4', '.avi', '.mov', '.pdf', '.md',
'.txt', '.csv'
]
if any(path.endswith(ext) for ext in static_extensions):
return True
return False
class PKCEAddon:
def __init__(self):
self.checker = PKCEDowngradeChecker()
async def request(self, flow: http.HTTPFlow):
if self.google_login_hint:
await try_catch(self.google_login_hint.request(flow))
print(
f"[DEBUG] Processing request: {flow.request.method} {flow.request.pretty_url}"
)
try:
await self.checker.test(flow)
except Exception as e:
print(f"[ERROR] Addon failed: {e}")
pass
if false_true_varifing_task.is_verifing_false_true():
return
tasks = [
try_catch(PKCEDowngradeChecker().test(flow)),
]
await asyncio.gather(*tasks)
class CsrfAddon:
def __init__(self):
self.checker = CsrfChecker()
async def response(self, flow: http.HTTPFlow):
if false_true_varifing_task.is_verifing_false_true() or self.should_ignore(flow):
try:
await self.checker.response(flow)
except Exception as e:
print(f"[ERROR] CSRF Addon failed: {e}")
pass
class ScopeAddon:
def __init__(self):
self.checker = ScopeDetection()
self._flow_map = {} # 요청 정보를 저장
async def request(self, flow: http.HTTPFlow):
self._flow_map[flow.id] = {
"method": flow.request.method,
"url": flow.request.pretty_url,
"query": flow.request.query,
}
async def response(self, flow: http.HTTPFlow):
try:
await self.checker.test(flow)
except Exception as e:
print(f"[ERROR] ScopeDetection failed: {e}")
class NonceAddon:
def __init__(self):
self.checker = NonceChecker()
async def response(self, flow: http.HTTPFlow):
try:
pass
# TODO id_token을 파싱하는 부분이 누락되어있습니다.
# await self.checker.check_nonce_in_id_token(flow)
except Exception as e:
print(f"[ERROR] NonceAddon failed: {e}")
pass
class AccessTokenAddon:
def __init__(self):
self.checker = AccessTokenScanner()
async def response(self, flow: http.HTTPFlow):
try:
await self.checker.scan(flow)
except Exception as e:
print(f"[ERROR] AccessToken Addon failed: {e}")
pass
class RedirectBypassAddon:
def __init__(self):
self.checker = RedirectBypassChecker()
# request 대신 response 로 바꿔 보세요:
async def response(self, flow: http.HTTPFlow):
try:
await self.checker.test(flow)
except Exception as e:
print(f"[ERROR] RedirectBypass Addon failed: {e}")
class GoogleLoginHintAddon():
def __init__(self) -> None:
if os.getenv('GOOGLE_ID'):
self.checker = GoogleLoginHint()
else:
self.checker = None
async def request(self, flow: http.HTTPFlow):
if self.checker is None:
return
try:
await self.checker.request(flow)
except Exception as e:
print(f"[ERROR] GoogleLoginHint Addon failed: {e}")
tasks = [
try_catch(CsrfChecker().response(flow)),
try_catch(ScopeDetection().test(flow)),
try_catch(ClientSecret().test(flow)),
try_catch(AccessTokenScanner().scan(flow)),
try_catch(GoogleResponseTypeToken().test(flow)),
try_catch(_open_redirect_checker.test(flow)),
]
await asyncio.gather(*tasks)
addons = [AddonBase()]
addons = [PKCEAddon(), ScopeAddon(), CsrfAddon(), NonceAddon(), AccessTokenAddon(), RedirectBypassAddon(), GoogleLoginHintAddon()]

20
addon/nonce_check.py
View file

@ -1,8 +1,10 @@
import jwt
from urllib.parse import urlparse, parse_qs
from typing import Union
import httpx
from lib.report_vuln import report_vuln
import lib.target as target
from lib.report import save_report
class NonceChecker:
def is_oidc_flow(self, flow) -> bool:
@ -70,13 +72,17 @@ class NonceChecker:
def check_nonce_in_id_token(self, flow, id_token: str) -> bool:
decoded = self.decode_id_token(id_token)
nonce = decoded.get("nonce")
req = flow.request
url = req.pretty_url
if not nonce:
report_vuln(
title="Nonce Check Failed",
desc="id_token에 nonce가 없습니다.",
status="HIGH",
uri=flow.request.url
)
report_data = [{
'target': target.load(),
'status': "CRITICAL",
'title': "nonce is missing in id_token",
'description': "Nonce is present in the request but missing in the id_token.",
'uri': f"Original: {url}\nDecoded ID Token: {decoded}",
}]
save_report(report_data)
return False
else:
return True

1722
addon/open_redirect_check.py
View file

File diff suppressed because it is too large Load diff

60
addon/pkce_check.py
View file

@ -1,7 +1,10 @@
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
import asyncio
import httpx
from typing import Dict, List
from lib.report_vuln import report_vuln
import lib.target as target
from lib.report import save_report
class PKCEDowngradeChecker:
@ -55,19 +58,27 @@ class PKCEDowngradeChecker:
async def report_missing_parameters(self, url: str, is_openid: bool):
status = "MEDIUM" if is_openid else "LOW"
report_vuln(
title="PKCE Parameters Missing",
desc="PKCE parameters are missing or incomplete.",
status=status,
uri=url,
self.save(
[
self.make_report(
status,
"PKCE Parameters Missing",
"PKCE parameters are missing or incomplete.",
url,
)
]
)
async def report_plain_method(self, url: str):
report_vuln(
title="PKCE Plain Method",
desc="PKCE method is set to 'plain'. Possible downgrade.",
status="CRITICAL",
uri=url,
self.save(
[
self.make_report(
"CRITICAL",
"PKCE Plain Method",
"PKCE method is set to 'plain'. Possible downgrade.",
url,
)
]
)
def create_downgraded_url(self, parsed, query):
@ -139,11 +150,15 @@ class PKCEDowngradeChecker:
else:
return # Likely safe
report_vuln(
title=title,
desc=description,
status=status,
uri=f"Original: {original_url}\nDowngraded: {downgraded_url}",
self.save(
[
self.make_report(
status,
title,
description,
f"Original: {original_url}\nDowngraded: {downgraded_url}",
)
]
)
def same_redirect_destination(self, orig_loc, down_loc):
@ -151,3 +166,16 @@ class PKCEDowngradeChecker:
down = urlparse(down_loc)
return orig.netloc == down.netloc and orig.path == down.path
def make_report(
self, status: str, title: str, description: str, uri: str
) -> Dict[str, str]:
return {
"target": target.load(),
"status": status,
"title": title,
"description": description,
"uri": uri,
}
def save(self, report_data: List[Dict[str, str]]):
save_report(report_data)

202
addon/redirect_uri_check.py Normal file
View file

@ -0,0 +1,202 @@
from mitmproxy import http
import aiohttp
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse
import lib.target as target
from lib.report import save_report
class BypassPayload:
""" 우회 패턴 정의 """
def __init__(self, name: str, mutate_func, description: str):
self.name = name
self.mutate = mutate_func #우회 url 만드는 함수
self.description = description
class RedirectBypassChecker:
def __init__(self):
""" 우회 페이로드 목록 """
self.bypass_payloads = [
BypassPayload(
name=r"@",
mutate_func=self._mutate_pattern1,
description=r"@ 기호를 이용한 호스트 우회 공격: evil.com@target.com"
),
]
self.session = None
""" 우회 URL 생성 목록 """
# 1. @
def _mutate_pattern1(self, original: str) -> str:
parsed = urlparse(original)
mutated = f"https://evil.com@{parsed.netloc}{parsed.path}"
print(f"[redirect_uri_check] original: {original} → mutated: {mutated}")
return mutated
'''aiohttp 세션 생성 (재사용)'''
async def _get_session(self):
if self.session is None:
timeout = aiohttp.ClientTimeout(total=10)
self.session = aiohttp.ClientSession(timeout=timeout)
return self.session
'''세션 정리'''
async def close_session(self):
if self.session:
await self.session.close()
self.session = None
""" 우회된 URL에 GET 요청을 보내고, 서버 응답 정보 반환 """
async def _send_request(self, url, headers=None):
try:
session = await self._get_session() # 세션 준비
request_headers = headers or {} # 요청 헤더 설정 - headers가 주어지지 않았다면 빈 딕셔너리 사용
# 서버에 GET 요청 전송
async with session.get(url, allow_redirects=False, headers=request_headers) as response:
return {
'status': response.status,
'location': response.headers.get("Location", ""),
'headers': dict(response.headers)
}
except Exception as e:
print(f"[ERROR] 요청 실패 ({url}): {e}")
return {'status': 500, 'location': '', 'headers': {}}
""" redirect_uri가 기준 도메인(baseUrl)에 속하는지 판단 """
def _is_baseline_valid(self, redirect_uri: str, base_url: str) -> bool:
try:
redirect_parsed = urlparse(redirect_uri)
base_parsed = urlparse(base_url)
redirect_host = redirect_parsed.hostname
base_host = base_parsed.hostname
if not redirect_host or not base_host:
return False
if "@" in redirect_uri:
if redirect_host != base_host:
print(f"[ALERT] 우회 공격 탐지: {redirect_host} != {base_host}")
return False
at_parts = redirect_uri.split('@')
if len(at_parts) > 1:
before_at = at_parts[0]
if '//' in before_at:
potential_domain = before_at.split('//')[-1]
if '.' in potential_domain and potential_domain != base_host:
print(f"[CRITICAL] @ 우회 공격: {potential_domain}@{base_host}")
return False
is_valid = (redirect_host == base_host or redirect_host.endswith(f".{base_host}"))
return is_valid
except Exception as e:
print(f"[ERROR] 도메인 검증 실패: {e}")
return False
""" Location 헤더에서 authorization code 추출 """
def _extract_code_from_location(self, location: str) -> str:
if not location:
return ""
try:
parsed = urlparse(location)
query = parse_qs(parsed.query)
return query.get('code', [''])[0]
except:
return ""
""" 메인 테스트 함수 - mitmproxy flow 처리 """
async def test(self, flow: http.HTTPFlow):
url = flow.request.pretty_url
parsed = urlparse(url)
query = parse_qs(parsed.query)
if "redirect_uri" not in query:
return
original_redirect_uri = query["redirect_uri"][0]
print(f"[DEBUG] 원본 redirect_uri: {original_redirect_uri}")
for payload in self.bypass_payloads:
try:
await self._test_bypass_pattern(
url, query, parsed, original_redirect_uri, payload, headers={}
)
except Exception as e:
print(f"[ERROR] 우회 패턴 테스트 실패 ({payload.name}): {e}")
continue
""" 개별 우회 패턴 테스트 """
async def _test_bypass_pattern(self, original_url, query, parsed_url, original_redirect_uri, payload, headers):
print(f"[SCAN] 우회 패턴 테스트: {payload.name}")
# 우회 URL 생성
bypassed_uri = payload.mutate(original_redirect_uri)
# 새로운 쿼리 파라미터 구성
modified_query = query.copy()
modified_query["redirect_uri"] = [bypassed_uri]
new_query_string = urlencode(modified_query, doseq=True)
test_url = urlunparse(parsed_url._replace(query=new_query_string))
# 요청 전송
response = await self._send_request(test_url, headers)
# 응답 분석
await self._analyze_response(original_url, test_url, bypassed_uri, response, payload)
""" 응답 분석 및 취약점 판단 """
async def _analyze_response(self, original_url, test_url, bypassed_uri, response, payload):
status = response['status']
location = response['location']
# 리다이렉트 응답이 아니면 스킵
if status not in [301, 302, 303, 307, 308]:
return
# Location 헤더에서 code 추출
auth_code = self._extract_code_from_location(location)
if auth_code and not self._is_baseline_valid(bypassed_uri, original_url):
# 취약점 발견 시에만 로그
print(f"[🎯 VULNERABILITY] {payload.name} 우회 성공!")
await self._report_vulnerability(original_url, test_url, bypassed_uri, location, auth_code, payload)
""" 취약점 보고서 생성 """
async def _report_vulnerability(self, original_url, test_url, bypassed_uri, location, auth_code, payload):
# payload가 문자열인지 객체인지 확인
if hasattr(payload, 'name'):
pattern_name = payload.name
pattern_description = payload.description
else:
pattern_name = str(payload)
pattern_description = "Unknown bypass pattern"
description = (
f"Redirect URI 우회 취약점 발견!\n\n"
f"-- 상세 정보 --:\n"
f"• 우회 패턴: {pattern_name}\n"
f"• 설명: {pattern_description}\n"
f"• 원본 URL: {original_url}\n"
f"• 우회된 redirect_uri: {bypassed_uri}\n"
f"• 테스트 URL: {test_url}\n"
f"• 리다이렉트 위치: {location}\n"
f"• 발급된 인가 코드: {auth_code[:10]}...\n\n"
)
report_data = [{
"target": target.load(),
"status": "CRITICAL",
"title": "Redirect URI Bypass Vulnerability",
"description": description,
"uri": test_url # uri 필드 추가
}]
save_report(report_data)
print(f"[🎯 CRITICAL] Redirect URI 우회 취약점 발견 및 보고 완료!")
print(f"[INFO] 패턴: {pattern_name}, 우회 URI: {bypassed_uri}")

32
addon/scope_detection.py
View file

@ -1,32 +0,0 @@
from lib.report_vuln import report_vuln
from lib.utils.is_oauth_uri import is_oauth_uri
from urllib.parse import urlparse, parse_qs
class ScopeDetection:
def get_scope_from_query(self, query: str) -> str | None:
if not query:
return None
parsed = parse_qs(query)
scope_values = parsed.get("scope", [])
if scope_values:
return scope_values[0]
return None
async def test(self, flow):
if not is_oauth_uri(flow.request.pretty_url):
return
req = flow.request
parsed = urlparse(req.pretty_url)
query = parsed.query
query_scope = self.get_scope_from_query(query)
if query_scope in ["all", "*"]:
report_vuln(
title="OAuth Scope Value Issue",
desc=f"Scope value issue detected in request: {query_scope}",
status="WARNING",
uri=req.pretty_url
)

65
lib/false_true_varifing_task.py
View file

@ -1,65 +0,0 @@
from typing import Any
from copy import deepcopy
class FalseTrueVarifingTask:
"""
A singleton class representing a task that can be either false or true.
This class is used to handle tasks that require verification of their truth value.
"""
_instance = None
def __new__(cls):
if cls._instance is None:
cls._instance = super(FalseTrueVarifingTask, cls).__new__(cls)
cls._instance._initialized = False
return cls._instance
def __init__(self):
if self._initialized:
return
self._is_verifing = False
self.task_queue = []
self._initialized = True
def reset(self):
"""
Reset the task queue and verification status.
"""
self._is_verifing = False
self.task_queue.clear()
# 각 addon의 검증 로직에서 해당 함수를 호출하여, 추후 오탐 검증을 위한 작업을 추가할 수 있습니다.
# TODO: 모델 지정해두기
def add_task(self, task_name: str, initial_uri: str, data: Any):
"""
Add a task to the task queue.
:param task: The task to be added.
"""
self.task_queue.append(
{
"task_name": task_name,
"initial_uri": initial_uri,
"data": data
}
)
def start_verification(self):
"""
Start the verification process for the tasks in the queue.
"""
self._is_verifing = True
def get_task_queue(self):
"""
Get a copy of the current task queue.
:return: A copy of the task queue.
"""
return deepcopy(self.task_queue)
def is_verifing_false_true(self):
"""
Get the current verification status.
:return: True if verification is in progress, False otherwise.
"""
return self._is_verifing

22
lib/report_vuln.py → lib/report.py
View file

@ -1,17 +1,15 @@
# save as data/report.csv
import os
import csv
from mitmproxy import http
import lib.cur_target_url as cur_target_url
from typing import List, Dict, Any
# target, status, title, description, uri
# file path는 'data/report.csv'로 고정
def report_vuln(title: str, desc: str, status: str, uri: str) -> None:
file_path: str = 'data/report.csv'
def save_report(report_data: List[Dict[str, Any]], file_path: str = 'data/report.csv') -> None:
os.makedirs(os.path.dirname(file_path), exist_ok=True)
"""
report_data 안의 레포트를 줄씩 CSV에 추가로 저장합니다.
파일이 없으면 헤더를 먼저 쓰고, 있으면 레코드만 이어서 씁니다.
@ -25,10 +23,10 @@ def report_vuln(title: str, desc: str, status: str, uri: str) -> None:
if not file_exists:
writer.writeheader()
writer.writerow({
'target': cur_target_url.load(),
'status': status,
'title': title,
'description': desc,
'uri': uri,
})
for row in report_data:
# None 방지 & 줄바꿈 이스케이프
escaped = {
k: str(v).replace('\n', '\\n') if v is not None else ''
for k, v in row.items()
}
writer.writerow(escaped)

0
lib/cur_target_url.py → lib/target.py
View file

10
lib/utils/is_oauth_uri.py
View file

@ -1,10 +0,0 @@
from urllib.parse import urlparse, parse_qs
def is_oauth_uri(uri: str) -> bool:
qs = parse_qs(urlparse(uri).query)
qs_keys = [*qs]
if "client_id" in qs_keys and any(p in qs_keys for p in (
"redirect_uri", "response_type", "grant_type", "scope", "state", "nonce")):
return True
return False

5
lib/utils/try_catch.py
View file

@ -1,5 +0,0 @@
async def try_catch(coro):
try:
return await coro
except Exception as e:
print(f"[ERROR] {coro} failed: {e}")

104
runner/backend/__init__.py
View file

@ -1,107 +1,17 @@
from fastapi import FastAPI, Query, HTTPException
from fastapi.responses import Response
import lib.cur_target_url as cur_target_url
from lib.false_true_varifing_task import FalseTrueVarifingTask
from pydantic import BaseModel, Field
from lib.report_vuln import report_vuln as save_vuln
# Initialize the singleton task manager
false_true_varifing_task = FalseTrueVarifingTask()
import lib.target as target
app = FastAPI()
@app.post(
"/start",
summary="취약점 검증을 위한 대상 URL 설정",
description="""
엔드포인트는 시스템이 취약점 검증 작업에 사용할 대상 URL을 설정합니다.
유효한 URL이 제공되면:
- 해당 URL이 저장됩니다.
- 검증 작업 큐가 초기화됩니다.
- 새로운 검증 작업을 시작할 준비가 완료됩니다.
URL이 제공되지 않으면, 오류가 반환됩니다.
"""
,
tags=["1st STEP"]
)
async def start(url: str = Query(..., description="The URL to target for vulnerability verification")):
cur_target_url.save(url)
false_true_varifing_task.reset()
@app.post("/start")
async def start(url: str = Query(None)):
if url:
target.save(url)
print(f"Target URL set to: {url}")
return {"message": f"Target URL set to: {url}"}
@app.post(
"/start-false-true-verifing",
summary="시스템에 오탐 검증 작업 시작을 알림",
description="""
엔드포인트는 시스템에 오탐 검증 작업이 시작되었음을 알립니다.
또한 시스템은 미리 준비된 오탐 검증 작업 목록을 반환합니다.
```json
{
"payload": [
{
"task_name": "pkce_task", # 검증 작업의 이름
"initial_uri": "http://auth.example.com", # browser가 처음 접속할 URI
"data": any # 추가 데이터
},
...
]
}
```
""",
tags=["2nd STEP"]
)
async def start_false_true_verifing():
false_true_varifing_task.start_verification()
task_queue = false_true_varifing_task.get_task_queue()
return {"payload": task_queue}
class VulnerabilityReport(BaseModel):
title: str = Field(..., description="Short title for the vulnerability")
url: str = Field(..., description="URL where the vulnerability was discovered")
status: str = Field(..., description="Status of the vulnerability (e.g., VERIFIED-CRITICAL)")
desc: str = Field(..., description="Detailed description of the issue")
@app.post(
"/report-vuln",
summary="취약점 보고",
description="""
정탐인 취약점을 시스템에 보고합니다.
보고 다음 정보를 포함해야 합니다:
- **title**: 취약점의 간단한 이름
- **url**: 취약점이 발견된 위치 (URL)
- **status**: 심각도
- **desc**: 취약점에 대한 상세 설명
""",
tags=["3rd STEP"]
)
async def report_vuln(vuln: VulnerabilityReport):
save_vuln(
title=vuln.title,
desc=vuln.desc,
status=vuln.status,
uri=vuln.url
)
return {"message": "Vulnerability reported successfully"}
return {"error": "No URL provided"}
@app.exception_handler(404)