whs-authz-authn/oauth-backend
1
0
Fork 0
mirror of https://github.com/j93es/oauth-backend.git synced 2026-06-04 04:51:51 +09:00
Code Issues Projects Releases Packages Wiki Activity
oauth-backend/addon/client_secret.py

29 lines
1,010 B
Python
Raw Blame History

from lib.report_vuln import report_vuln
from urllib.parse import urlparse, parse_qs
class ClientSecret:
def get_target_from_query(self, query: str, target: str) -> str | None:
if not query:
return None
parsed = parse_qs(query)
scope_values = parsed.get(target, [])
if scope_values:
return scope_values[0]
return None
async def test(self, flow):
req = flow.request
parsed = urlparse(req.pretty_url)
query = parsed.query
query_client_id = self.get_target_from_query(query, "client_id")
query_client_secret = self.get_target_from_query(query, "client_secret")
if query_client_id and query_client_secret:
report_vuln(
title="OAuth Client Secret Exposure",
desc=f"Client ID and Secret found in request: {query_client_id}, {query_client_secret}",
status="CRITICAL",
uri=req.pretty_url
)
Reference in a new issue View git blame Copy permalink