Home

Awesome

BlazorTrafficProcessor (BTP)

A BurpSuite extension to aid pentesting web applications that use Blazor Server/BlazorPack. Primary functionality includes converting BlazorPack messages to JSON and vice versa, introduces tamperability for BlazorPack serialized messages.

Build

Prerequisites

Build Steps

  1. Clone the repository with git clone https://github.com/AonCyberLabs/BlazorTrafficProcessor
  2. cd BlazorTrafficProcessor
  3. gradle build
  4. The built JAR file will be located at BlazorTrafficProcessor/build/libs/BlazorTrafficProcessor-1.0.jar

Usage

Installing the extension in Burp

NOTE: it is recommended to check "Other Binary" in your Burp History filter, this will allow you to see data returned by the application.

Using the Extension

Downgrade Explained (WS -> HTTP)

Blazor server normally communicates via WebSockets, though it supports other protocols such as LongPolling over HTTP. During the connection initiation between your browser and the server, one of the first requests sent will look like the following:

POST /_blazor/negotiate?negotiateVersion=1 HTTP/1.1
Host: localhost:5003
[...]
X-Requested-With: XMLHttpRequest
X-SignalR-User-Agent: Microsoft SignalR/0.0 (0.0.0-DEV_BUILD; Unknown OS; Browser; Unknown Runtime Version)
[...]

The response will contain the available transports as follows:

HTTP/1.1 200 OK
Content-Length: 316
Connection: close
Content-Type: application/json
Date: Thu, 22 Sep 2022 13:30:17 GMT
Server: Kestrel

{"negotiateVersion":1,
  "connectionId":"XXX",
  "connectionToken":"XXX",
  "availableTransports":[
    {"transport":"WebSockets","transferFormats":["Text","Binary"]},
    {"transport":"ServerSentEvents","transferFormats":["Text"]},
    {"transport":"LongPolling","transferFormats":["Text","Binary"]}
  ]
}

This negotiation determines how the client and server will establish their connection. WebSockets is the preferred method but Burp previously didn't have the best support for WS extensions**, so we need to force the connection over HTTP in order to use the extension. Therefore, the browser (and JavaScript running in it) that you're proxying traffic through will see that websockets aren't supported and fall back to using HTTP ("LongPolling"). BTP will automatically perform this downgrade, observable via the Original/Modified versions of the Blazor negotiation HTTP response.

** Note: Support for BlazorPack over WS is currently under development as there are newer iterations of Burp's Montoya APIs being released frequently with improved WS functionality.

Example Requests

Change value of an Input Field

Request Body:

º•€À·BeginInvokeDotNetFromJS•¡2À²DispatchEventAsyncل[{"eventHandlerId":4,"eventName":"change","eventFieldInfo":{"componentId":27,"fieldValue":"asdfasdfasdf"}},{"value":"asdfasdfasdf"}]

Deserialized:

[
  {
    "Target":"BeginInvokeDotNetFromJS",
    "Headers":0,
    "Arguments":[
      "2","null","DispatchEventAsync",1, [
        {"eventFieldInfo": {"componentId":27,"fieldValue":"asdfasdfasdf"}, 
        "eventHandlerId":4,"eventName":"change"},
        {"value":"asdfasdfasdf"}
      ]
    ],
  "MessageType":1
  }
]

Update the rendered web page

Request body:

•€À±OnRenderCompleted’À

Deserialized:

[
  {
    "Target":"OnRenderCompleted",
    "Headers":0,
    "Arguments":[5,"null"],
    "MessageType":1
  }
]

End an invocation

Request body (What you'll see in Burp):

+•€ÀµEndInvokeJSFromDotNet“í[3,true,null]

Request body bytes (What you'll see in the "Inspector" tab if you highlight the request body)

\x2b\x95\x01\x80\xc0\xb5EndInvokeJSFromDotNet\x93\x03\xc3\xad[3,true,null]
[length][MessageType,Headers,InvocationId,Target,[Arguments]]
[\x2b][MessageType=\x01,Headers=\x80,InvocationId=\xc0,Target=\xb5EndInvokeJSFromDotNet,Arguments=[One=\x03,Two=\xc3,Three=\xad[3,true,null]]]

Byte Breakdown

InvocationMessage Encoding Spec

  1. \x2b - the size byte for this payload, value = 43
  2. \x95 - an array header, representing a 5-element array
  3. \x01 - integer w/ value of 1, representing the message type (Invocation)
  4. \x80 - Map of length 0, representing the headers (only seen empty map while testing)
  5. \xc0 - NIL, representing the invocationId is null
  6. \xb5 - Raw string header of length 21, representing the "Target"
  7. EndInvokeJSFromDotNet - the "Target" raw string
  8. \x93 - an array header, representing a 3-element array for the arguments
  9. \x03 - integer w/ value of 3, first argument to the "Target" function
  10. \xc3 - boolean w/ value of true, second argument to the "Target" function
  11. \xad - Raw string header of length 13, representing the third argument to the "Target" function
  12. [3,true,null] - the third argument raw string

Deserialized:

[
  {
    "Target":"EndInvokeJSFromDotNet",
    "Headers":0,
    "Arguments": [
      3,true,
      [3,true,null]
    ],
    "MessageType":1
  }
]

Copyright 2023 Aon plc