Pentesting gRPC-Web


Quick protocol enumeration and attack surface

  • Transport: gRPC‑Web speaks a browser‑compatible variant of gRPC over HTTP/1.1 or HTTP/2 via a proxy (Envoy/APISIX/grpcwebproxy/etc.). Only unary and server‑streaming calls are supported.
  • Content-Types you will see:
    • application/grpc-web (binary framing)
    • application/grpc-web-text (base64-encoded framing for HTTP/1.1 streaming)
  • Framing: every message is prefixed with a 5‑byte gRPC header (1‑byte flags + 4‑byte length). In gRPC‑Web the trailers (grpc-status, grpc-message, etc.) are sent inside the body as a special frame: a first byte with the MSB set (0x80), followed by a length and an HTTP/1.1‑style header block.
  • Common request headers: x-grpc-web: 1, x-user-agent: grpc-web-javascript/<version>, grpc-timeout, grpc-encoding. Responses expose grpc-status/grpc-message via trailers/body frames and often via Access-Control-Expose-Headers for browsers.
  • Security‑relevant middleware that is often present:
    • Envoy grpc_web filter and gRPC‑JSON transcoder (HTTP<->gRPC bridge)
    • Nginx/APISIX gRPC‑Web plugins
    • CORS policies on the proxy

What this means for attackers:

  • You can craft requests by hand (binary or base64 text), or let tooling generate/encode them.
  • CORS mistakes on the proxy can allow cross‑site, authenticated gRPC‑Web calls (similar to classic CORS issues).
  • JSON transcoding bridges can accidentally expose gRPC methods as unauthenticated HTTP endpoints if routes/auth are misconfigured.

Testing gRPC‑Web from the CLI

Simplest: buf curl (supports gRPC‑Web natively)

  • List methods via reflection (if enabled):
# list methods (uses reflection)
buf curl --protocol grpcweb https://host.tld --list-methods
  • Call a method with JSON input; buf handles the gRPC‑Web framing and headers automatically:
buf curl --protocol grpcweb \
-H 'Origin: https://example.com' \
-d '{"field":"value"}' \
https://host.tld/pkg.svc.v1.Service/Method
  • If reflection is disabled, supply a schema/descriptor set with --schema or point at local .proto files. See buf help curl.

Raw with curl (manual headers + framed body)

For binary mode (application/grpc-web), send a framed payload (5‑byte prefix + protobuf message). For text mode, base64‑encode the framed payload.

# Build a protobuf message, then gRPC-frame it (1 flag byte + 4 length + msg)
# Example using protoscope to compose/edit the message and base64 for grpc-web-text
protoscope -s msg.txt | python3 grpc-coder.py --encode --type grpc-web-text | \
tee body.b64

curl -i https://host.tld/pkg.svc.v1.Service/Method \
-H 'Content-Type: application/grpc-web-text' \
-H 'X-Grpc-Web: 1' \
-H 'X-User-Agent: grpc-web-javascript/0.1' \
--data-binary @body.b64

Tip: force base64/text mode with application/grpc-web-text when HTTP/1.1 intermediaries break binary streaming.

Check CORS behaviour (preflight + response)

  • Preflight:
curl -i -X OPTIONS https://host.tld/pkg.svc.v1.Service/Method \
-H 'Origin: https://evil.tld' \
-H 'Access-Control-Request-Method: POST' \
-H 'Access-Control-Request-Headers: content-type,x-grpc-web,x-user-agent,grpc-timeout'
  • A vulnerable setup often reflects an arbitrary Origin and sends Access-Control-Allow-Credentials: true, which allows cross-site authenticated calls. Also check whether Access-Control-Expose-Headers includes grpc-status, grpc-message (many implementations expose these for client libs).
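An added Python check (not from this page or any tool it names) that applies the browser's CORS rules to a captured preflight response and classifies the misconfiguration described above; the function names are my own, and the header names it requires are the ones the preflight above asks for. Sample response headers are constructed.

```python
# Request headers a gRPC-Web client sends, so the preflight must allow all of them
GRPC_WEB_REQUEST_HEADERS = ["content-type", "x-grpc-web", "x-user-agent", "grpc-timeout"]

def _csv_set(value: str) -> set:
    """Split a comma-separated header value into a lowercased set."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def assess_grpc_web_cors(probe_origin: str, response_headers: dict,
                         request_headers=GRPC_WEB_REQUEST_HEADERS) -> dict:
    """Apply browser CORS rules to a captured preflight response.

    probe_origin is the foreign Origin you sent (https://evil.tld in the curl above);
    response_headers is {name: value} as returned by the proxy, any letter case."""
    h = {k.lower(): v for k, v in response_headers.items()}
    allow_origin = h.get("access-control-allow-origin", "").strip()
    credentials = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    allowed = _csv_set(h.get("access-control-allow-headers", ""))
    exposed = _csv_set(h.get("access-control-expose-headers", ""))
    requested = {x.lower() for x in request_headers}
    # A '*' in Allow-Headers only counts for requests made without credentials
    headers_ok = ("*" in allowed and not credentials) or requested <= allowed
    if allow_origin == probe_origin:
        origin_ok, reflected = True, True
    elif allow_origin == "*":
        origin_ok, reflected = not credentials, False  # browsers reject '*' + credentials
    else:
        origin_ok, reflected = False, False
    preflight_passes = origin_ok and headers_ok
    if preflight_passes and reflected and credentials:
        risk = "high"  # any origin can make the victim's browser issue authenticated calls
    elif preflight_passes:
        risk = "low"  # cross-site calls succeed, but without the victim's credentials
    else:
        risk = "none"
    return {
        "preflight_passes": preflight_passes,
        "origin_reflected": reflected,
        "credentials_allowed": credentials,
        "missing_allow_headers": [] if headers_ok else sorted(requested - allowed),
        "grpc_trailers_readable": {"grpc-status", "grpc-message"} <= exposed,
        "risk": risk,
    }
```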

For generic techniques to abuse CORS, check CORS - Misconfigurations & Bypass.

Manipulating gRPC‑Web payloads

gRPC‑Web uses Content-Type: application/grpc-web-text as a base64‑wrapped gRPC frame stream for browser compatibility. You can decode/modify/encode frames to tamper with fields, flip flags or inject payloads.

Use the grpc-coder tool (and the Burp extension) to speed up round‑trips.

Manually with the gRPC Coder Tool

  1. Decode the payload:
echo "AAAAABYSC0FtaW4gTmFzaXJpGDY6BVhlbm9u" | python3 grpc-coder.py --decode --type grpc-web-text | protoscope > out.txt
  2. Edit the contents of the decoded payload:
nano out.txt
2: {"Amin Nasiri Xenon GRPC"}
3: 54
7: {"<script>alert(origin)</script>"}
  3. Encode the new payload:
protoscope -s out.txt | python3 grpc-coder.py --encode --type grpc-web-text
  4. Use the output in the Burp interceptor:
AAAAADoSFkFtaW4gTmFzaXJpIFhlbm9uIEdSUEMYNjoePHNjcmlwdD5hbGVydChvcmlnaW4pPC9zY3JpcHQ+
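The framing described in the protocol summary at the top of the page and the decode/edit/encode round‑trip of the steps above, as an added Python example that is not part of this page nor of the grpc-coder or protoscope tools: it splits a grpc-web-text body into its 5‑byte‑prefixed frames, separates trailer frames (MSB flag 0x80) from message frames, and re‑encodes. Function names are my own; PAGE_SAMPLE is the request body quoted in step 1, and any trailer values are constructed.

```python
import base64
import struct

TRAILER_FLAG = 0x80  # MSB set: the frame carries HTTP/1.1-style trailers, not a message
# Sample grpc-web-text request body quoted on this page (one data frame, no trailers)
PAGE_SAMPLE = "AAAAABYSC0FtaW4gTmFzaXJpGDY6BVhlbm9u"

def frame(payload: bytes, flags: int = 0) -> bytes:
    """Prefix one payload with the 5-byte gRPC header: flag byte + 4-byte big-endian length."""
    return bytes([flags]) + struct.pack(">I", len(payload)) + payload

def parse_frames(body: bytes) -> list:
    """Split a binary gRPC-Web body into (flags, payload) pairs; truncated frames raise."""
    frames, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 5:
            raise ValueError("truncated frame header")
        flags, length = body[pos], struct.unpack(">I", body[pos + 1:pos + 5])[0]
        pos += 5
        if len(body) - pos < length:
            raise ValueError("truncated frame payload")
        frames.append((flags, body[pos:pos + length]))
        pos += length
    return frames

def parse_trailers(payload: bytes) -> dict:
    """Trailer frame body looks like 'grpc-status: 0\r\ngrpc-message: OK\r\n'."""
    trailers = {}
    for line in payload.decode("utf-8", "replace").split("\r\n"):
        if ":" in line:
            key, val = line.split(":", 1)
            trailers[key.strip().lower()] = val.strip()
    return trailers

def decode_grpc_web_text(body_b64: str):
    """Decode a grpc-web-text body into (list of raw protobuf messages, trailers dict)."""
    messages, trailers = [], {}
    for flags, payload in parse_frames(base64.b64decode(body_b64)):
        if flags & TRAILER_FLAG:
            trailers.update(parse_trailers(payload))
        else:
            messages.append(payload)  # hand these to protoscope/grpc-coder for field editing
    return messages, trailers

def encode_grpc_web_text(messages: list, trailers: dict = None) -> str:
    """Frame each protobuf message (plus an optional trailer frame) and base64 the stream."""
    body = b"".join(frame(m) for m in messages)
    if trailers:
        block = "".join(f"{k}: {v}\r\n" for k, v in trailers.items()).encode()
        body += frame(block, TRAILER_FLAG)
    return base64.b64encode(body).decode()
```

A real grpc-web-text response may base64‑encode each frame separately; this decoder assumes one base64 string for the whole body, and the raw message bytes it returns are what protoscope turns into the field listing shown in step 2.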

Guide to the gRPC‑Web Coder Burp Suite Extension

You can use the gRPC‑Web Coder Burp Suite Extension from the gRPC‑Web Pentest Suite, which is easier. Read the installation and usage instructions in the repo.

Analysing gRPC‑Web JavaScript files

Web apps that use gRPC‑Web ship at least one generated JS/TS bundle. Reverse it to extract services, methods and message structures.

  • Try gRPC-Scan to parse bundles.
  • Look for method paths of the form /pkg.svc.v1.Service/Method, message field numbers/types, and custom interceptors that add auth headers.
  1. Download the JavaScript gRPC‑Web file
  2. Scan it with grpc-scan.py:
python3 grpc-scan.py --file main.js
  3. Analyse the output and test the new endpoints and new services:
Output:
Found Endpoints:
/grpc.gateway.testing.EchoService/Echo
/grpc.gateway.testing.EchoService/EchoAbort
/grpc.gateway.testing.EchoService/NoOp
/grpc.gateway.testing.EchoService/ServerStreamingEcho
/grpc.gateway.testing.EchoService/ServerStreamingEchoAbort

Found Messages:

grpc.gateway.testing.EchoRequest:
+------------+--------------------+--------------+
| Field Name |     Field Type     | Field Number |
+============+====================+==============+
| Message    | Proto3StringField  | 1            |
+------------+--------------------+--------------+
| Name       | Proto3StringField  | 2            |
+------------+--------------------+--------------+
| Age        | Proto3IntField     | 3            |
+------------+--------------------+--------------+
| IsAdmin    | Proto3BooleanField | 4            |
+------------+--------------------+--------------+
| Weight     | Proto3FloatField   | 5            |
+------------+--------------------+--------------+
| Test       | Proto3StringField  | 6            |
+------------+--------------------+--------------+
| Test2      | Proto3StringField  | 7            |
+------------+--------------------+--------------+
| Test3      | Proto3StringField  | 16           |
+------------+--------------------+--------------+
| Test4      | Proto3StringField  | 20           |
+------------+--------------------+--------------+

grpc.gateway.testing.EchoResponse:
+--------------+--------------------+--------------+
|  Field Name  |     Field Type     | Field Number |
+==============+====================+==============+
| Message      | Proto3StringField  | 1            |
+--------------+--------------------+--------------+
| Name         | Proto3StringField  | 2            |
+--------------+--------------------+--------------+
| Age          | Proto3IntField     | 3            |
+--------------+--------------------+--------------+
| IsAdmin      | Proto3BooleanField | 4            |
+--------------+--------------------+--------------+
| Weight       | Proto3FloatField   | 5            |
+--------------+--------------------+--------------+
| Test         | Proto3StringField  | 6            |
+--------------+--------------------+--------------+
| Test2        | Proto3StringField  | 7            |
+--------------+--------------------+--------------+
| Test3        | Proto3StringField  | 16           |
+--------------+--------------------+--------------+
| Test4        | Proto3StringField  | 20           |
+--------------+--------------------+--------------+
| MessageCount | Proto3IntField     | 8            |
+--------------+--------------------+--------------+

grpc.gateway.testing.ServerStreamingEchoRequest:
+-----------------+-------------------+--------------+
|   Field Name    |    Field Type     | Field Number |
+=================+===================+==============+
| Message         | Proto3StringField | 1            |
+-----------------+-------------------+--------------+
| MessageCount    | Proto3IntField    | 2            |
+-----------------+-------------------+--------------+
| MessageInterval | Proto3IntField    | 3            |
+-----------------+-------------------+--------------+

grpc.gateway.testing.ServerStreamingEchoResponse:
+------------+-------------------+--------------+
| Field Name |    Field Type     | Field Number |
+============+===================+==============+
| Message    | Proto3StringField | 1            |
+------------+-------------------+--------------+

grpc.gateway.testing.ClientStreamingEchoRequest:
+------------+-------------------+--------------+
| Field Name |    Field Type     | Field Number |
+============+===================+==============+
| Message    | Proto3StringField | 1            |
+------------+-------------------+--------------+

grpc.gateway.testing.ClientStreamingEchoResponse:
+--------------+----------------+--------------+
|  Field Name  |   Field Type   | Field Number |
+==============+================+==============+
| MessageCount | Proto3IntField | 1            |
+--------------+----------------+--------------+

Bridge and JSON-transcoding pitfalls

Many deployments place an Envoy (or similar) proxy in front of the gRPC server:

  • The grpc_web filter translates HTTP/1.1 POSTs into HTTP/2 gRPC.
  • The gRPC‑JSON Transcoder exposes gRPC methods as HTTP JSON endpoints when .proto options (google.api.http) are present.

From a pentesting perspective:

  • Try direct HTTP JSON calls to /pkg.svc.v1.Service/Method with application/json when a transcoder is enabled (auth/route mismatches are common):
curl -i https://host.tld/pkg.svc.v1.Service/Method \
-H 'Content-Type: application/json' \
-d '{"field":"value"}'
  • Check whether unknown methods/parameters are rejected or passed through. Some configs forward non-matching paths upstream, which can sometimes bypass auth or request validation.
  • Watch for x-envoy-original-path and related headers added by proxies. Upstreams that trust these can be abusable if the proxy fails to sanitise them.
