Pentesting gRPC-Web

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Quick protocol overview and attack surface

  • Transport: gRPC-Web is a browser-friendly variant of gRPC carried over HTTP/1.1 or HTTP/2 through a proxy (Envoy/APISIX/grpcwebproxy/etc.). Only unary and server-streaming calls are supported; client-streaming and bidirectional calls are not.
  • Content-Types you will see:
  • application/grpc-web (binary framing)
  • application/grpc-web-text (base64-encoded framing, used for streaming over HTTP/1.1)
  • Framing: every message starts with the 5-byte gRPC header (1 flag byte + 4-byte big-endian length). In gRPC-Web the trailers (grpc-status, grpc-message, …) travel inside the body as a special frame: the first byte has the MSB set (0x80), followed by the length and an HTTP/1.1-style header block.
  • Commonly used request headers: x-grpc-web: 1, x-user-agent: grpc-web-javascript/…, grpc-timeout, grpc-encoding. Responses surface grpc-status/grpc-message in trailers/body frames; for browser clients the proxy must also list them in Access-Control-Expose-Headers, otherwise the JS client cannot read them.
  • Security-relevant middleware is usually present:
  • Envoy grpc_web filter and gRPC-JSON transcoder (HTTP<->gRPC bridge)
  • Nginx/APISIX gRPC-Web plugins
  • CORS policies on the proxy
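The framing described above in runnable form, as an added example written for this page (Python; it is not code from any of the tools mentioned here): it builds a data frame for binary or text mode, splits a response body into frames while checking every length prefix, and pulls grpc-status/grpc-message out of the trailer frame. The sample response bodies are constructed inline, not captured traffic.

```python
import base64
import struct

DATA_FLAG = 0x00      # bit 0 set would mean "message is compressed" (see grpc-encoding)
TRAILER_FLAG = 0x80   # MSB set: gRPC-Web trailer frame carrying an HTTP/1.1-style header block


def frame(payload: bytes, flags: int = DATA_FLAG) -> bytes:
    """Prefix a payload with the 5-byte gRPC header: 1 flag byte + 4-byte big-endian length."""
    return struct.pack(">BI", flags, len(payload)) + payload


def encode_body(payload: bytes, text_mode: bool) -> bytes:
    """Request body for application/grpc-web (binary) or application/grpc-web-text (base64)."""
    framed = frame(payload)
    return base64.b64encode(framed) if text_mode else framed


def b64_chunks_decode(data: bytes) -> bytes:
    """grpc-web-text response bodies can be several independently padded base64 chunks back
    to back (one per flushed frame). Python's b64decode silently stops at the first '=' run,
    so decode chunk by chunk instead of in one call."""
    out, data = bytearray(), data.strip()
    while data:
        end = data.find(b"=")
        if end == -1:
            out += base64.b64decode(data)
            break
        while end < len(data) and data[end:end + 1] == b"=":
            end += 1
        out += base64.b64decode(data[:end])
        data = data[end:]
    return bytes(out)


def parse_frames(body: bytes, text_mode: bool):
    """Split a body into (flags, payload) tuples, checking every length prefix against the data."""
    if text_mode:
        body = b64_chunks_decode(body)
    frames, pos = [], 0
    while pos < len(body):
        if len(body) - pos < 5:
            raise ValueError("truncated frame header at offset %d" % pos)
        flags, length = struct.unpack(">BI", body[pos:pos + 5])
        pos += 5
        if len(body) - pos < length:
            raise ValueError("frame claims %d bytes but only %d remain" % (length, len(body) - pos))
        frames.append((flags, body[pos:pos + length]))
        pos += length
    return frames


def parse_trailers(payload: bytes) -> dict:
    """Trailer frame payload is 'name: value' lines separated by CRLF; names are case-insensitive."""
    trailers = {}
    for line in payload.decode("ascii", "replace").split("\r\n"):
        if ":" in line:
            name, value = line.split(":", 1)
            trailers[name.strip().lower()] = value.strip()
    return trailers


def decode_response(body: bytes, text_mode: bool):
    """Return (message_payloads, trailers) for a gRPC-Web response body."""
    messages, trailers = [], {}
    for flags, payload in parse_frames(body, text_mode):
        if flags & TRAILER_FLAG:
            trailers.update(parse_trailers(payload))
        else:
            messages.append(payload)
    return messages, trailers


# Constructed sample (not captured traffic): a server-streaming response with two
# messages followed by a trailer frame reporting grpc-status 7 (PERMISSION_DENIED).
SAMPLE_BODY = (
    frame(b"\x0a\x05hello")
    + frame(b"\x0a\x05world")
    + frame(b"grpc-status: 7\r\ngrpc-message: denied\r\n", TRAILER_FLAG)
)
SAMPLE_TEXT_BODY = base64.b64encode(SAMPLE_BODY)
# The same idea as a proxy may flush it in text mode: two separately padded base64 chunks.
SAMPLE_CHUNKED_TEXT_BODY = (base64.b64encode(frame(b"\x0a\x06hello!"))
                            + base64.b64encode(frame(b"grpc-status: 0\r\n", TRAILER_FLAG)))

if __name__ == "__main__":
    print(encode_body(b"\x0a\x05hello", text_mode=True))
    print(decode_response(SAMPLE_BODY, text_mode=False))
    print(decode_response(SAMPLE_CHUNKED_TEXT_BODY, text_mode=True))
```

Feed decode_response the raw body saved from Burp or curl --output to inspect a real reply. A length prefix that disagrees with the remaining bytes raises instead of being silently trimmed, which is itself a useful signal when a proxy is re-framing or truncating streams.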

What this means for attackers:

  • You can craft requests by hand (binary or base64 text) or use tooling to generate/encode them.
  • CORS mistakes on the proxy can allow cross-site, authenticated gRPC-Web calls (the same class of issue as ordinary CORS misconfigurations).
  • JSON transcoding bridges can unintentionally expose gRPC methods as unauthenticated HTTP endpoints when routes/auth are misconfigured.

Testing gRPC‑Web from the CLI

Easiest: buf curl (speaks gRPC‑Web natively)

  • List methods via reflection (if enabled):
# list methods (uses reflection)
buf curl --protocol grpcweb https://host.tld --list-methods
  • Call a method with JSON input; buf takes care of the gRPC-Web framing and headers:
buf curl --protocol grpcweb \
-H 'Origin: https://example.com' \
-d '{"field":"value"}' \
https://host.tld/pkg.svc.v1.Service/Method
  • If reflection is disabled, supply a schema/descriptor set with --schema or point it at local .proto files. See buf help curl.

Raw with curl (manual headers + framed body)

In binary mode (application/grpc-web), send the framed payload (5-byte prefix + protobuf message). In text mode, base64-encode the framed payload.

# Build a protobuf message, then gRPC-frame it (1 flag byte + 4 length + msg)
# Example using protoscope to compose/edit the message and base64 for grpc-web-text
protoscope -s msg.txt | python3 grpc-coder.py --encode --type grpc-web-text | \
tee body.b64

curl -i https://host.tld/pkg.svc.v1.Service/Method \
-H 'Content-Type: application/grpc-web-text' \
-H 'X-Grpc-Web: 1' \
-H 'X-User-Agent: grpc-web-javascript/0.1' \
--data-binary @body.b64

Tip: force base64/text mode (application/grpc-web-text) when HTTP/1.1 intermediaries mangle binary streams.

Check CORS behaviour (preflight + response)

  • Preflight:
curl -i -X OPTIONS https://host.tld/pkg.svc.v1.Service/Method \
-H 'Origin: https://evil.tld' \
-H 'Access-Control-Request-Method: POST' \
-H 'Access-Control-Request-Headers: content-type,x-grpc-web,x-user-agent,grpc-timeout'
  • Vulnerable setups often reflect an arbitrary Origin and send Access-Control-Allow-Credentials: true, which enables authenticated requests from a cross-site page. Also check whether Access-Control-Expose-Headers includes grpc-status and grpc-message (most setups expose these for the client libraries).

For generic techniques to abuse CORS, check CORS - Misconfigurations & Bypass.
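To make the check above repeatable, here is an added Python helper written for this page (not from the page itself or any referenced tool) that takes the raw headers of a preflight or actual response and decides whether a page at an attacker origin could complete the credentialed gRPC-Web call. The two responses it is fed are constructed samples; the origin https://evil.tld is the one used in the curl preflight above.

```python
def parse_response_headers(raw: str) -> dict:
    """Turn the header block of a `curl -i` / Burp response into a dict (status line dropped)."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n"):
        if ":" in line and not line.startswith("HTTP/"):
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def assess_cors(raw_response: str, attacker_origin: str) -> dict:
    """Decide whether a browser page at attacker_origin could make the gRPC-Web call cross-site."""
    h = parse_response_headers(raw_response)
    acao = h.get("access-control-allow-origin", "")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    allowed = {x.strip().lower() for x in h.get("access-control-allow-headers", "").split(",") if x.strip()}
    exposed = {x.strip().lower() for x in h.get("access-control-expose-headers", "").split(",") if x.strip()}

    # Headers the grpc-web JS client adds; the preflight must allow each one or the browser
    # never sends the real POST. For credentialed requests "*" is not treated as a wildcard.
    needed = {"content-type", "x-grpc-web", "x-user-agent"}
    missing = needed - allowed
    headers_ok = not missing or (not creds and "*" in allowed)

    reflected = acao.lower() == attacker_origin.lower()
    findings = []
    if reflected and creds and headers_ok:
        findings.append("authenticated cross-site gRPC-Web calls possible: Origin reflected + credentials allowed")
    elif reflected and creds:
        findings.append("Origin reflected with credentials, but preflight blocks: " + ", ".join(sorted(missing)))
    elif reflected:
        findings.append("Origin reflected without credentials: only unauthenticated cross-site reads")
    elif acao == "*" and creds:
        findings.append("ACAO * with credentials: browsers refuse credentialed requests; not exploitable as-is")
    elif acao == "null":
        findings.append("ACAO null: sandboxed iframes and data: URLs produce a null Origin")
    if {"grpc-status", "grpc-message"} <= exposed:
        findings.append("grpc-status/grpc-message readable by cross-origin JS")
    return {"exploitable": reflected and creds and headers_ok, "findings": findings}


# Constructed sample responses (not real captures) to the preflight shown above.
VULNERABLE = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://evil.tld
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: POST, OPTIONS
Access-Control-Allow-Headers: content-type,x-grpc-web,x-user-agent,grpc-timeout
Access-Control-Expose-Headers: grpc-status,grpc-message
"""
SAFE = """HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://app.host.tld
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: content-type,x-grpc-web,x-user-agent
Vary: Origin
"""

if __name__ == "__main__":
    print(assess_cors(VULNERABLE, "https://evil.tld"))
    print(assess_cors(SAFE, "https://evil.tld"))
```

Paste the header block of the OPTIONS response and of the actual POST response separately: some proxies answer the preflight permissively while the POST path applies a different policy, and both must pass for the browser to deliver the call.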

Manipulating gRPC-Web payloads

In text mode (Content-Type: application/grpc-web-text) gRPC-Web carries a sequence of base64-encoded gRPC frames for browser compatibility. You can decode, modify and re-encode the frames to corrupt fields, flip flags, or inject payloads.

Use the grpc-coder tool (and its Burp extension) to speed up the cycle.

Guide using the gRPC Coder tool

  1. Decode the payload:
echo "AAAAABYSC0FtaW4gTmFzaXJpGDY6BVhlbm9u" | python3 grpc-coder.py --decode --type grpc-web-text | protoscope > out.txt
  2. Edit the decoded payload (protoscope text; fields 2 and 7 are changed here, field 3 is left at 54):
nano out.txt
2: {"Amin Nasiri Xenon GRPC"}
3: 54
7: {"<script>alert(origin)</script>"}
  3. Encode the new payload:
protoscope -s out.txt | python3 grpc-coder.py --encode --type grpc-web-text
  4. Use the output in the Burp interceptor:
AAAAADoSFkFtaW4gTmFzaXJpIFhlbm9uIEdSUEMYNjoePHNjcmlwdD5hbGVydChvcmlnaW4pPC9zY3JpcHQ+
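The same decode, edit, re-encode loop without grpc-coder or protoscope, as an added Python example written for this page (not the tool's own code): it carries a minimal protobuf wire codec (varints and length-delimited fields, which is all the sample message uses), strips and re-adds the 5-byte frame, and reproduces the exact base64 from step 4 starting from the payload in step 1.

```python
import base64
import struct


def read_varint(buf: bytes, pos: int):
    """Decode a base-128 varint at buf[pos]; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def write_varint(value: int) -> bytes:
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_message(buf: bytes):
    """Return [(field_number, value)]: ints for wire type 0, str/bytes for wire type 2.
    Protobuf is not self-describing, so 'valid UTF-8 means string' is a heuristic; a nested
    message that happens to be valid UTF-8 still re-encodes to the same bytes."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire_type = tag >> 3, tag & 0x7
        if wire_type == 0:
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:
            length, pos = read_varint(buf, pos)
            raw = buf[pos:pos + length]
            pos += length
            try:
                value = raw.decode("utf-8")
            except UnicodeDecodeError:
                value = raw
        else:
            raise ValueError("wire type %d (fixed32/fixed64) not handled here" % wire_type)
        fields.append((field, value))
    return fields


def encode_message(fields) -> bytes:
    """Inverse of decode_message; the wire type follows the Python type of each value."""
    out = bytearray()
    for field, value in fields:
        if isinstance(value, int):
            out += write_varint(field << 3 | 0) + write_varint(value)
        else:
            raw = value.encode("utf-8") if isinstance(value, str) else value
            out += write_varint(field << 3 | 2) + write_varint(len(raw)) + raw
    return bytes(out)


def grpc_web_text_decode(b64: str) -> bytes:
    """Strip the 5-byte gRPC header (flags + big-endian length) from one base64 data frame."""
    framed = base64.b64decode(b64)
    flags, length = struct.unpack(">BI", framed[:5])
    if flags & 0x80 or length != len(framed) - 5:
        raise ValueError("not a single well-formed data frame")
    return framed[5:]


def grpc_web_text_encode(msg: bytes) -> str:
    return base64.b64encode(struct.pack(">BI", 0, len(msg)) + msg).decode("ascii")


def tamper(b64: str, replacements: dict) -> str:
    """Decode a grpc-web-text frame, overwrite the given field numbers, re-frame and re-encode."""
    fields = decode_message(grpc_web_text_decode(b64))
    fields = [(f, replacements.get(f, v)) for f, v in fields]
    return grpc_web_text_encode(encode_message(fields))


# The request body from step 1 above (field 2 = name, field 3 = 54, field 7 = "Xenon").
ORIGINAL = "AAAAABYSC0FtaW4gTmFzaXJpGDY6BVhlbm9u"

if __name__ == "__main__":
    print(decode_message(grpc_web_text_decode(ORIGINAL)))
    print(tamper(ORIGINAL, {2: "Amin Nasiri Xenon GRPC", 7: "<script>alert(origin)</script>"}))
```

Because replacements are applied by field number with no schema, you can also change a field's wire type: {3: "54"} sends field 3 as a length-delimited string where the server expects a varint, which is a cheap probe of how the backend parser handles type mismatches. Fixed32/fixed64 fields are not modelled and make the codec raise.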

Guide with the gRPC-Web Coder Burp Suite Extension

You can use the gRPC-Web Coder Burp Suite Extension from the gRPC-Web Pentest Suite, which is more convenient. Installation and usage instructions are in its repo.

Analyzing gRPC-Web JavaScript files

Web apps that use gRPC-Web ship at least one generated JS/TS bundle. Reverse it to extract services, methods and message shapes.

  • Try gRPC-Scan to analyze the bundles.
  • Look for method paths of the form /<package>.<Service>/<Method>, message field numbers/types, and custom interceptors that add auth headers.
  1. Download the gRPC-Web JavaScript file
  2. Scan it with grpc-scan.py:
python3 grpc-scan.py --file main.js
  3. Review the output and test the newly found endpoints and services:
Output:
Found Endpoints:
/grpc.gateway.testing.EchoService/Echo
/grpc.gateway.testing.EchoService/EchoAbort
/grpc.gateway.testing.EchoService/NoOp
/grpc.gateway.testing.EchoService/ServerStreamingEcho
/grpc.gateway.testing.EchoService/ServerStreamingEchoAbort

Found Messages:

grpc.gateway.testing.EchoRequest:
+------------+--------------------+--------------+
| Field Name |     Field Type     | Field Number |
+============+====================+==============+
| Message    | Proto3StringField  | 1            |
+------------+--------------------+--------------+
| Name       | Proto3StringField  | 2            |
+------------+--------------------+--------------+
| Age        | Proto3IntField     | 3            |
+------------+--------------------+--------------+
| IsAdmin    | Proto3BooleanField | 4            |
+------------+--------------------+--------------+
| Weight     | Proto3FloatField   | 5            |
+------------+--------------------+--------------+
| Test       | Proto3StringField  | 6            |
+------------+--------------------+--------------+
| Test2      | Proto3StringField  | 7            |
+------------+--------------------+--------------+
| Test3      | Proto3StringField  | 16           |
+------------+--------------------+--------------+
| Test4      | Proto3StringField  | 20           |
+------------+--------------------+--------------+

grpc.gateway.testing.EchoResponse:
+--------------+--------------------+--------------+
|  Field Name  |     Field Type     | Field Number |
+==============+====================+==============+
| Message      | Proto3StringField  | 1            |
+--------------+--------------------+--------------+
| Name         | Proto3StringField  | 2            |
+--------------+--------------------+--------------+
| Age          | Proto3IntField     | 3            |
+--------------+--------------------+--------------+
| IsAdmin      | Proto3BooleanField | 4            |
+--------------+--------------------+--------------+
| Weight       | Proto3FloatField   | 5            |
+--------------+--------------------+--------------+
| Test         | Proto3StringField  | 6            |
+--------------+--------------------+--------------+
| Test2        | Proto3StringField  | 7            |
+--------------+--------------------+--------------+
| Test3        | Proto3StringField  | 16           |
+--------------+--------------------+--------------+
| Test4        | Proto3StringField  | 20           |
+--------------+--------------------+--------------+
| MessageCount | Proto3IntField     | 8            |
+--------------+--------------------+--------------+

grpc.gateway.testing.ServerStreamingEchoRequest:
+-----------------+-------------------+--------------+
|   Field Name    |    Field Type     | Field Number |
+=================+===================+==============+
| Message         | Proto3StringField | 1            |
+-----------------+-------------------+--------------+
| MessageCount    | Proto3IntField    | 2            |
+-----------------+-------------------+--------------+
| MessageInterval | Proto3IntField    | 3            |
+-----------------+-------------------+--------------+

grpc.gateway.testing.ServerStreamingEchoResponse:
+------------+-------------------+--------------+
| Field Name |    Field Type     | Field Number |
+============+===================+==============+
| Message    | Proto3StringField | 1            |
+------------+-------------------+--------------+

grpc.gateway.testing.ClientStreamingEchoRequest:
+------------+-------------------+--------------+
| Field Name |    Field Type     | Field Number |
+============+===================+==============+
| Message    | Proto3StringField | 1            |
+------------+-------------------+--------------+

grpc.gateway.testing.ClientStreamingEchoResponse:
+--------------+----------------+--------------+
|  Field Name  |   Field Type   | Field Number |
+==============+================+==============+
| MessageCount | Proto3IntField | 1            |
+--------------+----------------+--------------+
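An added Python example written for this page (it is not grpc-scan.py, whose output is shown above) that does the same kind of extraction with regular expressions over a bundle: method paths from MethodDescriptor calls (with a fallback for bundles where the descriptor object is minified away) and field numbers/wire types from the generated serializeBinaryToWriter functions. The bundle excerpt is constructed in the shape that protoc-gen-grpc-web and protoc-gen-js emit; it is not a real application's code.

```python
import re

# new grpc.web.MethodDescriptor('/pkg.Service/Method', grpc.web.MethodType.UNARY, ...)
# In webpack/minified bundles `grpc.web` is usually a renamed module variable, so only the
# call name, the path literal and the MethodType member are anchored on.
METHOD_RE = re.compile(r"""MethodDescriptor\(\s*['"](/[\w.]+/\w+)['"]\s*,\s*[\w$.]*MethodType\.(\w+)""")
# Fallback: any string literal shaped like a gRPC path.
PATH_RE = re.compile(r"""['"](/[\w$]+(?:\.[\w$]+)+/\w+)['"]""")
SERIALIZER_RE = re.compile(r"([\w$.]+)\.serializeBinaryToWriter\s*=\s*function")
# protoc-gen-js serializers call writer.writeString(1, f), writer.writeInt32(3, f), ...
WRITE_RE = re.compile(r"\.write([A-Za-z0-9]+)\(\s*(\d+)\s*,")


def _balanced_body(js: str, start: int) -> str:
    """Text inside the first {...} at or after start. Generated serializers contain no braces
    inside string literals, so plain brace counting is enough."""
    i = js.index("{", start)
    depth, begin = 0, i
    while i < len(js):
        if js[i] == "{":
            depth += 1
        elif js[i] == "}":
            depth -= 1
            if depth == 0:
                return js[begin + 1:i]
        i += 1
    return js[begin + 1:]


def scan_bundle(js: str) -> dict:
    """Return {"methods": {path: method_type}, "messages": {name: [(field_number, wire_call)]}}."""
    methods = {path: kind for path, kind in METHOD_RE.findall(js)}
    for path in PATH_RE.findall(js):
        methods.setdefault(path, "UNKNOWN")
    messages = {}
    for m in SERIALIZER_RE.finditer(js):
        name = m.group(1)
        name = name[len("proto."):] if name.startswith("proto.") else name
        body = _balanced_body(js, m.end())
        messages[name] = [(int(num), typ) for typ, num in WRITE_RE.findall(body)]
    return {"methods": methods, "messages": messages}


# Constructed excerpt (not a real bundle) in the shape protoc-gen-grpc-web / protoc-gen-js emit.
SAMPLE_JS = r"""
const methodDescriptor_EchoService_Echo = new grpc.web.MethodDescriptor(
  '/grpc.gateway.testing.EchoService/Echo',
  grpc.web.MethodType.UNARY,
  proto.grpc.gateway.testing.EchoRequest,
  proto.grpc.gateway.testing.EchoResponse,
  function(request) { return request.serializeBinary(); },
  proto.grpc.gateway.testing.EchoResponse.deserializeBinary);
const methodDescriptor_EchoService_ServerStreamingEcho = new o.MethodDescriptor(
  "/grpc.gateway.testing.EchoService/ServerStreamingEcho", o.MethodType.SERVER_STREAMING,
  proto.grpc.gateway.testing.ServerStreamingEchoRequest,
  proto.grpc.gateway.testing.ServerStreamingEchoResponse, r, s);
proto.grpc.gateway.testing.EchoRequest.serializeBinaryToWriter = function(message, writer) {
  var f = undefined;
  f = message.getMessage();
  if (f.length > 0) { writer.writeString(1, f); }
  f = message.getName();
  if (f.length > 0) { writer.writeString(2, f); }
  f = message.getAge();
  if (f !== 0) { writer.writeInt32(3, f); }
  f = message.getIsAdmin();
  if (f) { writer.writeBool(4, f); }
};
"""

if __name__ == "__main__":
    import json
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JS
    print(json.dumps(scan_bundle(source), indent=2))
```

Run it as python3 scan.py main.js on a downloaded bundle. Fields that appear in a serializer but are never populated by the UI (IsAdmin in the sample) are the first candidates for the payload tampering loop described earlier.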

Bridging and JSON transcoding: points to consider

Many deployments put an Envoy (or equivalent) proxy in front of the gRPC server:

  • the grpc_web filter converts HTTP/1.1 POSTs into HTTP/2 gRPC.
  • the gRPC-JSON Transcoder exposes gRPC methods as HTTP JSON endpoints when the .proto carries google.api.http options.

From a pentesting perspective:

  • Try direct HTTP JSON calls to /<package>.<Service>/<Method> with application/json when the transcoder is enabled (auth/route mismatches are common):
curl -i https://host.tld/pkg.svc.v1.Service/Method \
-H 'Content-Type: application/json' \
-d '{"field":"value"}'
  • Check whether unknown methods/parameters are rejected or passed through. Some configs forward unmatched paths upstream, sometimes bypassing auth or request validation.
  • Look at x-envoy-original-path and related headers added by proxies. Upstreams that trust these can be abused if the proxy does not sanitize them.
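An added Python probe, written for this page and not part of any referenced project, that sends the same method through the gRPC-Web route and the JSON transcoder, with and without the auth header, plus a request for a method name that does not exist, and compares how the edge answers. The transport is injectable: fake_edge is a constructed stand-in for a misconfigured proxy so the script runs offline; the default send=http_send with a real base URL probes a target. The path /pkg.svc.v1.Service/Method and the DoesNotExistZz suffix are placeholders.

```python
import base64
import json
import struct
import urllib.error
import urllib.request


def http_send(url: str, headers: dict, body: bytes):
    """Real transport: POST and return (status, headers, body); HTTP errors are results, not exceptions."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def grpc_web_text_body(msg: bytes) -> bytes:
    """5-byte gRPC frame header (flags 0 + big-endian length), then base64 for grpc-web-text."""
    return base64.b64encode(struct.pack(">BI", 0, len(msg)) + msg)


def probe(base_url: str, method_path: str, json_body: dict, proto_msg: bytes,
          auth_headers: dict = None, send=http_send):
    """Send the method as gRPC-Web (with and without auth), as transcoded JSON without auth,
    and as JSON to a sibling method that does not exist. Returns one record per variant."""
    auth_headers = auth_headers or {}
    grpc_hdrs = {"Content-Type": "application/grpc-web-text", "X-Grpc-Web": "1"}
    json_hdrs = {"Content-Type": "application/json"}
    json_bytes = json.dumps(json_body).encode()
    variants = [
        ("grpcweb-auth", method_path, {**grpc_hdrs, **auth_headers}, grpc_web_text_body(proto_msg)),
        ("grpcweb-noauth", method_path, grpc_hdrs, grpc_web_text_body(proto_msg)),
        ("json-noauth", method_path, json_hdrs, json_bytes),
        ("json-unknown", method_path + "DoesNotExistZz", json_hdrs, json_bytes),
    ]
    results = []
    for label, path, headers, body in variants:
        status, rhdrs, rbody = send(base_url.rstrip("/") + path, headers, body)
        lower = {k.lower(): v for k, v in rhdrs.items()}
        results.append({"variant": label, "path": path, "status": status,
                        # trailers-only responses carry grpc-status as a plain header
                        "grpc_status": lower.get("grpc-status"),
                        "content_type": lower.get("content-type", ""), "body_len": len(rbody)})
    return results


def verdicts(results) -> list:
    """Turn the four records into findings worth reporting."""
    r = {x["variant"]: x for x in results}

    def ok(x):
        return x["status"] == 200 and x["grpc_status"] in (None, "0")

    def denied(x):  # 7 = PERMISSION_DENIED, 16 = UNAUTHENTICATED
        return x["status"] in (401, 403) or x["grpc_status"] in ("7", "16")

    out = []
    if denied(r["grpcweb-noauth"]) and ok(r["json-noauth"]):
        out.append("JSON transcoded route skips the auth enforced on the gRPC-Web route")
    if ok(r["grpcweb-noauth"]):
        out.append("method answers without any auth header")
    unk = r["json-unknown"]
    if unk["status"] not in (404, 415, 501) and unk["grpc_status"] != "12" and not denied(unk):  # 12 = UNIMPLEMENTED
        out.append("unknown method not rejected at the edge: request likely forwarded upstream")
    return out


# Constructed stand-in for a misconfigured edge (not a real service): gRPC-Web needs a token,
# the JSON route does not, and unmatched paths are proxied through to the upstream as-is.
def fake_edge(url: str, headers: dict, body: bytes):
    if url.endswith("DoesNotExistZz"):
        return 200, {"Content-Type": "text/html"}, b"<html>upstream default page</html>"
    if headers.get("Content-Type") == "application/json":
        return 200, {"Content-Type": "application/json"}, b'{"field":"value"}'
    if "Authorization" in headers:
        return 200, {"Content-Type": "application/grpc-web-text", "grpc-status": "0"}, b""
    return 200, {"Content-Type": "application/grpc-web-text", "grpc-status": "16",
                 "grpc-message": "missing token"}, b""


if __name__ == "__main__":
    res = probe("https://host.tld", "/pkg.svc.v1.Service/Method", {"field": "value"},
                b"\x0a\x05value", {"Authorization": "Bearer <token>"}, send=fake_edge)
    for row in res:
        print(row)
    print(verdicts(res))
```

Against a live target, compare content_type and body_len as well as the verdicts: a JSON-shaped 200 from a path that should only speak gRPC, or an HTML body for the unknown method, usually means the request left the transcoder's route table and reached something else upstream.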
