dillonfranke / protoburp Goto Github PK

Not seeing a way that I can use this for websocket connectivity

Support for Compiled Definitions

I've recently been working with protobuf and I feel a complete tool is missing out there right now. Let me share a few observations and ideas.
I played with this mitm-proxy extension: https://github.com/aarnaut/mitmproxy-grpc, which is now also part of the core of mitm-proxy. I didn't use the core component, but rather adapted the extension to my use case for simplicity.
Few takeaways:

• (Opensource/White Box) Using compiled protobuf definitions helps in complex scenarios where build theme requires some effort, e.g. many dependencies or sub-modules, setting up the environment and build everything on your own is easier than having a extension do it for you. Example of loading protobuf compiled definition: https://github.com/aarnaut/mitmproxy-grpc/blob/c73eeea63d98d815620c5f7bb5c02ca0fd728235/protobuf_modification.py#L22
• How to ensure all dependencies and .proto files are embedded in one file: protoc [...] --include_source_info --include_imports --descriptor_set_out=descriptor.pb $(PROTO_FILES), [...] means whatever option you were using before, PROTO_FILES is the list of all the .proto files. This way, you get a single pb file containing all the compiled .proto and their dependencies, which is really convenient for not having to change files constantly.

Support for Automatic Decoding

One could check the content type of requests and replies to apply automatic decoding. The extension I indicated above adds a custom view to mitm-proxy that does just that by deserialising protobuf/grpc messages based on the content type and path of the request.
Deserialize: https://github.com/aarnaut/mitmproxy-grpc/blob/c73eeea63d98d815620c5f7bb5c02ca0fd728235/protobuf_modification.py#L30
Find the right method: https://github.com/aarnaut/mitmproxy-grpc/blob/c73eeea63d98d815620c5f7bb5c02ca0fd728235/protobuf_modification.py#L103

An additional step would also be to support the editing of messages, again the extension already has code to do this, support for some edge case needs to be added.
Serialize: https://github.com/aarnaut/mitmproxy-grpc/blob/c73eeea63d98d815620c5f7bb5c02ca0fd728235/protobuf_modification.py#L65

grpc WEB

grpc-WEB has some differences from protobuf/grpc to come to grips with the fact that not all browsers support the same functionality or protocols. Supporting this specification also theoretically requires little effort, see link below.
https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-WEB.md

I hope that these considerations and information can contribute to the development of the tool. I would also be happy to contribute by writing some of the code/documentation.

Cheers ✌️

Hi,

can protoburp extension be used to proxy gRPC requests in Burp. I tried it with the steps from the blog in repo and failed.