dillonfranke / protoburp

Encode and Fuzz Custom Protobuf Messages in Burp Suite

Home Page: https://dillonfrankesecurity.com/posts/protoburp-encode-custom-protobuf-messages-in-burp/

ProtoBurp

Check out my blog post detailing the wonderful things you can do with ProtoBurp! https://dillonfrankesecurity.com/posts/protoburp-encode-custom-protobuf-messages-in-burp/

Description

ProtoBurp is a Burp Suite extension that enables security researchers to encode and fuzz custom Protobuf messages. It automatically converts JSON data into a Protobuf message based on a provided Protobuf definition file. This opens up opportunities for fuzzing inputs with Burp's Repeater and Intruder tools, as well as for proxying traffic from other tools (e.g. sqlmap).

Installation

1. Clone the ProtoBurp repository and its submodules

git clone --recursive https://github.com/dillonfranke/protoburp.git

Make sure to add the --recursive option

2. Install the protoc utility, which you'll need to compile Protobuf definition (.proto) files

Mac:

brew install protobuf

Debian Linux:

sudo apt-get update
sudo apt-get install protobuf-compiler

Windows: https://github.com/protocolbuffers/protobuf/releases

3. Run the setup.sh script

This will install Google's protobuf module so it can be used by the extension

sudo ./setup.sh

Usage

1. Compile the .proto file you want to convert into Python format

Several example .proto files are contained in the test_app folder

protoc --python_out=. addressbook.proto

2. Load the ProtoBurp extension and select your compiled .proto file

  • Click 'Enable ProtoBurp'
  • Select the Python Protobuf definition file you just compiled

3. Set the ProtoBurp header on your requests, and your requests will be transformed from JSON to Protobuf!

Generating a JSON payload

You might be wondering: "How can I generate a JSON object from a .proto file to use with ProtoBurp?"

Easy: I wrote a script that, given a compiled .proto definition and a message name, fills in placeholder values to generate a JSON payload. You can then use the JSON payload with ProtoBurp. Here's how you use the script:

❯ python3 json-generator.py
Usage: python3 json-generator.py <compiled_proto_definition_pb2.py> <MessageName>
❯ python3 json-generator.py test_app/addressbook_pb2.py AddressBook
{
  "people": [
    {
      "name": "example",
      "id": 1,
      "email": "example",
      "phones": [
        {
          "number": "example",
          "type": "PHONE_TYPE_UNSPECIFIED"
        },
        {
          "number": "example",
          "type": "PHONE_TYPE_UNSPECIFIED"
        }
      ]
    },
    {
      "name": "example",
      "id": 1,
      "email": "example",
      "phones": [
        {
          "number": "example",
          "type": "PHONE_TYPE_UNSPECIFIED"
        },
        {
          "number": "example",
          "type": "PHONE_TYPE_UNSPECIFIED"
        }
      ]
    }
  ]
}
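
What the JSON-to-Protobuf step amounts to on the wire, as an added example: this is not ProtoBurp's code (the extension relies on Google's protobuf module), but a minimal hand-written encoder for a payload shaped like the one above. The field numbers, the PHONE_TYPE_MOBILE enum value and the SCHEMA/ENUMS tables are assumptions modelled on the protobuf addressbook tutorial, not taken from this page.

```python
import json

# Assumed schema: field name -> (field number, kind). Numbers follow the
# well-known addressbook tutorial layout and are NOT taken from this page.
SCHEMA = {
    "AddressBook": {"people": (1, "Person")},
    "Person": {"name": (1, "string"), "id": (2, "int32"),
               "email": (3, "string"), "phones": (4, "PhoneNumber")},
    "PhoneNumber": {"number": (1, "string"), "type": (2, "PhoneType")},
}
ENUMS = {"PhoneType": {"PHONE_TYPE_UNSPECIFIED": 0, "PHONE_TYPE_MOBILE": 1}}

def varint(n):
    """Base-128 varint; negative int32 values are sign-extended to 64 bits."""
    n &= (1 << 64) - 1
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        out.append(byte | (0x80 if n else 0))  # high bit = more bytes follow
        if not n:
            return bytes(out)

def encode(msg_type, obj):
    """Serialize a JSON-style dict to protobuf wire bytes using SCHEMA.

    Zero/default values are written explicitly here; generated serializers
    usually omit them, and parsers accept both forms.
    """
    out = bytearray()
    for name, value in obj.items():
        if name not in SCHEMA[msg_type]:
            raise KeyError(f"{msg_type} has no field {name!r}")
        number, kind = SCHEMA[msg_type][name]
        for item in value if isinstance(value, list) else [value]:
            if kind == "int32" or kind in ENUMS:
                if kind in ENUMS:
                    item = ENUMS[kind][item]  # enum name -> number
                out += varint(number << 3 | 0) + varint(item)  # wire type 0
            else:  # strings and nested messages are length-delimited
                body = item.encode() if kind == "string" else encode(kind, item)
                out += varint(number << 3 | 2) + varint(len(body)) + body
    return bytes(out)

# Constructed sample in the shape json-generator.py prints
SAMPLE = json.loads('{"people": [{"name": "example", "id": 1, "email": "example",'
                    ' "phones": [{"number": "example", "type": "PHONE_TYPE_MOBILE"}]}]}')

if __name__ == "__main__":
    print(encode("AddressBook", SAMPLE).hex())
```

Each nested message is prefixed with its byte length, which is why editing a string inside a raw Protobuf body by hand breaks the message and why fuzzing the JSON form before encoding is more practical.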

Use Cases

Please see my blog post, where I talk about how you can use ProtoBurp with Repeater, Intruder, and external security utilities like sqlmap!

Bugs and Feature Requests

Please use the issues tab for any bugs or feature requests.

Happy Hunting!
