# Pentesting gRPC-Web
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
## **Manipulating gRPC-Web Payloads** gRPC-Web uses Content-Type: `application/grpc-web-text` in requests which is kind of protobuf in base64 encoded form, you can use [gprc-coder](https://github.com/nxenon/grpc-pentest-suite) tool ,and you can also install its [Burp Suite Extension](https://github.com/nxenon/grpc-pentest-suite). ### **Manual with gGRPC Coder Tool** 1. First decode the payload: ```bash echo "AAAAABYSC0FtaW4gTmFzaXJpGDY6BVhlbm9u" | python3 grpc-coder.py --decode --type grpc-web-text | protoscope > out.txt ``` 2. Edit the content of decoded payload ``` nano out.txt 2: {"Amin Nasiri Xenon GRPC"} 3: 54 7: {""} ``` 3. Encode the new payload ```bash protoscope -s out.txt | python3 grpc-coder.py --encode --type grpc-web-text ``` 4. Use output in Burp interceptor: ``` AAAAADoSFkFtaW4gTmFzaXJpIFhlbm9uIEdSUEMYNjoePHNjcmlwdD5hbGVydChvcmlnaW4pPC9zY3JpcHQ+ ``` ### **Manual with gRPC-Web Coder Burp Suite Extension** You can use gRPC-Web Coder Burp Suite Extension in [gRPC-Web Pentest Suite](https://github.com/nxenon/grpc-pentest-suite) which is easier. You can read the installation and usage instruction in its repo. ## **Analysing gRPC-Web Javascript Files** There is at least one Javascript file in every gRPC-Web application. You can analyse the file to find new messages, endpoints and services. Try using [gRPC-Scan](https://github.com/nxenon/grpc-pentest-suite) tool. 1. Download the Javascript gRPC-Web File 2. Scan it with grpc-scan.py: ```bash python3 grpc-scan.py --file main.js ``` 3. Analyse output and test the new endpoints and new services: ``` Output: Found Endpoints: /grpc.gateway.testing.EchoService/Echo /grpc.gateway.testing.EchoService/EchoAbort /grpc.gateway.testing.EchoService/NoOp /grpc.gateway.testing.EchoService/ServerStreamingEcho /grpc.gateway.testing.EchoService/ServerStreamingEchoAbort Found Messages: grpc.gateway.testing.EchoRequest: +------------+--------------------+--------------+ | Field Name | Field Type | Field Number | +============+====================+==============+ | Message | Proto3StringField | 1 | +------------+--------------------+--------------+ | Name | Proto3StringField | 2 | +------------+--------------------+--------------+ | Age | Proto3IntField | 3 | +------------+--------------------+--------------+ | IsAdmin | Proto3BooleanField | 4 | +------------+--------------------+--------------+ | Weight | Proto3FloatField | 5 | +------------+--------------------+--------------+ | Test | Proto3StringField | 6 | +------------+--------------------+--------------+ | Test2 | Proto3StringField | 7 | +------------+--------------------+--------------+ | Test3 | Proto3StringField | 16 | +------------+--------------------+--------------+ | Test4 | Proto3StringField | 20 | +------------+--------------------+--------------+ grpc.gateway.testing.EchoResponse: +--------------+--------------------+--------------+ | Field Name | Field Type | Field Number | +==============+====================+==============+ | Message | Proto3StringField | 1 | +--------------+--------------------+--------------+ | Name | Proto3StringField | 2 | +--------------+--------------------+--------------+ | Age | Proto3IntField | 3 | +--------------+--------------------+--------------+ | IsAdmin | Proto3BooleanField | 4 | +--------------+--------------------+--------------+ | Weight | Proto3FloatField | 5 | +--------------+--------------------+--------------+ | Test | Proto3StringField | 6 | +--------------+--------------------+--------------+ | Test2 | Proto3StringField | 7 | +--------------+--------------------+--------------+ | Test3 | Proto3StringField | 16 | +--------------+--------------------+--------------+ | Test4 | Proto3StringField | 20 | +--------------+--------------------+--------------+ | MessageCount | Proto3IntField | 8 | +--------------+--------------------+--------------+ grpc.gateway.testing.ServerStreamingEchoRequest: +-----------------+-------------------+--------------+ | Field Name | Field Type | Field Number | +=================+===================+==============+ | Message | Proto3StringField | 1 | +-----------------+-------------------+--------------+ | MessageCount | Proto3IntField | 2 | +-----------------+-------------------+--------------+ | MessageInterval | Proto3IntField | 3 | +-----------------+-------------------+--------------+ grpc.gateway.testing.ServerStreamingEchoResponse: +------------+-------------------+--------------+ | Field Name | Field Type | Field Number | +============+===================+==============+ | Message | Proto3StringField | 1 | +------------+-------------------+--------------+ grpc.gateway.testing.ClientStreamingEchoRequest: +------------+-------------------+--------------+ | Field Name | Field Type | Field Number | +============+===================+==============+ | Message | Proto3StringField | 1 | +------------+-------------------+--------------+ grpc.gateway.testing.ClientStreamingEchoResponse: +--------------+----------------+--------------+ | Field Name | Field Type | Field Number | +==============+================+==============+ | MessageCount | Proto3IntField | 1 | +--------------+----------------+--------------+ ``` ## References * [Hacking into gRPC-Web Article by Amin Nasiri](https://infosecwriteups.com/hacking-into-grpc-web-a54053757a45) * [gRPC-Web Pentest Suite](https://github.com/nxenon/grpc-pentest-suite)
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)! Other ways to support HackTricks: * If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! * Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) * Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) * **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.** * **Share your hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.