# Pentesting gRPC-Web {% hint style="success" %} Aprenda e pratique Hacking AWS:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Aprenda e pratique Hacking GCP: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)! * **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud).
{% endhint %} ## **Manipulando Payloads gRPC-Web** gRPC-Web usa Content-Type: `application/grpc-web-text` em requisições, que é uma espécie de protobuf em forma codificada em base64. Você pode usar a ferramenta [gprc-coder](https://github.com/nxenon/grpc-pentest-suite) e também pode instalar sua [Extensão do Burp Suite](https://github.com/nxenon/grpc-pentest-suite). ### **Manual com a Ferramenta gGRPC Coder** 1. Primeiro decodifique o payload: ```bash echo "AAAAABYSC0FtaW4gTmFzaXJpGDY6BVhlbm9u" | python3 grpc-coder.py --decode --type grpc-web-text | protoscope > out.txt ``` 2. Edite o conteúdo da carga útil decodificada ``` nano out.txt 2: {"Amin Nasiri Xenon GRPC"} 3: 54 7: {""} ``` 3. Codifique a nova carga útil ```bash protoscope -s out.txt | python3 grpc-coder.py --encode --type grpc-web-text ``` 4. Use o output no interceptador do Burp: ``` AAAAADoSFkFtaW4gTmFzaXJpIFhlbm9uIEdSUEMYNjoePHNjcmlwdD5hbGVydChvcmlnaW4pPC9zY3JpcHQ+ ``` ### **Manual com a Extensão gRPC-Web Coder Burp Suite** Você pode usar a Extensão gRPC-Web Coder Burp Suite no [gRPC-Web Pentest Suite](https://github.com/nxenon/grpc-pentest-suite), que é mais fácil. Você pode ler as instruções de instalação e uso em seu repositório. ## **Analisando Arquivos Javascript gRPC-Web** Há pelo menos um arquivo Javascript em cada aplicação gRPC-Web. Você pode analisar o arquivo para encontrar novas mensagens, endpoints e serviços. Tente usar a ferramenta [gRPC-Scan](https://github.com/nxenon/grpc-pentest-suite). 1. Baixe o Arquivo Javascript gRPC-Web 2. Escaneie-o com grpc-scan.py: ```bash python3 grpc-scan.py --file main.js ``` 3. Analise a saída e teste os novos endpoints e novos serviços: ``` Output: Found Endpoints: /grpc.gateway.testing.EchoService/Echo /grpc.gateway.testing.EchoService/EchoAbort /grpc.gateway.testing.EchoService/NoOp /grpc.gateway.testing.EchoService/ServerStreamingEcho /grpc.gateway.testing.EchoService/ServerStreamingEchoAbort Found Messages: grpc.gateway.testing.EchoRequest: +------------+--------------------+--------------+ | Field Name | Field Type | Field Number | +============+====================+==============+ | Message | Proto3StringField | 1 | +------------+--------------------+--------------+ | Name | Proto3StringField | 2 | +------------+--------------------+--------------+ | Age | Proto3IntField | 3 | +------------+--------------------+--------------+ | IsAdmin | Proto3BooleanField | 4 | +------------+--------------------+--------------+ | Weight | Proto3FloatField | 5 | +------------+--------------------+--------------+ | Test | Proto3StringField | 6 | +------------+--------------------+--------------+ | Test2 | Proto3StringField | 7 | +------------+--------------------+--------------+ | Test3 | Proto3StringField | 16 | +------------+--------------------+--------------+ | Test4 | Proto3StringField | 20 | +------------+--------------------+--------------+ grpc.gateway.testing.EchoResponse: +--------------+--------------------+--------------+ | Field Name | Field Type | Field Number | +==============+====================+==============+ | Message | Proto3StringField | 1 | +--------------+--------------------+--------------+ | Name | Proto3StringField | 2 | +--------------+--------------------+--------------+ | Age | Proto3IntField | 3 | +--------------+--------------------+--------------+ | IsAdmin | Proto3BooleanField | 4 | +--------------+--------------------+--------------+ | Weight | Proto3FloatField | 5 | +--------------+--------------------+--------------+ | Test | Proto3StringField | 6 | +--------------+--------------------+--------------+ | Test2 | Proto3StringField | 7 | +--------------+--------------------+--------------+ | Test3 | Proto3StringField | 16 | +--------------+--------------------+--------------+ | Test4 | Proto3StringField | 20 | +--------------+--------------------+--------------+ | MessageCount | Proto3IntField | 8 | +--------------+--------------------+--------------+ grpc.gateway.testing.ServerStreamingEchoRequest: +-----------------+-------------------+--------------+ | Field Name | Field Type | Field Number | +=================+===================+==============+ | Message | Proto3StringField | 1 | +-----------------+-------------------+--------------+ | MessageCount | Proto3IntField | 2 | +-----------------+-------------------+--------------+ | MessageInterval | Proto3IntField | 3 | +-----------------+-------------------+--------------+ grpc.gateway.testing.ServerStreamingEchoResponse: +------------+-------------------+--------------+ | Field Name | Field Type | Field Number | +============+===================+==============+ | Message | Proto3StringField | 1 | +------------+-------------------+--------------+ grpc.gateway.testing.ClientStreamingEchoRequest: +------------+-------------------+--------------+ | Field Name | Field Type | Field Number | +============+===================+==============+ | Message | Proto3StringField | 1 | +------------+-------------------+--------------+ grpc.gateway.testing.ClientStreamingEchoResponse: +--------------+----------------+--------------+ | Field Name | Field Type | Field Number | +==============+================+==============+ | MessageCount | Proto3IntField | 1 | +--------------+----------------+--------------+ ``` ## Referências * [Hacking into gRPC-Web Artigo de Amin Nasiri](https://infosecwriteups.com/hacking-into-grpc-web-a54053757a45) * [gRPC-Web Pentest Suite](https://github.com/nxenon/grpc-pentest-suite) {% hint style="success" %} Aprenda e pratique Hacking AWS:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\ Aprenda e pratique Hacking GCP: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks * Confira os [**planos de assinatura**](https://github.com/sponsors/carlospolop)! * **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga**-nos no **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Compartilhe truques de hacking enviando PRs para o** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
{% endhint %}