Pentesting Blazor Server Apps using Zaproxy


Najam Ul Saqib

Feb 27, 2024, 7:42:21 AM
to ZAP User Group
Does ZAP support Blazor apps? Blazor communicates primarily through SignalR (WebSockets) in binary opcode; will ZAP be able to scan them? I see one add-on, i.e. BTP on Burp, but that is not very feature-rich. Pentesting Blazor apps seems surprisingly challenging.

thc...@gmail.com

Feb 29, 2024, 3:43:28 PM
to zaprox...@googlegroups.com
Hi,

The WebSockets add-on allows you to intercept (and decode, if you know how, e.g. with a WebSocket Sender script) the binary messages.

You can also create new connections and fuzz them; there's no active scan support for WebSockets yet, though.

Best regards.

Najam Ul Saqib

Feb 29, 2024, 11:00:37 PM
to ZAP User Group
Yes, but Blazor Server uses the MessagePack binary format, which is unreadable/non-editable; we can intercept the messages through WebSockets but can't change them or see what's going on.

thc...@gmail.com

Mar 1, 2024, 3:23:19 AM
to zaprox...@googlegroups.com
You can, decode/encode it to read/edit it:
https://github.com/msgpack/msgpack/blob/master/spec.md

(There are libraries available if you don't want to write an en/decoder from scratch.)

Best regards.

Najam Ul Saqib

Mar 1, 2024, 3:32:47 AM
to ZAP User Group
How can this be integrated with ZAP?

thc...@gmail.com

Mar 4, 2024, 2:59:43 AM
to zaprox...@googlegroups.com
It depends on how you want to do it: either you create a little Java add-on, or you do it through scripting (e.g. GraalVM JavaScript allows you to import libraries).

Best regards.

Najam Ul Saqib

Mar 8, 2024, 2:18:06 AM
to ZAP User Group

"While Blazor server uses MessagePack, the traffic is specifically formatted according to Blazor’s own Hub Protocol specification. Therefore, generic MessagePack parsers like the Burp Suite MessagePack extension available from the BApp Store will not work with Blazor traffic. Take the following BlazorPack message for example. If we use the MessagePack extension on this message, the result is just 25 and the rest of the message is ignored. This is because \x00 - \x7f represent positive integers in the MessagePack specification. The extension sees the first \x19, converts it to the decimal value of 25, and fails to parse the rest of the message. We’ll need a customized MessagePack parser to properly read these messages."

The msgpack library won't work with Blazor messages.
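The behaviour the quoted article describes (a plain MessagePack parser returning "25" and ignoring the rest) comes from the framing, not from the MessagePack encoding itself: SignalR's MessagePack hub protocol writes a base-128 varint byte count in front of every message, and \x19 is that count. Below is an added, stand-alone JavaScript example written for this thread (it is not ZAP, Blazor, SignalR or BTP code) that strips the prefix, decodes the MessagePack body with a small hand-written codec, lets you edit an argument and re-frames the result. The sample frame is constructed for the example, not taken from a capture; its OnRenderCompleted target and arguments are modelled on the Blazor Server hub method of that name, and only the type bytes come from the MessagePack spec linked above. It serves both the earlier "decode/encode it" suggestion and the BlazorPack framing point made here.

```javascript
// Added example (not ZAP, Blazor or SignalR code): minimal MessagePack codec + SignalR's varint length prefix.
const utf8dec = new TextDecoder(), utf8enc = new TextEncoder();
// Length prefix: base-128 varint, low 7 bits first, high bit set while more bytes follow.
function readVarint(buf, pos) {
  let value = 0, shift = 0, b;
  do { b = buf[pos++]; if (b === undefined) throw new Error('truncated varint'); value += (b & 0x7f) * 2 ** shift; shift += 7; } while (b & 0x80);
  return { value, pos };
}
function writeVarint(n) {
  const out = [];
  do { out.push(n % 128 | (n >= 128 ? 0x80 : 0)); n = Math.floor(n / 128); } while (n > 0);
  return out;
}
// Decode one MessagePack value at pos -> { value, pos }. Covers what SignalR invocation frames use; anything else throws.
function decodeMsgPack(buf, pos = 0) {
  const dv = new DataView(buf.buffer, buf.byteOffset, buf.byteLength), t = buf[pos++];
  let value;
  const str = (n) => { value = utf8dec.decode(buf.subarray(pos, pos + n)); pos += n; };
  const arr = (n) => { value = []; for (let i = 0; i < n; i++) { const r = decodeMsgPack(buf, pos); value.push(r.value); pos = r.pos; } };
  const map = (n) => { value = {}; for (let i = 0; i < n; i++) { const k = decodeMsgPack(buf, pos), v = decodeMsgPack(buf, k.pos); value[k.value] = v.value; pos = v.pos; } };
  const u16 = () => { const n = dv.getUint16(pos); pos += 2; return n; };
  if (t <= 0x7f) value = t;                      // positive fixint
  else if (t >= 0xe0) value = t - 0x100;         // negative fixint
  else if ((t & 0xf0) === 0x80) map(t & 0x0f);   // fixmap
  else if ((t & 0xf0) === 0x90) arr(t & 0x0f);   // fixarray
  else if ((t & 0xe0) === 0xa0) str(t & 0x1f);   // fixstr
  else switch (t) {
    case 0xc0: value = null; break;
    case 0xc2: value = false; break;
    case 0xc3: value = true; break;
    case 0xc4: { const n = buf[pos++]; value = buf.slice(pos, pos + n); pos += n; break; } // bin8
    case 0xcc: value = buf[pos++]; break;                      // uint8
    case 0xcd: value = u16(); break;                           // uint16 (big-endian)
    case 0xce: value = dv.getUint32(pos); pos += 4; break;     // uint32
    case 0xd9: str(buf[pos++]); break;                         // str8
    case 0xda: str(u16()); break;                              // str16
    case 0xdc: arr(u16()); break;                              // array16
    case 0xde: map(u16()); break;                              // map16
    default: throw new Error(`unsupported MessagePack type 0x${t.toString(16)} at offset ${pos - 1}`);
  }
  return { value, pos };
}
// Encode a JS value (int, string, null, bool, Uint8Array, array, plain object) as MessagePack.
function encodeMsgPack(v, out = []) {
  const be16 = (n) => { if (n > 0xffff) throw new Error('too long for this example'); out.push(n >>> 8, n & 0xff); };
  if (v === null || v === undefined) out.push(0xc0);
  else if (typeof v === 'boolean') out.push(v ? 0xc3 : 0xc2);
  else if (Number.isInteger(v)) {
    if (v >= 0 && v <= 0x7f) out.push(v);
    else if (v < 0 && v >= -32) out.push(v + 0x100);
    else if (v >= 0 && v <= 0xff) out.push(0xcc, v);
    else if (v >= 0 && v <= 0xffff) { out.push(0xcd); be16(v); }
    else if (v >= 0 && v <= 0xffffffff) out.push(0xce, v >>> 24, (v >>> 16) & 0xff, (v >>> 8) & 0xff, v & 0xff);
    else throw new Error('integer outside the range this example handles');
  } else if (typeof v === 'string') {
    const b = utf8enc.encode(v);
    if (b.length < 32) out.push(0xa0 | b.length); else if (b.length <= 0xff) out.push(0xd9, b.length); else { out.push(0xda); be16(b.length); }
    for (const x of b) out.push(x);
  } else if (v instanceof Uint8Array) {
    if (v.length > 0xff) throw new Error('bin8 only in this example'); out.push(0xc4, v.length); for (const x of v) out.push(x);
  } else if (Array.isArray(v)) {
    if (v.length < 16) out.push(0x90 | v.length); else { out.push(0xdc); be16(v.length); }
    for (const x of v) encodeMsgPack(x, out);
  } else if (typeof v === 'object') {
    const keys = Object.keys(v);
    if (keys.length < 16) out.push(0x80 | keys.length); else { out.push(0xde); be16(keys.length); }
    for (const k of keys) { encodeMsgPack(k, out); encodeMsgPack(v[k], out); }
  } else throw new Error(`cannot encode ${typeof v}`);
  return out;
}
// One WebSocket binary message may hold several length-prefixed hub messages; decode them all.
function decodeFrames(bytes) {
  const messages = [];
  for (let pos = 0; pos < bytes.length;) {
    const { value: len, pos: start } = readVarint(bytes, pos);
    if (start + len > bytes.length) throw new Error('truncated frame');
    messages.push(decodeMsgPack(bytes.subarray(start, start + len), 0).value);
    pos = start + len;
  }
  return messages;
}
function encodeFrame(message) {
  const body = encodeMsgPack(message);
  return Uint8Array.from([...writeVarint(body.length), ...body]);
}
// Constructed sample, not a capture: one Invocation in SignalR's [type, headers, invocationId, target, args] shape;
// target/args mirror Blazor Server's OnRenderCompleted(renderId, error) but the bytes were assembled by hand.
const SAMPLE_FRAME = Uint8Array.from([
  0x19,                                          // length prefix: 25 bytes follow (a plain msgpack parser reads "25" and stops here)
  0x95, 0x01, 0x80, 0xc0,                        // fixarray(5), type 1 = Invocation, empty headers map, nil invocationId
  0xb1, ...utf8enc.encode('OnRenderCompleted'),  // fixstr(17) target
  0x92, 0x03, 0xc0,                              // fixarray(2) args: renderId 3, no error
]);
// The edit-in-flight step a proxy script needs: decode, change one Invocation argument, re-frame.
function rewriteArgument(frameBytes, argIndex, newValue) {
  const out = [];
  for (const msg of decodeFrames(frameBytes)) { if (msg[0] === 1) msg[4][argIndex] = newValue; out.push(...encodeFrame(msg)); }
  return Uint8Array.from(out);
}
console.log(JSON.stringify(decodeFrames(SAMPLE_FRAME)), rewriteArgument(SAMPLE_FRAME, 0, 300));
```

Note that changing renderId from 3 to 300 grows the body by two bytes (uint16 instead of a fixint), so the varint prefix has to be recomputed; forgetting that is the usual reason a hand-edited frame is rejected by the hub. In ZAP the decode and re-encode would sit inside a WebSocket Sender script; the entry points and the accessors the add-on hands the script are not reproduced here, so start from the script templates the WebSockets add-on ships.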

thc...@gmail.com

Mar 8, 2024, 3:06:16 AM
to zaprox...@googlegroups.com
"We'll need a customized MessagePack parser to properly read these messages."

There you have it, customize the MessagePack parser.

Best regards.

On 08/03/2024 07:18, Najam Ul Saqib wrote:
> As per
> https://www.aon.com/cyber-solutions/aon_cyber_labs/new_burp_suite_extension_blazortrafficprocessor/
>
>
> "While Blazor server uses MessagePack, the traffic is specifically
> formatted according to Blazor’s own Hub Protocol specification. Therefore,
> generic MessagePack parsers like the Burp Suite MessagePack extension
> available from the BApp Store
> <https://portswigger.net/bappstore/c199ec3330864d548ff7d6bf761960ba> will
> not work with Blazor traffic. Take the following BlazorPack message for
> example. If we use the MessagePack extension on this message, the result is
> just 25 and the rest of the message is ignored. This is because \x00 - \x7f
> represent positive integers in the MessagePack specification
> <https://github.com/msgpack/msgpack/blob/master/spec.md#overview>. The