Burp Suite Pro Failed Me :(
Burp Suite Pro Failed Me :(
Nav. Sec. Issue #02
Yoo. Welcome to Issue #02 of Navigating Security.
🍃Quote of the week:
Do you see a man who is wise in his own eyes? There is more hope for a fool than for him ~ Proverbs 26:12
TLDWTR 🙄
Burp Suite fails to properly intercept WS messages using Blazor SignalR
What even is Blazor?
APIs and Business Logic - Four of the top five OWASP API attack vectors are related to this cluster of vulnerabilities
⏱️ Incase you missed the previous issue, here you go:
This Week’s YouTube Video:
Burp Suite Vs Blazor & SignalR 💻
While I was doing some hacking this week I bumped into one of the weirdest functionality I’ve seen in a minute on a web application built on the Blazor framework. It has to do with adding real-time functionality into web applications and its implementation seemed wonky at first, then I realized Burp Suite was the culprit.
What even is Blazor?? 🤷🏾♂️
As I said, the web app was built using the Blazor framework, but what even is that?
Blazor is a free and open-source web framework that enables developers to create web applications using C# and HTML, without requiring JavaScript. It's part of the ASP.NET Core framework and allows for building interactive web UIs with .NET.
SignalR is a library for ASP.NET developers that simplifies the process of adding real-time web functionality to applications - a nightmare for anyone testing the application. Real-time web functionality is the ability to have server-side code push content to connected clients instantly as it happens, rather than having the server wait for a client to request new data. This is kinda like WebSockets, but it’s not raw WebSockets.
The problem 🙄
While this implementation makes life better for devs, it was an issue when I was trying to test the application. Burp Suite fails to properly intercept and modify WebSocket messages in this context, falling back to HTTP requests and leading to malformed, unreadable requests. This problem seems unique to Blazor SignalR WebSocket traffic, as other WebSocket communications work fine.
Well, what can you do then?
This thread is a discussion about someone who faced the same issue, but it seems there was never a solid conclusion.
I also found an extension that serializes/deserializes Blazor messages. It highlights all BlazorPack-enabled requests or responses in cyan in the history tab.
APIs and business logic 💼
Business logic flaws are rampant in APIs. These vulnerabilities are essentially legitimate API functions being exploited in ways not intended by the devs. They can range from authorization bypasses, to improper input handling, to excessive trust in client-side controls. There isn’t much a team can do to combat business logic flaws unless they employ a comprehensive test strategy and maybe a zero-trust model. You can read more from APIsec university: https://www.apisec.ai/blog/business-logic-vulnerabilities
Suggestions
Hit me up on Discord or LinkedIn if you have anything you feel would be cool to include. Thanks, Cheers.