tssci security

Decoding and Tampering Protobuf Serialized Messages in Burp

If you've ever assessed or poked at an application that uses Google Protocol Buffers, you know how painstaking the whole process can be. When you're lucky enough to have a corresponding .proto, crafting messages via generated APIs is tedious. When you don't, you have to resort to reversing the protocol format by hand and/or extracting the proto file descriptor out of the application. Otherwise, you're left dumb-fuzzing the protocol and never diving into the application itself.

Out of necessity, I wrote a Burp Extension that would decode raw protobuf messages even when a .proto was not available. After loading a .proto, the extension features the ability to modify and tamper with protobuf messages. In my extension, you can also manually specify what message type to deserialize a given protobuf message as. You can download my extension at

The following set of screenshots should give you a quick overview of what it's capable of:

We start off with a view of what a simple, raw protobuf message looks like in Burp. If you've ever tried to tamper with this right here, you'd probably find yourself reading and re-reading the protocol buffer encoding documentation.

A raw, serialized protobuf message

Here's what that message looks like when decoded using protoc --decode_raw:

Example use of --decode_raw on a protobuf message
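A minimal schema-less decoder showing what protoc --decode_raw has to work out from the wire format alone: varint keys, wire types, and the guess about whether a length-delimited field is a nested message. This is an added example, not code from the extension; it assumes Python 3, and read_varint, decode_raw, MAX_DEPTH and the SAMPLE bytes (a message constructed here) are illustrative names.

```python
MAX_DEPTH = 16  # cap recursion so crafted nesting cannot exhaust the stack

def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    result = shift = 0
    while pos < len(buf):
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:          # high bit clear: last byte
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")
    raise ValueError("truncated varint")

def decode_raw(buf, depth=0):
    """Return [(field_number, wire_type, value), ...] without a .proto."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 0x07
        if number == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == 0:                       # varint
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):                # fixed 64-bit / 32-bit
            size = 8 if wire_type == 1 else 4
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + size], "little")
            pos += size
        elif wire_type == 2:                     # length-delimited
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length prefix overruns buffer")
            value, pos = buf[pos:pos + length], pos + length
            if value and depth < MAX_DEPTH:
                try:                             # guess: nested message?
                    value = decode_raw(value, depth + 1)
                except ValueError:
                    pass                         # keep as bytes/string
        else:
            raise ValueError("unsupported wire type %d" % wire_type)
        fields.append((number, wire_type, value))
    return fields

# Constructed sample: name="Al", id=150, phone{number="555", type=1},
# using the field numbers of Person in addressbook.proto.
SAMPLE = bytes.fromhex("0a02416c10960122070a033535351001")
```

The nested-message guess is a heuristic: a string whose bytes happen to parse as valid fields will be shown as a message, which is the same ambiguity any decoder without a .proto has.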

Here is another request, which looks to be adding a serialized user object. Note that the burp-protobuf-decoder extension identifies protobuf messages by an HTTP Content-Type request or response header equal to application/x-protobuf. If the application you're looking at does things a bit differently, have a look at modifying isEnabled(), getMessage() and setMessage() of protoburp.py.

Adding a serialized Person protobuf

And again, what it looks like after protoc --decode_raw:

Raw decoded Person protobuf

If we're lucky enough to have a .proto that defines what this message looks like, we can load it from here:

Load .proto right-click menu

Find our addressbook.proto (taken from the protobuf example applications):

Load .proto file

We can then manually deserialize the message as a Person. Next time a request comes through, the extension will automatically deserialize the message. Note that the extension attempts to deserialize as each type in turn until it finds one that deserializes with all required fields initialized (this could result in some false positives).

Deserialize as Person

That looks much better...

Deserialized Person message

But wait, how about we tamper it?

Tampered Person message

The extension will reserialize our message and we can send it on its way. If any errors occur (such as required fields missing), an alert dialog will pop up letting you know.

Tamper and reserialize as Person

And the response from the server confirms our message was tampered successfully.

Confirm our tampered Person was added

Hopefully my extension will make testing protobuf based applications much easier from now on.

Posted by Marcin on Thursday, May 30, 2013 in Security.
