
Penetration Testing Apache Thrift Applications

During a recent mobile application assessment, MDSec’s mobile team encountered a binary protocol over HTTP used for server communication. Analysis of this protocol revealed it to be Apache Thrift, a framework for building RPC clients and servers regardless of the programming language used on each side. MDSec’s web interception tool of choice is Burp Suite, so naturally we wanted to keep using Burp throughout the assessment. Unfortunately, there were no Burp extensions (at least none that we knew of) for Thrift-encoded data, so we decided to write our own.

Using the Thrift Python library and thrift-tools, with some custom modifications, we created our own ThriftDecoder extension for Burp Suite. The code is available on the MDSec GitHub page.

To use the extension, clone the code from GitHub and add it to your Burp installation by selecting the file. We are working on adding the extension to the BApp Store to integrate it further into Burp.

Normally a request carrying Thrift-encoded data looks like this in Burp:

As the image above shows, the data is not completely unrecognisable: chunks of strings can easily be picked out. Unfortunately, if you tried to fuzz one of those strings directly you would hit decoding errors on the server side, because each string is prefixed with a 32-bit integer giving its length.

You may also have noticed the new “Thrift Decoder” tab in the image above. The ThriftDecoder extension creates this tab whenever it detects Thrift-encoded data, and selecting it shows the Thrift data decoded into a more readable format:

With the data in this pseudo-JSON format it is easy to identify the fields you would normally want to fuzz. You can edit directly in the “Thrift Decoder” tab, and any changes are automatically re-encoded when you submit the request from Repeater.
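As an added illustration (not code from the ThriftDecoder extension or thrift-tools), the following minimal TBinaryProtocol encoder/decoder shows the two points above: why overwriting a string in the raw bytes breaks server-side parsing (the 32-bit length prefix goes stale) and how a decode, edit, re-encode step repairs it. The type codes and strict header layout are those of Thrift’s binary protocol; the `login` request, its field ids and values are constructed sample data.

```python
import struct
T_STOP, T_I32, T_STRING = 0, 8, 11   # TBinaryProtocol type codes handled here (a subset)
VERSION_1 = 0x80010000               # strict-mode version marker in the message header

def decode_struct(buf, pos):
    # Returns (dict field_id -> value, position just after the STOP byte).
    fields = {}
    while True:
        ftype = buf[pos]; pos += 1
        if ftype == T_STOP:
            return fields, pos
        fid = struct.unpack_from(">h", buf, pos)[0]; pos += 2
        if ftype == T_I32:
            fields[fid] = struct.unpack_from(">i", buf, pos)[0]; pos += 4
        elif ftype == T_STRING:  # i32 big-endian length prefix, then the raw bytes
            n = struct.unpack_from(">i", buf, pos)[0]; pos += 4
            fields[fid] = buf[pos:pos + n].decode(); pos += n
        else:
            raise ValueError("unsupported field type %d" % ftype)
def encode_struct(fields):  # inverse of decode_struct: str -> length-prefixed string, int -> i32
    out = bytearray()
    for fid, val in fields.items():
        if isinstance(val, str):
            data = val.encode()
            out += struct.pack(">bhi", T_STRING, fid, len(data)) + data  # length recomputed here
        else:
            out += struct.pack(">bhi", T_I32, fid, val)
    out.append(T_STOP)
    return bytes(out)
def decode_message(buf):
    # Strict header: version|type (u32), method name (string), seqid (i32), then the args struct.
    header, n = struct.unpack_from(">Ii", buf, 0)
    if header & 0xFFFF0000 != VERSION_1: raise ValueError("not a strict TBinaryProtocol message")
    name, seqid = buf[8:8 + n].decode(), struct.unpack_from(">i", buf, 8 + n)[0]
    return {"type": header & 0xFF, "name": name, "seqid": seqid, "args": decode_struct(buf, 12 + n)[0]}
def encode_message(msg):
    name = msg["name"].encode()
    return (struct.pack(">Ii", VERSION_1 | msg["type"], len(name)) + name
            + struct.pack(">i", msg["seqid"]) + encode_struct(msg["args"]))
def try_decode(buf):  # None means the bytes no longer parse (the server would reject them too)
    try:
        return decode_message(buf)
    except (ValueError, IndexError, struct.error, UnicodeDecodeError):
        return None

# Constructed sample: a login(username, password) CALL (message type 1) as an app might POST it.
SAMPLE = encode_message({"type": 1, "name": "login", "seqid": 1, "args": {1: "alice", 2: "s3cret"}})
NAIVE = SAMPLE.replace(b"alice", b"alice_fuzzed")    # raw edit: the stale 5-byte length prefix stays
msg = decode_message(SAMPLE); msg["args"][1] = "alice_fuzzed"
FIXED = encode_message(msg)                          # decode, edit, re-encode: prefix is recomputed
```

`try_decode(NAIVE)` returns `None` because the parser reads five bytes of the longer string and then treats the leftover `_` as a field type, which is the same failure the server reports; `try_decode(FIXED)` returns the edited arguments intact.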

If you change the data in the “Thrift Decoder” tab to an invalid format, the extension will be unable to re-encode it, and the “Raw” tab will show the same data as the “Thrift Decoder” tab. This makes it easy to spot erroneous modifications before submitting the request.

It is also possible to use Burp Suite’s Intruder and Scanner. Right-clicking the request message brings up a context menu with new options to send the Thrift request to Intruder or to start an active scan.

ThriftDecoder will automatically set the payload positions in Intruder and Scanner:

This is done for string fields only, as the other field types are not normally injectable given the nature of the Thrift protocol: most Burp payloads are strings, which are not compatible with fields such as integers or doubles. Of course, you can still scan any field type if you wish, and ThriftDecoder will try to encode the payload. This can be very useful when enumerating an ID or checking for integer overflows. It is also possible to change a field’s type, for example from an integer to a string, and ThriftDecoder will do its best to encode the payload. However, this may prove futile, as the Thrift protocol relies on interface definitions, and you may end up with a generic error as the server response or, if you’re lucky, a stack trace.

For any issues, requests, or questions please create an issue on GitHub.

This extension and blog post were authored by Razvan Sima.

Written by MDSec Research


Copyright 2021 MDSec