Full Report
TL;DR: I couldn’t make a custom BlazorPack editor work in Burp, so I used Mallet instead. From an indecipherable binary mess to this, in about 100 lines:

[Image: Decoded BlazorPack messages]

For details on how to do this yourself, even for other protocols, read on!

On a recent assessment, Marianka ran into a website using BlazorPack. As Microsoft describes it: “Today’s modern apps are expected to deliver up-to-date information without hitting a refresh button. Add real-time functionality to your dashboards, maps, games and more.”
Analysis Summary
# Tool/Technique: Mallet (for BlazorPack interception)
## Overview
Mallet is an intercepting proxy framework from SensePost for arbitrary network protocols, built on Netty. Here it was used to decode and modify BlazorPack, the MessagePack-based SignalR hub protocol that Blazor Server uses over WebSockets, whose binary framing is unreadable in a standard HTTP proxy.
## Technical Details
- Type: Tool (protocol interception framework)
- Platform: Java, built on Netty. Protocol handlers are written as scripts (the post uses Groovy) that Mallet loads into its Netty pipeline. The target here was a Blazor Server application: a browser client talking to a .NET server over a SignalR WebSocket.
- Capabilities: proxies and intercepts HTTP/1.0, HTTP/1.1 and WebSocket traffic; decodes and encodes JSON messages; extensible with scripted handlers (Groovy, Jython, JavaScript) that can use Netty's own codec classes.
- First Seen: Mallet itself has been under development for several years; the BlazorPack decoding walkthrough was published on **22 February 2023**.
## MITRE ATT&CK Mapping
The page describes assessment tooling (dissecting and manipulating application traffic through an interception proxy), not adversary tradecraft, so any ATT&CK mapping is loose. The nearest entries:
- **TA0011 - Command and Control**
- T1090 - Proxy: the closest analogue for a proxy inserted between client and server, with the caveat that here the proxy is operated by the tester against their own browser session, not by an adversary redirecting victim traffic.
- **TA0009 - Collection**
- T1005 - Data from Local System: applicable only if decoded traffic were then used to locate data worth collecting; the article itself stops at protocol dissection.
*(Note: Malware TTPs do not apply; Mallet is an assessment/analysis tool, not an offensive payload, and nothing on the page involves credential access.)*
## Functionality
### Core Capabilities
- **WebSocket Frame Aggregation:** Mallet reassembles WebSocket continuation frames into one message before handing it to the protocol handlers. This was the deciding feature: BlazorPack messages are fragmented across frames (the post cites a 4096-byte limit in Burp beyond which fragments were not reassembled), and a decoder that sees only the first fragment cannot parse them.
- **BlazorPack Decoding Pipeline:** About 100 lines of Groovy add the handlers that turn the binary stream into readable, editable messages.
- **JSON Protocol Handling:** Decodes and encodes the JSON handshake with which a Blazor (SignalR) connection negotiates the protocol before switching to binary messages.
### Advanced Features
- **Protobuf Varint Decoding:** Netty's stock `ProtobufVarint32FrameDecoder` splits the byte stream into message-sized chunks using the Varint32 length field that precedes each message.
- **MessagePack Decoding:** A handler decodes the message body, which is MessagePack-encoded.
- **Scriptable Handler Architecture:** Custom protocol handlers (Groovy, with access to any Java library) are reloaded automatically on each new connection, which makes iterating on a decoder fast.
- **Binary WebSocket Frame Handling:** A custom `BinaryWebSocketFrameCodec` unwraps the raw bytes from each `BinaryWebSocketFrame` for the decoders and rewraps them afterwards.
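As an added example (not code from the SensePost post or from Mallet, and written in Python rather than Mallet's Groovy so it runs without Mallet or Netty), the following decoder implements the same stages stand-alone: the JSON handshake terminated by a 0x1e record separator, the Varint32 length prefix, the MessagePack body, and a buffering loop that plays the role of continuation-frame aggregation. The sample frames are constructed by hand; the hub method name `ReceiveMessage`, the argument values and the invocation id `"5"` are invented, while the message layouts ([type, headers, invocationId, target, args, streamIds] for an Invocation, [type, headers, invocationId, resultKind, result] for a Completion) follow the SignalR MessagePack hub protocol. The MessagePack decoder covers only the common type bytes.

```python
# Added example (not code from the post or from Mallet); sample frames are hand-built.
import json
RECORD_SEPARATOR = b"\x1e"          # terminates each SignalR handshake record
MESSAGE_TYPES = {1: "Invocation", 2: "StreamItem", 3: "Completion",
                 4: "StreamInvocation", 5: "CancelInvocation", 6: "Ping", 7: "Close"}
_SIZED = {0xC4: ("bin", 1), 0xC5: ("bin", 2), 0xC6: ("bin", 4),      # length-prefixed types
          0xD9: ("str", 1), 0xDA: ("str", 2), 0xDB: ("str", 4),
          0xDC: ("array", 2), 0xDD: ("array", 4), 0xDE: ("map", 2), 0xDF: ("map", 4)}

def decode_varint(buf, pos=0):
    """Base-128 varint at buf[pos] -> (value, new_pos); (None, pos) if incomplete."""
    value, shift = 0, 0
    for i in range(pos, len(buf)):
        value |= (buf[i] & 0x7F) << shift
        if not buf[i] & 0x80:
            return value, i + 1
        shift += 7
        if shift > 35:
            raise ValueError("varint longer than 32 bits")
    return None, pos

def encode_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def _mp(buf, pos):
    """One MessagePack value at buf[pos] -> (value, new_pos). Common subset only."""
    b, pos = buf[pos], pos + 1
    if b <= 0x7F or b >= 0xE0:          # positive / negative fixint
        return (b if b <= 0x7F else b - 0x100), pos
    if 0x80 <= b <= 0x8F:               # fixmap
        return _mp_map(buf, pos, b & 0x0F)
    if 0x90 <= b <= 0x9F:               # fixarray
        return _mp_array(buf, pos, b & 0x0F)
    if 0xA0 <= b <= 0xBF:               # fixstr
        return buf[pos:pos + (b & 0x1F)].decode(), pos + (b & 0x1F)
    if b in (0xC0, 0xC2, 0xC3):         # nil, false, true
        return {0xC0: None, 0xC2: False, 0xC3: True}[b], pos
    if 0xCC <= b <= 0xCF:               # uint8/16/32/64
        w = 1 << (b - 0xCC)
        return int.from_bytes(buf[pos:pos + w], "big"), pos + w
    if b in _SIZED:                     # bin/str/array/map with a length field
        kind, w = _SIZED[b]
        n, pos = int.from_bytes(buf[pos:pos + w], "big"), pos + w
        if kind == "bin":
            return bytes(buf[pos:pos + n]), pos + n
        if kind == "str":
            return buf[pos:pos + n].decode(), pos + n
        return (_mp_array if kind == "array" else _mp_map)(buf, pos, n)
    raise ValueError(f"unsupported MessagePack type byte 0x{b:02x}")

def _mp_array(buf, pos, n):
    items = []
    for _ in range(n):
        v, pos = _mp(buf, pos)
        items.append(v)
    return items, pos

def _mp_map(buf, pos, n):
    flat, pos = _mp_array(buf, pos, 2 * n)      # keys and values alternate
    return dict(zip(flat[::2], flat[1::2])), pos

def decode_handshake(data):
    """Parse SignalR handshake records: JSON objects each terminated by 0x1e."""
    if not data.endswith(RECORD_SEPARATOR):
        raise ValueError("handshake record not terminated by 0x1e")
    return [json.loads(r) for r in data.split(RECORD_SEPARATOR)[:-1]]

def decode_messages(buf):
    """Split buf into complete [varint length][MessagePack body] messages; returns
    (messages, unconsumed tail) so the caller can buffer fragments across frames."""
    done = []
    while True:
        length, start = decode_varint(buf)
        if length is None or len(buf) < start + length:
            return done, buf                    # wait for the rest of this message
        msg, end = _mp(buf[start:start + length], 0)
        if end != length:
            raise ValueError("trailing bytes after MessagePack body")
        done.append(msg)
        buf = buf[start + length:]

def decode_fragmented(stream, chunk_size):
    """Feed the stream in chunk_size pieces, as if each were a WebSocket frame."""
    msgs, pending = [], b""
    for i in range(0, len(stream), chunk_size):
        new, pending = decode_messages(pending + stream[i:i + chunk_size])
        msgs += new
    return msgs

# Constructed sample traffic, not a capture; the 200-byte result forces a two-byte prefix.
HANDSHAKE = b'{"protocol":"blazorpack","version":1}' + RECORD_SEPARATOR
INVOCATION = (b"\x96\x01\x80\xc0\xaeReceiveMessage"   # [1, {}, nil, "ReceiveMessage",
              b"\x92\xa5alice\xa2hi\x90")              #  ["alice", "hi"], []]
PING = b"\x91\x06"                                     # [6]
COMPLETION = b"\x95\x03\x80\xa15\x03\xc4\xc8" + b"A" * 200  # [3, {}, "5", 3, bin(200)]
STREAM = b"".join(encode_varint(len(m)) + m for m in (INVOCATION, PING, COMPLETION))
```

Calling `decode_fragmented(STREAM, 7)` splits every message across several 7-byte chunks, which is the situation a frame-by-frame editor gets wrong; `decode_messages` holds back the incomplete tail exactly as Mallet's aggregation step does, and `decode_fragmented(STREAM, len(STREAM))` returns the same three messages from a single chunk. To modify a message in flight, re-serialise the edited array with a full MessagePack library and prepend `encode_varint(len(body))`; the decoder above is read-only.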
## Indicators of Compromise
*This section is largely irrelevant as this report details the creation of an analysis tool, not a specific malware sample.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: N/A
## Associated Threat Actors
- None. The people named on the page are the tool's author, Rogan Dawes, and SensePost consultants (Marianka) using it on an authorised assessment; they are researchers, not threat actors.
## Detection Methods
*These apply to BlazorPack traffic in general; Mallet itself runs on the tester's host and leaves nothing on the wire beyond the messages it forwards or modifies.*
- **Signature-based detection:** BlazorPack is legitimate Blazor Server traffic, so a signature on the MessagePack framing alone is useless; signatures only make sense for specific hub method names or payloads tied to a known abuse pattern.
- **Behavioral detection:** Server-side logging of hub invocations (method name, invocation id, caller) catches tampered or replayed messages more reliably than inspecting binary WebSocket frames on the network, which TLS normally hides anyway.
- **YARA rules:** N/A to this analysis workflow.
## Mitigation Strategies
Mitigation strategies focus on the Blazor Server application rather than the proxy:
- **Secure Protocol Implementation:** The binary encoding is not a security control; as the post shows, about 100 lines make it readable and editable. Every hub invocation must therefore be authorised and its arguments validated on the server, exactly as for a plain JSON API.
- **Traffic Analysis:** Network monitoring that inspects Blazor traffic must reassemble fragmented WebSocket messages (continuation frames) before it can parse the varint-prefixed MessagePack records; a tool that stops at the first frame sees only a truncated message.
## Related Tools/Techniques
- **Burp Suite:** The proxy the author tried first; the post's reason for switching was that Burp did not reassemble WebSocket continuation frames into a complete message for a custom editor.
- **BlazorPack:** The MessagePack-based SignalR hub protocol that Blazor Server uses over WebSockets: a JSON handshake, then records made of a Varint32 length prefix and a MessagePack-encoded body.
- **Netty:** The asynchronous event-driven network framework Mallet is built on; its stock codecs (for example `ProtobufVarint32FrameDecoder`) can be dropped straight into a Mallet handler pipeline.