Blazor Traffic Processor

A BurpSuite extension to aid pentesting web applications that use Blazor Server/BlazorPack. Primary functionality includes converting BlazorPack messages to JSON and vice versa, introduces tamperability for BlazorPack serialized messages.

Usage

• All BlazorPack-enabled requests or responses will be highlighted as Cyan within the "HTTP History" tab in Burpsuite.
• The "BTP" request/response editor tab, which appears on each in-scope request or response that contains BlazorPack messages.
  • Clicking on this tab will convert the serialized data from BlazorPack to JSON.
  • After editing the JSON (either in Intercept or Repeater), click the "Raw" tab to re-serialize with your payloads
• The "BTP" Burpsuite tab, which allows for ad-hoc conversions of Blazor->JSON and JSON->Blazor
  • The left-hand editor is for your input (JSON or raw Blazor)
  • The right-hand editor is for the results of the conversion
  • A drop-down menu on the bottom of the window lets you select "Blazor->JSON" or "JSON->Blazor"
  • The Serialize/Deserialize button at the top is how you trigger the conversion
• Right-click menu option called "Send body to BTP tab"
  • You can right-click any request or response and select "Extensions" -> "BlazorTrafficProcessor" -> "Send body to BTP tab"
  • This sends either the selected request or response body to the BTP tab, so you don't have to worry about copying/pasting raw bytes