Workflow · Security engineers
Burp for the non-HTTP protocols — on your terms
You're auditing an API surface that spans gRPC, GraphQL, MQTT, SignalR — protocols where classic DAST tools stop being useful.
Bowire's discovery, recording, and replay primitives extend into vulnerability scanning. The same recording format you'd use for an integration test becomes a vulnerability template; the same workbench you'd use to drive a call becomes a CA-trusted intercepting proxy.
Recordings as vulnerability templates
A captured probe + a predicate that says "this is what bad looks like" is a template. Drop it into a corpus, ship it with the service.
bowire scan — replay each template, emit SARIF
Three seed templates cover the obvious wins today: gRPC Server-Reflection in production, GraphQL __schema introspection in production, REST endpoints missing baseline security headers. The corpus is plain JSON, copy-paste-friendly, version-controlled.
Each scan call returns a SARIF 2.1.0 report you can hand to GitHub Code Scanning (alerts land in your Security tab), GitLab, Azure DevOps, or any other tool with a SARIF importer. Built-in passive checks add TLS-version enumeration, version-disclosing headers, and verbose-error fingerprinting on top of the template corpus.
The security solution overview →
# scan a target, write SARIF for CI dashboards
$ bowire scan \
    --target https://api.example.com \
    --templates docs/security/examples \
    --severity low \
    --out findings.sarif
6 template(s) processed:
  [ok]   BWR-GRPC-001        high  gRPC Server-Reflection
  [VULN] BWR-REST-001        low   Missing baseline headers
  [VULN] BWR-BUILTIN-BANNER  low   Version-disclosing header
SARIF report → findings.sarif
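To make concrete what a "missing baseline headers" or "version-disclosing header" finding and its SARIF output amount to, here is an added Python example. It is not Bowire's code: it runs a header predicate (the "this is what bad looks like" part of a template) over a constructed response and emits a SARIF 2.1.0 document with stable rule IDs. The rule IDs are the ones from the sample output above; the header list, the severity-to-level mapping and the exact SARIF layout are my own assumptions about one reasonable implementation. The `security-severity` rule property is what GitHub Code Scanning reads to show a finding's severity.

```python
"""Passive header checks over a captured response, emitted as SARIF 2.1.0.

Added example, not Bowire's implementation. Rule IDs follow the page's sample
scan output; everything else (header list, severity mapping, SARIF shape) is
an assumption about how such a check could be written.
"""
from __future__ import annotations

import json

# Constructed sample response headers (not a real capture).
SAMPLE_HEADERS = {
    "Content-Type": "application/json",
    "Server": "nginx/1.18.0",
    "X-Powered-By": "ASP.NET",
}

# Headers the baseline predicate expects on every response.
BASELINE_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
)
# Headers that commonly leak a product version.
BANNER_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}

RULES = {
    "BWR-REST-001": ("Missing baseline security headers", "low"),
    "BWR-BUILTIN-BANNER": ("Version-disclosing header", "low"),
}

# severity -> (SARIF result level, GitHub `security-severity` score 0-10 as a string)
SEVERITY = {
    "high": ("error", "8.0"),
    "medium": ("warning", "5.0"),
    "low": ("note", "2.0"),
    "info": ("note", "0.0"),
}


def check_headers(url: str, headers: dict[str, str]) -> list[dict]:
    """Run both header predicates; return one finding dict per hit."""
    present = {name.lower() for name in headers}
    findings = []
    missing = [h for h in BASELINE_HEADERS if h.lower() not in present]
    if missing:
        findings.append({"ruleId": "BWR-REST-001", "uri": url,
                         "message": "missing: " + ", ".join(missing)})
    for name, value in headers.items():
        # A banner header is only "version-disclosing" if it actually carries a number.
        if name.lower() in BANNER_HEADERS and any(ch.isdigit() for ch in value):
            findings.append({"ruleId": "BWR-BUILTIN-BANNER", "uri": url,
                             "message": f"{name}: {value}"})
    return findings


def to_sarif(findings: list[dict], tool_name: str = "bowire", tool_version: str = "0.0.0") -> dict:
    """Wrap findings in a minimal SARIF 2.1.0 log that Code Scanning importers accept."""
    rules = []
    for rule_id, (title, severity) in RULES.items():
        level, score = SEVERITY[severity]
        rules.append({
            "id": rule_id,
            "shortDescription": {"text": title},
            "defaultConfiguration": {"level": level},
            "properties": {"security-severity": score},
        })
    results = [{
        "ruleId": f["ruleId"],
        "level": SEVERITY[RULES[f["ruleId"]][1]][0],
        "message": {"text": f["message"]},
        "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["uri"]}}}],
    } for f in findings]
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name, "version": tool_version, "rules": rules}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    hits = check_headers("https://api.example.com/health", SAMPLE_HEADERS)
    print(json.dumps(to_sarif(hits), indent=2))
```

The scan itself never needs to fail on a finding: the SARIF carries the `level`, and a branch-protection rule on Code Scanning alerts is where gating belongs, which matches how the reusable workflow below treats exit codes.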
Intercepting proxy with HTTPS MITM
Self-minted root CA, leaf-cert cache, workbench-side live flow view. The Burp / ZAP muscle memory transfers.
CONNECT hijack, SslStream, leaf-cert minted per host
Start bowire proxy, install the printed CA, point your client at it. Every request flows through the proxy — including HTTPS, fully decrypted, with the leaf cert minted on the fly per hostname and cached for the session.
The workbench Proxy view subscribes to the flow stream over SSE and renders each captured request/response live. One-click "send to recording" converts a captured flow into a template you can then run through bowire scan. The CA lives at ~/.bowire/proxy-ca.{pfx,crt} and stays untouched across restarts. The .pfx holds the CA private key, so anyone who can read it can mint certificates your machine trusts: keep its file permissions tight, trust the .crt only in the browser profile or keychain you test from, and remove that trust when the engagement ends.
JWT toolkit + multi-protocol attack templates
Two CLI subcommands cover the boring-but-essential JWT work: decode the header / payload, tamper-test the signature surface.
bowire jwt decode + bowire jwt tamper
decode splits the header / payload / signature, validates exp / nbf / iat, lists the present claims. tamper probes alg: none acceptance, signs with a chosen secret, and lets you override individual claims — the standard JWT smoke-test sequence in one shell pass.
The toolkit is shipped alongside the scan engine, not separately — it lives in the same CLI binary your CI is already calling. Same goes for the seed corpus: the per-protocol attack templates (gRPC Server-Reflection, GraphQL introspection, REST baseline headers) get loaded out of docs/security/examples/ in the source tree, no separate distribution.
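The decode / tamper sequence described above, as an added stand-alone Python example. This is my own code, not the bowire jwt implementation: it decodes a token without verifying it, sanity-checks the time claims, builds the alg:none probe, re-signs with a chosen HS256 secret after overriding claims, and includes a strict verifier that stands in for a correctly configured target so you can see which forged tokens a sound server rejects. The secret, the claims and the timestamps are constructed for the example.

```python
"""JWT smoke test: decode, time-claim sanity, alg:none probe, re-sign with a chosen secret.

Added example (stdlib only); not the bowire jwt subcommands. The secret and
claims below are constructed test values.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _segment(obj: dict) -> str:
    # Compact JSON: no whitespace inside the encoded segment.
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode(token: str) -> tuple[dict, dict, bytes]:
    """Split a compact JWS into (header, payload, raw signature). No verification."""
    h, p, s = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)


def time_claim_issues(payload: dict, now: int | None = None) -> list[str]:
    """Report exp / nbf / iat problems relative to `now` (defaults to wall clock)."""
    now = int(time.time()) if now is None else now
    issues = []
    if "exp" not in payload:
        issues.append("no exp: token never expires")
    elif payload["exp"] <= now:
        issues.append(f"exp {payload['exp']} is in the past")
    if payload.get("nbf", now) > now:
        issues.append(f"nbf {payload['nbf']} is in the future")
    if payload.get("iat", now) > now:
        issues.append(f"iat {payload['iat']} is in the future")
    return issues


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    signing_input = f"{_segment(header)}.{_segment(payload)}"
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(mac)}"


def forge_alg_none(token: str, overrides: dict) -> str:
    """alg:none probe: same claims plus overrides, empty signature segment."""
    header, payload, _ = decode(token)
    header = {**header, "alg": "none"}
    return f"{_segment(header)}.{_segment({**payload, **overrides})}."


def resign(token: str, secret: bytes, overrides: dict) -> str:
    """Re-sign with a guessed or leaked HS256 secret after overriding claims."""
    header, payload, _ = decode(token)
    return sign_hs256({**header, "alg": "HS256"}, {**payload, **overrides}, secret)


def verify_strict(token: str, secret: bytes, now: int | None = None) -> dict | None:
    """What a sound verifier does: pin the algorithm, constant-time MAC compare, check time claims."""
    header, payload, sig = decode(token)
    if header.get("alg") != "HS256":          # rejects alg:none and any algorithm confusion
        return None
    expected = hmac.new(secret, token.rsplit(".", 1)[0].encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if time_claim_issues(payload, now):
        return None
    return payload


if __name__ == "__main__":
    secret = b"constructed-test-secret"      # stands in for the target's HS256 key
    now = int(time.time())
    token = sign_hs256({"alg": "HS256", "typ": "JWT"},
                       {"sub": "alice", "role": "user", "iat": now - 60, "exp": now + 3600}, secret)
    header, payload, _ = decode(token)
    print("header:", header, "payload:", payload, "issues:", time_claim_issues(payload))
    none_probe = forge_alg_none(token, {"role": "admin"})
    print("alg:none accepted by strict verifier:", verify_strict(none_probe, secret) is not None)
    resigned = resign(token, secret, {"role": "admin"})
    print("correctly re-signed token accepted:", verify_strict(resigned, secret) is not None)
```

Against a live target the interesting result is the opposite of what `verify_strict` shows: if the service returns 200 for the alg:none probe, or for a token re-signed with a guessed secret, that is the finding.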
Reusable GitHub Action
One uses: line in any consuming repo — SARIF lands in their Security tab as Code Scanning alerts.
uses: Kuestenlogik/Bowire/.github/workflows/scan-template.yml@main
The reusable workflow installs the bowire CLI, runs the scan against a target you pass in, uploads the SARIF as both a build artefact (for GitLab mirrors / Azure DevOps re-imports / manual review) and to GitHub Code Scanning (so each finding becomes a stable-rule-ID alert).
Inputs: target, corpus (defaults to the seed corpus in this repo), severity, dotnet-version, tool-version. Findings are the scan's product, not its failure mode — the workflow exits 0 even with vulnerabilities so the SARIF upload pipeline stays linear; gating happens via Code Scanning branch-protection rules, not the scan step itself.
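A caller workflow for a consuming repo, as an added example rather than a file from the Bowire repository. The `uses:` path and the input names (target, severity, corpus) are the ones the page lists; the target URL, schedule and file name are placeholders. The permissions block is the part people forget: a reusable workflow can only use the permissions the caller grants it, and the Code Scanning upload needs security-events: write.

```yaml
# .github/workflows/bowire-scan.yml in the consuming repo (added example)
name: bowire scan

on:
  workflow_dispatch:
  schedule:
    - cron: "0 3 * * 1"   # placeholder cadence: weekly, Monday 03:00 UTC

permissions:
  contents: read
  security-events: write  # required for the SARIF upload to Code Scanning
  actions: read           # needed by the upload step on private repositories

jobs:
  scan:
    # Pin to a release tag or commit SHA once you depend on it; @main tracks the tip.
    uses: Kuestenlogik/Bowire/.github/workflows/scan-template.yml@main
    with:
      target: https://staging.api.example.com   # placeholder target
      severity: low
      # corpus: left unset to use the seed corpus in the Bowire repo
```

Because the scan step exits 0 on findings, the merge gate is a branch-protection rule that requires Code Scanning results to be clean, not a check on the job status.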
Audit what's actually on the wire
Read the ADR, pull the seed templates, point bowire scan at staging.