🔥 Advanced

Modern Protocols

The network landscape is evolving. New protocols prioritize performance and privacy, but they also introduce new attack surfaces and defensive challenges.

Rapidly Evolving

Modern protocols are actively developed. Always check for the latest security research and tool updates.

QUIC & HTTP/3

What is QUIC?

UDP-based transport protocol originally developed at Google and standardized by the IETF as RFC 9000. Provides TCP-style reliability and congestion control with the TLS 1.3 handshake built into the transport (RFC 9001). It is the transport for HTTP/3 (RFC 9114).

  • Built-in encryption: the TLS 1.3 handshake is carried inside QUIC frames, so there is no separate TLS layer to strip or downgrade
  • Connection migration: connections are identified by connection IDs rather than the IP/port 4-tuple, so a client can change address (Wi-Fi to cellular) without reconnecting
  • Multiplexed streams without head-of-line blocking: loss on one stream does not stall the others
  • 0-RTT connection resumption: a returning client can send application data in its very first packet

Security Implications

  • Hard to inspect: almost everything after the first flight is encrypted, including most header fields, so firewalls and IDS that parse TLS over TCP see nothing. The Initial packets are protected only with keys derived from the (public) connection ID, so a passive observer can still recover the ClientHello and its SNI from a capture; after the handshake the stream is opaque.
  • UDP-based: controls that only inspect or proxy TCP never see it. Blocking UDP/443 outright is a crude but common mitigation; browsers then fall back to HTTP/2 over TCP, where existing inspection still works.
  • 0-RTT replay: early data sent on a resumed connection can be replayed by an on-path attacker; servers must accept only idempotent requests in 0-RTT (see RFC 8470 and RFC 9001).
  • Harder to MITM: TLS 1.3 is part of the transport, so there is no downgrade path to an older TLS version, and a TLS-inspection proxy that does not speak QUIC can only block it, not intercept it.
  • Connection migration: one logical connection can move across several UDP 4-tuples, so flow records or NAT logs keyed on source IP and port can split one session into many.

Detect QUIC Traffic

quic-detect.sh
bash
# QUIC for HTTP/3 runs on UDP port 443 (other ports are possible, but rare)
tcpdump -i eth0 -nn 'udp port 443'

# Wireshark display filter; Wireshark decodes the Initial packet, including the TLS ClientHello and its SNI
quic

# Check if a site supports HTTP/3 (requires a curl build with HTTP/3 support)
# --http3 falls back to TCP if the QUIC connection fails; --http3-only does not
curl -sI --http3-only https://example.com | head -1

# An HTTP/2 response advertises HTTP/3 via the Alt-Svc header (e.g. h3=":443")
curl -sI https://example.com | grep -i alt-svc
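The tcpdump filter above matches anything on UDP/443. The classifier below is added here as an illustration; it is not from the original page or from any QUIC implementation. It inspects only the unencrypted header bits of a UDP payload to decide whether the bytes are a QUIC long-header packet and of which type, which is what a detector does before counting flows or pulling the SNI out of an Initial. The sample packets are constructed by hand for this example, not captured from a real connection.

```python
import struct
from typing import Optional

# Versions this classifier recognises: QUIC v1 (RFC 9000) and v2 (RFC 9369).
QUIC_V1 = 0x00000001
QUIC_V2 = 0x6B3343CF
MAX_CID_LEN = 20            # RFC 9000 section 17.2
MIN_CLIENT_INITIAL = 1200   # RFC 9000 section 14.1: client Initials are padded


def classify_quic(payload: bytes) -> Optional[str]:
    """Classify one UDP payload by its QUIC header bits.

    Returns "initial", "0rtt", "handshake", "retry", "version-negotiation",
    "short-header", or None when the bytes cannot be a QUIC packet. Only the
    unencrypted header fields are used, so this works on a passive capture.
    """
    if len(payload) < 5:
        return None
    first = payload[0]
    if first & 0x80 == 0:
        # Short (1-RTT) header: no version on the wire; only the fixed bit
        # (0x40) can be checked, so treat it as QUIC only if that bit is set.
        return "short-header" if first & 0x40 else None
    version = struct.unpack_from("!I", payload, 1)[0]
    if version == 0:
        # Version Negotiation is the one packet where the fixed bit may be
        # clear (RFC 9000 section 17.2.1).
        return "version-negotiation"
    if first & 0x40 == 0 or version not in (QUIC_V1, QUIC_V2):
        return None
    # Long header: flags(1) version(4) dcid_len(1) dcid scid_len(1) scid ...
    pos = 5
    dcid_len = payload[pos]
    pos += 1
    if dcid_len > MAX_CID_LEN or len(payload) < pos + dcid_len + 1:
        return None
    pos += dcid_len
    scid_len = payload[pos]
    pos += 1
    if scid_len > MAX_CID_LEN or len(payload) < pos + scid_len:
        return None
    packet_type = (first & 0x30) >> 4
    if version == QUIC_V1:
        names = {0: "initial", 1: "0rtt", 2: "handshake", 3: "retry"}
    else:
        # v2 permutes the type codes (RFC 9369 section 3.2)
        names = {1: "initial", 2: "0rtt", 3: "handshake", 0: "retry"}
    return names[packet_type]


def is_client_initial(payload: bytes) -> bool:
    """A client Initial is a long-header Initial padded to >= 1200 bytes; the
    size rule is a cheap extra filter against stray UDP/443 traffic."""
    return classify_quic(payload) == "initial" and len(payload) >= MIN_CLIENT_INITIAL


# Constructed samples (not real captures) for a stand-alone run.
SAMPLE_CLIENT_INITIAL = (
    bytes([0xC3]) + struct.pack("!I", QUIC_V1)   # long header, Initial, v1
    + bytes([8]) + b"\x11" * 8                   # 8-byte DCID
    + bytes([0])                                 # empty SCID
).ljust(MIN_CLIENT_INITIAL, b"\x00")             # token/length/crypto + padding
SAMPLE_V2_HANDSHAKE = bytes([0xF0]) + struct.pack("!I", QUIC_V2) + b"\x04\xaa\xbb\xcc\xdd\x00"
SAMPLE_VERSION_NEG = bytes([0x80]) + b"\x00\x00\x00\x00" + b"\x00\x00" + struct.pack("!I", QUIC_V1)
SAMPLE_PLAIN_DNS = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"   # not QUIC

if __name__ == "__main__":
    for label, pkt in [("client initial", SAMPLE_CLIENT_INITIAL),
                       ("v2 handshake", SAMPLE_V2_HANDSHAKE),
                       ("version negotiation", SAMPLE_VERSION_NEG),
                       ("plain DNS", SAMPLE_PLAIN_DNS)]:
        print(f"{label:20s} -> {classify_quic(pkt)}  client_initial={is_client_initial(pkt)}")
```

The short-header branch is deliberately weak: a 1-RTT packet carries no version, so on its own it is only "plausibly QUIC"; in a real detector you would accept short headers only on a 4-tuple where an Initial was already seen.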

gRPC

Overview

Google's RPC framework: Protocol Buffers messages carried over HTTP/2 (content-type application/grpc). Common in microservices and cloud-native apps, and often exposed only "internally", which is exactly where it gets interesting.

  • Binary wire format (not human-readable, but not encrypted either: Protobuf is an encoding, not a cipher)
  • Strongly typed with .proto definitions; on the wire each message is prefixed with a 1-byte compression flag and a 4-byte length
  • Unary, server-streaming, client-streaming and bidirectional streaming calls
  • Common on ports 443 (TLS) and 50051 (the default in most examples, usually plaintext h2c)

Attack Surface

  • Server reflection left enabled in production: anyone who can reach the port can enumerate services, methods and message schemas
  • Lack of authentication on "internal" services: mTLS or per-call tokens are often assumed to be added by a mesh or gateway that is not actually in the path
  • Deserialization and handler bugs: Protobuf parsers in mainstream implementations are memory-safe, so the risk is usually what the handler does with decoded fields (IDOR on client-supplied IDs, path traversal, injection) and any secondary serializer (JSON, pickle) embedded in a bytes field
  • Message tampering and eavesdropping when services talk plaintext h2c to each other
  • Rate limiting and WAF bypass: HTTP-level controls that do not parse gRPC framing see only opaque POST bodies and miss streaming calls

gRPC Enumeration

grpc-enum.sh
bash
# grpcurl - curl for gRPC (https://github.com/fullstorydev/grpcurl)
# List services (only works if server reflection is enabled)
grpcurl -plaintext localhost:50051 list

# Describe a service or message type (use the fully qualified name, e.g. pkg.MyService)
grpcurl -plaintext localhost:50051 describe MyService

# Call a method with a JSON request body
grpcurl -plaintext -d '{"name": "test"}' localhost:50051 MyService/GetData

# Without reflection, supply the .proto source (or a compiled descriptor set via -protoset)
grpcurl -plaintext -proto api.proto localhost:50051 list

# With TLS (the default); -insecure skips certificate verification, -H adds request metadata
grpcurl target.com:443 list
grpcurl -insecure -H 'authorization: Bearer TOKEN' target.com:443 MyService/GetData
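Reflection is routinely disabled in production, and the overview above calls Protobuf "not human-readable", so it is worth seeing how little schema you actually need to read a captured gRPC body. The decoder below is an added example written for this page; it is not the page's own code and not taken from any gRPC or Protobuf library. It splits the 5-byte length-prefixed gRPC framing and then decodes the Protobuf wire format without a .proto, returning field numbers with raw values. The sample body is constructed inline for the example.

```python
import struct
from typing import Any, Dict, List, Tuple


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a base-128 varint starting at buf[pos]; return (value, next_pos)."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def decode_protobuf(buf: bytes) -> Dict[int, List[Any]]:
    """Schema-less decode of Protobuf wire format: field number -> list of values.

    Without the .proto you cannot tell a string from a nested message or a
    packed repeated field, so wire type 2 values come back as raw bytes and
    varints as unsigned ints (sint fields additionally need zigzag decoding).
    """
    fields: Dict[int, List[Any]] = {}
    pos = 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field_no, wire_type = tag >> 3, tag & 0x07
        if field_no == 0:
            raise ValueError("field number 0 is illegal")
        if wire_type == 0:                          # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 1:                        # fixed 64-bit, little-endian
            if pos + 8 > len(buf):
                raise ValueError("truncated fixed64")
            value = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        elif wire_type == 2:                        # length-delimited
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value = buf[pos:pos + length]
            pos += length
        elif wire_type == 5:                        # fixed 32-bit, little-endian
            if pos + 4 > len(buf):
                raise ValueError("truncated fixed32")
            value = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        else:                                       # 3/4 are deprecated groups
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.setdefault(field_no, []).append(value)
    return fields


def parse_grpc_frames(body: bytes) -> List[Tuple[bool, bytes]]:
    """Split an HTTP/2 DATA payload into gRPC length-prefixed messages.

    Each message is: 1 byte compressed flag, 4 byte big-endian length, payload.
    In a streaming call several messages can share one DATA frame.
    """
    frames: List[Tuple[bool, bytes]] = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 5:
            raise ValueError("truncated gRPC frame header")
        compressed, length = struct.unpack_from("!BI", body, pos)
        pos += 5
        if pos + length > len(body):
            raise ValueError("truncated gRPC message")
        frames.append((bool(compressed), body[pos:pos + length]))
        pos += length
    return frames


def decode_grpc_body(body: bytes) -> List[Dict[int, List[Any]]]:
    """All uncompressed messages in a body, decoded schema-less."""
    out = []
    for compressed, msg in parse_grpc_frames(body):
        if compressed:
            raise ValueError("compressed message: decompress per grpc-encoding first")
        out.append(decode_protobuf(msg))
    return out


# Constructed sample (not a capture): one frame holding the message
#   field 1 (string) = "test", field 2 (varint) = 42
SAMPLE_MESSAGE = b"\x0a\x04test\x10\x2a"
SAMPLE_BODY = b"\x00" + struct.pack("!I", len(SAMPLE_MESSAGE)) + SAMPLE_MESSAGE

if __name__ == "__main__":
    for fields in decode_grpc_body(SAMPLE_BODY):
        for number, values in sorted(fields.items()):
            print(f"field {number}: {values}")
```

Once you know which field number carries a user ID or a path, the same decoder tells you what to put in `grpcurl -d` to tamper with it, and a bytes value that itself decodes cleanly is almost always a nested message.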

WebSockets

What are WebSockets?

Full-duplex communication over a single TCP connection, negotiated with an HTTP/1.1 Upgrade request (RFC 6455); the server answers 101 Switching Protocols and from then on both sides exchange framed messages. Used for real-time apps.

  • Starts with an HTTP upgrade request, so the browser attaches cookies and the Origin header exactly as for any other request
  • Persistent bidirectional connection; authentication is typically checked once, at the upgrade
  • ws:// (plaintext) or wss:// (TLS)
  • Common for chat, gaming, trading and live dashboards

Security Issues

  • CSWSH (Cross-Site WebSocket Hijacking): the upgrade is an ordinary HTTP request, so the victim's cookies are attached automatically and the same-origin policy does not stop a cross-origin page from opening the socket. If the server does not check Origin, an attacker's page can send and read every message as the victim (CSRF, but with the responses readable)
  • Missing origin validation: the root cause of CSWSH. Browsers always send Origin on an upgrade; the server must compare it against an allowlist with exact matching, not a substring or suffix check
  • Injection through messages: payloads often reach SQL, templates or the DOM after the handshake, where no WAF is looking
  • Weak session handling: tokens passed in the ws:// URL end up in logs and referrers, and a revoked session stays usable until the socket is closed
  • Insecure message handling: no per-message authorization, trusting a client-declared message type or user ID
  • DoS through connection exhaustion: long-lived connections with no idle timeout, frame size limit or per-client cap

WebSocket Testing

websocket-test.sh
bash
# wscat - WebSocket CLI
npm install -g wscat
wscat -c wss://target.com/socket

# CSWSH check: connect with a foreign Origin and the victim's cookie.
# If the server completes the upgrade and answers, Origin is not validated.
wscat -c wss://target.com/socket -o https://attacker.example -H 'Cookie: session=VICTIM'

# In browser devtools (run it from a page on a different origin to test CSWSH)
ws = new WebSocket('wss://target.com/socket');
ws.onmessage = (e) => console.log(e.data);
ws.send('{"type":"test"}');

# Burp Suite
# Proxy → WebSockets history
# Can intercept and modify messages in both directions; Repeater also replays WebSocket messages
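The CSWSH items above come down to one server-side check at upgrade time. The Python below was written for this page as an added example (it is not the page's own code and not any framework's implementation). It shows the handshake pieces a server must get right: the Sec-WebSocket-Accept computation, a strict Origin allowlist match, and, for contrast, the substring check that waves through https://eviltarget.com and https://target.com.evil.example. The header dict, allowlist and sample request are constructed for the example; the key value is the one from the RFC 6455 worked example.

```python
import base64
import hashlib
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455 section 1.3
DEFAULT_PORTS = {"http": 80, "https": 443}


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID)).
    It only proves the peer speaks WebSocket; it is not authentication."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def _normalise(origin: str) -> Optional[Tuple[str, str, int]]:
    """(scheme, lower-cased host, explicit port) or None if unparsable / 'null'."""
    parts = urlsplit(origin)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return parts.scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[parts.scheme]


def naive_origin_allowed(origin: Optional[str], site: str) -> bool:
    """The common mistake: substring matching on the Origin header."""
    return origin is not None and site in origin


def origin_allowed(origin: Optional[str], allowlist: Iterable[str]) -> bool:
    """Exact (scheme, host, port) comparison against an allowlist.
    A missing Origin, 'null', or an unparsable value is rejected."""
    if origin is None:
        return False
    actual = _normalise(origin)
    if actual is None:
        return False
    return any(actual == _normalise(allowed) for allowed in allowlist)


def validate_upgrade(headers: Dict[str, str],
                     allowlist: Iterable[str]) -> Optional[Dict[str, str]]:
    """Server-side check of a WebSocket upgrade request.

    `headers` maps lower-cased header names to values. Returns the response
    headers for 101 Switching Protocols, or None if the request must be
    refused (RFC 6455 section 4.2.1; Origin check per section 10.2).
    """
    if headers.get("upgrade", "").lower() != "websocket":
        return None
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        return None
    if headers.get("sec-websocket-version") != "13":
        return None
    key = headers.get("sec-websocket-key", "")
    try:
        if len(base64.b64decode(key, validate=True)) != 16:
            return None
    except (ValueError, TypeError):
        return None
    if not origin_allowed(headers.get("origin"), allowlist):
        return None   # refusing here is what stops CSWSH
    return {"Upgrade": "websocket", "Connection": "Upgrade",
            "Sec-WebSocket-Accept": accept_key(key)}


# Constructed request (RFC 6455 section 1.3 example key), not a real capture.
SAMPLE_REQUEST = {
    "host": "target.com",
    "upgrade": "websocket",
    "connection": "Upgrade",
    "sec-websocket-key": "dGhlIHNhbXBsZSBub25jZQ==",
    "sec-websocket-version": "13",
    "origin": "https://target.com",
    "cookie": "session=abc",   # attached by the browser automatically: why Origin matters
}
ALLOWED = ["https://target.com", "https://app.target.com:8443"]

if __name__ == "__main__":
    print(validate_upgrade(SAMPLE_REQUEST, ALLOWED))
    for evil in ("https://target.com.evil.example", "https://eviltarget.com", "null", None):
        print(f"{evil!s:35} naive={naive_origin_allowed(evil, 'target.com')} "
              f"strict={origin_allowed(evil, ALLOWED)}")
```

Note what the strict check does with a missing or `null` Origin: it refuses. Non-browser clients (the wscat run above, a mobile app) do not suffer from CSWSH and can be handled by a separate token check, so there is no reason to let an absent Origin through on a cookie-authenticated endpoint.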

Encrypted DNS (DoH / DoT)

Protocol               Port   Transport          Detection
DNS (traditional)      53     UDP/TCP, plaintext Easy: queries visible on the wire
DoT (DNS over TLS)     853    TLS over TCP       Easy by port (853 is dedicated); content encrypted
DoH (DNS over HTTPS)   443    HTTPS              Hard: blends in with ordinary web traffic; only the resolver's SNI/IP, or the content type after TLS inspection, gives it away

Offensive Use

  • C2 channels: hide DNS beaconing inside what looks like ordinary HTTPS to a public resolver
  • Data exfiltration: tunnel data in query names, without the plaintext queries that DNS-tunnel detectors look for
  • Bypass security: evade DNS-based filtering (RPZ, sinkholes, resolver blocklists) by never asking the corporate resolver
  • Privacy: hide queries from on-path network monitoring

Defensive Challenges

  • Encrypted queries cannot be inspected or logged at a resolver you do not control
  • Bypasses corporate DNS policy (split-horizon names, sinkholes, RPZ) whenever the client picks its own DoH resolver
  • Malware can use any public DoH service (Cloudflare, Google, Quad9) or, worse, a DoH front on an innocuous-looking domain of its own
  • Controls: allow outbound 53/853 only to the corporate resolver, block or sinkhole known DoH endpoints by SNI/domain, push resolver settings by policy, and serve NXDOMAIN for the Firefox canary domain use-application-dns.net (which makes Firefox disable its built-in DoH); TLS inspection is the only way to see the content itself

DoH/DoT Commands

encrypted-dns.sh
bash
# Query via DoH (curl), JSON API (offered by Cloudflare and Google; not part of RFC 8484)
curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=example.com&type=A'

# Query via DoH wire format (RFC 8484): a raw DNS packet as the POST body
# query.bin is a normal DNS query message, e.g. saved from a tcpdump capture
curl -s -H 'content-type: application/dns-message' -H 'accept: application/dns-message' --data-binary @query.bin https://cloudflare-dns.com/dns-query | xxd

# Query via DoT and DoH (kdig, from knot-dnsutils)
kdig +tls @1.1.1.1 example.com
kdig +https @1.1.1.1 example.com

# Detect DoH traffic: TLS SNI / HTTP Host of known resolvers, or HTTPS straight to their IPs
# Cloudflare: 1.1.1.1, 1.0.0.1, cloudflare-dns.com
# Google: 8.8.8.8, 8.8.4.4, dns.google
# Quad9: 9.9.9.9, dns.quad9.net
# Blocking only these IPs also cuts plain DNS to them and misses every other DoH host;
# allowlist the corporate resolver instead and block 53/853 and known DoH endpoints elsewhere
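DoH carries the same RFC 1035 wire format as UDP/53, only wrapped in HTTPS, and that cuts both ways: an attacker building a tunnel needs nothing beyond a DNS packet and base64url, while a defender who can pull a ?dns= parameter out of a proxy log can read the query name. The Python below is an added example for this page (not the original's code and independent of any DNS library): it builds a query, produces the RFC 8484 GET URL, decodes one back, and parses a response that uses name compression. The response bytes are constructed inline; the resolver URL is only an example value.

```python
import base64
import struct
from typing import List, Tuple

DOH_MEDIA_TYPE = "application/dns-message"   # RFC 8484 section 6


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Standard query with RD=1. RFC 8484 section 4.1 recommends ID 0 for DoH
    so that identical questions yield identical, cacheable messages."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url, padding stripped>; the request is
    sent with 'accept: application/dns-message'. POST sends the raw bytes."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def decode_dns_param(param: str) -> bytes:
    """Inverse of the GET encoding, for a ?dns= value found in a proxy log."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def read_name(msg: bytes, pos: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, position after it)."""
    labels: List[str] = []
    end = None
    hops = 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                    # compression pointer
            if end is None:
                end = pos + 2
            pos = struct.unpack_from("!H", msg, pos)[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            return ".".join(labels), (pos if end is None else end)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def question_name(msg: bytes) -> str:
    """Name in the first question of a query or response."""
    return read_name(msg, 12)[0]


def parse_answers(msg: bytes) -> List[Tuple[str, int, int, str]]:
    """(name, type, ttl, rdata-as-text) for each answer record. The wire
    format is identical whether it arrived over UDP/53, DoT or DoH."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qdcount):                          # skip the question section
        _, pos = read_name(msg, pos)
        pos += 4
    answers = []
    for _ in range(ancount):
        name, pos = read_name(msg, pos)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        rdata = msg[pos:pos + rdlen]
        if rtype == 1 and rdlen == 4:                 # A
            text = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                     # NS, CNAME, PTR: a compressible name
            text = read_name(msg, pos)[0]
        else:
            text = rdata.hex()
        pos += rdlen
        answers.append((name, rtype, ttl, text))
    return answers


# Constructed response (not from a real resolver): example.com A 192.0.2.1, TTL 300,
# with the answer name compressed to a pointer at offset 12 (0xC00C).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://cloudflare-dns.com/dns-query", q))
    print(parse_answers(SAMPLE_RESPONSE))
```

The 63-byte label limit and 253-byte name limit enforced in `encode_name` are the same constraints a DNS tunnel has to squeeze its payload into, which is why tunnel traffic shows up as long, high-entropy labels whichever transport carries it.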

Other Notable Protocols

WireGuard

Modern VPN protocol (in the Linux kernel, with userspace ports elsewhere). Far simpler than OpenVPN/IPsec: a fixed cipher suite (Noise handshake, Curve25519, ChaCha20-Poly1305), so there is no negotiation to attack. UDP, default port 51820 but freely configurable, and an endpoint stays silent to packets that do not carry a valid handshake, so a port scan will not reveal it; look for the UDP flow in NetFlow instead.

MQTT

IoT publish/subscribe messaging protocol. Ports 1883 (plaintext), 8883 (TLS); brokers frequently also expose MQTT over WebSockets. Common misconfig: anonymous access with no topic ACLs, which lets anyone subscribe to the wildcard topic and read every message (mosquitto_sub -h target -t '#' -v).

GraphQL

Query language for APIs over a single HTTP endpoint (usually /graphql). Introspection (__schema and __type queries) can leak the whole schema; batching and aliases can defeat per-request rate limits. Test for IDOR on object IDs, injection in arguments, and missing depth/complexity limits on nested queries.

Stay Current

Follow security research on these protocols. New attacks are regularly discovered as adoption grows.