gRPC is an open-source framework developed by Google for building high-performance, scalable, and efficient microservices. It uses Protocol Buffers as its data serialization format, and HTTP/2 as its transport protocol. gRPC applications are becoming increasingly popular due to their performance benefits and ease of use. However, like any other application, gRPC applications are also susceptible to security vulnerabilities. Therefore, it is important to test gRPC applications for security vulnerabilities using a dynamic application security scanner like Hawkscan.
To scan a gRPC application using Hawkscan, you need to configure the scanner with the appropriate options. The following yaml configuration can be used to configure Hawkscan for scanning a gRPC application:
```yaml
app:
  grpcConf:
    path: 'localhost:9001'
    customVariables:
      - field: name
        values:
          - customValue1
          - customValue2
```
The above example uses reflection to obtain the schema for the application via the path field. This value is usually the same as the appHost without the prefix. If the target application does not have reflection enabled, a file descriptor set can also be supplied to Hawkscan via the filePath field. This file must be generated before the scan takes place. In order to generate this file, generateDescriptorSet must be enabled in the build spec and a path should be supplied that you can point the scanner to. It is worth noting that at this time, not all frameworks/languages support generating the descriptor set for gRPC, and reflection will need to be used. Once the descriptor set file has been generated, it can be supplied to the scanner as such:
```yaml
app:
  grpcConf:
    filePath: '/resources/main/descriptor_set.pb'
    customVariables:
      - field: name
        values:
          - customValue1
          - customValue2
```
Currently TLS/auth is not supported for gRPC applications, but could be in the future.
You can configure HawkScan to use custom values for any parameters that exist in your gRPC schema. Using custom values allows you to scan operations that can potentially access real data and exercise more branches of your application's code than default static values that may not exist in the context of your application.
To provide custom values for your gRPC schema's params, include the app.grpcConf.customVariables parameter in your stackhawk.yml file.
The following is an example configuration using custom values:
```yaml
# in the "app" config...
app:
  grpcConf:
    filePath: '/resources/main/descriptor_set.pb'
    # List of custom variables and a list of possible values to use for each of them.
    customVariables:
      - field: firstName
        values:
          - customFirstName1
          - customFirstName2
      - field: lastName
        values:
          - customLastName1
          - customLastName2
      - field: username
        values:
          - customUsername1
          - customUsername2
          - customUsername3
```
If you provide a list of values for a custom variable, the scanner will select one randomly for each operation that the custom variable belongs to. If you provide a single value in the list for a variable, that value will be used. For any parameters in the gRPC schema that you do not provide custom values for in the stackhawk.yml file, HawkScan will fall back on default logic and use static values based on their type.
By leveraging the Java Faker library, HawkScan can generate smarter values when the proper information is supplied in the gRPC schema. You can then configure which parameters will get generated smart values in the stackhawk.yml file in the grpcConf section, by using the faker prefix ($faker) and a format as a custom value for a given parameter. For example:
```yaml
# in the "app" config...
app:
  grpcConf:
    filePath: '/resources/main/descriptor_set.pb'
    # List of custom variables and a list of possible values to use for each of them.
    customVariables:
      - field: customerEmail
        values:
          - $faker:email
      - field: customerPhone
        values:
          - $faker:phone
      - field: customerId
        values:
          - $faker:uuid
```
This configuration will randomly generate a properly formatted email address for customerEmail, a phone number for customerPhone, and a uuid for customerId.
Below is a list of all the formats supported by HawkScan:
- email
- phone
- uuid
- url
- uri
- hostname
- ipv4
- ipv6
- date-time
- date
- float
- double
- boolean
- word
- sentence
- paragraph
- sha256
- sha512
- md5
- yoda (Yoda quotes)
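A pre-scan sanity check for the grpcConf block, written as an added example here (it is not HawkScan's own code). It assumes the stackhawk.yml has already been loaded into a dict (for instance with PyYAML), that exactly one schema source (path or filePath) should be set, and it applies the custom-value and $faker format rules described above; the sample configs are constructed, one mirroring the faker example and one deliberately broken.

```python
import random
# Formats the page lists as supported after the "$faker:" prefix.
FAKER_FORMATS = {
    "email", "phone", "uuid", "url", "uri", "hostname", "ipv4", "ipv6",
    "date-time", "date", "float", "double", "boolean", "word", "sentence",
    "paragraph", "sha256", "sha512", "md5", "yoda",
}

def validate_grpc_conf(app: dict) -> list:
    """Return the problems found in app.grpcConf; an empty list means it looks usable."""
    conf = app.get("grpcConf")
    if not isinstance(conf, dict):
        return ["app.grpcConf is missing"]
    problems = []
    # Assumption: a scan needs one schema source, reflection (path) or a descriptor set (filePath).
    if bool(conf.get("path")) == bool(conf.get("filePath")):
        problems.append("set exactly one of grpcConf.path or grpcConf.filePath")
    variables = conf.get("customVariables", [])
    if not isinstance(variables, list):  # e.g. a second, nested customVariables: key
        return problems + ["grpcConf.customVariables must be a list of field/values entries"]
    for i, var in enumerate(variables):
        field = var.get("field") if isinstance(var, dict) else None
        values = var.get("values") if isinstance(var, dict) else None
        if not field:
            problems.append(f"customVariables[{i}] has no field name")
        elif not isinstance(values, list) or not values:
            problems.append(f"field {field!r} needs a non-empty values list")
        else:
            for value in values:
                # Anything after "$faker:" must be one of the supported format names.
                if str(value).startswith("$faker:") and str(value)[7:] not in FAKER_FORMATS:
                    problems.append(f"field {field!r}: unsupported faker format {value!r}")
    return problems

def pick_value(app: dict, field: str, rng=random):
    """Selection rule from the page: a random entry for a list, the entry itself for one value."""
    for var in app.get("grpcConf", {}).get("customVariables", []):
        if var.get("field") == field and var.get("values"):
            return rng.choice(var["values"])
    return None  # scanner would fall back to a static value for the parameter's type

# Constructed samples: the page's faker example, and a deliberately broken variant.
GOOD_APP = {"grpcConf": {"filePath": "/resources/main/descriptor_set.pb", "customVariables": [
    {"field": "customerEmail", "values": ["$faker:email"]},
    {"field": "customerPhone", "values": ["$faker:phone"]},
    {"field": "customerId", "values": ["$faker:uuid"]}]}}
BAD_APP = {"grpcConf": {"path": "localhost:9001", "filePath": "/resources/main/descriptor_set.pb",
    "customVariables": [{"field": "customerEmail", "values": ["$faker:emial"]},
                        {"field": "username", "values": []}]}}
```

Running validate_grpc_conf over the "app" section before invoking the scanner catches a misspelled faker format or an empty values list, which would otherwise silently fall back to static values.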
Once the scanner is configured with the appropriate options, you can run the scan like any other application type using the following command:
The scanner will connect to the gRPC endpoint specified in the configuration and scan for security vulnerabilities.