gRPC Configuration
Introduction
gRPC is an open-source framework developed by Google for building high-performance, scalable, and efficient microservices. It uses Protocol Buffers as its data serialization format, and HTTP/2 as its transport protocol. gRPC applications are becoming increasingly popular due to their performance benefits and ease of use. However, like any other application, gRPC applications are also susceptible to security vulnerabilities. Therefore, it is important to test gRPC applications for security vulnerabilities using a dynamic application security scanner like HawkScan.
Configuring HawkScan for scanning gRPC applications
To scan a gRPC application using HawkScan, you need to configure the scanner with the appropriate options. The following YAML configuration can be used to configure HawkScan for scanning a gRPC application:
```yaml
# stackhawk.yml
app:
  grpcConf:
    path: 'localhost:9001'
    customVariables:
      - field: name
        values:
          - customValue1
          - customValue2
```
The above example uses gRPC server reflection to obtain the service schema from the address given in the path field. This value is usually the same as the appHost without the scheme prefix. If the target application does not have reflection enabled, a file descriptor set can be supplied to HawkScan via the filePath field instead. This file must be generated before the scan takes place: generateDescriptorSet must be enabled in the build spec, with an output path that you can then point the scanner to. Note that not all frameworks and languages currently support generating a descriptor set for gRPC; in those cases reflection must be used. Once the descriptor set file has been generated, it can be supplied to the scanner as follows:
```yaml
# stackhawk.yml
app:
  grpcConf:
    filePath: '/resources/main/descriptor_set.pb'
    customVariables:
      - field: name
        values:
          - customValue1
          - customValue2
```
Currently TLS/auth is not supported for gRPC applications, but could be in the future.
Using Custom Variable Injection
The following is an example configuration using custom values:
```yaml
# in the "app" config...
app:
  grpcConf:
    filePath: '/resources/main/descriptor_set.pb'
    # List of custom variables and a list of possible values to use for each of them.
    customVariables:
      - field: firstName
        values:
          - customFirstName1
          - customFirstName2
      - field: lastName
        values:
          - customLastName1
          - customLastName2
      - field: username
        values:
          - customUsername1
          - customUsername2
          - customUsername3
```
Generating Smart Values for Parameters
By leveraging the Java Faker library, HawkScan can generate smarter values when the proper information is supplied in the gRPC schema. You can configure which parameters receive generated smart values in the grpcConf section of the stackhawk.yml file by using the faker prefix ($faker) followed by a format as a custom value for a given parameter. For example:
```yaml
# in the "app" config...
app:
  grpcConf:
    filePath: '/resources/main/descriptor_set.pb'
    # List of custom variables and a list of possible values to use for each of them.
    customVariables:
      - field: customerEmail
        values:
          - $faker:email
      - field: customerPhone
        values:
          - $faker:phone
      - field: customerId
        values:
          - $faker:uuid
```
This configuration will generate a properly formatted random email address for customerEmail, a phone number for customerPhone, and a UUID for customerId.
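To make the two preceding sections concrete (custom variable injection and the $faker prefix), the following is an added example, not code from the StackHawk documentation or from HawkScan itself. It takes a grpcConf block, checks the structural rules stated above (exactly one of path or filePath, each custom variable with a field and a non-empty values list), and expands every value into the concrete list a scanner would inject, replacing $faker:<format> entries with generated data. The config is embedded as a Python dict equivalent to the YAML on this page (a constructed sample), and the email, phone and uuid generators are small stand-ins for the Java Faker formats named above, not HawkScan's implementation.

```python
"""Added example: resolve grpcConf.customVariables into concrete value sets.

Assumptions: the config is a constructed dict equivalent to the page's YAML;
the faker generators here are stand-ins for the Java Faker formats (email,
phone, uuid) named on the page, not HawkScan's own code.
"""
import random
import re
import uuid

FAKER_PREFIX = "$faker:"

# Constructed sample, equivalent to the YAML shown above.
SAMPLE_CONFIG = {
    "app": {
        "grpcConf": {
            "filePath": "/resources/main/descriptor_set.pb",
            "customVariables": [
                {"field": "firstName", "values": ["customFirstName1", "customFirstName2"]},
                {"field": "customerEmail", "values": ["$faker:email"]},
                {"field": "customerPhone", "values": ["$faker:phone"]},
                {"field": "customerId", "values": ["$faker:uuid"]},
            ],
        }
    }
}

# Expected shapes of the generated values, used to check the output.
FORMAT_PATTERNS = {
    "email": re.compile(r"[a-z]{8}@example\.com"),
    "phone": re.compile(r"555-\d{3}-\d{4}"),
    "uuid": re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}"),
}


def validate_grpc_conf(conf):
    """Return the grpcConf block, or raise ValueError describing the defect."""
    grpc = conf.get("app", {}).get("grpcConf")
    if not isinstance(grpc, dict):
        raise ValueError("app.grpcConf is missing")
    has_path, has_file = "path" in grpc, "filePath" in grpc
    if has_path == has_file:
        raise ValueError("grpcConf needs exactly one of 'path' (reflection) or 'filePath' (descriptor set)")
    for i, var in enumerate(grpc.get("customVariables", [])):
        if "field" not in var or not var.get("values"):
            raise ValueError(f"customVariables[{i}] needs 'field' and a non-empty 'values' list")
    return grpc


def make_fakers(seed=None):
    """Build seeded stand-in generators for the faker formats used on the page."""
    rng = random.Random(seed)

    def email():
        user = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8))
        return f"{user}@example.com"

    def phone():
        return "555-{:03d}-{:04d}".format(rng.randrange(1000), rng.randrange(10000))

    def uuid4():
        # Random 128-bit value with the version-4 and variant bits set by uuid.UUID.
        return str(uuid.UUID(int=rng.getrandbits(128), version=4))

    return {"email": email, "phone": phone, "uuid": uuid4}


def resolve_value(value, fakers):
    """Expand a '$faker:<format>' value; literal values pass through unchanged."""
    if isinstance(value, str) and value.startswith(FAKER_PREFIX):
        fmt = value[len(FAKER_PREFIX):]
        if fmt not in fakers:
            raise ValueError(f"unknown faker format: {fmt}")
        return fakers[fmt]()
    return value


def resolve_custom_variables(conf, seed=None):
    """Map each field name to the concrete list of values that would be injected."""
    grpc = validate_grpc_conf(conf)
    fakers = make_fakers(seed)
    return {var["field"]: [resolve_value(v, fakers) for v in var["values"]]
            for var in grpc.get("customVariables", [])}


def format_ok(fmt, value):
    """True when a generated value has the shape expected for the given faker format."""
    return FORMAT_PATTERNS[fmt].fullmatch(value) is not None


if __name__ == "__main__":
    for field, values in resolve_custom_variables(SAMPLE_CONFIG, seed=1).items():
        print(field, values)
```

Passing a seed makes a scan's injected values reproducible, which is useful when a finding has to be reproduced from the request that triggered it; the validation step catches the common mistake of setting both path and filePath before any traffic is sent.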
Running the scan
Once the scanner is configured with the appropriate options, you can run the scan like any other application type using the following command:
```shell
hawk scan
```
The scanner will connect to the gRPC endpoint specified in the configuration and scan for security vulnerabilities.