StackHawk
๏ƒ‰

gRPC Security: How StackHawk Tests gRPC Services

Austin Pearigen and Dana White   |   Oct 18, 2023

Share on LinkedIn
Share on X
Share on Facebook
Share on Reddit
Send us an email

In a time where API security is paramount, the adoption of gRPC (gRPC Remote Procedure Calls) is on the rise, offering advantages like performance gains and language-agnostic interfaces. However, the security aspects of gRPC remain a challenge and a mystery.

In this blog post, StackHawk engineers Dana White and Austin Pearigen break down the challenges of securing gRPC services and provide solutions through the lens of Dynamic Application Security Testing (DAST).

What is DAST?

Dynamic Application Security Testing (DAST) is a technique that mimics a hacker’s actions to identify vulnerabilities in a live application. It explores the full surface of your application, checking for issues like SQL injection, among others. At StackHawk, we’ve developed a tool that enables this kind of testing, allowing engineers to shift security left in the development process.

Challenges in gRPC Security

Authentication

Authentication is always a challenge, especially when it’s designed not to be automated. Legacy systems often have complex authentication mechanisms that are poorly documented. To address this, we’ve built a developer tool, Hawk Perch , that uses gRPC to iterate quickly on authentication configurations. This tool provides real-time feedback, making it easier to test and adjust authentication mechanisms. See how it works below.

https://fast.wistia.net/embed/iframe/Ky8vzq7jmq

Scanning gRPC Services

Traditionally, DAST tools have been limited to HTTP/1-based services. However, gRPC runs over HTTP/2, which presents a challenge for traditional scanners. We’ve extended our tool to support gRPC, allowing us to test these services directly.

How We Scan gRPC Services

File Descriptor Set

To understand a gRPC service, we use a file descriptor set, which can be generated from the service itself or accessed via reflection. This descriptor set provides us with the information we need to understand the service’s schema.

Dynamic Messages

We use gRPC’s Dynamic Message class to construct messages at runtime. This allows us to generate messages based on the file descriptor set, which we can then send to the gRPC service for testing.

gRPC Security: How StackHawk Scans gRPC Services - Pic - Dynamic messages

Custom Variable Injection

Our tool supports custom variable injection, allowing you to specify particular values for certain fields. This is useful for testing different logic branches in your code. Below is an example configuration using custom values:

# in the "app" config...
app:
  grpcConf:
    filePath: '/resources/main/descriptor_set.pb'
    customVariables:
    # List of custom variables and a list of possible values to use for each of them.
    customVariables:
      - field: firstName
        values:
          - customFirstName1
          - customFirstName2
      - field: lastName
        values:
          - customLastName1
          - customLastName2
      - field: username
        values:
          - customUsername1
          - customUsername2
          - customUsername3

Scanning gRPC Services with StackHawk

In this video, we demonstrate how the StackHawk platform works, showing a scan against a vulnerable gRPC application. The scan identifies various vulnerabilities, including SQL injection. Our platform provides detailed information on each vulnerability, along with remediation steps.

https://youtube.com/watch?v=gZvXAj7WZu8%3Fsi%3DxgM_67tPbLgFPP_9%26%23038%3Bt%3D829%2520

FAQs

  • Does StackHawk scan for vulnerabilities other than SQL injection? Yes, our tool checks for a wide range of vulnerabilities, including all the OWASP Top 10.

  • Is an agent required? No, as long as we can access the application, we can scan it. We recommend running the scanner as close to the application as possible for latency reasons.

  • Is it free to get started? Yes, we offer a free trial account where you can scan a single application as much as you want.


Watch a Demo Blog Banner

Wrapping it up!

Security is a critical aspect of any application, and gRPC services are no exception. With the right tools and practices, you can identify and fix vulnerabilities before they become a problem. At StackHawk, we’re committed to making this process as seamless as possible, helping you secure your applications effectively.

Dana White and Austin Pearigen are Software Engineers at StackHawk

Get started today :

More Hawksome Posts

Discover the Best API Discovery Tools in 2025

Discover the Best API Discovery Tools in 2025

APIs power todayโ€™s software, but with AI tools accelerating development, many organizations donโ€™t even know how many APIs they haveโ€”or how secure they are. Shadow, zombie, and rogue APIs can quietly expand your attack surface, leaving critical vulnerabilities unchecked. Thatโ€™s why modern API discovery tools are essential. This guide breaks down what API discovery is, why it matters more than ever in 2025, and how to choose the right tool to secure your entire API landscape.