Hamburger Icon

gRPC Security:
How StackHawk Tests
gRPC Services

Austin and Dana

Austin Pearigen and Dana White|October 18, 2023

In the dynamic world of microservices, gRPC stands out for its effective and swift communication protocols, but security testing can be a challenge. Learn how StackHawk uses DAST to test and secure gRPC APIs.

In a time where API security is paramount, the adoption of gRPC (gRPC Remote Procedure Calls) is on the rise, offering advantages like performance gains and language-agnostic interfaces. However, the security aspects of gRPC remain a challenge and a mystery.

In this blog post, StackHawk engineers Dana White and Austin Pearigen break down the challenges of securing gRPC services and provide solutions through the lens of Dynamic Application Security Testing (DAST).

What is DAST?

Dynamic Application Security Testing (DAST) is a technique that mimics a hacker's actions to identify vulnerabilities in a live application. It explores the full surface of your application, checking for issues like SQL injection, among others. At StackHawk, we've developed a tool that enables this kind of testing, allowing engineers to shift security left in the development process.

Challenges in gRPC Security


Authentication is always a challenge, especially when it's designed not to be automated. Legacy systems often have complex authentication mechanisms that are poorly documented. To address this, we've built a developer tool, Hawk Perch, that uses gRPC to iterate quickly on authentication configurations. This tool provides real-time feedback, making it easier to test and adjust authentication mechanisms. See how it works below.

Scanning gRPC Services

Traditionally, DAST tools have been limited to HTTP/1-based services. However, gRPC runs over HTTP/2, which presents a challenge for traditional scanners. We've extended our tool to support gRPC, allowing us to test these services directly.

How We Scan gRPC Services

File Descriptor Set

To understand a gRPC service, we use a file descriptor set, which can be generated from the service itself or accessed via reflection. This descriptor set provides us with the information we need to understand the service's schema.

Dynamic Messages

We use gRPC's Dynamic Message class to construct messages at runtime. This allows us to generate messages based on the file descriptor set, which we can then send to the gRPC service for testing.

Dynamic messages image

Custom Variable Injection

Our tool supports custom variable injection, allowing you to specify particular values for certain fields. This is useful for testing different logic branches in your code. Below is an example configuration using custom values:

# in the "app" config...
    filePath: '/resources/main/descriptor_set.pb'
    # List of custom variables and a list of possible values to use for each of them.
      - field: firstName
          - customFirstName1
          - customFirstName2
      - field: lastName
          - customLastName1
          - customLastName2
      - field: username
          - customUsername1
          - customUsername2
          - customUsername3

Scanning gRPC Services with StackHawk

In this video, we demonstrate how the StackHawk platform works, showing a scan against a vulnerable gRPC application. The scan identifies various vulnerabilities, including SQL injection. Our platform provides detailed information on each vulnerability, along with remediation steps.


  • Does StackHawk scan for vulnerabilities other than SQL injection?
    Yes, our tool checks for a wide range of vulnerabilities, including all the OWASP Top 10.

  • Is an agent required?
    No, as long as we can access the application, we can scan it. We recommend running the scanner as close to the application as possible for latency reasons.

  • Is it free to get started?
    Yes, we offer a free trial account where you can scan a single application as much as you want.

Watch a demo to see StackHawk in flight

Wrapping it up!

Security is a critical aspect of any application, and gRPC services are no exception. With the right tools and practices, you can identify and fix vulnerabilities before they become a problem. At StackHawk, we're committed to making this process as seamless as possible, helping you secure your applications effectively.

Dana White and Austin Pearigen are Software Engineers at StackHawk

Get started today:

Austin Pearigen and Dana White  |  October 18, 2023

Read More

Understanding gRPC Security: How StackHawk Keeps Your APIs Protected

Understanding gRPC Security:How StackHawk Keeps YourAPIs Protected

StackHawk ❤️ APIs

StackHawk ❤️ APIs

Kotlin & Protobuf Tips & Tricks

Kotlin & ProtobufTips & Tricks