API Security API8

gRPC Pentesting

gRPC uses Protocol Buffers (Protobuf) for serialization and HTTP/2 for transport. Testing requires tools that can understand the binary format and interact with the service definitions.

Service Discovery & Reflection

gRPC Reflection allows clients to query the server for the services it exposes.

Using grpcurl

Check if reflection is enabled and list services. A single list call does both: grpcurl resolves the service names through the reflection API, so the command fails if the server does not expose it.

bash
grpcurl -plaintext localhost:50051 list

Describe a service (the reflection service itself is used here; substitute any service name returned by list):

bash
grpcurl -plaintext localhost:50051 describe grpc.reflection.v1alpha.ServerReflection

Without Reflection

If reflection is disabled, you need to find the .proto files. Look in mobile app packages, web assets, or public repositories. You can also try to reconstruct their structure from captured binary traffic using protoc --decode_raw, which recovers field numbers, wire types and values but not field names.
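The reconstruction that protoc --decode_raw performs, written out as an added Python example (not from the original notes); the SAMPLE bytes are constructed for the example, not captured from any real service:

```python
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5  # Protobuf wire types

def read_varint(buf, pos):
    """Decode one base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or overlong varint")
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7

def decode_raw(buf):
    """Return [(field_number, wire_type, value), ...] for one message."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        field, wire = tag >> 3, tag & 0x7
        if field == 0:
            raise ValueError("field number 0 is illegal")
        if wire == VARINT:
            value, pos = read_varint(buf, pos)
        elif wire in (FIXED64, FIXED32):  # little-endian fixed-width numbers
            size = 8 if wire == FIXED64 else 4
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            value, pos = int.from_bytes(buf[pos:pos + size], "little"), pos + size
        elif wire == LENGTH_DELIMITED:  # string, bytes or embedded message
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value, pos = guess_payload(buf[pos:pos + length]), pos + length
        else:  # deprecated group wire types 3 and 4 are not handled
            raise ValueError(f"unsupported wire type {wire}")
        fields.append((field, wire, value))
    return fields

def guess_payload(chunk):
    """decode_raw's heuristic: embedded message, else printable text, else bytes."""
    try:
        return decode_raw(chunk)  # caveat: short strings may also parse as a message
    except ValueError:
        text = chunk.decode("utf-8", errors="replace")
        return text if "\ufffd" not in text and text.isprintable() else chunk

# Constructed sample (no real service produced it): field 1 = 150,
# field 2 = "alice", field 3 = embedded message whose field 1 = "admin".
SAMPLE = bytes.fromhex("08 96 01 12 05 61 6c 69 63 65 1a 07 0a 05 61 64 6d 69 6e")
```

Running decode_raw(SAMPLE) yields nested tuples of field number, wire type and value; mapping those numbers back to names is the part that still needs the .proto.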

Interacting with gRPC

Invoking Methods

Call methods using grpcurl or Postman. With grpcurl, -d takes the request message as JSON (encoded to Protobuf using the service definition) and the method is named as package.Service/Method.

bash
grpcurl -plaintext -d '{"id": 1}' localhost:50051 com.example.UserService/GetUser

Intercepting Traffic

Burp Suite requires extensions to handle gRPC traffic effectively.

Burp-gRPC Extension

Allows decoding and encoding of Protobuf messages within Burp.

gRPC-UI

A web-based UI for interacting with gRPC services, similar to Swagger UI.

bash
grpcui -plaintext localhost:50051

Remediation

Defense Strategies

  • Disable gRPC Reflection in production environments.
  • Enforce TLS (gRPC over HTTPS) to prevent eavesdropping.
  • Implement authentication (e.g., mTLS, JWT) for all services.
  • Validate all input fields defined in the Protobuf messages.