Introduction
gRPC is an open-source framework developed by Google for building high-performance, scalable, and efficient microservices. It uses Protocol Buffers as its data serialization format, and HTTP/2 as its transport protocol. gRPC applications are becoming increasingly popular due to their performance benefits and ease of use. However, like any other application, gRPC applications are also susceptible to security vulnerabilities. Therefore, it is important to test gRPC applications for security vulnerabilities using a dynamic application security scanner like HawkScan.
Before You Begin
Using HawkScan to secure gRPC applications during our Beta requires a gRPC application running in a local or pre-production environment with the following:
Protocol Buffer Schema via Reflection or File Descriptor Set:
Reflection (recommended) - allows HawkScan to obtain a gRPC schema directly from the running application.
File Descriptor Set - encoded schema file generated dynamically as part of your build-process.
No authentication via TLS/mTLS (HawkScan does not yet support TLS auth for gRPC - though we are looking for feedback on what authentication methods you are using with gRPC for future improvements)
Once you've confirmed these requirements, you can move on to setting up HawkScan.
Installing HawkScan 3.0
In order to start scanning gRPC applications with HawkScan you'll need to update to the latest build of HawkScan (3.0 or later). You can check the currently installed version as follows:
$ hawk version
v3.0.0
Configuring HawkScan for gRPC
To scan a gRPC application using HawkScan, you need to configure the scanner with the appropriate options. The following yaml configuration can be used to configure HawkScan for scanning a gRPC application:
app:
grpcConf:
path: 'localhost:9001'
The above example uses reflection to obtain the schema for the application via the path
field. This value is usually the same as the appHost
without the prefix. If the target application does not have reflection enabled, a file descriptor set can also be supplied to HawkScan via the filePath
field. This file must be generated before the scan takes place. In order to generate this file, generateDescriptorSet
must be enabled in the build spec and a path should be supplied that you can point the scanner to. It is worth noting that at this time, not all frameworks/languages support generating the descriptor set for gRPC, and in those cases, reflection will be required. Once the descriptor set file has been generated, it can be supplied to the scanner as such:
app:
grpcConf:
filePath: '/resources/main/descriptor_set.pb'
NOTE: Currently TLS/auth is not supported for gRPC applications, but could be in the future.
Scanning with HawkScan
Once the scanner is configured with the appropriate options, you can run the scan like any other application type using the following command:
hawk scan
The scanner will connect to the gRPC endpoint specified in the configuration and scan for security vulnerabilities.
Optimizing gRPC Applications
You may notice longer than expected scan times for gRPC applications especially those with many services and methods. To reduce scan time we recommend you set the OpenAPI/REST API scan policy to avoid plugins not relevant to gRPC applications. You can do so from the Application settings screen under 'Application Scan Policies'. Update the Applied Policy as follows:
Viewing Results in the StackHawk Platform
Once the scan is complete you view the results in the terminal and then can navigate to the StackHawk Platform to see more details. Applications with successful gRPC scans will show up as follows in the Applications screen:
Guide to Scanning gRPC Applications with StackHawk
Don't have a gRPC application or want to see how this all works before you try it? Watch our guide to scanning gRPC applications with StackHawk here:
Conclusion
Scanning gRPC applications for security vulnerabilities is important to ensure that they are secure and do not pose a threat to the users. HawkScan provides support for scanning gRPC applications and can be configured using yaml configuration files. By using the configuration options provided by HawkScan, you can customize the scanning process and ensure that your gRPC application is secure.