gRPC is an open-source framework developed by Google for building high-performance, scalable, and efficient microservices. It uses Protocol Buffers as its data serialization format, and HTTP/2 as its transport protocol. gRPC applications are becoming increasingly popular due to their performance benefits and ease of use. However, like any other application, gRPC applications are also susceptible to security vulnerabilities. Therefore, it is important to test gRPC applications for security vulnerabilities using a dynamic application security scanner like HawkScan.
Before You Begin
Using HawkScan to secure gRPC applications during our Beta requires a gRPC application running in a local or pre-production environment with the following:
Protocol Buffer Schema via Reflection or File Descriptor Set:
Reflection (recommended) - allows HawkScan to obtain a gRPC schema directly from the running application.
File Descriptor Set - encoded schema file generated dynamically as part of your build-process.
No authentication via TLS/mTLS (HawkScan does not yet support TLS auth for gRPC - though we are looking for feedback on what authentication methods you are using with gRPC for future improvements)
Once you've confirmed these requirements, you can move on to setting up HawkScan.
Installing HawkScan 3.0
In order to start scanning gRPC applications with HawkScan you'll need to update to the latest build of HawkScan (3.0 or later). You can check the currently installed version as follows:
$ hawk version
Configuring HawkScan for gRPC
To scan a gRPC application using HawkScan, you need to configure the scanner with the appropriate options. The following yaml configuration can be used to configure HawkScan for scanning a gRPC application:
The above example uses reflection to obtain the schema for the application via the
path field. This value is usually the same as the
appHost without the prefix. If the target application does not have reflection enabled, a file descriptor set can also be supplied to HawkScan via the
filePath field. This file must be generated before the scan takes place. In order to generate this file,
generateDescriptorSet must be enabled in the build spec and a path should be supplied that you can point the scanner to. It is worth noting that at this time, not all frameworks/languages support generating the descriptor set for gRPC, and in those cases, reflection will be required. Once the descriptor set file has been generated, it can be supplied to the scanner as such:
Scanning with HawkScan
Once the scanner is configured with the appropriate options, you can run the scan like any other application type using the following command:
The scanner will connect to the gRPC endpoint specified in the configuration and scan for security vulnerabilities.
Optimizing gRPC Applications
You may notice longer than expected scan times for gRPC applications especially those with many services and methods. To reduce scan time we recommend you set the OpenAPI/REST API scan policy to avoid plugins not relevant to gRPC applications. You can do so from the Application settings screen under 'Application Scan Policies'. Update the Applied Policy as follows:
Viewing Results in the StackHawk Platform
Once the scan is complete you view the results in the terminal and then can navigate to the StackHawk Platform to see more details. Applications with successful gRPC scans will show up as follows in the Applications screen:
Guide to Scanning gRPC Applications with StackHawk
Don't have a gRPC application or want to see how this all works before you try it? Watch our guide to scanning gRPC applications with StackHawk here:
Scanning gRPC applications for security vulnerabilities is important to ensure that they are secure and do not pose a threat to the users. HawkScan provides support for scanning gRPC applications and can be configured using yaml configuration files. By using the configuration options provided by HawkScan, you can customize the scanning process and ensure that your gRPC application is secure.