Vulnerability testing of gRPC


Aleksandr Yeganov

Apr 22, 2021, 11:09:37 AM
to grpc.io
In my organization we have pretty stringent requirements on security, and all of our HTTP endpoints get tested with the Burp Suite from PortSwigger.net. My service is accepting bi-directional streaming requests and now it needs to be tested. Like I mentioned, the default tool is Burp, and the only mention of gRPC I could find is this: https://forum.portswigger.net/thread/http-2-and-grpc-support-52da4c5677b4.

Has anyone done this kind of testing? If so, could you please share how you did it?

The question to the gRPC devs: how do you validate and perform vulnerability scans on gRPC endpoints? What is the best way to address this need?

Sincerely,
Aleks

Jiangtao Li

Apr 23, 2021, 3:41:51 PM
to grpc.io
Hi Aleks,

We have done third party vulnerability testing in gRPC C++. The results are here: https://github.com/grpc/grpc/blob/master/doc/grpc_security_audit.pdf.
We also have extensive fuzzing and scanners set up in Chrome OSS fuzzing. See https://bugs.chromium.org/p/oss-fuzz/issues/list?q=grpc&can=2

We have not done any vulnerability testing using Burp. Feel free to test it yourself and report vulnerabilities if you find anything interesting. Please use https://github.com/grpc/proposal/blob/master/P4-grpc-cve-process.md to report bugs/vulnerabilities to us.

Best,
Jiangtao
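
As an added illustration for the question above (example code written for this page, not code from the thread, from Burp, or from the gRPC project), the block below shows what a tester sees inside an HTTP/2 DATA body when pointing a proxy like Burp at a gRPC service: the gRPC length-prefixed message framing (1-byte compressed flag, 4-byte big-endian length, then the serialized protobuf message), which is also what a streaming call carries one message after another. It implements a framer and a strict decoder, then runs a small mutation fuzzer against the decoder in the spirit of the OSS-Fuzz harnesses mentioned in the reply. The 4 MiB receive limit is the default max-receive-message-length of the gRPC C core; the sample payloads, the function names and the mutation strategy are this example's own assumptions.

```python
import random
import struct

# Default per-message receive limit in gRPC C-core based stacks (4 MiB). A
# decoder must reject a declared length above this before allocating for it.
MAX_MESSAGE_BYTES = 4 * 1024 * 1024


class FrameError(ValueError):
    """Raised for any malformed length-prefixed frame."""


def encode_frames(frames):
    """Serialize [(compressed, payload), ...] into one HTTP/2 request/response body.

    Wire layout per message (gRPC over HTTP/2): 1-byte compressed flag (0 or 1),
    4-byte big-endian message length, then the message bytes.
    """
    out = bytearray()
    for compressed, payload in frames:
        out += bytes([1 if compressed else 0]) + struct.pack(">I", len(payload)) + payload
    return bytes(out)


def decode_frames(body, max_message_bytes=MAX_MESSAGE_BYTES):
    """Split a body into [(compressed, payload), ...], rejecting malformed input.

    Rejects a truncated 5-byte header, a flag other than 0/1, a declared length
    above the limit (checked before any slicing), and a truncated payload.
    """
    frames = []
    pos = 0
    while pos < len(body):
        if len(body) - pos < 5:
            raise FrameError(f"truncated frame header at offset {pos}")
        flag = body[pos]
        if flag not in (0, 1):
            raise FrameError(f"reserved compressed-flag value {flag:#x} at offset {pos}")
        (length,) = struct.unpack(">I", body[pos + 1:pos + 5])
        if length > max_message_bytes:
            raise FrameError(f"declared length {length} exceeds {max_message_bytes}")
        start, end = pos + 5, pos + 5 + length
        if end > len(body):
            raise FrameError(f"truncated payload at offset {start}: need {length}, have {len(body) - start}")
        frames.append((flag == 1, bytes(body[start:end])))
        pos = end
    return frames


def rejects(body):
    """True if decode_frames rejects body with a clean FrameError (no other exception)."""
    try:
        decode_frames(body)
    except FrameError:
        return True
    return False


def mutate(data, rng):
    """Apply one random mutation: bit flip, byte insert, byte delete, truncation,
    or overwrite of the first length field with an extreme value."""
    data = bytearray(data)
    choice = rng.randrange(5)
    if choice == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1:
        data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
    elif choice == 2 and data:
        del data[rng.randrange(len(data))]
    elif choice == 3 and data:
        del data[rng.randrange(len(data)):]
    elif len(data) >= 5:
        data[1:5] = struct.pack(">I", rng.choice([0, 1, 0x7FFFFFFF, 0xFFFFFFFF]))
    return bytes(data)


def fuzz_decoder(seed_body, iterations=2000, seed=1):
    """Mutation-fuzz decode_frames starting from a valid seed body.

    Returns outcome counts. 'ok' means the input was accepted and re-encodes
    byte-for-byte (a lossless parse); 'rejected' means a clean FrameError.
    'crash' (any other exception, or a lossy accept) would be a decoder bug.
    """
    rng = random.Random(seed)
    counts = {"ok": 0, "rejected": 0, "crash": 0}
    for _ in range(iterations):
        sample = seed_body
        for _ in range(rng.randint(1, 3)):
            sample = mutate(sample, rng)
        try:
            decoded = decode_frames(sample)
            counts["ok" if encode_frames(decoded) == sample else "crash"] += 1
        except FrameError:
            counts["rejected"] += 1
        except Exception:
            counts["crash"] += 1
    return counts


# Constructed sample: two uncompressed messages as a client might send on a
# streaming call. The payload bytes stand in for serialized protobuf messages.
SEED_BODY = encode_frames([(False, b"\x0a\x05hello"), (False, b"\x0a\x05world")])

if __name__ == "__main__":
    print(decode_frames(SEED_BODY))
    print(fuzz_decoder(SEED_BODY))
```

When replaying or editing such a body through a proxy, the request must still carry `:method POST`, `content-type: application/grpc` and `te: trailers`, and the outcome of a call is in the `grpc-status` trailer rather than in the HTTP status, so a scanner that only reads HTTP status codes will miss most gRPC-level errors. The fuzzer here only exercises the framing layer; the protobuf payload and the service's own message validation are separate targets.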

Robert Ficcaglia

Apr 30, 2021, 3:09:29 PM
to grpc.io
So for examples like:

Do those get reported as CVEs automatically, or is a human required to "groom" a CVE report per the noted process? Put another way, are the (reproducible) issues listed in OSS-Fuzz "latent" CVEs that no human has had a chance to review and put together a human-reviewable report for? Or are they triaged and reviewed regularly by the project and deemed NOT to be real issues worthy of a CVE?
