Vulnerability testing of gRPC


Aleksandr Yeganov

Apr 22, 2021, 11:09:37 AM
to grpc.io
In my organization we have pretty stringent requirements on security, and all of our HTTP endpoints get tested with the Burp Suite from PortSwigger.net. My service is accepting bi-directional streaming requests and now it needs to be tested. Like I mentioned, the default tool is Burp, and the only mention of gRPC I could find is this: https://forum.portswigger.net/thread/http-2-and-grpc-support-52da4c5677b4.

Has anyone done this kind of testing? If so, could you please share how you did it?

The question to gRPC devs - how do you validate and perform vulnerability scans on gRPC endpoints? What is the best way to address this need?

Sincerely,
Aleks
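Whatever tool intercepts the HTTP/2 stream, what it shows in the DATA body is gRPC's length-prefixed message framing (1-byte compressed flag, 4-byte big-endian length, then the serialized message), and testing a bi-directional stream means being able to split, reassemble and deliberately corrupt those frames. The following is an added example of that framing, written for this thread and not code from the original post or from the gRPC project. It assumes a 4 MiB receive limit (the default gRPC servers commonly use) and treats message bodies as opaque bytes; `tamper_length` and the sample messages are constructed for illustration.

```python
import struct

# gRPC over HTTP/2 carries each message as a length-prefixed frame:
#   1 byte  compressed-flag (0 or 1)
#   4 bytes message length, unsigned big-endian
#   N bytes message (a serialized protobuf in a real service; opaque bytes here)
HEADER = struct.Struct("!BI")

# Assumption: 4 MiB, the receive limit gRPC servers commonly default to.
MAX_MESSAGE_BYTES = 4 * 1024 * 1024


class FrameError(ValueError):
    """Malformed frame header that a receiver should reject outright."""


def frame_message(payload: bytes, compressed: bool = False) -> bytes:
    """Wrap one message in a gRPC length-prefixed frame."""
    return HEADER.pack(1 if compressed else 0, len(payload)) + payload


def parse_frames(buf: bytes, max_message_bytes: int = MAX_MESSAGE_BYTES):
    """Split buf into complete frames.

    Returns (frames, remainder). frames is a list of (compressed, payload);
    remainder is the trailing incomplete frame (possibly empty) that a
    streaming reader keeps until the next DATA frame arrives.
    """
    frames = []
    offset = 0
    while len(buf) - offset >= HEADER.size:
        flag, length = HEADER.unpack_from(buf, offset)
        if flag not in (0, 1):
            raise FrameError(f"reserved compressed-flag value {flag} at offset {offset}")
        if length > max_message_bytes:
            # Check the declared length before buffering: a 4 GiB header on
            # a 5-byte frame must not drive allocation.
            raise FrameError(f"declared length {length} exceeds limit {max_message_bytes}")
        start = offset + HEADER.size
        if len(buf) - start < length:
            break  # partial message; wait for more bytes
        frames.append((flag == 1, bytes(buf[start:start + length])))
        offset = start + length
    return frames, bytes(buf[offset:])


def reassemble_stream(chunks, max_message_bytes: int = MAX_MESSAGE_BYTES):
    """Feed HTTP/2 DATA chunks in order, as a bidi-stream receiver would,
    and return every complete message in arrival order."""
    messages = []
    pending = b""
    for chunk in chunks:
        frames, pending = parse_frames(pending + chunk, max_message_bytes)
        messages.extend(frames)
    return messages


def is_malformed(buf: bytes, max_message_bytes: int = MAX_MESSAGE_BYTES) -> bool:
    """True if the buffer starts with a header a receiver must reject."""
    try:
        parse_frames(buf, max_message_bytes)
        return False
    except FrameError:
        return True


def tamper_length(frame: bytes, declared_length: int) -> bytes:
    """Hypothetical helper: rewrite the length field of an otherwise valid
    frame, to build a test case for how a server handles a length that
    disagrees with the bytes actually sent (the kind of edit one makes in
    an intercepting proxy before forwarding)."""
    flag, _ = HEADER.unpack_from(frame, 0)
    return HEADER.pack(flag, declared_length) + frame[HEADER.size:]


if __name__ == "__main__":
    # Constructed sample: two messages split across chunk boundaries that
    # do not line up with frame boundaries.
    stream = frame_message(b"hello") + frame_message(b"world", compressed=True)
    chunks = [stream[:3], stream[3:12], stream[12:]]
    print(reassemble_stream(chunks))
    oversized = tamper_length(frame_message(b"x"), 0xFFFFFFFF)
    print("rejected" if is_malformed(oversized) else "accepted")
```

The point of checking the declared length against a limit before touching the payload is that on a stream the receiver has no way to know how much more is coming; the only defence against a header that lies is to refuse it up front. When replaying tampered frames against a real service, the thing to observe is whether the server closes the stream with an error status promptly or sits holding memory waiting for bytes that never arrive.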

Jiangtao Li

Apr 23, 2021, 3:41:51 PM
to grpc.io
Hi Aleks,

We have done third party vulnerability testing in gRPC C++. The results are here: https://github.com/grpc/grpc/blob/master/doc/grpc_security_audit.pdf.
We also have extensive fuzzing and scanners set up in Chrome OSS fuzzing. See https://bugs.chromium.org/p/oss-fuzz/issues/list?q=grpc&can=2

We have not done any vulnerability testing using Burp. Feel free to try testing yourself and report vulnerabilities if you find anything interesting. Please use https://github.com/grpc/proposal/blob/master/P4-grpc-cve-process.md to report bugs/vulnerabilities to us.

Best,
Jiangtao

Robert Ficcaglia

Apr 30, 2021, 3:09:29 PM
to grpc.io
So for examples like:

do those get reported as CVEs automatically, or is a human required to "groom" a CVE report per the noted process? Put another way, are the (reproducible) issues listed in oss-fuzz "latent" CVEs that no human has had a chance to review and put together a human-reviewable report for? Or are they triaged and reviewed regularly by the project and deemed NOT to be real issues worthy of a CVE?
