Vulnerability testing of gRPC

Aleksandr Yeganov

Apr 22, 2021, 11:09:37 AM
In my organization we have pretty stringent requirements on security, and all of our HTTP endpoints get tested with the BURP suite from My service is accepting bi-directional streaming requests and now it needs to be tested. Like I mentioned, the default tool is BURP, and the only mention of gRPC I could find is this

Has anyone done this kind of testing? If so, could you please share how you did it?

The question to gRPC devs - how do you validate and perform vulnerability scans on gRPC endpoints? What is the best way to address this need?


Jiangtao Li

Apr 23, 2021, 3:41:51 PM
Hi Aleks,

We have done third party vulnerability testing in gRPC C++. The results are here:
We also have extensive fuzzing and scanners set up in Chrome OSS fuzzing. See

We have not done any vulnerability testing using BURP. Feel free to test it yourself and report vulnerabilities if you find anything interesting. Please use to report bugs/vulnerabilities to us.
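The fuzzing Jiangtao mentions runs against the gRPC implementation itself; for someone without OSS-Fuzz, a useful first target is the wire framing every gRPC message travels in, since a bi-directional stream is just a sequence of these frames over HTTP/2. The following is an added example written for this thread, not code from the original posts or from the gRPC project: a decoder for the gRPC length-prefixed message framing (1-byte compressed flag, 4-byte big-endian length, payload) plus a small mutation fuzzer that feeds it corrupted streams and checks that every malformed input is rejected cleanly rather than causing an unexpected exception. The names `decode_stream`, `classify`, `mutate` and `fuzz` are this example's own, the two-message seed stream is constructed inline, and `MAX_MESSAGE_BYTES` is an assumed stand-in for grpc's default 4 MiB receive limit.

```python
import random
import struct
from dataclasses import dataclass
from typing import Dict, List

# gRPC over HTTP/2 carries each message as a length-prefixed frame:
#   Compressed-Flag (1 byte, 0 or 1) || Message-Length (4 bytes, big-endian) || Message
HEADER = struct.Struct("!BI")

# Assumption: mirrors grpc's default 4 MiB receive limit; in a real stack it is a per-channel setting.
MAX_MESSAGE_BYTES = 4 * 1024 * 1024


class FramingError(ValueError):
    """A malformed or over-limit frame; the decoder is expected to raise this, never anything else."""


@dataclass
class Frame:
    compressed: bool
    payload: bytes


def encode_frame(payload: bytes, compressed: bool = False) -> bytes:
    """Wrap one serialized message in the gRPC length-prefixed framing."""
    return HEADER.pack(1 if compressed else 0, len(payload)) + payload


def decode_stream(data: bytes, max_message_bytes: int = MAX_MESSAGE_BYTES) -> List[Frame]:
    """Split a byte stream into frames, rejecting anything malformed before allocating for it."""
    frames: List[Frame] = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < HEADER.size:
            raise FramingError(f"truncated header at offset {pos}")
        flag, length = HEADER.unpack_from(data, pos)
        if flag not in (0, 1):
            raise FramingError(f"reserved compressed-flag value {flag} at offset {pos}")
        # Check the declared length against the limit BEFORE using it as a buffer size.
        if length > max_message_bytes:
            raise FramingError(f"declared length {length} exceeds limit {max_message_bytes}")
        pos += HEADER.size
        if len(data) - pos < length:
            raise FramingError(f"truncated payload: declared {length}, {len(data) - pos} available")
        frames.append(Frame(bool(flag), data[pos:pos + length]))
        pos += length
    return frames


def classify(data: bytes) -> str:
    """Outcome of feeding one input to the decoder: 'ok', 'rejected' (FramingError) or 'crash'."""
    try:
        decode_stream(data)
        return "ok"
    except FramingError:
        return "rejected"
    except Exception:  # any other exception is a decoder bug worth a report
        return "crash"


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte delete, byte insert, or length-field overwrite."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        del buf[rng.randrange(len(buf))]
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif len(buf) >= HEADER.size:
        # Lie about the first frame's length: the classic resource-exhaustion probe.
        struct.pack_into("!I", buf, 1, rng.randrange(2 ** 32))
    return bytes(buf)


def fuzz(seed: int, iterations: int = 2000) -> Dict[str, int]:
    """Mutate a valid two-message stream repeatedly and tally how the decoder responds."""
    rng = random.Random(seed)
    # Constructed seed input: two protobuf-looking payloads, the second flagged as compressed.
    corpus = encode_frame(b"\x0a\x05hello") + encode_frame(b"\x0a\x05world", compressed=True)
    tally = {"ok": 0, "rejected": 0, "crash": 0}
    for _ in range(iterations):
        data = corpus
        for _ in range(rng.randint(1, 3)):
            data = mutate(data, rng)
        tally[classify(data)] += 1
    return tally


if __name__ == "__main__":
    print(fuzz(seed=1))
```

The property being checked is the one a fuzzer cares about: the only acceptable failure mode is a deliberate `FramingError`, and the length limit is enforced before the declared length is trusted. Pointing the same `mutate`/`classify` loop at a real service means replacing `decode_stream` with a client that writes the mutated bytes onto an HTTP/2 DATA frame, which is where a Burp extension or a custom gRPC client comes in.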


Robert Ficcaglia

Apr 30, 2021, 3:09:29 PM
so for examples like:

Do those get reported as CVEs automatically, or is a human required to "groom" a CVE report per the noted process? Put another way, are the (reproducible) issues listed in oss-fuzz "latent" CVEs that no human has had a chance to review and put together a human-reviewable report for? Or are they triaged and reviewed regularly by the project and deemed NOT to be real issues worthy of a CVE?

