gRPC Pentesting: Reflection, Interceptors, TLS, and Proto Fuzzing
Pentesting gRPC services covering server reflection, mTLS bypass, interceptor abuse, protobuf fuzzing, and tooling for binary RPC traffic capture.
By Arjun Raghavan, Security & Systems Lead, BIPI · December 23, 2024 · 9 min read
gRPC traffic is HTTP/2 with protobuf payloads. Burp does not natively decode it, and developers often assume that opacity equals security. It does not. With grpcurl, ghz, and a captured .proto file, you can pentest gRPC like any other RPC.
Discovery and Reflection
If server reflection is enabled, grpcurl -plaintext host:50051 list dumps every service. grpcurl describe gives field types and message structures. Reflection is convenient for dev tooling, dangerous in production. Disable it at the server, or gate it behind mTLS-only access.
- grpcurl -plaintext host:50051 list, then describe each service for full schema
- Without reflection, get the .proto from mobile binaries, jadx the APK, search for FileDescriptorProto bytes
- Tools like grpc-tools and bloomrpc help craft requests against arbitrary services
- Wireshark with the grpc-web dissector decodes gRPC-Web transport, useful for browser-facing services
Interceptors and Auth
gRPC metadata (the gRPC equivalent of HTTP headers) carries auth tokens. Replay attacks, JWT tampering, and metadata smuggling all work. A common bug: an interceptor checks authorization on unary calls but not on streaming calls, or is scoped to specific services and leaves the reflection and health-check services unchecked.
mTLS and Plaintext Fallback
Production gRPC should be mTLS. Test plaintext on the same port (some servers accept an ALPN negotiation downgrade), and test cleartext on the next 100 ports: engineers often leave a debug listener at 50052 or 9090. For mTLS, harvest the client cert from mobile binaries; sometimes a single pinned client cert is shared across millions of installs.
Pinned client certificates baked into mobile binaries are bearer tokens with extra steps. We have extracted three in 2024 alone, two from Android banking apps and one from a fintech wallet.
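Added example, not from the post: a Go program using only the standard library that builds a throwaway in-memory PKI (names, serials and lifetimes are constructed for the demo), configures the server side the way production gRPC should be (client certificate required and verified against the workload CA, TLS 1.2 minimum, ALPN offering h2 only so there is no plaintext or HTTP/1.1 to fall back to), and runs two loopback handshakes to show that a client with no certificate is refused while one presenting a ten-minute workload certificate is accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue generates a P-256 key and a certificate from tmpl: self-signed when
// parent is nil (the demo CA), otherwise signed by parent/parentKey.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

func template(cn string, serial int64, ttl time.Duration, eku x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
}

// demoPKI builds an in-memory CA, a server cert and a short-lived client cert
// (all constructed for this example) and returns the TLS configs under test.
func demoPKI() (server, withCert, withoutCert *tls.Config) {
	caT := template("demo-ca", 1, time.Hour, x509.ExtKeyUsageAny)
	caT.IsCA, caT.BasicConstraintsValid = true, true
	caT.KeyUsage |= x509.KeyUsageCertSign
	_, ca, caKey := issue(caT, nil, nil)
	srvT := template("grpc-server", 2, time.Hour, x509.ExtKeyUsageServerAuth)
	srvT.IPAddresses = []net.IP{net.ParseIP("127.0.0.1")}
	srvCert, _, _ := issue(srvT, ca, caKey)
	// Ten-minute workload cert: a harvested copy expires long before it could be
	// shipped inside an app, unlike a pinned cert that is valid for years.
	cliCert, _, _ := issue(template("workload", 3, 10*time.Minute, x509.ExtKeyUsageClientAuth), ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	server = &tls.Config{
		Certificates: []tls.Certificate{srvCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no verified client cert, no session
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
		NextProtos:   []string{"h2"}, // ALPN offers HTTP/2 only
	}
	withCert = &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{cliCert}, NextProtos: []string{"h2"}}
	withoutCert = &tls.Config{RootCAs: pool, NextProtos: []string{"h2"}}
	return server, withCert, withoutCert
}

// serverAccepts runs one handshake over loopback TCP and reports the server's
// verdict. The server side is what matters: under TLS 1.3 the client's Handshake
// returns nil before the server has rejected its missing certificate.
func serverAccepts(serverCfg, clientCfg *tls.Config) bool {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer c.Close()
		verdict <- tls.Server(c, serverCfg).Handshake()
	}()
	if c, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		defer c.Close() // keep the client open until the server has ruled
	}
	return <-verdict == nil
}

func main() {
	srv, cert, anon := demoPKI()
	fmt.Println("with workload cert accepted:", serverAccepts(srv, cert))
	fmt.Println("without cert accepted:", serverAccepts(srv, anon))
}
```

grpc-go takes a config like this through credentials.NewTLS, and because the TLS layer wraps the socket before HTTP/2 starts, the same port never speaks cleartext. The debug listener on 50052 or 9090 that the text mentions is a separate listener, so the fix there is not to run it in production.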
Protobuf Fuzzing
Once you have the .proto, build a harness with Python's grpc_tools and feed it AFL-generated mutations. The protobuf-mutator library generates structurally valid protobufs from the schema, perfect for coverage-guided fuzzing of gRPC servers. Honggfuzz with protobuf-mutator found several CVEs in Envoy and Istio in 2023 and 2024.
Capturing Traffic
- mitmproxy with the grpc addon decodes protobuf if you load the .proto
- Burp Suite needs the Protobuf-Decoder extension and a schema file to render messages
- For mobile, hook the gRPC channel in Frida and dump request/response bytes before encryption
- tcpdump captures opened in Wireshark, which dissects HTTP/2, work against plaintext gRPC
Common Findings
- BOLA on RPC method arguments, same as REST, just a different transport
- Streaming endpoints with no per-message auth checks, only initial handshake
- Reflection enabled in production, full schema leak to unauthenticated callers
- Verbose error details leaking stack traces in google.rpc.Status detail messages
- Mass assignment in nested message types, where the server calls ParseFromString and copies the result straight into a domain object
Notable CVEs
- CVE-2024-7254 protobuf-java DoS via deeply nested unknown fields
- CVE-2023-44487 HTTP/2 Rapid Reset hit every major gRPC implementation, mitigations rolled out 2024
- Envoy CVE-2024-23323 regex DoS in gRPC route matcher
Defense
- Disable reflection in production, enforce mTLS, use SPIFFE or short-lived workload certificates
- Per-RPC authorization, including streaming and per-message checks for long-lived streams
- Resource limits: max message size, max concurrent streams, max metadata size on the channel
- Treat protobuf parsing as untrusted input, do not pass parsed messages to ORM mass-assign helpers
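To make the last two items concrete, an added example (not the post's code): a schema-light protobuf wire-format decoder in Go with a message-size cap and a nesting-depth bound (groups, wire types 3 and 4, nest with no length prefix, so they are where unbounded recursion lives), followed by a binding into a domain struct that copies only allowlisted field numbers instead of handing the parsed message to a mass-assign helper. The User fields, field numbers, limits and sample bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"errors"
)

const (
	maxMessageBytes = 4 << 20 // size cap applied before any parsing
	maxDepth        = 32      // bound on nested groups: recursion exhaustion becomes an error
)

// field is one decoded wire-format entry: number, wire type, varint value or raw payload.
type field struct{ num, wire int; val uint64; raw []byte }
func readVarint(b []byte, pos int) (v uint64, _ int, _ error) {
	for shift := uint(0); shift < 64 && pos < len(b); shift += 7 {
		c := b[pos]
		pos++
		v |= uint64(c&0x7f) << shift
		if c < 0x80 {
			return v, pos, nil
		}
	}
	return 0, pos, errors.New("truncated or overlong varint")
}
// parse walks one message (or one group when group != 0) from pos; groups nest with no length prefix, so depth is tracked explicitly.
func parse(b []byte, pos, depth, group int) (out []field, _ int, err error) {
	if depth > maxDepth {
		return nil, pos, errors.New("nesting depth exceeded")
	}
	for pos < len(b) {
		var tag uint64
		if tag, pos, err = readVarint(b, pos); err != nil {
			return nil, pos, err
		}
		f := field{num: int(tag >> 3), wire: int(tag & 7)}
		switch f.wire {
		case 0: // varint
			if f.val, pos, err = readVarint(b, pos); err != nil {
				return nil, pos, err
			}
		case 1, 5: // fixed64 / fixed32: skip after a bounds check
			if pos += 8 - 4*(f.wire/5); pos > len(b) {
				return nil, pos, errors.New("truncated fixed-width field")
			}
		case 2: // length-delimited: the declared length must fit the buffer
			n, p, err := readVarint(b, pos)
			if err != nil || n > uint64(len(b)-p) {
				return nil, pos, errors.New("bad length-delimited field")
			}
			f.raw, pos = b[p:p+int(n)], p+int(n)
		case 3: // start group: recurse under the depth bound, discard the contents
			if _, pos, err = parse(b, pos, depth+1, f.num); err != nil {
				return nil, pos, err
			}
		case 4: // end group: valid only when it closes the group being parsed
			if f.num != group {
				return nil, pos, errors.New("mismatched end group")
			}
			return out, pos, nil
		default:
			return nil, pos, errors.New("unsupported wire type")
		}
		out = append(out, f)
	}
	if group != 0 {
		return nil, pos, errors.New("unterminated group")
	}
	return out, pos, nil
}

// User is the domain object; IsAdmin is server-controlled and never comes from the wire.
type User struct{ ID uint64; Name string; IsAdmin bool }

// bindUser applies the size cap, parses, and copies only allowlisted fields (1: id, 2: name); a client-supplied field 4 (is_admin) is decoded but never bound.
func bindUser(b []byte) (User, error) {
	if len(b) > maxMessageBytes {
		return User{}, errors.New("message too large")
	}
	fields, _, err := parse(b, 0, 0, 0)
	var u User
	for _, f := range fields {
		switch {
		case f.num == 1 && f.wire == 0:
			u.ID = f.val
		case f.num == 2 && f.wire == 2:
			u.Name = string(f.raw)
		}
	}
	return u, err
}

// sampleUser is a constructed message {id: 7, name: "alice", is_admin: true}; the trailing field 4 is what a client adds hoping the server mass-assigns it.
var sampleUser = []byte{0x08, 0x07, 0x12, 0x05, 'a', 'l', 'i', 'c', 'e', 0x20, 0x01}

// deepGroups nests n start-group tags (0x4b: field 9, wire type 3) and closes them (0x4c): the deeply nested unknown-field shape the text ties to CVE-2024-7254.
func deepGroups(n int) []byte {
	return append(bytes.Repeat([]byte{0x4b}, n), bytes.Repeat([]byte{0x4c}, n)...)
}
```

bindUser(sampleUser) yields ID 7 and Name "alice" with IsAdmin left false, and bindUser(deepGroups(1000)) fails with "nesting depth exceeded" instead of recursing a thousand levels; the size cap and depth bound are the same two knobs the real protobuf runtimes expose, and the allowlisted copy is the pattern to use in place of parsing straight into the object.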
gRPC is just RPC. The binary wire format adds friction, not security. Once you can decode the wire, every REST finding category applies.