Hi Aleks,

We have done third-party vulnerability testing in gRPC C++. The results are here: https://github.com/grpc/grpc/blob/master/doc/grpc_security_audit.pdf. We also have extensive fuzzing and scanners set up in Chrome OSS fuzzing. See https://bugs.chromium.org/p/oss-fuzz/issues/list?q=grpc&can=2

We have not done any vulnerability testing using BURP. Feel free to test it yourself and report vulnerabilities if you find anything interesting. Please use https://github.com/grpc/proposal/blob/master/P4-grpc-cve-process.md to report bugs/vulnerabilities to us.

Best,
Jiangtao

On Thursday, April 22, 2021 at 8:09:37 AM UTC-7 [email protected] wrote:
> In my organization we have pretty stringent requirements on security, and all of our HTTP endpoints get tested with the BURP suite from PortSwigger.net. My service is accepting bi-directional streaming requests and now it needs to be tested. Like I mentioned, the default tool is BURP and the only mention of gRPC I could find is this: https://forum.portswigger.net/thread/http-2-and-grpc-support-52da4c5677b4.
>
> Has anyone done this kind of testing? If so, could you please share how you did it?
>
> The question to gRPC devs: how do you validate and perform vulnerability scans on gRPC endpoints? What is the best way to address this need?
>
> Sincerely,
> Aleks
