gRPC and gRPC-Web lab for testing purposes. I made this repo for pentesting gRPC-Web and researching on it.
See the gRPC-Pentest-Suite Repo. I made 2 tools:
- grpc-coder.py which makes the manipulating gRPC-Web payloads easy
- +burp suite extension for using this script easy
- grpc-scan.py which scans gRPC-Web Javascript Webpacked files for finding messages and endpoints
the examples directory in this repo, has these examples:
- Echo: simple echo app with grpc-web
- Hello World: simple hello world grpc app
- Vulnerable XSS Echo: app using grpc-web which is vulnerable to xss ,but it has client protections
- Vulnerable XSS Multi Parameter Echo: app using grpc-web which is vulnerable to xss ,but it has client protections and uses multiple parameters instead of one
- XSS Secured: XSS Secured --> the input gets encoded in server
- Hidden SQLi: gRPC-Web Lab which has 2 hidden SQLi vulnerability.
Read Protoc Readme
Read gRPC-Web Readme
If you have .proto file read grpcui README
All Examples are examples in main gRPC-Web Github repo with some specific changes.