Scanning gRPC API Web Services with Invicti Standard
gRPC (Remote Procedure Call) is a modern, high-performance framework that enables efficient communication between services in distributed systems. Unlike traditional RESTful APIs, which typically use JSON over HTTP, gRPC uses protocol buffers as its Interface Definition Language (IDL) and HTTP/2 for transport. This combination offers benefits such as improved performance, built-in support for streaming, and strong typing. This document describes how to scan gRPC API Web services with Invicti Standard.
PREREQUISITES:
For instructions on how to set the parameters in points 1 and 2, refer to Configuring Invicti Standard Settings - Advanced Options. |
How to scan gRPC API Web Services
The process involves preparing a new scan and uploading a .proto file. For detailed instructions, follow these steps:
- Log in to Invicti Standard.
- From the Home menu, click New.
- Select the Target Website or Web Service URL.
- From the Scan Settings, select Links/API Definitions.
- In the Links / API Definitions > From File section, select gRPC Proto.
- In the gRPC Proto Import window, enter the gRPC endpoint URL in the Definition File URL field and click OK.
NOTE: Invicti Standard does not support multiple .proto files. While multiple .proto files can be imported through the UI, Invicti Standard only utilizes a single .proto file. |
- In the Import Links window that opens up, locate and select the .proto file, and click Open.
- The All imported Links section is updated with the .proto file you uploaded.
- If the Target Website or Web Service URL is different from the gRPC endpoint URL from step 6, you need to add this URL in Scan Settings > Additional Websites. If you don't specify the gRPC endpoint URL as an additional website, Invicti Standard will not target this service.
- Click Start Scan at the bottom of the page to start scanning with the gRPC Service.