gRPC Scanning Guide

NAT can scan gRPC services for security vulnerabilities and functional issues by parsing .proto files and generating tests for all four RPC types. It supports TLS connections and includes security fuzzing with malformed protobuf payloads.

gRPC scanning was shipped in v1.4.0. See the Changelog for details.

Prerequisites

Install the gRPC Python libraries alongside nat-engine:

pip install nat-engine grpcio grpcio-tools

You will also need:

  • A running gRPC server
  • The .proto file(s) that define its service(s)

Quick start

nat scan \
  --protocol grpc \
  --grpc-endpoint localhost:50051 \
  --proto service.proto

NAT parses the .proto file, discovers all RPC methods, generates test cases, and streams results to your terminal.

CLI flags

| Flag | Description | Default |
| --- | --- | --- |
| --protocol grpc | Enable gRPC scanning mode | |
| --grpc-endpoint <host:port> | Address of the gRPC server | |
| --proto <path> | Path to the .proto file (repeatable for multiple files) | |
| --grpc-use-tls | Connect over TLS | false |

Full CLI example

nat scan \
  --protocol grpc \
  --grpc-endpoint grpc.example.com:443 \
  --proto api/v1/user_service.proto \
  --proto api/v1/payment_service.proto \
  --grpc-use-tls \
  --output report.html

Supported RPC types

NAT tests all four gRPC communication patterns:

| RPC type | Description |
| --- | --- |
| Unary | Single request → single response. Most common pattern. |
| Server streaming | Single request → stream of responses. |
| Client streaming | Stream of requests → single response. |
| Bidi streaming | Stream of requests → stream of responses. |

For streaming RPCs, NAT sends a configurable number of messages per stream (default: 5) and checks for authorization flaws, information disclosure, and error handling issues across the entire stream.

.proto file parsing

NAT uses grpcio-tools to compile .proto files at scan time. It:

  1. Resolves imports relative to the directory of the supplied .proto file
  2. Reflects message schemas to generate realistic request payloads
  3. Discovers all service definitions and their RPC methods automatically
  4. Uses the fully-qualified service and method names for reflection-based scanning when a live server reflection endpoint is available

If your .proto files use imports from a shared proto/ directory, pass the root directory with --proto-path:

nat scan --protocol grpc --grpc-endpoint localhost:50051 \
  --proto services/user.proto --proto-path proto/

TLS options

Enable TLS with --grpc-use-tls:

nat scan \
  --protocol grpc \
  --grpc-endpoint grpc.example.com:443 \
  --proto service.proto \
  --grpc-use-tls

For mutual TLS (mTLS), provide client certificates via environment variables:

| Variable | Description |
| --- | --- |
| NAT_GRPC_CA_CERT | Path to the CA certificate file |
| NAT_GRPC_CLIENT_CERT | Path to the client certificate file |
| NAT_GRPC_CLIENT_KEY | Path to the client private key file |

Security fuzzing

NAT automatically generates malformed protobuf payloads to probe for:

  • Type confusion — sending the wrong wire type for a field
  • Oversized messages — messages that exceed server-side size limits
  • Negative / overflow values — integer fields set to INT64_MIN, INT64_MAX, and other boundary values
  • Missing required fields — omitting required fields to test server-side validation
  • Authorization bypass — probing whether unauthenticated calls succeed for methods that require auth
  • Metadata injection — injecting malicious values in gRPC metadata headers
⚠️ Security fuzzing sends intentionally malformed requests. Only run against test or staging environments — never against production gRPC services.
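
The type-confusion, oversized-message and boundary-value probes listed above, seen from the server side: this is an added example (not NAT's code) of a pure-Python check that walks the protobuf wire format once and reports fields whose wire type disagrees with the schema, truncated fields, and messages over a size limit. SCHEMA, MAX_BYTES and the sample byte strings are constructed for illustration.

```python
# Added example, not NAT code. SCHEMA, MAX_BYTES and the messages are constructed.
VARINT, I64, LEN, I32 = 0, 1, 2, 5
NAMES = {VARINT: "VARINT", I64: "I64", LEN: "LEN", I32: "I32"}
SCHEMA = {1: ("user_id", VARINT), 2: ("email", LEN)}  # hypothetical request message
MAX_BYTES = 4 * 1024 * 1024  # assumed server-side size limit

def read_varint(buf, pos):
    """Decode one base-128 varint; return (value, next_pos)."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("truncated or overlong varint")
        byte = buf[pos]
        value |= (byte & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
        if not byte & 0x80:
            return value, pos

def validate(buf, schema=SCHEMA, limit=MAX_BYTES):
    """Walk the wire format once and return a list of problems (empty if clean)."""
    if len(buf) > limit:
        return [f"oversized: {len(buf)} > {limit} bytes"]
    problems, pos = [], 0
    try:
        while pos < len(buf):
            tag, pos = read_varint(buf, pos)
            field, wire = tag >> 3, tag & 7
            if wire == VARINT:
                _, pos = read_varint(buf, pos)
            elif wire in (I64, I32, LEN):
                size = {I64: 8, I32: 4}.get(wire)
                if size is None:  # LEN: a length prefix precedes the payload
                    size, pos = read_varint(buf, pos)
                if size > len(buf) - pos:
                    raise ValueError(f"field {field} needs {size} bytes, {len(buf) - pos} left")
                pos += size
            else:  # 3 and 4 are deprecated groups, 6 and 7 are undefined
                raise ValueError(f"field {field} has unsupported wire type {wire}")
            if field in schema and schema[field][1] != wire:
                name, want = schema[field]
                problems.append(f"type confusion: {name} expects {NAMES[want]}, got {NAMES[wire]}")
    except ValueError as exc:
        problems.append(f"malformed: {exc}")
    return problems

GOOD = b"\x08\x96\x01\x12\x05a@b.c"              # user_id=150, email="a@b.c"
CONFUSED = b"\x0a\x03abc"                        # field 1 sent as LEN, not VARINT
TRUNCATED = b"\x12\x7fabc"                       # email claims 127 bytes, 3 present
INT64_MIN_MSG = b"\x08" + b"\x80" * 9 + b"\x01"  # user_id=-2**63 as a 10-byte varint
```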

Example output

NAT gRPC Scan — grpc.example.com:443
Proto: service.proto
Services: UserService (3 methods), PaymentService (4 methods)
─────────────────────────────────────────────────────────────
[HIGH]    UserService.GetUser — Missing authorization check
          Unauthenticated call returned 200 OK with user data
          Fix: Enforce auth interceptor on all UserService methods

[MEDIUM]  PaymentService.StreamTransactions — Information disclosure
          Error response reveals internal database schema
          Fix: Use generic error messages; log detail server-side only

[INFO]    UserService.UpdateUser — Input validation present
          Server correctly rejected malformed protobuf payloads

─────────────────────────────────────────────────────────────
2 findings — 1 HIGH, 1 MEDIUM
Report saved to: nat-report.html

Authentication

Pass authentication metadata using --auth-type as with REST scanning:

nat scan \
  --protocol grpc \
  --grpc-endpoint localhost:50051 \
  --proto service.proto \
  --auth-type bearer \
  --auth-token "$GRPC_TOKEN"

Known limitations

  • Reflection-only mode (no .proto file) is not yet supported — a .proto file is required for schema-aware test generation.
  • Bidirectional streaming fuzzing sends a fixed number of messages; dynamic conversation flows are not yet modeled.
  • Compressed messages (gzip/snappy) are supported for unary RPCs only.
  • gRPC-Web (browser-based gRPC over HTTP/1.1) is not currently supported.
