grpc-web-pentest

Official

Identify and exploit gRPC-Web service vulnerabilities.

Authordreadnode
Version1.0.0
Installs0

System Documentation

What problem does it solve?

gRPC-Web services rely on translation layers like Envoy, APISIX, or grpcwebproxy to bridge browser clients and native gRPC backends, introducing unique attack surfaces that standard gRPC pentesting methodologies fail to cover, leaving these services exposed to undetected vulnerabilities that attackers can exploit.

Core Features & Use Cases

  • Service Detection: Identify gRPC-Web endpoints via content type headers, JavaScript bundle analysis, and Envoy proxy fingerprinting.
  • CORS Abuse Testing: Exploit misconfigured CORS policies on gRPC-Web proxies to enable cross-origin authenticated requests from attacker-controlled domains.
  • Payload Manipulation: Craft custom protobuf payloads to test for field injection, type confusion, and proxy header injection vulnerabilities.
  • Use Case: A security tester assessing a customer-facing web app that uses gRPC-Web can use this skill to quickly identify if the Envoy proxy has overly permissive CORS settings or if the JSON transcoder path bypasses authentication controls present in the native gRPC flow.

Quick Start

Use the grpc-web-pentest skill to test the target gRPC-Web service at https://api.example.com for CORS misconfigurations and JSON transcoder authentication bypasses.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: grpc-web-pentest
Download link: https://github.com/dreadnode/capabilities/archive/main.zip#grpc-web-pentest

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
View Source Repository

Agent Skills Search Helper

Install a tiny helper to your Agent, search and equip skill from 536,000+ vetted skills library on demand.