This document is for:
Invicti Standard

Scan gRPC API in Invicti Standard

gRPC (Remote Procedure Call) is a modern, high-performance framework that enables efficient communication between services in distributed systems. Unlike traditional RESTful APIs, which typically use JSON over HTTP, gRPC uses protocol buffers as its Interface Definition Language (IDL) and HTTP/2 for transport. This combination offers benefits such as improved performance, built-in support for streaming, and strong typing.

This document describes how to prepare a new scan and upload a .proto file to scan gRPC API Web services with Invicti Standard.

Prerequisites
  • Configure the following parameters in the Invicti Standard Settings:
    • Set the UseHttp2 parameter to True.
    • Set the UseHttpClientLibrary parameter to True.
  • Ensure your gRPC endpoint is configured to run over HTTPS.
  • Have a .proto file ready.

For instructions on how to set the parameters, refer to Configuring Invicti Standard Settings - Advanced Options.

Scan gRPC API web services

  1. Click New in the Home tab.
  2. Select Target Website or Web Service URL.
  3. Click Links/API Definitions in the Scan Settings menu.
  4. Select gRPC Proto in the Links/API Definitions > From File section.
  5. In the gRPC Proto Import window, enter the gRPC endpoint URL in the Definition File URL field and click OK.

note

If your .proto file depends on other .proto files, it's crucial that the dependent .proto files are located in the same directory.

  • For example, if an imported .proto file references workers/manager.proto, Invicti Standard searches for the manager.proto file in the workers folder. Dependent files must be present in the related directory; otherwise, Invicti Standard can't import them.
  6. In the Import Links window that opens up, locate and select the .proto file, and click Open.
  7. The Imported Links section is updated with the .proto file you uploaded.
  8. If the Target Website or Web Service URL is different from the gRPC endpoint URL from step 5, you need to add this URL in Scan Settings > Additional Websites. If you don't specify the gRPC endpoint URL as an additional website, Invicti Standard doesn't target this service.
  9. Click Start Scan at the bottom of the page to start scanning with the gRPC Service.
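
A pre-flight check for the HTTPS prerequisite and the note on dependent .proto files above, as an added example that is not part of Invicti's documentation or tooling. It assumes imports resolve relative to the folder of the .proto file you upload; the function names, file names and endpoint URL are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Matches import "a.proto"; and the "public"/"weak" variants.
IMPORT_RE = re.compile(r'^\s*import\s+(?:public\s+|weak\s+)?"([^"]+)"\s*;', re.M)

def strip_comments(text):
    """Drop /* */ and // comments so commented-out imports are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"//[^\n]*", "", text)

def missing_imports(root_proto):
    """Follow imports transitively; return those not found on disk."""
    root_proto = Path(root_proto)
    base = root_proto.parent  # assumption: imports resolve from this folder
    seen, missing, queue = set(), [], [root_proto]
    while queue:
        text = strip_comments(queue.pop().read_text(encoding="utf-8"))
        for rel in IMPORT_RE.findall(text):
            if rel in seen:
                continue
            seen.add(rel)
            target = base / rel
            if target.is_file():
                queue.append(target)  # scan the dependency's own imports too
            else:
                missing.append(rel)
    return sorted(missing)

def endpoint_is_https(url):
    """Prerequisite check: the gRPC endpoint must be served over HTTPS."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)

def build_sample(folder):
    """Constructed sample tree: two of the three imported files are absent."""
    folder = Path(folder)
    (folder / "workers").mkdir()
    (folder / "service.proto").write_text(
        'syntax = "proto3";\nimport "workers/manager.proto";\n'
        'import public "common/types.proto";\n// import "old/legacy.proto";\n')
    (folder / "workers" / "manager.proto").write_text(
        'syntax = "proto3";\nimport "workers/roles.proto";\n')
    return folder / "service.proto"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("missing:", missing_imports(build_sample(tmp)))
        print("https ok:", endpoint_is_https("https://grpc.example.test:50051"))
```

Any path the check reports should be copied into place next to the root .proto file before you select it in the Import Links window.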
