Javascript Grpc Insecure Credentials
Description
Detects when gRPC clients are configured with insecure credentials, allowing anonymous access without encryption or authentication. This exposes the gRPC service to potential unauthorized access and man-in-the-middle attacks since communication is not encrypted.
Detection Strategy
• Look for gRPC client initialization code in JavaScript/TypeScript files
• Identify calls creating gRPC credentials/channels without security options
• Report vulnerability when credentials are created using insecure methods like grpc.credentials.createInsecure()
• Flag cases where gRPC connections don't use TLS/SSL certificates or authentication mechanisms
Vulnerable code example
const grpc = require('grpc');
// Vulnerability: Using insecure credentials exposes communication to MITM attacks
const client = new grpc.Client(
'api.example.com:50051',
grpc.credentials.createInsecure()
);
client.makeRequest();✅ Secure code example
const grpc = require('grpc');
const fs = require('fs');
// Create secure credentials using SSL/TLS certificates
const credentials = grpc.credentials.createSsl(
fs.readFileSync('path/to/ca.pem'), // Root CA certificate
fs.readFileSync('path/to/client.key'), // Client private key
fs.readFileSync('path/to/client.crt') // Client certificate...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.