Typescript Grpc Insecure Credentials
Description
Detects gRPC client connections configured with insecure channel credentials (grpc.credentials.createInsecure()). Such a channel carries traffic in plaintext and never verifies the server's certificate, so anyone on the network path can read or tamper with requests and responses, and it performs no transport-level authentication of the client, so the service is reached anonymously unless call credentials are layered on separately. The result is that sensitive functionality or data behind the service can be exposed to unauthorized parties.
Detection Strategy
• Identifies places in the code where a gRPC client or channel is constructed
• Checks which channel credentials are passed to that client: insecure credentials (grpc.credentials.createInsecure()) rather than TLS credentials (grpc.credentials.createSsl(...))
• Reports a vulnerability when the connection is configured with no transport security and no authentication mechanism
• Flags every instance where insecure channel credentials are used, whether created inline or stored in a variable that is later passed to the client
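A scanner that follows the strategy above, written here as an added example and not Fluid Attacks' own rule code. It blanks out comments, remembers variables assigned from grpc.credentials.createInsecure(), and flags any new ...(...) construction whose argument list contains either that call or such a variable. It assumes TypeScript source with one statement per line and no parentheses or commas inside string literals; the three samples it scans are constructed for this example.

```typescript
// Added example, not Fluid Attacks' rule implementation: a small scanner
// that follows the detection strategy above. Assumptions: one statement
// per line, no parentheses or commas inside string literals.
interface Finding {
  line: number;   // 1-based line in the scanned source
  reason: string;
}

// The call the rule keys on: grpc.credentials.createInsecure()
const INSECURE_CALL = /\bcredentials\.createInsecure\s*\(\s*\)/;
// const/let/var <name> = <expression>
const ASSIGNMENT = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+)$/;
// "new X.Y(" -- gRPC clients and channels are constructed this way
const NEW_CALL = /\bnew\s+[\w$.]+\s*\(/g;

// Blank out comments but keep newlines so reported line numbers stay right.
function stripComments(src: string): string {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    .replace(/\/\/[^\n]*/g, '');
}

// Split the argument list of the call whose "(" sits at openParen, honouring
// nested parentheses so that createInsecure() stays a single argument.
function callArguments(text: string, openParen: number): string[] | null {
  const args: string[] = [];
  let current = '';
  let depth = 0;
  for (let i = openParen; i < text.length; i++) {
    const ch = text.charAt(i);
    if (ch === '(') {
      depth++;
      if (depth === 1) continue; // the opening paren of this call
    } else if (ch === ')') {
      depth--;
      if (depth === 0) {
        args.push(current.trim());
        return args;
      }
    } else if (ch === ',' && depth === 1) {
      args.push(current.trim());
      current = '';
      continue;
    }
    current += ch;
  }
  return null; // call not closed on this line: out of scope for this scanner
}

function scanGrpcCredentials(src: string): Finding[] {
  const findings: Finding[] = [];
  const insecureVars = new Set<string>();

  stripComments(src).split('\n').forEach((text, idx) => {
    const line = idx + 1;

    // Step 1: track which variables currently hold insecure credentials.
    const assign = ASSIGNMENT.exec(text);
    if (assign) {
      if (INSECURE_CALL.test(assign[2])) insecureVars.add(assign[1]);
      else insecureVars.delete(assign[1]); // reassigned to something else
    }

    // Step 2: every constructor call on the line is a candidate client/channel.
    NEW_CALL.lastIndex = 0;
    let m: RegExpExecArray | null;
    while ((m = NEW_CALL.exec(text)) !== null) {
      const args = callArguments(text, m.index + m[0].length - 1);
      if (!args) break;
      if (args.some((a) => INSECURE_CALL.test(a))) {
        findings.push({ line, reason: 'constructed with grpc.credentials.createInsecure()' });
      } else {
        const v = args.find((a) => insecureVars.has(a));
        if (v) findings.push({ line, reason: `constructed with insecure credentials '${v}'` });
      }
    }
  });
  return findings;
}

// Constructed samples (not from a real code base): the pattern this page
// flags, the same thing written inline, and a hardened variant.
const VULNERABLE_SAMPLE = [
  "import * as grpc from '@grpc/grpc-js';",
  'function connectToService() {',
  '  // Vulnerable: plaintext channel, no server authentication',
  '  const credentials = grpc.credentials.createInsecure();',
  "  const client = new grpc.Client('example.com:50051', credentials);",
  '}',
].join('\n');

const INLINE_SAMPLE =
  "const channel = new grpc.Channel('example.com:50051', grpc.credentials.createInsecure(), {});";

const SECURE_SAMPLE = [
  "import * as grpc from '@grpc/grpc-js';",
  "import * as fs from 'fs';",
  '// const credentials = grpc.credentials.createInsecure(); // left over, commented out',
  "const ca = fs.readFileSync('/etc/ssl/certs/internal-ca.pem');",
  'const credentials = grpc.credentials.createSsl(ca);',
  "const client = new grpc.Client('example.com:50051', credentials);",
].join('\n');

for (const sample of [VULNERABLE_SAMPLE, INLINE_SAMPLE, SECURE_SAMPLE]) {
  console.log(scanGrpcCredentials(sample));
}
```

The variable tracking is what makes the second bullet above meaningful: the vulnerable snippet on this page never passes createInsecure() directly to the client, so a scanner that only looks at constructor arguments would miss it. The commented-out line in the secure sample shows why comments are blanked before matching.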
Vulnerable code example
import * as grpc from '@grpc/grpc-js'; // the legacy 'grpc' package is deprecated; the API used here is the same
function connectToService() {
  // Vulnerable: createInsecure() opens a plaintext channel. Nothing is encrypted, the server's
  // identity is never verified, and the client is not authenticated, so traffic is exposed to MITM attacks.
  const credentials = grpc.credentials.createInsecure();
  const client = new grpc.Client('example.com:50051', credentials);
  // '/example.Greeter/SayHello' is a placeholder method path, not a real service
  client.makeUnaryRequest('/example.Greeter/SayHello', (b: Buffer) => b, (b: Buffer) => b,
    Buffer.from('hello'), (err, res) => { if (err) throw err; console.log(res); });
}
✅ Secure code example
import * as grpc from '@grpc/grpc-js';
import * as fs from 'fs';
function connectToService() {
  // Secure: TLS channel credentials. The server certificate is verified against this root CA
  // (and its hostname checked), so traffic cannot be read or tampered with in transit.
  const caPath = process.env.GRPC_ROOT_CA_PATH;
  if (!caPath) throw new Error('GRPC_ROOT_CA_PATH is not set');
  const ca = fs.readFileSync(caPath);
  // To authenticate this client as well, pass its private key and certificate chain as the
  // second and third arguments (mutual TLS), or combine these with call credentials for a token.
  const credentials = grpc.credentials.createSsl(ca);
  const client = new grpc.Client('example.com:50051', credentials);
  return client;
}