
How to Security Test Your JSON-RPC APIs with StackHawk

Blog post from StackHawk

Post Details

Author: Scott Gerlach
Word count: 2,325
Language: English
Summary

StackHawk has introduced support for JSON-RPC API security testing, addressing a gap left by traditional security tools, which often overlook this protocol. JSON-RPC, a lightweight remote procedure call protocol that encodes requests and responses as JSON, is popular for its simplicity, but it is exposed to the same classes of vulnerability as other APIs, such as SQL injection and cross-site scripting. Because JSON-RPC routes every method call through a single endpoint, with the method name and parameters carried in the request body rather than the URL, conventional scanners that enumerate paths struggle to detect method-specific vulnerabilities. StackHawk addresses this by integrating JSON-RPC security testing into existing development workflows. The process involves configuring StackHawk to scan JSON-RPC APIs, running a scan, and reviewing the findings; the tool uses an OpenRPC schema to map the API's methods and parameters so that each method can be exercised individually. The tutorial walks through setting up a deliberately vulnerable JSON-RPC application for testing, creating a StackHawk application, configuring a YAML file for JSON-RPC, and running the scan with HawkScan. After the scan, results can be reviewed on the StackHawk platform, which reports the vulnerabilities found and provides remediation guidance. This allows developers to include JSON-RPC security testing in their CI/CD pipelines alongside their REST and GraphQL services.