Route-Detect – Find Authentication (Authn) And Authorization (Authz) Security Bugs In Web Application Routes

By /

Find authentication (authn) and authorization (authz) security bugs in web application routes:

Web application HTTP route authn and authz bugs are some of the most common security issues found today. These industry standard resources highlight the severity of the issue:

2021 OWASP Top 10 #1 – Broken Access Control 2021 OWASP Top 10 #7 – Identification and Authentication Failures (formerly Broken Authentication) 2023 OWASP API Top 10 #1 – Broken Object Level Authorization 2023 OWASP API Top 10 #2 – Broken Authentication 2023 OWASP API Top 10 #5 – Broken Function Level Authorization 2023 CWE Top 25 #11 – CWE-862: Missing Authorization 2023 CWE Top 25 #13 – CWE-287: Improper Authentication 2023 CWE Top 25 #20 – CWE-306: Missing Authentication for Critical Function 2023 CWE Top 25 #24 – CWE-863: Incorrect Authorization

Supported web frameworks (route-detect IDs in parentheses):

Python: Django (django, django-rest-framework), Flask (flask), Sanic (sanic) PHP: Laravel (laravel), Symfony (symfony), CakePHP (cakephp) Ruby: Rails* (rails), Grape (grape) Java: JAX-RS (jax-rs), Spring (spring) Go: Gorilla (gorilla), Gin (gin), Chi (chi) JavaScript/TypeScript: Express (express), React (react), Angular (angular)

*Rails support is limited. Please see this issue for more information.

Installing

Use pip to install route-detect:

$ python -m pip install –upgrade route-detect

You can check that route-detect is installed correctly with the following command:

$ echo ‘print(1 == 1)’ | semgrep –config $(routes which test-route-detect) –
Scanning 1 file.

Findings:

/tmp/stdin
routes.rules.test-route-detect
Found ‘1 == 1’, your route-detect installation is working correctly

1┆ print(1 == 1)

Ran 1 rule on 1 file: 1 finding.

Using

route-detect provides the routes CLI command and uses semgrep to search for routes.

Use the which subcommand to point semgrep at the correct web application rules:

$ semgrep –config $(routes which django) path/to/django/code

Use the viz subcommand to visualize route information in your browser:

$ semgrep –json –config $(routes which django) –output routes.json path/to/django/code
$ routes viz –browser routes.json

If you’re not sure which framework to look for, you can use the special all ID to check everything:

$ semgrep –json –config $(routes which all) –output routes.json path/to/code

If you have custom authn or authz logic, you can copy route-detect’s rules:

$ cp $(routes which django) my-django.yml

Then you can modify the rule as necessary and run it like above:

$ semgrep –json –config my-django.yml –output routes.json path/to/django/code
$ routes viz –browser routes.json

Contributing

route-detect uses poetry for dependency and configuration management.

Before proceeding, install project dependencies with the following command:

$ poetry install –with dev

Linting

Lint all project files with the following command:

$ poetry run pre-commit run –all-files

Testing

Run Python tests with the following command:

$ poetry run pytest –cov

Run Semgrep rule tests with the following command:

$ poetry run semgrep –test –config routes/rules/ tests/test_rules/

Related Posts