Find web application HTTP route authn and authz security bugs in your code.
Project description
route-detect
Web application HTTP route authentication (authn) and authorization (authz) bugs are some of the most common security issues found today. These industry standard resources highlight the severity of the issue:
- 2021 OWASP Top 10 #1 - Broken Access Control
- 2021 OWASP Top 10 #7 - Identification and Authentication Failures (formerly Broken Authentication)
- 2019 OWASP API Top 10 #2 - Broken User Authentication
- 2019 OWASP API Top 10 #5 - Broken Function Level Authorization
- 2022 CWE Top 25 #14 - CWE-287: Improper Authentication
- 2022 CWE Top 25 #16 - CWE-862: Missing Authorization
- 2022 CWE Top 25 #18 - CWE-306: Missing Authentication for Critical Function
- #21 most CVEs by CWE - CWE-284: Access Control (Authorization) Issues
- #47 most CVEs by CWE - CWE-639: Access Control Bypass Through User-Controlled Key
Of course, not all authn and authz bugs are due to route issues, but route-detect seeks to automate detection of this vulnerability subclass.
[Image: routes from koel streaming server]
Supported web frameworks (route-detect IDs in parentheses):
- Python: Django (django, django-rest-framework), Flask (flask), Sanic (sanic)
- PHP: Laravel (laravel), Symfony (symfony), CakePHP (cakephp)
- Ruby: Rails (rails), Grape (grape)
- Java: JAX-RS (jax-rs), Spring (spring)
- Go: Gorilla (gorilla), Gin (gin), Chi (chi)
- JavaScript/TypeScript: Express (express), React (react), Angular (angular)
Installing
Use pip to install route-detect:
$ python -m pip install --upgrade route-detect
You can check that route-detect is installed correctly with the following command:
$ echo 'print(1 == 1)' | semgrep --config $(routes which test-route-detect) -
Scanning 1 file.
Findings:
/tmp/stdin
routes.rules.test-route-detect
Found '1 == 1', your route-detect installation is working correctly
1┆ print(1 == 1)
Ran 1 rule on 1 file: 1 finding.
Using
route-detect uses semgrep to search for routes. Use the which command to point semgrep at the correct web application rules:
$ semgrep --config $(routes which django) path/to/django/code
Use the viz command to visualize route information in your browser:
$ semgrep --json --config $(routes which django) path/to/django/code > routes.json
$ routes viz --browser routes.json
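The bug class route-detect hunts for is a route handler that is reachable without the authn or authz check the rest of the application relies on. The following is an added example, not route-detect's own code: route-detect drives Semgrep rules per framework, whereas this script uses only the standard-library ast module to run the same kind of check over a constructed Flask module. The set of decorators treated as "authenticated" (login_required, jwt_required) and the sample module are assumptions for illustration.

```python
"""Minimal static check for Flask route handlers missing an authn decorator.

Added example, not part of route-detect. route-detect uses Semgrep rules;
this uses the standard-library ast module to show the same idea.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Flask decorators that register a route (app.route / app.get / app.post ...).
ROUTE_DECORATORS = {"route", "get", "post", "put", "patch", "delete"}
# Assumed names of decorators that enforce authentication in this app.
AUTHN_DECORATORS = {"login_required", "jwt_required"}

# Constructed sample module, not taken from any real project.
SAMPLE_SOURCE = '''
from flask import Flask
from flask_login import login_required

app = Flask(__name__)

@app.route("/health")
def health():
    return "ok"

@app.route("/admin/users", methods=["GET"])
@login_required
def list_users():
    return "users"

@app.post("/admin/users/<int:user_id>/delete")
def delete_user(user_id):
    # Bug: state-changing admin route with no authn decorator.
    return "deleted"
'''


@dataclass
class Route:
    function: str
    path: str
    methods: list[str]
    authenticated: bool
    line: int


def _decorator_name(node: ast.expr) -> str:
    """Return the trailing name of a decorator: 'route' for app.route(...)."""
    target = node.func if isinstance(node, ast.Call) else node
    if isinstance(target, ast.Attribute):
        return target.attr
    if isinstance(target, ast.Name):
        return target.id
    return ""


def _route_info(call: ast.Call) -> tuple[str, list[str]]:
    """Extract the path literal and HTTP methods from a route decorator call."""
    name = _decorator_name(call)
    path = ""
    if call.args and isinstance(call.args[0], ast.Constant) and isinstance(call.args[0].value, str):
        path = call.args[0].value
    # app.route defaults to GET; app.post/app.get/... imply their verb.
    methods = ["GET"] if name == "route" else [name.upper()]
    for kw in call.keywords:
        if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
            methods = [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
    return path, methods


def find_routes(source: str) -> list[Route]:
    """Return every decorated route handler in `source` with its authn status."""
    routes: list[Route] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = {_decorator_name(d) for d in node.decorator_list}
        route_calls = [
            d for d in node.decorator_list
            if isinstance(d, ast.Call) and _decorator_name(d) in ROUTE_DECORATORS
        ]
        if not route_calls:
            continue  # plain helper function, not a route
        path, methods = _route_info(route_calls[0])
        authenticated = bool(names & AUTHN_DECORATORS)
        routes.append(Route(node.name, path, methods, authenticated, node.lineno))
    return routes


def unauthenticated_routes(source: str) -> list[Route]:
    """Routes with no recognised authn decorator: the candidates to review."""
    return [r for r in find_routes(source) if not r.authenticated]


if __name__ == "__main__":
    for r in find_routes(SAMPLE_SOURCE):
        flag = "ok  " if r.authenticated else "WARN"
        print(f"{flag} line {r.line:>3} {','.join(r.methods):<6} {r.path} -> {r.function}")
```

On the sample module this flags both health and delete_user. That is the expected behaviour of a route inventory: /health is intentionally public, /admin/users/<id>/delete is not, and only a reviewer with knowledge of the application can tell the two apart. A check like this (or route-detect's own rules) narrows the review to the routes that lack a guard; it does not prove that a guarded route also performs the right object-level authorization, which is what CWE-639 covers.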
Contributing
route-detect uses poetry for dependency and configuration management.
Before proceeding, install project dependencies with the following command:
$ poetry install --with dev
Linting
Lint all project files with the following command:
$ poetry run pre-commit run --all-files
Testing
Run Python tests with the following command:
$ poetry run pytest --cov
Run Semgrep rule tests with the following command:
$ poetry run semgrep --test --config routes/rules/ tests/test_rules/
File details
Details for the file route_detect-0.5.0.tar.gz.
File metadata
- Download URL: route_detect-0.5.0.tar.gz
- Upload date:
- Size: 18.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.3.2 CPython/3.7.16 Linux/4.15.0-206-generic
File hashes
Algorithm | Hash digest
---|---
SHA256 | 692e89af2c16410140daaa9beb0671517bea5cd3f56a9112ae9d6c2cbb9de789
MD5 | 6a168e1d60225d72136e92b691f9ba66
BLAKE2b-256 | d39fadf2593ee97c0f1a5c82b4a5431f21c7363ed6974062880cf96a47177d3c
File details
Details for the file route_detect-0.5.0-py3-none-any.whl.
File metadata
- Download URL: route_detect-0.5.0-py3-none-any.whl
- Upload date:
- Size: 25.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: poetry/1.3.2 CPython/3.7.16 Linux/4.15.0-206-generic
File hashes
Algorithm | Hash digest
---|---
SHA256 | f785f02199c3e9d5cbec52ac6509c816d14e25370a8f8cc27997dd5a4cd7cf7b
MD5 | 585059cf349a066addaafd1cdc002bb5
BLAKE2b-256 | f330e529efd3f8855311db99797c93c5f731b18d94b43cfb51856720bbfd6f12