Find authentication (authn) and authorization (authz) security bugs in web application routes:
> **Important**
> The Semgrep functionality `route-detect` depends on to display code snippets has been moved behind their cloud app. For more information see #10762. However, earlier versions of Semgrep still support this behavior. When using `route-detect`, make sure to install a version of Semgrep before `1.97.0`. This can be accomplished with the following command: `python -m pip install 'semgrep<1.97.0'`.
Screenshot: routes from the `koel` streaming server.
Web application HTTP route authn and authz bugs are some of the most common security issues found today. These industry standard resources highlight the severity of the issue:
- 2021 OWASP Top 10 #1 - Broken Access Control
- 2021 OWASP Top 10 #7 - Identification and Authentication Failures (formerly Broken Authentication)
- 2023 OWASP API Top 10 #1 - Broken Object Level Authorization
- 2023 OWASP API Top 10 #2 - Broken Authentication
- 2023 OWASP API Top 10 #5 - Broken Function Level Authorization
- 2023 CWE Top 25 #11 - CWE-862: Missing Authorization
- 2023 CWE Top 25 #13 - CWE-287: Improper Authentication
- 2023 CWE Top 25 #20 - CWE-306: Missing Authentication for Critical Function
- 2023 CWE Top 25 #24 - CWE-863: Incorrect Authorization
Supported web frameworks (`route-detect` IDs in parentheses):

- Python: Django (`django`, `django-rest-framework`), Flask (`flask`), Sanic (`sanic`), FastAPI (`fastapi`)
- PHP: Laravel (`laravel`), Symfony (`symfony`), CakePHP (`cakephp`)
- Ruby: Rails* (`rails`), Grape (`grape`)
- Java: JAX-RS (`jax-rs`), Spring (`spring`)
- Go: Gorilla (`gorilla`), Gin (`gin`), Chi (`chi`)
- JavaScript/TypeScript: Express (`express`), React (`react`), Angular (`angular`)

*Rails support is limited. Please see this issue for more information.
Use `pip` to install `route-detect`:

```
$ python -m pip install --upgrade route-detect
```
You can check that `route-detect` is installed correctly with the following command:

```
$ echo 'print(1 == 1)' | semgrep --config $(routes which test-route-detect) -
Scanning 1 file.

Findings:

  /tmp/stdin
     routes.rules.test-route-detect
        Found '1 == 1', your route-detect installation is working correctly

          1┆ print(1 == 1)

Ran 1 rule on 1 file: 1 finding.
```
`route-detect` provides the `routes` CLI command and uses `semgrep` to search for routes.

Use the `which` subcommand to point `semgrep` at the correct web application rules:

```
$ semgrep --config $(routes which django) path/to/django/code
```
Use the `viz` subcommand to visualize route information in your browser:

```
$ semgrep --json --config $(routes which django) --output routes.json path/to/django/code
$ routes viz --browser routes.json
```
If you're not sure which framework to look for, you can use the special `all` ID to check everything:

```
$ semgrep --json --config $(routes which all) --output routes.json path/to/code
```
If you have custom authn or authz logic, you can copy `route-detect`'s rules:

```
$ cp $(routes which django) my-django.yml
```

Then you can modify the rule as necessary and run it like above:

```
$ semgrep --json --config my-django.yml --output routes.json path/to/django/code
$ routes viz --browser routes.json
```
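As an added illustration of the kind of custom rule you might end up with after copying and editing one of the bundled files (this is example code, not part of `route-detect`'s own rule set), here is a minimal standalone Semgrep rule. It assumes a project whose custom authorization logic lives in a hypothetical `require_role(...)` decorator used alongside Django's `login_required`, and it reports function-based views in `views.py` files that carry neither, so reviewers can check whether each one is intentionally public:

```yaml
rules:
  - id: django-view-missing-custom-auth
    languages: [python]
    severity: WARNING
    message: >-
      Django view '$VIEW' has neither @login_required nor the project's
      custom @require_role(...) decorator. Confirm it is meant to be public.
    metadata:
      category: security
      cwe: "CWE-862: Missing Authorization"
    # Only look at files where Django views are conventionally defined.
    paths:
      include:
        - "**/views.py"
    patterns:
      # Any function that takes the request object as its first argument.
      - pattern: |
          def $VIEW(request, ...):
            ...
      # Exclude views protected by Django's built-in authn decorator.
      - pattern-not: |
          @login_required
          def $VIEW(request, ...):
            ...
      # Exclude views protected by the (hypothetical) project-specific
      # authz decorator, whatever arguments it is given.
      - pattern-not: |
          @require_role(...)
          def $VIEW(request, ...):
            ...
```

Run it the same way as the copied rule file (`semgrep --json --config my-django-auth.yml --output routes.json path/to/django/code`). Because the rule is allow-listing decorators rather than spotting bad ones, every additional auth mechanism the project uses needs its own `pattern-not` entry; otherwise the rule will report views that are in fact protected.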
`route-detect` uses `poetry` for dependency and configuration management.

Before proceeding, install project dependencies with the following command:

```
$ poetry install --with dev
```

Lint all project files with the following command:

```
$ poetry run pre-commit run --all-files
```

Run Python tests with the following command:

```
$ poetry run pytest --cov
```

Run Semgrep rule tests with the following command:

```
$ poetry run semgrep --test --config routes/rules/ tests/test_rules/
```