
Route coverage

For Assess users, route coverage associates vulnerabilities with the originating web request.

With route coverage, you can see detailed information on the components of your application, such as which routes were exercised and which ones were not. This information can help you decide where to focus testing and remediation.

Web request example

Web requests are the primary interface of web applications. A request may be handled by one function with many subsequent functions coordinating interactions with other services, databases, or files.

During the request handling process, Contrast monitors data flows across the application to identify vulnerabilities. A single web request may be vulnerable to multiple types of attacks. Contrast associates these vulnerabilities with the original request.

This example shows a web request:

GET /users?active=true
Accept: application/json

This example shows how a function might handle the web request:

public class UserController {
    // Handles GET /users; the "active" query parameter is optional and defaults to true
    public String users(@RequestParam(name="active", required=false, defaultValue="true") Boolean active) { ... }
}

How route coverage works

An application route is a combination of three parts:

  • An HTTP verb (for example: GET).

  • The resource path (for example: /users).

  • The method signature of the controller (for example: UserController.users(Boolean active)).

    For cases where using a method signature isn't appropriate, Contrast uses route templates, such as route.jsp, route.xhtml, or /route/id/{id}.

When a Contrast agent starts, it instruments functions in the application so that the agent can assess web requests for vulnerabilities while the application is running. If a function uses a framework to handle web requests, Contrast can identify the route before a request is handled. In Contrast, the status for these routes is Discovered.

When your application is handling a request, Contrast tracks the activity as an Exercised route.
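
The model described above, as an added example that is not Contrast's code or API: each route is a verb, a path or route template, and a signature, and a route moves from Discovered to Exercised once a request matches it. The route list, the request list, the UserController.create signature, and the single-segment matching rule for {id} placeholders are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    verb: str       # HTTP verb, e.g. GET
    template: str   # resource path or route template, e.g. /route/id/{id}
    signature: str  # controller method signature (or a note for templates)

    def matches(self, verb: str, path: str) -> bool:
        # Assumption: a {name} placeholder stands for exactly one path segment.
        literals = re.split(r"\{[^/{}]+\}", self.template)
        pattern = "[^/]+".join(re.escape(part) for part in literals)
        return verb.upper() == self.verb and re.fullmatch(pattern, path) is not None


def coverage(discovered, requests):
    """Return ({route: status}, requests that matched no discovered route)."""
    status = {route: "Discovered" for route in discovered}
    unmatched = []
    for verb, url in requests:
        path = url.split("?", 1)[0]  # the query string is not part of the route
        hits = [route for route in discovered if route.matches(verb, path)]
        for route in hits:
            status[route] = "Exercised"
        if not hits:
            unmatched.append((verb, path))
    return status, unmatched


def untested(status):
    """Routes that were discovered but never exercised: candidates for testing."""
    return sorted(f"{r.verb} {r.template}" for r, s in status.items() if s == "Discovered")


# Constructed sample data, not output from a Contrast agent.
DISCOVERED = [
    Route("GET", "/users", "UserController.users(Boolean active)"),
    Route("POST", "/users", "UserController.create(User user)"),  # hypothetical
    Route("GET", "/route/id/{id}", "route template"),
]
REQUESTS = [("GET", "/users?active=true"), ("GET", "/route/id/42"), ("GET", "/health")]

if __name__ == "__main__":
    status, unmatched = coverage(DISCOVERED, REQUESTS)
    print("Not yet exercised:", untested(status))
    print("Requests with no discovered route:", unmatched)
```

Routes left in the Discovered state have handled no request, so no data flow through them has been observed; they are where additional testing adds the most coverage.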

Frameworks and technologies

Contrast supports route discovery for these frameworks:

If the framework you are using is unsupported, contact Support. For unsupported frameworks, Contrast will attempt to infer the routes based on observed requests, but you will not see any routes discovered within Contrast.

Exclusion of built-in routes and applications

Contrast route coverage excludes built-in routes in select web frameworks and applications. For example:

  • The Jersey framework for Java applications includes a built-in route for serving a WADL file. Contrast does not include this route in its route coverage. Other web frameworks have similar built-in routes.

  • The Contrast Java agent does not report routes from built-in applications such as the Tomcat Manager Application.