Route coverage

For Assess users, route coverage associates vulnerabilities with the originating web request.

Web requests are the primary interface of web applications. A request may be handled by one function with many subsequent functions coordinating interactions with other services, databases, or files.

During the request handling process, Contrast monitors data flows across the application to identify vulnerabilities. A single web request may be vulnerable to multiple types of attacks. Contrast associates these vulnerabilities with the original request.

For example:

GET /users?active=true
Accept: application/json

This request could be handled by a function such as:

public class UserController {
    public String users(@RequestParam(name="active", required=false, defaultValue=true) Bool active) {

An application route is a combination of three parts:

  • an HTTP verb (GET in this example)

  • the resource path (/users)

  • the method signature of the controller (UserController.users(Bool active))

With route coverage, you can see detailed information on the components of your application, such as which routes have been exercised versus which ones have not. This can help you decide where to focus testing and remediation.

When the Contrast agent starts, it instruments functions in the application so that web requests can be assessed for vulnerabilities while the application is running. If a function implements a framework to handle web requests, Contrast can identify the route before a request is handled. These routes are labeled Discovered in Contrast.

When your application is handling a request, Contrast tracks the activity as an Exercised route.

Contrast supports route discovery for these frameworks:

  • Java: Jersey 2, Spring MVC 4-5, Struts 1, and Struts 2. Additionally, servlet route discovery is supported for: GlassFish 4.1, JBoss AS 4.2-7.1, Jetty 7.X-9.X, Tomcat 5.X-9.X, WebLogic 11g and 12c, WebSphere 8.5 and 9.0 and WildFly 8.1-18.0.


    The Contrast Java Agent will not report routes from “built-in” applications (like the Tomcat Manager Application) or framework routes (like org.springframework.boot.autoconfigure.web.BasicErrorController) . That way the agent will only include routes created by the application developer.

  • .NET Framework: ASP.NET MVC (versions 4 and 5), Web Forms and Web Pages. Also, Web API 2 and WCF

  • .NET Core: ASP.NET Core MVC (versions 2.1, 2.2, 3.0 and 3.1) and ASP.NET Core Razor Pages (versions 2.1, 2.2, 3.0 and 3.1)

  • Node.js: Express, hapi 17 and later, Koa, Fastify, Kraken and Loopback

  • Python:  Bottle: 0.10, 0.11, 0.12; Django: 1.X, 2.X and 3.X; Django Rest Framework: 3.7 and later; Falcon: 2.X (Python 3 only); Flask: 0.10 - 0.12 and 1.X; Pyramid: 1.4.5, 1.9 and 1.10.X

  • Ruby: Rails 5.X - 6.X, Sinatra 2.X and later


The Java and Node.js agents only report routes from supported frameworks. The Java agent also requires the option<example_name> be defined in the agent configuration.

If the framework you are using is unsupported, please contact Support and let us know. For unsupported frameworks, Contrast will attempt to infer the routes based on observed requests, but you will not see any routes discovered within Contrast.