View route details

Route coverage helps you understand how vulnerabilities map to your application's attack surface.

If you remove routes from the Route coverage list (steps 8 and 9) and they still exist when the server restarts or you exercise the application, Contrast includes them in the list again. To permanently exclude routes, select the Exclude icon (ExcludeIcon.png) at the end of the route's row.

Steps
  1. Select Applications in the header.

  2. Select the name of an application.

    The Overview tab shows the number of routes exercised compared to the number of total routes in your application.

  3. In the Overview tab, select the number of routes exercised or select the Route coverage tab.

    This image shows the options for selecting route coverage details
  4. In the Route coverage tab, the Route coverage summary shows this information:

    Image shows the route coverage summary with selected metadata.
    • Cumulative exercised routes: This section shows these details about routes that you exercised:

      • The percentage and number of all discovered routes: HTTP, non-HTTP, and middleware

      • The percentage and number of routes for HTTP requests

        An HTTP route is a path or URL that a client uses to request a resource from a web server.

      • The percentage and number of routes for non-HTTP requests

        A non-HTTP route is a network path that uses a communication protocol other than HTTP.

      • The percentage and number of routes for middleware functions

        A middleware route is a function that exists between a client's request and a server's response. It can intercept a request and modify it, execute code, or pass it to a different function.

      Cumulative exercised routes shows values for only the route types that were exercised. For example, if no non-HTTP requests are exercised, no values for these routes are displayed.

      Notes

      To turn on the route coverage feature for non-HTTP requests and middleware functions, contact Contrast support.

      For Java, this feature is compatible with Java agent 6.18.1 and later.

    • Session routes: This section shows details based on the applied session metadata filters.

      Use the Apply filter icon (icon-filter.svg) to select a specific session.

      Note

      If you haven't applied session metadata filters, no values display. To see values for session metadata, select Apply filter or Edit filter (to change the current filters) and specify the filters you want to use.

      It includes these details:

      • Percentage of routes exercised that match the applied filters

      • The number of exercised routes that match the applied filters

      • The date and time for the selected session

      • The repository for the application

      • Build number

      • Branch name

      • Committer name

  5. In the Route Coverage tab, if you don't apply session metadata filters, the route coverage chart displays details about routes based on their status.

    Note

    If you previously selected metadata filters, this chart does not display. To see the chart, select Clear the filters.

    • Discovered by Contrast (but never exercised with the agent)

    • Exercised with the Contrast agent

    • Exercised and found to contain vulnerabilities

  6. In the Route coverage list, view additional details about each route.

    • Route: A route that Contrast identified or is tracking.

    • Environment: The environment in which the application is running: Development, QA or Production

    • Server: The servers where the application is running.

      By default, the Server column shows up to three servers. To view a complete list of servers (if more than three are in use), select Show all.

      Image shows the columns and filters for the Route Coverage list

      Note

      When you delete a server, Contrast removes it from the list instead of displaying it as greyed out.

    • Entry points: Route types: HTTP, non-HTTP, and middleware

    • Vulnerabilities: The number of vulnerabilities associated with the route.

    • Application: The name of the application

    • First seen: The first time Contrast observed the route.

    • Last activity: The activity time span for the route.

    • Status: The route status.

  7. Select an option to view details for each route that Contrast has identified in the application:

    1. To view the URL or path and route type (HTTP, non-HTTP, or middleware), select a route name.

    2. To view routes based on their type, select the Filter icon (icon-filter.svg) next to the Entry points column.

    3. To view vulnerability details for a specific route, select a section of the severity bar in the Vulnerability column. Each section indicates one or more severity levels: Critical, High, Medium, Low, and Notes.

    4. To view routes based on the applications where Contrast observed them, select the Filter icon (icon-filter.svg) next to the Application column.

    5. To view routes based on the time when Contrast first observed them, select the Filter icon (icon-filter.svg) next to the First seen column.

    6. To view routes based on an activity time span, select the Filter icon (icon-filter.svg) next to the Last Activity column.

      Changing the time span also changes the time span for the route coverage chart.

      To clear the filter selection, select Clear next to the column heading.

  8. To remove a single route from the list:

    1. Hover over the end of the row and click the Remove icon (routeRemoveIcon.png).

    2. To confirm the removal of the route, select Delete.

  9. To remove multiple routes from the list:

    1. Select the check mark next to one or more routes or, to select all routes, select the check mark next to Route.

    2. In the batch action menu at the bottom of the page, select the Remove icon (routeRemoveIcon.png).

    3. To confirm the removal of the routes, select Delete.

  10. To view and share route details outside of Contrast:

    1. Select the check mark next to one or more routes or, to select all routes, select the check mark next to Route.

    2. In the batch action menu at the bottom of the page, select the Export icon (icon-download.svg).

      Contrast begins generating the CSV file in the background. When processing is complete, you receive a notification that the CSV file is ready to download. The notification message contains a link to the generated file.

      The CSV file includes:

      • A list of the application's routes.

      • Details about the server on which they were found.

      • Details of when the routes were last exercised.

      • A list of vulnerabilities, the severity and status of each.
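
One way to triage an exported route coverage file offline, shown as an added example that is not Contrast's own code: it groups rows by route, sorts each route into the three chart statuses from step 5, and computes the exercised percentage. The column names, the one-row-per-route-and-vulnerability layout, the empty `last_exercised` for routes that were never exercised, and the sample rows are all assumptions; check them against the header of your own export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column names and layout are assumptions for
# this example, not the documented format of the Contrast CSV file.
SAMPLE_CSV = """route,server,last_exercised,vulnerability,severity,vuln_status
GET /login,app-01,2024-05-01T10:00:00Z,,,
POST /transfer,app-01,2024-05-01T10:05:00Z,SQL Injection,Critical,Reported
POST /transfer,app-02,2024-05-02T09:00:00Z,Reflected XSS,Medium,Reported
GET /admin/export,app-01,,,,
GET /health,app-02,,,,
"""

# Highest severity first; the spelling of each level is an assumption.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Note"]


def severity_rank(level):
    """Lower rank means more severe; unknown levels sort last."""
    return SEVERITY_ORDER.index(level) if level in SEVERITY_ORDER else len(SEVERITY_ORDER)


def summarize(csv_text):
    """Classify each route as discovered, exercised, or vulnerable."""
    routes = defaultdict(lambda: {"exercised": False, "severities": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = routes[row["route"]]
        if row["last_exercised"].strip():
            entry["exercised"] = True  # seen on at least one server
        if row["vulnerability"].strip():
            entry["severities"].append(row["severity"].strip())

    report = {"discovered": [], "exercised": [], "vulnerable": {}}
    for name, entry in sorted(routes.items()):
        if not entry["exercised"]:
            report["discovered"].append(name)  # never exercised: a testing gap
        elif entry["severities"]:
            report["vulnerable"][name] = min(entry["severities"], key=severity_rank)
        else:
            report["exercised"].append(name)
    total = len(routes)
    covered = total - len(report["discovered"])
    report["coverage_pct"] = round(100 * covered / total, 1) if total else 0.0
    return report


if __name__ == "__main__":
    print(summarize(SAMPLE_CSV))
```

Routes in the `discovered` bucket are the ones no test or session has reached with the agent, so a clean vulnerability count for them says nothing about their security.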
