Routing

Importance of finding routing in the application

It is essential to find routing of the application and know how is it written in different languages and frameworks during security audit. identifying routing in the application allows security auditor to discover hidden attack surfaces, understand application workflow and locate entry points.

Servlet Mappings (Java)

Some Java applications use servlet mappings in order to control how the application handles HTTP requests. Information which describes how the application should behave is written in web.xml file.

Each route is made up of two entries: Entry 1: define a servlet Entry 2: mapping url to a servlet

In simple words this file describes which class handles which endpoint.

In the example below we can identify the following information:

  1. File defines a servlet with id my_servlet for the com.example.ExampleServlet class

  2. Servlet mapping binds requests from /example URL to ExampleServlet

<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
    <!-- Servlet declaration -->
    <servlet id="my_servlet">
        <servlet-name>ExampleServlet</servlet-name> 
        <servlet-class>com.example.ExampleServlet</servlet-class>
    </servlet>

    <!-- Servlet mapping -->
    <servlet-mapping>
        <servlet-name>ExampleServlet</servlet-name>
        <url-pattern>/example</url-pattern>
    </servlet-mapping>
</web-app>

ExpressJS (NodeJS)

In NodeJS routing is declared directly in the source code.

Spring MVC / Spring Boot (Java)

In Spring MVC / Spring Boot programmers usually create a seperate classes for storing the routing.

Flask (Python)

In Flask routing is declared directly in the source code just as in ExpressJS.

PreviousManual code reviewNextSearching for exploits

Last updated