Unhandled endpoint

Description

Some endpoints appear in the introspection (the schema or API documentation the application exposes) but have no handler implemented behind them.

Remediation

Either remove the endpoint from your schema or create a handler for it.

REST Specific

  • ASP.NET: Ensure that all endpoints defined in the API are properly handled in the ASP.NET routing configuration. Implement appropriate action methods in the controllers for each endpoint, and if an endpoint should not be available, remove it from the API routing table or return a 'Not Implemented' status code.
  • Ruby on Rails: Ensure that all routes defined in the Rails application have corresponding controller actions implemented. Use route constraints to limit unexpected routes and provide a catch-all route at the bottom of your routes file to handle unmatched requests with a custom 404 error page.
  • Next.js: Ensure that all endpoints defined in the API are properly handled in the Next.js pages or API routes. Implement appropriate request handlers for each endpoint or remove unused endpoints from the introspection system to prevent potential security vulnerabilities.
  • Laravel: Ensure that all routes defined in the Laravel application have corresponding controller methods implemented. Use the route:list command to review registered routes and verify that each one has an appropriate handler. Implement middleware to catch any unhandled routes and provide a default response or redirect to a known route.
  • Express.js: Ensure that all defined routes in your Express.js application have corresponding route handlers. For any unhandled endpoints, implement a catch-all route handler to return an appropriate error message, such as 404 Not Found, to the client. Additionally, consider using middleware for logging and monitoring to track these unhandled endpoints and take corrective actions.
  • Django: Ensure that all endpoints defined in your Django application's URL configurations have corresponding view functions or classes implemented. Use Django's built-in 404 error handling to catch any unhandled endpoints and provide a user-friendly error page.
  • Symfony: Ensure that all endpoints defined in the routing configuration have corresponding controller actions implemented. Use Symfony's debug:router console command to list all registered routes and verify that each one is handled properly. If an endpoint is not needed, remove it from the routing configuration to prevent unintended access.
  • Spring Boot: Ensure that all endpoints defined in the Spring Boot application are mapped to appropriate handler methods. If an endpoint is discovered during introspection without a corresponding handler, implement the necessary @RequestMapping or specific mapping annotations like @GetMapping, @PostMapping, etc., to handle the request properly. Additionally, consider using a global @ControllerAdvice to handle unmapped endpoints and provide a default response.
  • Flask: Ensure that all endpoints defined in the Flask application have corresponding view functions. Use the `@app.route` decorator to map URLs to view functions and return appropriate responses. If an endpoint should not be accessible, remove it from the URL map or implement a handler that returns a 404 or 403 status code. Regularly review your routing table and update the handlers as necessary to prevent unhandled endpoints.
  • Nuxt: Ensure that all defined routes in your Nuxt.js application have corresponding page components or server middleware to handle the requests. If an endpoint is not meant to be accessible, remove it from the configuration or set up a catch-all route to handle undefined paths and provide a proper response, such as a 404 error page.
  • FastAPI: Ensure that all endpoints defined in the API documentation are implemented with corresponding request handlers in the FastAPI application. For any endpoints that are currently unhandled, create appropriate route functions with the @app.route decorator, specifying the path, HTTP method, and request handling logic. Additionally, consider implementing a default route handler for undefined routes to return a 404 error with a clear message indicating that the endpoint is not available.
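Every framework-specific remediation above reduces to the same audit: take the operations the schema advertises, take the routes the application actually registers, and diff the two. The following script is an added example written for this page, not code from Escape or from any of the frameworks listed. The OpenAPI fragment and the route table are constructed inline; in practice the spec would be fetched from the application's introspection or OpenAPI endpoint, and the route table would be read from the framework (for example Flask's url_map or the output of Laravel's route:list or Symfony's debug:router). Path parameters in Flask (`<int:user_id>`), OpenAPI (`{user_id}`) and Express (`:user_id`) style are normalised so that the same endpoint compares equal regardless of how each framework spells it.

```python
"""Audit an OpenAPI document against the routes an application really registers.

Added example, not part of the Escape documentation or of any framework.
The spec and route table below are constructed sample data.
"""
import re
from typing import Iterable, List, Set, Tuple

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}

# Constructed OpenAPI fragment: five operations, one of which has no handler.
OPENAPI_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{user_id}": {"get": {}, "delete": {}, "parameters": []},
        "/admin/export": {"post": {}},  # documented, but never implemented
    },
}

# Constructed route table as a framework would report it: (method, rule).
REGISTERED_ROUTES = [
    ("GET", "/users"),
    ("POST", "/users"),
    ("GET", "/users/<int:user_id>"),
    ("DELETE", "/users/<int:user_id>"),
]

# Matches Flask "<int:user_id>" / "<user_id>", OpenAPI "{user_id}" and
# Express/Rails ":user_id" path parameters.
_PARAM_RE = re.compile(r"<(?:[^:<>]+:)?([^<>]+)>|\{([^{}]+)\}|:([A-Za-z_]\w*)")


def normalise_path(path: str) -> str:
    """Collapse every path parameter to "{}" and drop a trailing slash, so that
    "/users/<int:user_id>/", "/users/{user_id}" and "/users/:user_id" all
    become "/users/{}"."""
    path = _PARAM_RE.sub("{}", path)
    return path.rstrip("/") or "/"


def spec_operations(spec: dict) -> Set[Tuple[str, str]]:
    """(METHOD, normalised path) for every operation the schema advertises.
    Non-method keys of a path item (e.g. "parameters") are skipped."""
    ops: Set[Tuple[str, str]] = set()
    for path, item in spec.get("paths", {}).items():
        for key in item:
            if key.lower() in HTTP_METHODS:
                ops.add((key.upper(), normalise_path(path)))
    return ops


def registered_operations(routes: Iterable[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """(METHOD, normalised path) for every route the application serves."""
    return {(method.upper(), normalise_path(rule)) for method, rule in routes}


def find_unhandled(spec: dict, routes: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Operations present in the schema with no registered handler: the
    condition this check reports. Fix by implementing or removing them."""
    return sorted(spec_operations(spec) - registered_operations(routes))


def find_undocumented(spec: dict, routes: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """The reverse gap: routes that are served but absent from the schema.
    Not what this check flags, but the same audit surfaces it for free."""
    return sorted(registered_operations(routes) - spec_operations(spec))


if __name__ == "__main__":
    for method, path in find_unhandled(OPENAPI_SPEC, REGISTERED_ROUTES):
        print(f"UNHANDLED: {method} {path}")
    for method, path in find_undocumented(OPENAPI_SPEC, REGISTERED_ROUTES):
        print(f"UNDOCUMENTED: {method} {path}")
```

Running the script reports `POST /admin/export` as unhandled, which is exactly the case the description above refers to: the operation is visible to anyone reading the schema, but no code answers it. Wiring the audit into CI, with the schema and the live route table as inputs, keeps the two from drifting apart after the initial cleanup.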

Configuration

Identifier: configuration/unhandled_endpoint

Examples

Ignore this check

checks:
  configuration/unhandled_endpoint:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API2:2023

  • pci: 6.5.10

  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-2

Classification

  • CWE: 453

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N