GuardAPI

Fix Shadow API Exposure in Revel

Shadow APIs are the silent killers of your attack surface. In the Revel framework, developers often fall into the trap of 'magic' routing, leaving undocumented, internal, or experimental endpoints exposed to discovery via fuzzing. If it's in your binary and reachable via a route, it's an entry point. We're going to kill the wildcards and enforce strict visibility.

The Vulnerable Pattern

// conf/routes
# DANGEROUS: the catch-all wildcard route maps /<controller>/<action> onto every
# exported method of every controller, so nothing has to be declared to be reachable
*       /:controller/:action                    :controller.:action

// app/controllers/debug.go
package controllers

import "github.com/revel/revel"

type Debug struct {
    *revel.Controller
}

// Exported, so the wildcard above automatically exposes it as /debug/dumpconfig
func (c Debug) DumpConfig() revel.Result {
    return c.RenderJSON(revel.Config)
}

The Secure Implementation

Shadow APIs in Revel primarily stem from the `/:controller/:action` wildcard route, which maps URI segments directly onto Go methods. To fix this:

1. Delete the wildcard route from `conf/routes`.
2. Explicitly map every intended API endpoint.
3. Make internal helper functions in controllers unexported (start with a lowercase letter). Revel routes only to exported methods, so an unexported helper can no longer be reached from a URL.
4. Use Interceptors to enforce a 'Deny by Default' policy, so that even if a route is accidentally exposed, a request without the required credentials never reaches the sensitive logic.

// conf/routes
# SECURE: explicitly define every allowed endpoint. No wildcards.
GET     /api/v1/status                          App.Index
POST    /api/v1/data                            Data.Submit

// app/controllers/app.go
package controllers

import "github.com/revel/revel"

type App struct {
    *revel.Controller
}

// 1. Unexported (lowercase) methods hold internal logic; Revel cannot route to them
func (c App) checkInternalHealth() bool {
    return true
}

// 2. A BEFORE interceptor enforces authorization on every App action, so an
//    accidentally exposed route still fails closed
func (c App) CheckAuth() revel.Result {
    if c.Request.Header.Get("X-Internal-Secret") != "expected-hash" {
        return c.Forbidden("Access Denied")
    }
    return nil
}

func init() {
    revel.InterceptMethod(App.CheckAuth, revel.BEFORE)
}
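As an added audit example (not code from this page or from the Revel project), the Go program below applies rules 1 to 3 mechanically: it parses a routes file in Revel's three-column format, flags any route whose target is assembled from URI segments, and uses reflection to list the exported controller methods such a route would reach but no explicit route declares. Because reflect never reports unexported methods, lowercase helpers drop out exactly as rule 3 intends. The Controller, Debug and App types and both routes texts are constructed stand-ins so the program runs without importing Revel; in a real audit you would point it at the project's own conf/routes and controllers.

```go
package main

import (
	"bufio"
	"fmt"
	"reflect"
	"sort"
	"strings"
)

// Route is one line of a Revel conf/routes file: METHOD  /path  Controller.Action.
type Route struct {
	Method string
	Path   string
	Target string
}

// ParseRoutes reads the three-column routes format, ignoring blank lines and "#" comments.
// A malformed line (fewer than three columns) is skipped rather than guessed at.
func ParseRoutes(src string) []Route {
	var routes []Route
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 3 {
			continue
		}
		routes = append(routes, Route{Method: f[0], Path: f[1], Target: f[2]})
	}
	return routes
}

// IsWildcard reports whether a route's target is built from URI segments
// (":controller.:action") instead of naming one fixed method.
func (r Route) IsWildcard() bool {
	return strings.Contains(r.Target, ":")
}

// Constructed stand-ins for revel.Controller and two controllers; the real
// framework is not imported so this program runs offline.
type Controller struct{}

func (*Controller) RenderJSON(v interface{}) string { return "rendered" }

type Debug struct{ *Controller }

func (c Debug) DumpConfig() string { return c.RenderJSON(nil) }
func (c Debug) helper() bool       { return true } // unexported: invisible to reflection-based routing

type App struct{ *Controller }

func (c App) Index() string             { return "ok" }
func (c App) checkInternalHealth() bool { return true } // unexported, as rule 3 requires

// Actions lists the exported methods that ":controller.:action" routing could reach
// on ctrl, excluding methods promoted from the embedded base Controller.
// reflect.Type never reports unexported methods, which is why rule 3 works.
func Actions(ctrl interface{}) []string {
	t := reflect.TypeOf(ctrl)
	base := reflect.TypeOf((*Controller)(nil))
	inherited := map[string]bool{}
	for i := 0; i < base.NumMethod(); i++ {
		inherited[base.Method(i).Name] = true
	}
	var out []string
	for i := 0; i < t.NumMethod(); i++ {
		if name := t.Method(i).Name; !inherited[name] {
			out = append(out, t.Name()+"."+name)
		}
	}
	sort.Strings(out)
	return out
}

// ShadowEndpoints returns every reachable Controller.Action that no explicit route
// names. With no wildcard route nothing is reachable implicitly, so the result is empty.
func ShadowEndpoints(routes []Route, ctrls ...interface{}) []string {
	explicit := map[string]bool{}
	wildcard := false
	for _, r := range routes {
		if r.IsWildcard() {
			wildcard = true
		} else {
			explicit[r.Target] = true
		}
	}
	if !wildcard {
		return nil
	}
	var shadow []string
	for _, c := range ctrls {
		for _, a := range Actions(c) {
			if !explicit[a] {
				shadow = append(shadow, a)
			}
		}
	}
	sort.Strings(shadow)
	return shadow
}

// Constructed sample routes files: the catch-all pattern and its explicit replacement.
const vulnerableRoutes = `
GET     /                     App.Index
*       /:controller/:action  :controller.:action
`

const secureRoutes = `
GET     /api/v1/status        App.Index
`

func main() {
	fmt.Println("wildcard routes:", ShadowEndpoints(ParseRoutes(vulnerableRoutes), Debug{}, App{}))
	fmt.Println("explicit routes:", ShadowEndpoints(ParseRoutes(secureRoutes), Debug{}, App{}))
}
```

Run against the wildcard file it reports Debug.DumpConfig as a shadow endpoint and nothing for the explicit file; App.Index is reachable in both but declared, so it is not shadow. One caveat on rule 4 as shown above: revel.InterceptMethod(App.CheckAuth, ...) guards only App, so Data.Submit from the secure routes needs its own interceptor, or a controller-wide one registered with revel.InterceptFunc and revel.AllControllers, for deny-by-default to hold across the whole API. When comparing a shared secret in such an interceptor, prefer crypto/subtle.ConstantTimeCompare over != so the check does not leak timing information.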


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.