nodejsscan
Rules from the preeminent Node.js security scanner, NodeJSScan.
Run Locally
Rules (113)

AES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.

AES algorithms requires an initialization vector (IV). Providing no or null IV in some implementation results to a 0 IV. Use of a deterministic IV makes dictionary attacks easier.

crypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.

MD5 is a a weak hash which is known to have collision. Use a strong hashing function.

SHA1 is a a weak hash which is known to have collision. Use a strong hashing function.

A weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application.

String comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/

SSL Certificate verification for node-curl is disabled.

Setting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.

Untrusted user input in findOne() function can result in NoSQL Injection.

Untrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.

The Sequelize connection string indicates that database server does not use TLS. Non TLS connections are susceptible to man in the middle (MITM) attacks.

The Sequelize connection string indicates that TLS certificate vailidation of database server is disabled. This is equivalent to not having TLS. An attacker can present any invalid certificate and Sequelize will make database connection ignoring certificate errors. This setting make the connection susceptible to man in the middle (MITM) attacks. Not applicable to SQLite database.

The Sequelize connection string indicates that an older version of TLS is in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default, Sequelize use TLSv1.2 but it's recommended to use TLS1.3. Not applicable to SQLite database.

Untrusted input concatinated with raw SQL query can result in SQL Injection.

Untrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection.

POST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space.

Layer7 Denial of Service. Looping over user controlled objects can result in DoS.

Ensure that the regex used to compare with user supplied input is safe from regular expression denial of service.

User controlled data in RegExp() can make the application vulnerable to layer 7 DoS.

Application can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.

Blink's expirimental features are enabled in this application. Some of the features may affect the security of the application.

Disabling context isolation can introduce Prototype Pollution vulnerabilities.

Disabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.

Experimental features are not expected to be in production ready applications.

Node integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).

User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.

User controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.

Found an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.

User controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection

Untrusted user input in `require()` function allows an attacker to load arbitrary code.

Unrusted data in `sandbox` can result in code injection.

Untrusted user input reaching `vm2` can result in code injection.

Untrusted user input reaching `vm2` sandbox can result in context injection.

Untrusted user input reaching `vm` can result in code injection.

Untrusted user input in `vm.compileFunction()` can result in code injection.

Untrusted user input in `vm.runInContext()` can result in code injection.

Untrusted user input in `vm.runInNewContext()` can result in code injection.

User controlled data in 'yaml.load()' function can result in Remote Code Injection.

Untrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.

User controlled data in 'child_process.exec()' can result in Remote OS Command Execution.

User controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.

Error messages with stack traces may expose sensitive information about the application.

Error messages with stack traces can expose sensitive information about the application.

Hardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable.

A hardcoded API Key is identified. Store it properly in an environment variable.

A hardcoded password in plain text is identified. Store it properly in an environment variable.

A hardcoded secret is identified. Store it properly in an environment variable.

A hardcoded username in plain text is identified. Store it properly in an environment variable.

User controlled data is used for application business logic decision making. This expose protected data or functionality.

This application has anti CSRF protection which prevents cross site request forgery attacks.

X-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/

Content Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/

Expect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/

X-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/

Feature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/

X-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/

HSTS header is present. More information: https://helmetjs.github.io/docs/hsts/

X-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/

Content-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/

Referrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/

Default X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/

X-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/

This application has API rate limiting controls.

Consider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.

Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.

Session middleware settings: `httpOnly` is explicitly set to false. It ensures that sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.

Session middleware settings: `maxAge` not set. Use it to set expiration date for cookies.

Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.

Default session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.

Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.

Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.

Access-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.

One or more Security Response header is explicitly disabled in Helmet.

Untrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks.

X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.

X-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.

Using untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning.

Password is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.

The object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.

Hardcoded JWT secret or private key was found. Store it properly in an environment variable.

Hardcoded JWT secret was found. Store it properly in an environment variable.

Algorithm is set to none for JWT token. This can nullify the integrity of JWT signature.

No token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.

Detected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.

Untrusted user input in redirect() can result in Open Redirect vulnerability.

Untrusted user input in response header('Location') can result in Open Redirect vulnerability.

User controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).

If unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities.

If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.

If unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.

User controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF).

User controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF).

Insecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.

Insecure TAR archive extraction can result in arbitrary path over write and can result in code injection.

Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.

Insecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.

Untrusted user input in express render() function can result in arbitrary file read when hbs templating is used.

Untrusted user input in express render() function can result in arbitrary file read if hbs templating is used.

Untrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.

Path constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`.

User controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.

User controlled data in xpath.parse() can result in XPATH injection vulnerability.

Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.

User controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities

Use of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.

Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.

Markup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.

Untrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.

Untrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).

Disabling Escaping in Handlebars is not a secure behaviour. This can introduce XSS vulnerabilties.

Handlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.

Handlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.