nodejsscan
Ajin AbrahamRules from the preeminent Node.js security scanner, NodeJSScan.
Run Locally
Rules (113)
ajinabrahamAES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.
ajinabrahamAES algorithms requires an initialization vector (IV). Providing no or null IV in some implementation results to a 0 IV. Use of a deterministic IV makes dictionary attacks easier.
ajinabrahamcrypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
ajinabrahamMD5 is a a weak hash which is known to have collision. Use a strong hashing function.
ajinabrahamSHA1 is a a weak hash which is known to have collision. Use a strong hashing function.
ajinabrahamA weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application.
ajinabrahamString comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
ajinabrahamSSL Certificate verification for node-curl is disabled.
ajinabrahamSetting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.
ajinabrahamUntrusted user input in findOne() function can result in NoSQL Injection.
ajinabrahamUntrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.
ajinabrahamThe Sequelize connection string indicates that database server does not use TLS. Non TLS connections are susceptible to man in the middle (MITM) attacks.
ajinabrahamThe Sequelize connection string indicates that TLS certificate vailidation of database server is disabled. This is equivalent to not having TLS. An attacker can present any invalid certificate and Sequelize will make database connection ignoring certificate errors. This setting make the connection susceptible to man in the middle (MITM) attacks. Not applicable to SQLite database.
ajinabrahamThe Sequelize connection string indicates that an older version of TLS is in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default, Sequelize use TLSv1.2 but it's recommended to use TLS1.3. Not applicable to SQLite database.
ajinabrahamUntrusted input concatinated with raw SQL query can result in SQL Injection.
ajinabrahamUntrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection.
ajinabrahamPOST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space.
ajinabrahamLayer7 Denial of Service. Looping over user controlled objects can result in DoS.
ajinabrahamEnsure that the regex used to compare with user supplied input is safe from regular expression denial of service.
ajinabrahamUser controlled data in RegExp() can make the application vulnerable to layer 7 DoS.
ajinabrahamApplication can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.
ajinabrahamBlink's expirimental features are enabled in this application. Some of the features may affect the security of the application.
ajinabrahamDisabling context isolation can introduce Prototype Pollution vulnerabilities.
ajinabrahamDisabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.
ajinabrahamExperimental features are not expected to be in production ready applications.
ajinabrahamNode integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).
ajinabrahamUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
ajinabrahamUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
ajinabrahamFound an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
ajinabrahamUser controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection
ajinabrahamUntrusted user input in `require()` function allows an attacker to load arbitrary code.
ajinabrahamUnrusted data in `sandbox` can result in code injection.
ajinabrahamUntrusted user input reaching `vm2` can result in code injection.
ajinabrahamUntrusted user input reaching `vm2` sandbox can result in context injection.
ajinabrahamUntrusted user input reaching `vm` can result in code injection.
ajinabrahamUntrusted user input in `vm.compileFunction()` can result in code injection.
ajinabrahamUntrusted user input in `vm.runInContext()` can result in code injection.
ajinabrahamUntrusted user input in `vm.runInNewContext()` can result in code injection.
ajinabrahamUser controlled data in 'yaml.load()' function can result in Remote Code Injection.
ajinabrahamUntrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.
ajinabrahamUser controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
ajinabrahamUser controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.
ajinabrahamError messages with stack traces may expose sensitive information about the application.
ajinabrahamError messages with stack traces can expose sensitive information about the application.
ajinabrahamHardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable.
ajinabrahamA hardcoded API Key is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded password in plain text is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded secret is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded username in plain text is identified. Store it properly in an environment variable.
ajinabrahamUser controlled data is used for application business logic decision making. This expose protected data or functionality.
ajinabrahamThis application has anti CSRF protection which prevents cross site request forgery attacks.
ajinabrahamX-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/
ajinabrahamContent Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/
ajinabrahamExpect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/
ajinabrahamX-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/
ajinabrahamFeature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/
ajinabrahamX-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/
ajinabrahamHSTS header is present. More information: https://helmetjs.github.io/docs/hsts/
ajinabrahamX-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/
ajinabrahamContent-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/
ajinabrahamReferrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/
ajinabrahamDefault X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/
ajinabrahamX-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/
ajinabrahamThis application has API rate limiting controls.
ajinabrahamConsider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.
ajinabrahamDefault session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.
ajinabrahamSession middleware settings: `httpOnly` is explicitly set to false. It ensures that sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.
ajinabrahamSession middleware settings: `maxAge` not set. Use it to set expiration date for cookies.
ajinabrahamDefault session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.
ajinabrahamDefault session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.
ajinabrahamDefault session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.
ajinabrahamAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
ajinabrahamAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
ajinabrahamOne or more Security Response header is explicitly disabled in Helmet.
ajinabrahamUntrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks.
ajinabrahamX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
ajinabrahamX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
ajinabrahamUsing untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning.
ajinabrahamPassword is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.
ajinabrahamThe object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.
ajinabrahamHardcoded JWT secret or private key was found. Store it properly in an environment variable.
ajinabrahamHardcoded JWT secret was found. Store it properly in an environment variable.
ajinabrahamAlgorithm is set to none for JWT token. This can nullify the integrity of JWT signature.
ajinabrahamNo token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.
ajinabrahamDetected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
ajinabrahamUntrusted user input in redirect() can result in Open Redirect vulnerability.
ajinabrahamUntrusted user input in response header('Location') can result in Open Redirect vulnerability.
ajinabrahamUser controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).
ajinabrahamIf unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamUser controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF).
ajinabrahamUser controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF).
ajinabrahamInsecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure TAR archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamUntrusted user input in express render() function can result in arbitrary file read when hbs templating is used.
ajinabrahamUntrusted user input in express render() function can result in arbitrary file read if hbs templating is used.
ajinabrahamUntrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.
ajinabrahamPath constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`.
ajinabrahamUser controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.
ajinabrahamUser controlled data in xpath.parse() can result in XPATH injection vulnerability.
ajinabrahamMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
ajinabrahamUser controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities
ajinabrahamUse of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.
ajinabrahamMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
ajinabrahamMarkup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
ajinabrahamUntrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.
ajinabrahamUntrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
ajinabrahamDisabling Escaping in Handlebars is not a secure behaviour. This can introduce XSS vulnerabilties.
ajinabrahamHandlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.
ajinabrahamHandlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.