#generic

Rulesets (9)

Rules (127)

profile photo of returntocorpreturntocorp

This tag is missing an 'integrity' subresource integrity attribute. The 'integrity' attribute allows for the browser to verify that externally hosted files (for example from a CDN) are delivered without unexpected manipulation. Without this attribute, if an attacker can modify the externally hosted resource, this could lead to XSS and other types of attacks. To prevent this, include the base64-encoded cryptographic hash of the resource (file) you’re telling the browser to fetch in the 'integrity' attribute for all externally hosted files.

profile photo of returntocorpreturntocorp

Your app uses TLS public key pinning without specifying an expiration date. If your users do not update the app to receive new pins in time, expired or replaced certificates can lead to connectivity issues until they install an update. It is considered best practice to set an expiration time, after which the system will default to trusting system CAs and disregard the pin.

profile photo of returntocorpreturntocorp

Only the exit code from the final command in this RUN instruction will be evaluated unless 'pipefail' is set. If you want to fail the command at any stage in the pipe, set 'pipefail' by including 'SHELL ["/bin/bash", "-o", "pipefail", "-c"] before the command. If you're using alpine and don't have bash installed, communicate this explicitly with `SHELL ["/bin/ash"]`.

profile photo of returntocorpreturntocorp

By not specifying a USER, a programs in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.

profile photo of returntocorpreturntocorp

Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using Flask, use 'url_for()' to safely generate a URL. If using Django, use the 'url' filter to safely generate a URL. If using Mustache, use a URL encoding library, or prepend a slash '/' to the variable for relative links (`href="/{{link}}"`). You may also consider setting the Content Security Policy (CSP) header.

profile photo of returntocorpreturntocorp

Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.

profile photo of returntocorpreturntocorp

Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., `document.getElementById`).

profile photo of returntocorpreturntocorp

The host for this proxy URL is dynamically determined. This can be dangerous if the host can be injected by an attacker because it may forcibly alter destination of the proxy. Consider hardcoding acceptable destinations and retrieving them with 'map' or something similar.

profile photo of returntocorpreturntocorp

The $$VARIABLE path parameter is added as a header in the response. This could allow an attacker to inject a newline and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace in the path parameter: '[^\s]+'.

profile photo of returntocorpreturntocorp

The 'add_header' directive is called in a 'location' block after headers have been set at the server block. Calling 'add_header' in the location block will actually overwrite the headers defined in the server block, no matter which headers are set. To fix this, explicitly set all headers or set all headers in the server block.

profile photo of returntocorpreturntocorp

This location block contains a 'proxy_pass' directive but does not contain the 'internal' directive. The 'internal' directive restricts access to this location to internal requests. Without 'internal', an attacker could use your server for server-side request forgeries (SSRF). Include the 'internal' directive in this block to limit exposure.

profile photo of returntocorpreturntocorp

This server configuration is missing the 'ssl_protocols' directive. By default, this server will use 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2', and versions older than TLSv1.2 are known to be broken. Explicitly specify 'ssl_protocols TLSv1.2 TLSv1.3' to use secure TLS versions.

profile photo of returntocorpreturntocorp

This anchor tag with 'target="_blank"' is missing 'noopener'. A page opened with 'target="_blank"' can access the window object of the origin page. This means it can manipulate the 'window.opener' property, which could redirect the origin page to a malicious URL. This is called reverse tabnabbing. To prevent this, include 'rel=noopener' on this tag

profile photo of returntocorpreturntocorp

This anchor tag with 'target="_blank"' is missing 'noreferrer'. A page opened with 'target="_blank"' can access the window object of the origin page. This means it can manipulate the 'window.opener' property, which could redirect the origin page to a malicious URL. This is called reverse tabnabbing. To prevent this, include 'rel=noreferrer' on this tag.

profile photo of returntocorpreturntocorp

Detected a template variable used as the 'src' in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent malicious URLs from being injected and could results in a cross-site scripting (XSS) vulnerability. Prefer not to dynamically generate the 'src' attribute and use static URLs instead. If you must do this, carefully check URLs against an allowlist and be sure to URL-encode the result.

profile photo of returntocorpreturntocorp

Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.

profile photo of returntocorpreturntocorp

Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI.

profile photo of returntocorpreturntocorp

Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use 'url_for()' to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header.

profile photo of returntocorpreturntocorp

'content_tag' exhibits unintuitive escaping behavior and may accidentally expose your application to cross-site scripting. If using Rails 2, only attribute values are escaped. If using Rails 3, content and attribute values are escaped. Tag and attribute names are never escaped. Because of this, it is recommended to use 'html_safe' if you must render raw HTML data.

profile photo of returntocorpreturntocorp

'raw' renders raw HTML, as the name implies. This means that normal HTML escaping is bypassed. If user data can be controlled here, this exposes your application to cross-site scripting (XSS). If you need to do this, be sure to correctly sanitize the data using a library such as DOMPurify.

profile photo of returntocorpreturntocorp

Detected a template variable used in 'link_to'. This will generate dynamic data in the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: 'link_to "Here", "/"+@link'. You may also consider setting the Content Security Policy (CSP) header.

profile photo of returntocorpreturntocorp

Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. If using a relative URL, start with a literal forward slash and concatenate the URL, like this: href='/<%= link =>'. You may also consider setting the Content Security Policy (CSP) header.

profile photo of returntocorpreturntocorp

Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need to do this, use `escape_javascript` or its alias, `j`. However, this will not protect from XSS in all circumstances; see the references for more information. Consider placing this value in the HTML portion (outside of a script tag).

profile photo of returntocorpreturntocorp

This anchor tag with 'target="_blank"' is missing 'noopener' or 'noreferrer'. A page opened with 'target="_blank"' can access the window object of the origin page. This means it can manipulate the 'window.opener' property, which could redirect the origin page to a malicious URL. This is called reverse tabnabbing. To prevent this, include 'rel=noopener' or 'rel=noreferrer' on this tag.

profile photo of returntocorpreturntocorp

Detected use of mail_to helper used with the `:encode => :javascript option`. The attacker could specify a malicious name or email value that could lead to a XSS attack. Instead, use `:encode => :hex` or patch to Rails 3.0.4 or 2.3.11.

profile photo of returntocorpreturntocorp

Detected user input flowing into number_to_currency helper. One of the parameters to the helper (unit) is not escaped correctly and could lead to XSS, which in turn could lead to sensitive data being exfiltrated. Instead, sanitize data with the 'html_escape' or 'h' function before passing it into `number_to_currency` or upgrade to Rails 4.0.2 or 3.2.16.

profile photo of returntocorpreturntocorp

Raw html content controlled by a variable detected. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. Try to avoid using `Html()` or consider properly sanitizing input data.

profile photo of returntocorpreturntocorp

Conditions for Nginx H2C smuggling identified. H2C smuggling allows upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections which can allow a bypass of reverse proxy access controls,and lead to long-lived, unrestricted HTTP traffic directly to back-end servers. To mitigate: WebSocket support required: Allow only the value websocket for HTTP/1.1 upgrade headers (e.g., Upgrade: websocket). WebSocket support not required: Do not forward Upgrade headers.

profile photo of returntocorpreturntocorp

Detected a template variable used in a script tag. Although template variables are HTML escaped, HTML escaping does not always prevent cross-site scripting (XSS) attacks when used directly in JavaScript. If you need this data on the rendered page, consider placing it in the HTML portion (outside of a script tag). Alternatively, use a JavaScript-specific encoder, such as the one available in OWASP ESAPI. For Django, you may also consider using the 'json_script' template tag and retrieving the data in your script by using the element ID (e.g., `document.getElementById`).

profile photo of returntocorpreturntocorp

Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross- site scripting (XSS) attacks. Use the 'url' template tag to safely generate a URL. You may also consider setting the Content Security Policy (CSP) header.