#javascript
Rulesets (39)
Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.
Ajin AbrahamRules from the preeminent Node.js security scanner, NodeJSScan.
Default ruleset for JavaScript, curated by Semgrep.
Vasilii ErmilovMost common clientside JavaScript XSS vulnerabilities
Default ruleset for TypeScript, curated by Semgrep.
r2cCross-site scripting (XSS) secure defaults for Express.js
r2cRule pack for detecting insecure transport in node js
Scan code for potential security issues that require additional review. Recommended for teams looking to set up guardrails or to flag troublesome spots for further review.
A collection of opinionated rules for best practices in popular languages. Recommended for users who want really strict coding standards.
Selected rules from eslint-plugin-security, a security plugin for ESLint, rewritten in Semgrep.
r2cSecure defaults for XSS prevention
Find common bugs, errors, and logic issues in popular languages.
Colleen DaiEnsure your code communicates over encrypted channels instead of plaintext.
Rules for detecting secrets checked into version control
Grayson HardawayRuleset accompanying Semgrep OWASP presentation.
r2cScan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production.
r2cRule pack for detecting insecure transport in node js
Use recommended rulesets specific to your project. Auto config is not a ruleset but a mode that scans for languages and frameworks and then uses the Semgrep Registry to select recommended rules. Semgrep will send a list of languages, frameworks, and your project URL to the Registry when using auto mode (but code is never uploaded).
r2cOmni pack for insecure transport rules
electron desktop app
Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the eslint rule pack.
Default ruleset for Express.js, written by Semgrep.
Leverage all Gitlab provided rules with the gitlab rulepack.
Use Semgrep as a universal linter to identify vulnerabilities and code smells in your code base with the eslint rule pack.
Vasilii ErmilovInsecure usage of most popular headless browser APIs
Colleen DaiEnsure your code communicates over encrypted channels instead of plaintext.
Vasilii ErmilovSecure defaults for Command injection prevention
A ruleset of javascript and typescript rules made for OWASP Juice Shop.
r2cScan for runtime errors, logic bus, and high-confidence security vulnerabilities. Recommended for use in CI to block serious issues from reaching production. Supports Python, Java, JavaScript, and Go.
Colleen DaiSQL injection guardrails. Checks for non-constant SQL queries and other SQLi.
Default ruleset for Node.js, curated by Semgrep.
Grayson HardawayRuleset for OWASP SF
Rules (497)
Insufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
Insufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpThis application has anti CSRF protection which prevents cross site request forgery attacks.
returntocorpContent Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/
returntocorpX-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/
returntocorpExpect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/
returntocorpFeature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/
returntocorpX-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/
returntocorpThis application has API rate limiting controls.
returntocorpPotential arbitrary code execution, whatever is provided to `toFastProperties` is sent straight to eval()
returntocorpReact useSelect() label is not internationalized - '$LABEL'. You should support different langauges in your website or app with internationalization. Instead, use packages such as `i18next` to internationalize your elements.
returntocorp`undefined` is not a reserved keyword in Javascript, so this is "valid" Javascript but highly confusing and likely to result in bugs.
returntocorpfound alert() call; should this be in production code?
returntocorpfound debugger call; should this be in production code?
returntocorpThe string method replaceAll is not supported in all versions of javascript, and is not supported by older browser versions. Consider using replace() with a regex as the first argument instead like mystring.replace(/bad/g, "good") instead of mystring.replaceAll("bad", "good") (https://discourse.threejs.org/t/replaceall-is-not-a-function/14585)
returntocorp`$X` is assigned twice; the first assignment is useless
returntocorpDetected a useless comparison operation `$X == $X` or `$X != $X`. This operation is always true. If testing for floating point NaN, use `math.isnan`, or `cmath.isnan` if the number is complex.
returntocorpfound confirm() call; should this be in production code?
returntocorpthis rule has been deprecated.
returntocorpThis looks like a JavaScript template string. Are you missing a '$' in front of '{...}'?
returntocorpthis rule has been deprecated.
Bracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype, leading to possible code execution.
returntocorpUser controlled data in 'yaml.load()' function can result in Remote Code Injection.
ajinabrahamThis application has anti CSRF protection which prevents cross site request forgery attacks.
ajinabrahamContent Security Policy header is present. More Information: https://helmetjs.github.io/docs/csp/
ajinabrahamX-Permitted-Cross-Domain-Policies header set to off. More information: https://helmetjs.github.io/docs/crossdomain/
ajinabrahamExpect-CT header is present. More information: https://helmetjs.github.io/docs/expect-ct/
ajinabrahamFeature-Policy header is present. More information: https://helmetjs.github.io/docs/feature-policy/
ajinabrahamX-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/
ajinabrahamX-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/
ajinabrahamDefault X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/
ajinabrahamHSTS header is present. More information: https://helmetjs.github.io/docs/hsts/
ajinabrahamX-Download-Options header is present. More information: https://helmetjs.github.io/docs/ienoopen/
ajinabrahamContent-Type-Options header is present. More information: https://helmetjs.github.io/docs/dont-sniff-mimetype/
ajinabrahamReferrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/
ajinabrahamX-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/
ajinabrahamThis application has API rate limiting controls.
ajinabrahamSession middleware settings: `httpOnly` is explicitly set to false. It ensures that sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.
returntocorpX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
returntocorpX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
returntocorpIf user input reaches `HoverProvider` while `supportHml` is set to `true` it may introduce an XSS vulnerability. Do not produce HTML for hovers with dynamically generated input.
returntocorpCopying a prop into state in React -- this is bad practice as all updates to it are ignored. Instead, read props directly in your component and avoid copying props into state.
returntocorpUntrusted user input in `vm.runInContext()` can result in code injection.
returntocorpthis rule has been deprecated.
returntocorpDepending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.
returntocorpMake sure that unverified user data can not reach `sandbox`.
Insufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpJSON stringify does not produce a stable key ordering, and should not be relied on for producing object keys. Consider using json-stable-stringify instead.
returntocorpChecks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized to false bypasses verification against the list of trusted CAs, which also leads to insecure transport. These options lead to vulnerability to MTM attacks, and should not be used.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
ajinabrahamMD5 is a a weak hash which is known to have collision. Use a strong hashing function.
ajinabrahamSHA1 is a a weak hash which is known to have collision. Use a strong hashing function.
ajinabrahamAES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.
ajinabrahamAES algorithms requires an initialization vector (IV). Providing no or null IV in some implementation results to a 0 IV. Use of a deterministic IV makes dictionary attacks easier.
ajinabrahamA weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application.
ajinabrahamcrypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
ajinabrahamString comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
ajinabrahamSetting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.
ajinabrahamSSL Certificate verification for node-curl is disabled.
ajinabrahamUntrusted user input in findOne() function can result in NoSQL Injection.
ajinabrahamUntrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.
ajinabrahamThe Sequelize connection string indicates that database server does not use TLS. Non TLS connections are susceptible to man in the middle (MITM) attacks.
ajinabrahamThe Sequelize connection string indicates that TLS certificate vailidation of database server is disabled. This is equivalent to not having TLS. An attacker can present any invalid certificate and Sequelize will make database connection ignoring certificate errors. This setting make the connection susceptible to man in the middle (MITM) attacks. Not applicable to SQLite database.
ajinabrahamThe Sequelize connection string indicates that an older version of TLS is in use. TLS1.0 and TLS1.1 are deprecated and should be used. By default, Sequelize use TLSv1.2 but it's recommended to use TLS1.3. Not applicable to SQLite database.
ajinabrahamUntrusted input concatinated with raw SQL query can result in SQL Injection.
ajinabrahamUntrusted input concatinated with raw SQL query using knex raw() or whereRaw() functions can result in SQL Injection.
ajinabrahamPOST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space.
ajinabrahamLayer7 Denial of Service. Looping over user controlled objects can result in DoS.
ajinabrahamEnsure that the regex used to compare with user supplied input is safe from regular expression denial of service.
ajinabrahamUser controlled data in RegExp() can make the application vulnerable to layer 7 DoS.
ajinabrahamDisabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.
ajinabrahamApplication can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.
ajinabrahamBlink's expirimental features are enabled in this application. Some of the features may affect the security of the application.
ajinabrahamNode integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).
ajinabrahamDisabling context isolation can introduce Prototype Pollution vulnerabilities.
ajinabrahamExperimental features are not expected to be in production ready applications.
ajinabrahamUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
ajinabrahamUser controlled data in 'unserialize()' or 'deserialize()' function can result in Object Injection or Remote Code Injection.
ajinabrahamFound an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
ajinabrahamUser controlled data in eval() or similar functions may result in Server Side Injection or Remote Code Injection
ajinabrahamUntrusted user input in `require()` function allows an attacker to load arbitrary code.
ajinabrahamUnrusted data in `sandbox` can result in code injection.
ajinabrahamUntrusted user input reaching `vm2` can result in code injection.
ajinabrahamUntrusted user input reaching `vm2` sandbox can result in context injection.
ajinabrahamUntrusted user input in `vm.runInContext()` can result in code injection.
ajinabrahamUntrusted user input in `vm.runInNewContext()` can result in code injection.
ajinabrahamUntrusted user input in `vm.compileFunction()` can result in code injection.
ajinabrahamUntrusted user input reaching `vm` can result in code injection.
ajinabrahamUser controlled data in 'yaml.load()' function can result in Remote Code Injection.
ajinabrahamUntrusted user input in templating engine's compile() function can result in Remote Code Execution via server side template injection.
ajinabrahamUser controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
ajinabrahamUser controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.
ajinabrahamError messages with stack traces can expose sensitive information about the application.
ajinabrahamError messages with stack traces may expose sensitive information about the application.
ajinabrahamHardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable.
ajinabrahamA hardcoded password in plain text is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded username in plain text is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded API Key is identified. Store it properly in an environment variable.
ajinabrahamA hardcoded secret is identified. Store it properly in an environment variable.
ajinabrahamUser controlled data is used for application business logic decision making. This expose protected data or functionality.
ajinabrahamConsider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.
ajinabrahamDefault session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.
ajinabrahamDefault session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.
ajinabrahamDefault session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.
ajinabrahamDefault session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.
ajinabrahamSession middleware settings: `maxAge` not set. Use it to set expiration date for cookies.
ajinabrahamAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
ajinabrahamAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
ajinabrahamOne or more Security Response header is explicitly disabled in Helmet.
ajinabrahamUntrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks.
ajinabrahamX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
ajinabrahamX-XSS-Protection header is set to 0. This will disable the browser's XSS Filter.
ajinabrahamUsing untrusted Host header for generating dynamic URLs can result in web cache and or password reset poisoning.
ajinabrahamPassword is exposed through JWT token payload. This is not encrypted and the password could be compromised. Do not store passwords in JWT tokens.
ajinabrahamThe object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.
ajinabrahamHardcoded JWT secret or private key was found. Store it properly in an environment variable.
ajinabrahamHardcoded JWT secret was found. Store it properly in an environment variable.
ajinabrahamAlgorithm is set to none for JWT token. This can nullify the integrity of JWT signature.
ajinabrahamNo token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.
ajinabrahamDetected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
ajinabrahamUntrusted user input in redirect() can result in Open Redirect vulnerability.
ajinabrahamUntrusted user input in response header('Location') can result in Open Redirect vulnerability.
ajinabrahamUser controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).
ajinabrahamIf unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
ajinabrahamUser controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF).
ajinabrahamUser controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF).
ajinabrahamInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.
ajinabrahamInsecure TAR archive extraction can result in arbitrary path over write and can result in code injection.
ajinabrahamUntrusted user input in express render() function can result in arbitrary file read when hbs templating is used.
ajinabrahamUntrusted user input in express render() function can result in arbitrary file read if hbs templating is used.
ajinabrahamUntrusted user input in readFile()/readFileSync() can endup in Directory Traversal Attacks.
ajinabrahamPath constructed with user input can result in Path Traversal. Ensure that user input does not reach `join()` or `resolve()`.
ajinabrahamUser controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.
ajinabrahamUser controlled data in xpath.parse() can result in XPATH injection vulnerability.
ajinabrahamMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
ajinabrahamUser controlled data in XML parsers can result in XML External or Internal Entity (XXE) Processing vulnerabilities
ajinabrahamUse of 'ondoctype' in 'sax' library detected. By default, 'sax' won't do anything with custom DTD entity definitions. If you're implementing a custom DTD entity definition, be sure not to introduce XML External Entity (XXE) vulnerabilities, or be absolutely sure that external entities received from a trusted source while processing XML.
ajinabrahamMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
ajinabrahamMarkup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
ajinabrahamUntrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.
ajinabrahamUntrusted user input reaching `serialize-javascript` with `unsafe` attribute can cause Cross Site Scripting (XSS).
ajinabrahamHandlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.
ajinabrahamDisabling Escaping in Handlebars is not a secure behaviour. This can introduce XSS vulnerabilties.
ajinabrahamHandlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.
returntocorpLazy loading can complicate code bundling if care is not taken, also `require`s are run synchronously by Node.js. If they are called from within a function, it may block other requests from being handled at a more critical time. The best practice is to `require` modules at the beginning of each file, before and outside of any functions.
returntocorpUser-controllable argument $DATAVAL to $METHOD passed to Axios via internal handler $INNERFUNC. This could be a server-side request forgery. A user could call a restricted API or leak internal headers to an unauthorized party. Validate your user arguments against an allowlist of known URLs, or consider refactoring so that user-controlled data is not necessary.
returntocorpFound data from an Express or Next web request flowing to `eval`. If this data is user-controllable this can lead to execution of arbitrary system commands in the context of your application process. Avoid `eval` whenever possible.
returntocorpDetected string concatenation with a non-literal variable in a `mssql` JS SQL statement. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `$REQ.input('USER_ID', mssql.Int, id);`
returntocorpInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
returntocorpInsecure ZIP archive extraction can result in arbitrary path over write and can result in code injection.
returntocorpInsecure ZIP archive extraction using adm-zip can result in arbitrary path over write and can result in code injection.
returntocorpInsecure TAR archive extraction can result in arbitrary path over write and can result in code injection.
returntocorpDetected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
returntocorpAES with ECB mode is deterministic in nature and not suitable for encrypting large amount of repetitive data.
returntocorpA weak or broken cryptographic algorithm was identified. Using these functions will introduce vulnerabilities or downgrade the security of your application.
returntocorpcrypto.pseudoRandomBytes()/Math.random() is a cryptographically weak random number generator.
returntocorpError messages with stack traces can expose sensitive information about the application.
returntocorpError messages with stack traces may expose sensitive information about the application.
returntocorpUser controlled data was found to enter a dynamic execution of JavaScript. This can lead to Remote Code Injection. Where possible do not dynamically execute user-input in functions such as eval(...).
returntocorpUntrusted user input in `require()` function allows an attacker to load arbitrary code.
returntocorpUser controlled data in 'child_process.exec()' can result in Remote OS Command Execution.
returntocorpUser controlled data in 'shelljs.exec()' can result in Remote OS Command Execution.
returntocorpPOST Request to Express Body Parser 'bodyParser()' can create Temporary files and consume space.
returntocorpHardcoded plain text secret used for Passport Strategy. Store it properly in an environment variable.
returntocorpOne or more Security Response header is explicitly disabled in Helmet.
returntocorpUntrusted user input in response header will result in HTTP Header Injection or Response Splitting Attacks.
returntocorpThe object is passed strictly to jose.JWT.sign(...). Make sure that sensitive information is not exposed through JWT token payload.
returntocorpEnsure that the regex used to compare with user supplied input is safe from regular expression denial of service.
returntocorpDisabling webSecurity will disable the same-origin policy and allows the execution of insecure code from any domain.
returntocorpApplication can load content over HTTP and that makes the app vulnerable to Man in the middle attacks.
returntocorpBlink's experimental features are enabled in this application. Some of the features may affect the security of the application.
returntocorpNode integration exposes node.js APIs to the electron app and this can introduce remote code execution vulnerabilities to the application if the app is vulnerable to Cross Site Scripting (XSS).
returntocorpExperimental features are not expected to be in production ready applications.
returntocorpIf unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities.
returntocorpIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
returntocorpIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities.
returntocorpUser controlled URL reached to `wkhtmltoimage` can result in Server Side Request Forgery (SSRF).
returntocorpUser controlled URL reached to `wkhtmltopdf` can result in Server Side Request Forgery (SSRF).
returntocorpString comparisons using '===', '!==', '!=' and '==' is vulnerable to timing attacks. More info: https://snyk.io/blog/node-js-timing-attack-ccc-ctf/
returntocorpSetting 'NODE_TLS_REJECT_UNAUTHORIZED' to 0 will allow node server to accept self signed certificates and is not a secure behaviour.
returntocorpSSL Certificate verification for node-curl is disabled.
returntocorpHandlebars SafeString will not escape the data passed through it. Untrusted user input passing through SafeString can cause XSS.
returntocorpUse of angular.element can lead to XSS if user-input is treated as part of the HTML element within `$SINK`. It is recommended to contextually output encode user-input, before inserting into `$SINK`. If the HTML needs to be preserved it is recommended to sanitize the input using $sce.getTrustedHTML or $sanitize.
returntocorpUse of $window.location.href can lead to open-redirect if user input is used for redirection.
returntocorp$sceDelegateProvider allowlisting can introduce security issues if wildcards are used.
returntocorp$sceProvider is set to false. Disabling Strict Contextual escaping (SCE) in an AngularJS application could provide additional attack surface for XSS vulnerabilities.
returntocorpThe use of $sce.trustAsCss can be dangerous if unsanitized user input flows through this API.
returntocorpThe use of $sce.trustAsHtml can be dangerous if unsanitized user input flows through this API.
returntocorpThe use of $sce.trustAsJs can be dangerous if unsanitized user input flows through this API.
returntocorpAllowing spawning arbitrary programs or running shell processes with arbitrary arguments may end up in a command injection vulnerability. Try to avoid non-literal values for the command string. If it is not possible, then do not let running arbitrary commands, use a white list for inputs.
returntocorpDetected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `knex.raw('SELECT $1 from table', [userinput])`
returntocorpDetected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`
returntocorpDetected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `connection.query('SELECT $1 from table', [userinput])`
returntocorpDetected SQL statement that is tainted by `$EVENT` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, use parameterized queries or prepared statements instead. You can use parameterized statements like so: `sequelize.query('SELECT * FROM projects WHERE status = ?', { replacements: ['active'], type: QueryTypes.SELECT });`
returntocorpThe `eval()` function evaluates JavaScript code represented as a string. Executing JavaScript from a string is an enormous security risk. It is far too easy for a bad actor to run arbitrary code when you use `eval()`. Ensure evaluated content is not definable by external sources.
returntocorpDetected user input flowing into an HTML response. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data.
returntocorpDetected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.
returntocorpThe `vm` module enables compiling and running code within V8 Virtual Machine contexts. The `vm` module is not a security mechanism. Do not use it to run untrusted code. If code passed to `vm` functions is controlled by user input it could result in command injection. Do not let user input in `vm` functions.
returntocorpDetected possible DOM-based XSS. This occurs because a portion of the URL is being used to construct an element added directly to the page. For example, a malicious actor could send someone a link like this: http://www.some.site/page.html?default=<script>alert(document.cookie)</script> which would add the script to the page. Consider allowlisting appropriate values or using an approach which does not involve the URL.
returntocorpDetected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.
returntocorpUser controlled data in methods like `innerHTML`, `outerHTML` or `document.write` is an anti-pattern that can lead to XSS vulnerabilities
returntocorpUser controlled data in a `$EL.innerHTML` is an anti-pattern that can lead to XSS vulnerabilities
returntocorpNo validation of origin is done by the addEventListener API. It may be possible to exploit this flaw to perform Cross Origin attacks such as Cross-Site Scripting(XSS).
returntocorpthis rule has been deprecated.
returntocorpUser controlled data in a HTML string may result in XSS
returntocorpUser controlled data in a HTML string may result in XSS
returntocorpThe target origin of the window.postMessage() API is set to "*". This could allow for information disclosure due to the possibility of any origin allowed to receive the message.
returntocorpIf unverified user data can reach the `compileScript` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
returntocorpMake sure that unverified user data can not reach `$VM`.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpUser data flows into the host portion of this manually-constructed HTML. This can introduce a Cross-Site-Scripting (XSS) vulnerability if this comes from user-provided input. Consider using a sanitization library such as DOMPurify to sanitize the HTML within.
returntocorpDetected user input used to manually construct a SQL string. This is usually bad practice because manual construction could accidentally result in a SQL injection. An attacker could use a SQL injection to steal or modify contents of the database. Instead, use a parameterized query which is available by default in most database engines. Alternatively, consider using an object-relational mapper (ORM) such as Sequelize which will protect your queries.
returntocorpUser controlled data in a `createNodesFromMarkup` is an anti-pattern that can lead to XSS vulnerabilities
returntocorpDetected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.
returntocorpUser controlled data in a jQuery's `.$METHOD(...)` is an anti-pattern that can lead to XSS vulnerabilities
returntocorpUser controlled data in a `$(...)` is an anti-pattern that can lead to XSS vulnerabilities
returntocorpJQuery's `html` function is susceptible to Cross Site Scripting (XSS) attacks. If you're just passing text, consider `text` instead. Otherwise, use a function that escapes HTML such as edX's `HtmlUtils.setHtml()`.
returntocorpThe object is passed strictly to jsonwebtoken.sign(...) Make sure that sensitive information is not exposed through JWT token payload.
returntocorpDetected use of the 'none' algorithm in a JWT token. The 'none' algorithm assumes the integrity of the token has already been verified. This would allow a malicious actor to forge a JWT token that will automatically be verified. Do not explicitly use the 'none' algorithm. Instead, use an algorithm such as 'HS256'.
returntocorpDetected non-literal calls to $EXEC(). This could lead to a command injection vulnerability.
returntocorpRegExp() called with a `$ARG` function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.
returntocorpIt looks like MD5 is used as a password hash. MD5 is not considered a secure password hash because it can be cracked by an attacker in a short amount of time. Use a suitable password hashing function such as bcrypt. You can use the `bcrypt` node.js package.
returntocorpThis rule has been deprecated. It duplicates `javascript/sequelize/security/audit/sequelize-raw-query` rule.
returntocorpDetected possible user input going into a `path.join` or `path.resolve` function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
returntocorpFound '$SPAWN' with '{shell: $SHELL}'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use '{shell: false}' instead.
returntocorpDetected SQL statement that is tainted by `$REQ` object. This could lead to SQL injection if the variable is user-controlled and not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements. An example of parameterized queries like so: `knex.raw('SELECT $1 from table', [userinput])` can help prevent SQLi.
returntocorpDetected a `$IMPORT` SQL statement that comes from a function argument. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
returntocorpMake sure that unverified user data can not reach vm.runInContext.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpDetected usage of noassert in Buffer API, which allows the offset the be beyond the end of the buffer. This could result in writing or reading beyond the end of the buffer.
returntocorpMarkup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
returntocorpDetected use of dynamic execution of JavaScript which may come from user-input, which can lead to Cross-Site-Scripting (XSS). Where possible avoid including user-input in functions which dynamically execute user-input.
returntocorpDetected use of express.csrf() middleware before express.methodOverride(). This can allow GET requests (which are not checked by csrf) to turn into POST requests later.
returntocorpDetected usage of crypto.pseudoRandomBytes, which does not produce secure random numbers.
returntocorpThis template literal looks like HTML and has interpolated variables. These variables are not HTML-encoded by default. If the variables contain HTML tags, these may be interpreted by the browser, resulting in cross-site scripting (XSS).
returntocorpDepending on the context, user control data in `Object.assign` can cause web response to include data that it should not have or can lead to a mass assignment vulnerability.
returntocorpGit allows shell commands to be specified in ext URLs for remote repositories. For example, git clone 'ext::sh -c whoami% >&2' will execute the whoami command to try to connect to a remote repository. Make sure that the URL is not controlled by external input.
returntocorpIf unverified user data can reach the `phantom` page methods it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `addInitScript` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpRemote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.
returntocorpIf unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `setContent` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `evaluate` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpRemote debugging protocol does not perform any authentication, so exposing it too widely can be a security risk.
returntocorpIf unverified user data can reach the `goto` method it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf TLS is disabled on server side (Postgresql server), Sequelize establishes connection without TLS and no error will be thrown. To prevent MITN (Man In The Middle) attack, TLS must be enforce by Sequelize. Set "ssl: true" or define settings "ssl: {...}"
returntocorpAvoiding SQL string concatenation: untrusted input concatenated with raw SQL query can result in SQL Injection. Data replacement or data binding should be used. See https://sequelize.org/master/manual/raw-queries.html
returntocorpSet "rejectUnauthorized" to false is a convenient way to resolve certificate error. But this method is unsafe because it disables the server certificate verification, making the Node app open to MITM attack. "rejectUnauthorized" option must be alway set to True (default value). With self -signed certificate or custom CA, use "ca" option to define Root Certificate. This rule checks TLS configuration only for Postgresql, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.
returntocorpTLS1.0 and TLS1.1 are deprecated and should not be used anymore. By default, NodeJS used TLSv1.2. So, TLS min version must not be downgrade to TLS1.0 or TLS1.1. Enforce TLS1.3 is highly recommended This rule checks TLS configuration only for PostgreSQL, MariaDB and MySQL. SQLite is not really concerned by TLS configuration. This rule could be extended for MSSQL, but the dialectOptions is specific for Tedious.
returntocorp`serialize-javascript` used with `unsafe` parameter, this could be vulnerable to XSS.
returntocorpPotential arbitrary code execution, piped to eval
returntocorpDetects direct creations of $HTTPS servers that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.
returntocorpDetects creations of $HTTPS servers from option objects that don't disallow SSL v2, SSL v3, and TLS v1. These protocols are deprecated due to POODLE, man in the middle attacks, and other vulnerabilities.
returntocorpChecks for lack of usage of the "secure: true" option when sending ftp requests through the nodejs ftp module. This leads to unencrypted traffic being sent to the ftp server. There are other options such as "implicit" that still does not encrypt all traffic. ftp is the most utilized npm ftp module.
returntocorpChecks for requests sent to http:// URLs. This is dangerous as the server is attempting to connect to a website that does not encrypt traffic with TLS. Instead, only send requests to https:// URLs.
returntocorpChecks for requests to http (unencrypted) sites using some of node js's most popular REST/HTTP libraries, including node-rest-client, axios, and got.
returntocorpChecks for creation of telnet servers or attempts to connect through telnet. This is insecure as the telnet protocol supports no encryption, and data passes through unencrypted.
returntocorpChecks for any usage of http servers instead of https servers. Encourages the usage of https protocol instead of http, which does not have TLS and is therefore unencrypted. Using http can lead to man-in-the-middle attacks in which the attacker is able to read sensitive information.
returntocorpDetected a variable used in an anchor tag with the 'href' attribute. A malicious actor may be able to input the 'javascript:' URI, which could cause cross-site scripting (XSS). It is recommended to disallow 'javascript:' URIs within your application.
returntocorpthis rule has been deprecated.
returntocorpDetection of $HTML from non-constant definition. This can inadvertently expose users to cross-site scripting (XSS) attacks if this comes from user-provided input. If you have to use $HTML, consider using a sanitization library such as DOMPurify to sanitize your HTML.
returntocorpUnencrypted request over HTTP detected.
returntocorpOverwriting `transformLinkUri` or `transformImageUri` to something insecure, or turning `allowDangerousHtml` on, or turning `escapeHtml` off, will open the code up to XSS vectors.
returntocorpUser data from `$REQ` is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpThis code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.
returntocorpThe libxml library processes user-input with the `noent` attribute is set to `true` which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set `noent` to `false` when using this feature to ensure you are protected.
returntocorpDetected use of parseXml() function with the `noent` field set to `true`. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.
returntocorpThe application redirects to a URL specified by user-supplied input `$REQ` that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.
returntocorpThe application processes user-input, this is passed to res.sendFile which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.
returntocorpThe following function call $SER.$FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().
returntocorpDetected a sequelize statement that is tainted by user-input. This could lead to SQL injection if the variable is user-controlled and is not properly sanitized. In order to prevent SQL injection, it is recommended to use parameterized queries or prepared statements.
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
returntocorpDetected user input flowing into a manually constructed HTML string. You may be accidentally bypassing secure methods of rendering HTML by manually constructing HTML and this could create a cross-site scripting vulnerability, which could let attackers steal sensitive user data. To be sure this is safe, check that the HTML is rendered safely. Otherwise, use templates which will safely render HTML instead.
returntocorpPossibility of prototype polluting assignment detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
returntocorpThis rule is deprecated.
returntocorpPossibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
returntocorpA hardcoded password in plain text is identified. Store it properly in an environment variable.
returntocorpA hardcoded secret is identified. Store it properly in an environment variable.
returntocorpA hardcoded username in plain text is identified. Store it properly in an environment variable.
returntocorpA hardcoded API Key is identified. Store it properly in an environment variable.
returntocorpX-Frame-Options header is present. More information: https://helmetjs.github.io/docs/frameguard/
returntocorpX-DNS-Prefetch-Control header is present and DNS Prefetch Control is enabled. More information: https://helmetjs.github.io/docs/dns-prefetch-control/
returntocorpDefault X-Powered-By is removed or modified. More information: https://helmetjs.github.io/docs/hide-powered-by/
returntocorpHSTS header is present. More information: https://helmetjs.github.io/docs/hsts/
returntocorpReferrer-Policy header is present. More information: https://helmetjs.github.io/docs/referrer-policy/
returntocorpX-XSS-Protection header is present. More information: https://helmetjs.github.io/docs/xss-filter/
returntocorpConsider changing the default session cookie name. An attacker can use it to fingerprint the server and target attacks accordingly.
returntocorpDefault session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.
returntocorpDefault session middleware settings: `sameSite` attribute is not configured to strict or lax. These configurations provides protection against Cross Site Request Forgery attacks.
returntocorpDefault session middleware settings: `httpOnly` not set. It ensures the sensitive cookies cannot be accessed by client side JavaScript and helps to protect against cross-site scripting attacks.
returntocorpDefault session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.
returntocorpDefault session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.
returntocorpDefault session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies.
returntocorpAccess-Control-Allow-Origin response header is set to "*". This will disable CORS Same Origin Policy restrictions.
returntocorpUser controlled data in XML Parsers can result in XML Internal Entity Processing vulnerabilities like in DoS.
returntocorpUser controlled data in xpath.parse() can result in XPATH injection vulnerability.
returntocorpMarkup escaping disabled. This can be used with some template engines to escape disabling of HTML entities, which can lead to XSS attacks.
returntocorpUntrusted User Input in Response will result in Reflected Cross Site Scripting Vulnerability.
returntocorpthis rule has been deprecated.
returntocorpthis rule has been deprecated.
returntocorpCannot determine what '$UNK' is and it is used with a '<script>' tag. This could be susceptible to cross-site scripting (XSS). Ensure '$UNK' is not externally controlled, or sanitize this data.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpMake sure that unverified user data can not reach `vm2`.
returntocorpIf unverified user data can reach the XML Parser it can result in XML External or Internal Entity (XXE) Processing vulnerabilities
returntocorpDetected the use of a regular expression `$REDOS` which appears to be vulnerable to a Regular expression Denial-of-Service (ReDoS). For this reason, it is recommended to review the regex and ensure it is not vulnerable to catastrophic backtracking, and if possible use a library which offers default safety against ReDoS vulnerabilities.
returntocorp`$STR.replace` method will only replace the first occurrence when used with a string argument ($CHAR). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.
returntocorpUsing non-static data to retrieve and run functions from the object is dangerous. If the data is user-controlled, it may allow executing arbitrary code.
returntocorpThis rule is deprecated.
The application was found calling the `new Buffer` constructor which has been deprecated since Node 8. By passing in a non-literal value, an adversary could allocate large amounts of memory. Other issues also exist with the `Buffer` constructor: - Older versions would return uninitialized memory, which could contain sensitive information - Unable to easily determine what a Buffer contained if passed a non-literal value To remediate this issue, use `Buffer.alloc` or `Buffer.from` instead to allocate a new `Buffer`. Example using `Buffer.alloc` instead of `new Buffer(...)`: ``` // Create a new buffer using Buffer.from const buf = Buffer.from([1, 2, 3, 4]); // Work with buf ``` For more information on migrating to `Buffer.from()`/`Buffer.alloc()` see: - https://nodejs.org/en/docs/guides/buffer-constructor-deprecation
Depending on the context, generating weak random numbers may expose cryptographic functions, which rely on these numbers, to be exploitable. When generating numbers for sensitive values such as tokens, nonces, and cryptographic keys, it is recommended that the `randomBytes` method of the `crypto` module be used instead of `pseudoRandomBytes`. Example using `randomBytes`: ``` // Generate 256 bytes of random data const randomBytes = crypto.randomBytes(256); ``` For more information on JavaScript Cryptography see: https://nodejs.org/api/crypto.html#cryptorandombytessize-callback
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpDetected the use of require(variable). Calling require with a non-literal argument might allow an attacker to load and run arbitrary code, or access arbitrary files.
returntocorpThe use of $translateProvider.translations method can be dangerous if user input is provided to this API.
returntocorpDon’t use the default session cookie name Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.
returntocorpDefault session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS.
returntocorpDefault session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.
returntocorpDefault session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.
returntocorpNo token revoking configured for `express-jwt`. A leaked token could still be used and unable to be revoked. Consider using function as the `isRevoked` option.
returntocorpPossible writing outside of the destination, make sure that the target path is nested in the intended destination
returntocorpXml Parser is used inside Request Event. Make sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities
returntocorpIt looks like '$UNK' is read from user input and it is used to as a redirect. Ensure '$UNK' is not externally controlled, otherwise this is an open redirect.
returntocorpThe Mustache escape function is being overwritten. This could bypass HTML escaping safety measures built into the rendering engine, exposing your application to cross-site scripting (XSS) vulnerabilities. If you need unescaped HTML, use the triple brace operator in your template: '{{{ ... }}}'.
returntocorpFound an insecure gRPC connection. This creates a connection without encryption to a gRPC client/server. A malicious attacker could tamper with the gRPC message, which could compromise the machine.
returntocorpThe object is passed strictly to jose.JWT.sign(...) Make sure that sensitive information is not exposed through JWT token payload.
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpfindDOMNode is an escape hatch used to access the underlying DOM node. In most cases, use of this escape hatch is discouraged because it pierces the component abstraction.
returntocorpBy declaring a styled component inside the render method of a react component, you are dynamically creating a new component on every render. This means that React will have to discard and re-calculate that part of the DOM subtree on each subsequent render, instead of just calculating the difference of what changed between them. This leads to performance bottlenecks and unpredictable behavior.
returntocorpLegacy component lifecycle was detected - $METHOD.
returntocorpInsufficient permissions to view rule definition. This rule is only visible to logged in users. Log in to see this rule.
returntocorpBy setting `allErrors: true` in `Ajv` library, all error objects will be allocated without limit. This allows the attacker to produce a huge number of errors which can lead to denial of service. Do not use `allErrors: true` in production.
returntocorpBracket object notation with user input is present, this might allow an attacker to access all properties of the object and even it's prototype. Use literal values for object properties.
returntocorpBy letting user input control CORS parameters, there is a risk that software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.
returntocorpBy letting user input control `X-Frame-Options` header, there is a risk that software does not properly verify whether or not a browser should be allowed to render a page in an `iframe`.
returntocorpDetected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.
returntocorpDisabling Escaping in Handlebars is not a secure behaviour. This can introduce XSS vulnerabilities.
returntocorpThe use of $sce.trustAs can be dangerous if unsanitized user input flows through this API.
returntocorpThe use of $sce.trustAsResourceUrl can be dangerous if unsanitized user input flows through this API.
returntocorpThe use of $sce.trustAsUrl can be dangerous if unsanitized user input flows through this API.
returntocorpIf unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `puppeteer` methods it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `phantom` methods it can result in Server-Side Request Forgery vulnerabilities
returntocorpIf unverified user data can reach the `wkhtmltopdf` methods it can result in Server-Side Request Forgery vulnerabilities
returntocorpMake sure that unverified user data can not reach the XML Parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities
returntocorpIf an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.
returntocorpthis rule has been deprecated.
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
returntocorpA hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
returntocorpDetected calls to child_process from a function argument `$FUNC`. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.
returntocorpThe MD5 hashing algorithm is considered to be weak. If this is used in any sensitive operation such as password hashing, or is used to ensure data integrity (collision sensitive) then you should use a stronger hashing algorithm. For passwords, consider using `Argon2id`, `scrypt`, or `bcrypt`. For data integrity, consider using `SHA-256`
returntocorpIt looks like no matter how $CONDITION is evaluated, this expression returns $ANS. This is probably a copy-paste error.
returntocorpDetected a call to `$FUNC()` in an attempt to HTML escape the string `$STR`. Manually sanitizing input through a manually built list can be circumvented in many situations, and it's better to use a well known sanitization library such as `sanitize-html` or `DOMPurify`.
returntocorpA CSRF middleware was not detected in your express application. Ensure you are either using one such as `csurf` or `csrf` (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.
returntocorpDirectory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.
returntocorpDetected usage of the `notevil` package, which is unmaintained and has vulnerabilities. Using any sort of `eval()` functionality can be very dangerous, but if you must, the `eval` package is an up to date alternative. Be sure that only trusted input reaches an `eval()` function.
returntocorpThe following request $REQUEST.$METHOD() was found to be crafted from user-input `$REQ` which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user-input to craft the base request, but to be treated as part of the path or query parameter. When user-input is necessary to craft the request, it is recommeneded to follow OWASP best practices to prevent abuse.
returntocorpDetected a hardcoded hmac key. Avoid hardcoding secrets and consider using an alternate option such as reading the secret from a config file or using an environment variable.
returntocorpUser controlled URL in http client libraries can result in Server Side Request Forgery (SSRF).
returntocorpHardcoded JWT secret or private key was found. Store it properly in an environment variable.
returntocorpHardcoded JWT secret was found. Store it properly in an environment variable.
returntocorpAlgorithm is set to none for JWT token. This can nullify the integrity of JWT signature.
returntocorpLayer7 Denial of Service. Looping over user controlled objects can result in DoS.
returntocorpUser controlled data is used for application business logic decision making. This expose protected data or functionality.
returntocorpUntrusted user input in findOne() function can result in NoSQL Injection.
returntocorpUntrusted user input in MongoDB $where operator can result in NoSQL JavaScript Injection.
returntocorpUntrusted user input in redirect() can result in Open Redirect vulnerability.
returntocorp