Amazon QDetector Library Sign in to Amazon Q

Q

Detector Library

Java detectors (132/132)

Reflected cross site scripting Mandatory method not called after object creation Process empty record list in Amazon KCL AWS object presence check Missing timeout check on CountDownLatch.await Unspecified default value Device Permission Usage.Deserialization of untrusted object Preserve thread interruption status rule Missing check on the value returned by moveToFirst API Missing timeout check on ExecutorService.awaitTermination Overflow when deserializing relational database objects Custom manual retries of AWS SDK calls Missing null check for cache response metadata Inefficient usage of Transaction library from AWS Labs Insecure connection using unencrypted protocol Inefficient additional authenticated data (AAD) authenticity Use of a deprecated method Error-prone AWS IAM policy creation Use of externally-controlled input to build connection string Inefficient Amazon S3 manual pagination Mutually exclusive call AWS Lambda client not reused Missing check on the result of createNewFile Sensitive data stored unencrypted due to partial encryption Missing statement to record cause of InvocationTargetException Misconfigured Concurrency Inefficient polling of AWS resource Improper Initialization Unexpected re-assignment of synchronized objects XPath injection AWS client not reused in a Lambda function Long polling is not enabled in Amazon SQS Insecure temporary file or directory HTTP response splitting Input and output values become out of sync Server-side request forgery Missing Authorization for address id Do not catch and throw exception Concurrency deadlock Not recommended aws credentials classes Path traversal Override of reserved variable names in a Lambda function Missing byte array length of JSON parser Usage of an API that is not recommended Hardcoded credentials Insecure JSON web token (JWT) parsing Not calling finalize causes skipped cleanup steps Unchecked S3 object metadata content length Untrusted data in security decision Permissive cors configuration rule Insecure cookie Resource leak XML External Entity Bad parameters used with AWS API methods Missing position check before getting substring LDAP injection Avoid reset exception in Amazon S3 Insecure hashing Backward compatibility breaks with error message parsing Inefficient map entry iteration Missing S3 bucket owner condition AWS DynamoDB getItem output is not null checked Invalid public method parameters Log injection Sensitive information leak Usage of multiple date time pattern formatter Synchronous publication of AWS Lambda metrics XML External Entity Document Builder Factory Improper use of classes that aren't thread-safe Incorrect null check before setting a value Insufficient use of name in Amazon SQS queue Missing check on the value returned by ResultSet.next Insecure TLS version Unsanitized input is run as code Use an enum to specify an AWS Region Improperly formatted string arguments Improper service shutdown Unrestricted upload of dangerous file type Untrusted AMI images Insecure SAML parser configuration Cross-site request forgery Case sensitive keys in S3 object user metadata Stack trace not included in re-thrown exception Region specification missing from AWS client initialization Insufficient number of PBEKeySpec iterations URL redirection to untrusted site Use of externally-controlled input to select classes or code Missing encryption of sensitive data in storage Ignored output of DynamoDBMapper operations Null pointer dereference Cross-site scripting Unauthenticated LDAP requests Use of inefficient APIs Low maintainability with old Android features Atomicity violation Missing handling of specifically-thrown exceptions Weak obfuscation of web request Clear text credentials Session fixation Catching and not re-throwing or logging exceptions Missing check when launching an Android activity with an implicit intent Client constructor deprecation Inefficient use of stream sorting Arithmetic overflow or underflow Simplifiable code Loose file permissions Manual pagination Incorrect string equality operator Inefficient chain of AWS API calls OS command injection Internationalization Code clone SQL injection Missing check on method output Missing pagination Resources used by an Amazon S3 TransferManager are not released Insecure cryptography Missing timezone of SimpleDateFormat Low maintainability with low class cohesion Oversynchronization Infinite loop Batch operations preferred over looping Object Input Stream Insecure Deserialization Weak pseudorandom number generation Insecure CORS policy Missing handling of file deletion result Amazon SQS message visibility changed without a status check State machine execution ARN is not logged Client-side KMS reencryption Use Stream::anyMatch instead of Stream::findFirst or Stream::findAny Batch request with unchecked failures

Tag: injection

Reflected cross site scripting

Rule to detect reflected XSS.

Deserialization of untrusted object

Deserialization of untrusted objects can lead to security vulnerabilities such as, inadvertently running remote code.

Use of externally-controlled input to build connection string

Use of unsanitized user input to build connection strings can allow attackers to bypass security checks and access restricted resources.

XPath injection

Potentially unsanitized user input in XPath queries can allow an attacker to control the query in unwanted or insecure ways.

HTTP response splitting

Passing data from an untrusted source into a cookie or web response might expose the user to HTTP response splitting attacks.

Server-side request forgery

Insufficient sanitization of potentially untrusted URLs on the server side can allow server requests to unwanted destinations.

Path traversal

Creating file paths from untrusted input might give a malicious actor access to sensitive files.

Untrusted data in security decision

Security decisions should not depend on branching that can be influenced by untrusted or client-provided data.

XML External Entity

Objects that parse or handle XML can lead to XML External Entity (XXE) attacks when misconfigured.

LDAP injection

LDAP queries that rely on potentially untrusted inputs can allow attackers to read or modify sensitive data, run code, and perform other unwanted actions.

Invalid public method parameters

Public method parameters should be validated for nullness, unexpected values, and malicious values.

Log injection

Using untrusted inputs in a log statement can enable attackers to break the log's format, forge log entries, and bypass log monitors.

XML External Entity Document Builder Factory

Objects that parse or handle XML in XML document can lead to XML External Entity (XXE) attacks when misconfigured.

Unsanitized input is run as code

Scripts generated from unsanitized inputs can lead to malicious behavior and inadvertently running code remotely.

Unrestricted upload of dangerous file type

Insufficiently restrictive file uploads can lead to inadvertently running malicious code.

Cross-site request forgery

Insecure configuration can lead to a cross-site request forgery (CRSF) vulnerability.

Use of externally-controlled input to select classes or code

Use of unsanitized external input in reflection can allow attackers to bypass security checks and run malicious code.

Cross-site scripting

Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.

OS command injection

Constructing operating system or shell commands with unsanitized user input can lead to inadvertently running malicious code.

SQL injection

Use of untrusted inputs in SQL database query can enable attackers to read, modify, or delete sensitive data in the database

Object Input Stream Insecure Deserialization

Deserialization of untrusted data without sufficiently verifying that the resulting data will be valid.