Amazon QDetector Library Sign in to Amazon Q

Q

Detector Library

JavaScript detectors (78/78)

Improper access control Sensitive data stored unencrypted due to partial encryption Pseudorandom number generators OS command injection URL redirection to untrusted site Integer overflow Protection mechanism failure Non-literal regular expression Tainted input for Docker API Usage of an API that is not recommended XML external entity Server-side request forgery New function detected Stack trace exposure Timing attack SNS don't bind subscribe and publish Invoke super appropriately NoSQL injection Hardcoded credentials Insecure cookie Cross-site scripting Hardcoded IP address AWS credentials logged XPath injection Data loss in a batch request Path traversal Least privilege violation DNS prefetching Resource leak Insufficiently protected credentials File extension validation Insecure connection using unencrypted protocol Cross-site request forgery Typeof expression Set SNS Return Subscription ARN File and directory information exposure Missing Amazon S3 bucket owner condition Insecure hashing Numeric truncation error Client-side KMS reencryption AWS client not reused in a Lambda function LDAP injection Batch request with unchecked failures Cryptographic key generator Unauthenticated Amazon SNS unsubscribe requests might succeed Unverified hostname Origins-verified cross-origin communications Loose file permissions Unsanitized input is run as code Missing pagination Untrusted Amazon Machine Images Improper certificate validation Insecure CORS policy Deserialization of untrusted object Sensitive information leak Check failed records when using kinesis Weak obfuscation of web requests Catch and swallow exception Logging of sensitive information Limit request length String passed to `setInterval` or `setTimeout`Log injection Override of reserved variable names in a Lambda function Improper restriction of rendered UI layers or frames Insecure cryptography Insecure object attribute modification Session fixation Avoid nan in comparison Improper input validation Disabled HTML autoescape Use of a deprecated method Unvalidated expansion of archive files File injection Sendfile injection SQL injection Header injection Insecure temporary file or directory Inefficient polling of AWS resource

Tag: top25-cwes

OS command injection

Constructing operating system or shell commands with unsanitized user input can lead to inadvertently running malicious code.

URL redirection to untrusted site

User-controlled input that specifies a link to an external site could lead to phishing attacks and allow user credentials to be stolen.

Integer overflow

An integer overflow might cause security issues when it is used for resource management or execution control.

XML external entity

Objects that parse or handle XML can lead to XML external entity (XXE) attacks when they are misconfigured.

Server-side request forgery

Insufficient sanitization of potentially untrusted URLs on the server side can allow server requests to unwanted destinations.

NoSQL injection

User input can be vulnerable to injection attacks.

Cross-site scripting

Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.

Path traversal

Creating file paths from untrusted input might give a malicious actor access to sensitive files.

Resource leak

Allocated resources are not released properly.

Cross-site request forgery

Insecure configuration can lead to a cross-site request forgery (CRSF) vulnerability.

Loose file permissions

Weak file permissions can lead to privilege escalation.

Unsanitized input is run as code

Scripts generated from unsanitized inputs can lead to malicious behavior and inadvertently running code remotely.

Deserialization of untrusted object

Deserialization of untrusted objects can lead to security vulnerabilities such as, inadvertently running remote code.

Sensitive information leak

Exposure of sensitive information can lead to an unauthorized actor having access to the information.

Weak obfuscation of web requests

Weak obfuscation of web requests makes your application vulnerable.

Improper input validation

Improper input validation can enable attacks and lead to unwanted behavior.

Sendfile injection

The software allows user input to control or influence paths or file names that are used in file system operations.

SQL injection

The use of untrusted inputs in a SQL database query can enable attackers to read, modify, or delete sensitive data in the database.