Q
Detector Library
JSX detectors (78/78)
Protection mechanism failureLog injectionInsecure connection using unencrypted protocolUse of a deprecated methodAWS credentials loggedImproper input validationInsecure cryptographyCatch and swallow exceptionFile and directory information exposureOrigins-verified cross-origin communicationsSQL injectionNon-literal regular expressionTypeof expressionBatch request with unchecked failuresPseudorandom number generatorsCryptographic key generatorServer-side request forgerySensitive information leakFile injectionString passed to `setInterval` or `setTimeout`Cross-site request forgeryUsage of an API that is not recommendedTainted input for Docker APICross-site scriptingWeak obfuscation of web requestsUnauthenticated Amazon SNS unsubscribe requests might succeedSet SNS Return Subscription ARNXML external entityResource leakImproper access controlLoose file permissionsOS command injectionClient-side KMS reencryptionInsecure CORS policyInefficient polling of AWS resourceNew function detectedMissing paginationAvoid nan in comparisonHeader injectionHardcoded credentialsFile extension validationNoSQL injectionMissing Amazon S3 bucket owner conditionDisabled HTML autoescapeLeast privilege violationURL redirection to untrusted siteInsufficiently protected credentialsInsecure hashingUnsanitized input is run as codeCheck failed records when using kinesisUntrusted Amazon Machine ImagesSession fixationData loss in a batch requestXPath injectionDeserialization of untrusted objectInvoke super appropriatelyStack trace exposureTiming attackLDAP injectionInsecure cookieSensitive data stored unencrypted due to partial encryptionUnvalidated expansion of archive filesInteger overflowSNS don't bind subscribe and publishUnverified hostnameImproper restriction of rendered UI layers or framesAWS client not reused in a Lambda functionPath traversalOverride of reserved variable names in a Lambda functionInsecure temporary file or directoryLogging of sensitive informationHardcoded IP addressInsecure object attribute modificationNumeric truncation errorDNS prefetchingLimit request lengthSendfile injectionImproper certificate validation
Tag: injection
Log injection
Using untrusted inputs in a log statement can enable attackers to break the log's format, forge log entries, and bypass log monitors.
Improper input validation
Improper input validation can enable attacks and lead to unwanted behavior.
SQL injection
The use of untrusted inputs in a SQL database query can enable attackers to read, modify, or delete sensitive data in the database.
Server-side request forgery
Insufficient sanitization of potentially untrusted URLs on the server side can allow server requests to unwanted destinations.
File injection
Writing unsanitized user data to a file is unsafe.
Cross-site request forgery
Insecure configuration can lead to a cross-site request forgery (CRSF) vulnerability.
Cross-site scripting
Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.
XML external entity
Objects that parse or handle XML can lead to XML external entity (XXE) attacks when they are misconfigured.
OS command injection
Constructing operating system or shell commands with unsanitized user input can lead to inadvertently running malicious code.
New function detected
Use of
new Function() can be dangerous if used to evaluate dynamic content.Header injection
Constructing HTTP response headers from user-controlled data is unsafe.
NoSQL injection
User input can be vulnerable to injection attacks.
Unsanitized input is run as code
Scripts generated from unsanitized inputs can lead to malicious behavior and inadvertently running code remotely.
Untrusted Amazon Machine Images
Improper filtering of Amazon Machine Images (AMIs) can result in loading an untrusted image, which is a potential security vulnerability.
XPath injection
Potentially unsanitized user input in XPath queries can allow an attacker to control the query in unwanted or insecure ways.
Deserialization of untrusted object
Deserialization of untrusted objects can lead to security vulnerabilities such as, inadvertently running remote code.
LDAP injection
LDAP queries that rely on potentially untrusted inputs can allow attackers to read or modify sensitive data, run code, and perform other unwanted actions.
Path traversal
Creating file paths from untrusted input might give a malicious actor access to sensitive files.