Security detectors

Insecure cookie

Insecure cookies can lead to unencrypted transmission of sensitive data.

Cookie Without Http Only Flag

Sensitive cookie without 'HttpOnly' flag

Improper Authentication

Improper authentication results from insufficient verification of a user's identity.

Cryptographic key generator

Insufficient key sizes can lead to brute force attacks.

Weak pseudorandom number generation

Insufficiently random generators (or hardcoded seeds) can make pseudorandom sequences predictable.

Path traversal

Creating file paths from untrusted input might give a malicious actor access to sensitive files.

Cross-site scripting

Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.

Reusing Nonce and key in encryption

A GCM cipher with a reused initialization vector is detected.

Code Injection

Code injection occurs when an application executes untrusted code from an attacker.

Server-side request forgery

Server-side request forgery (SSRF) is a vulnerability that allows an attacker to manipulate a web application to make unintended requests from the server.

Cross-site request forgery

Insecure configuration can lead to a cross-site request forgery (CSRF) vulnerability.

Log injection

Using untrusted inputs in a log statement can enable attackers to break the log's format, forge log entries, and bypass log monitors.

Hardcoded credentials

Hardcoded credentials can be intercepted by malicious actors.

Null Pointer Dereference

Dereferencing a null pointer can lead to unexpected null pointer exceptions.

Insecure hashing

Obsolete, broken, or weak hashing algorithms can lead to security vulnerabilities.

Missing encryption of sensitive data

The product does not encrypt sensitive or critical information before storage or transmission.

Improper verification of Intent

An intent receiver method is registered without specifying any broadcast permission.

Insecure connection using unencrypted protocol

Connections that use insecure protocols transmit data in cleartext, which can leak sensitive information.

OS Command Injection

Unintended system commands might be executed through user input.

Insecure Bean Validation

Passing user-controlled input directly to bean validation APIs can lead to code injection attacks.

SQL injection

Use of untrusted inputs in an SQL database query can enable attackers to read, modify, or delete sensitive data in the database.

Incorrect Type Conversion

Failure to properly transform an object, resource, or structure from one type to a safer one.