Q
Detector Library
PHP detectors (34/34)
Server Side Request ForgerySQL InjectionActivated Debug FeatureSensitive information leakLog InjectionOrigins-verified cross-origin communicationsCross-site scriptingDangerous Function UsagePath TraversalAvoiding Exceptions in PHPOS command injectionIncorrect ComparisonLdap Bind Without PasswordSendfile InjectionAssert UseLoose file permissionsImproper AuthenticationInsecure connectionWeak Random Number GenerationOpen RedirectAllow Url Fopen Or IncludeInsecure cryptographyObject Input Stream Insecure DeserializationCookie Without Http Only FlagCode InjectionZip bomb attackUnsafe ReflectionSecure Signal HandlingDeserialization of untrusted dataStatic Initialization Vector (IV)Coral Csrf RuleInsecure cookieImproper access controlInsecure Object Attribute Modification
PHP detectors
Showing all detectors for the PHP language.
Browse all detectors
Server Side Request Forgery
The web server lacks proper validation when processing a URL or comparable request from an upstream component, creating a potential security risk associated with the function and its payload.
SQL Injection
The use of untrusted inputs in a SQL database query can enable attackers to read, modify, or delete sensitive data in the database.
Activated Debug Feature
Set
APP_DEBUG = false in production to avoid exposing debug settings.Sensitive information leak
The
phpinfo function may reveal sensitive information about your environment.Log Injection
Improper Output Neutralization for Logs.
Origins-verified cross-origin communications
Unverified origins of messages and identities in cross-origin communications can lead to security vulnerabilities.
Cross-site scripting
Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.
Dangerous Function Usage
Identifies the use of deprecated
Mcrypt functions in PHP, encouraging a switch to secure alternatives.Path Traversal
Creating file paths from untrusted input might give a malicious actor access to sensitive files.
Avoiding Exceptions in PHP
Maintaining application stability with graceful PHP exits and exceptional handling.
OS command injection
OS command injection from untrusted input.
Incorrect Comparison
Secure comparison type safety recommendation.
Ldap Bind Without Password
Uncovered an anonymous LDAP bind,posing a risk of unauthorized execution of LDAP statements. Strengthen LDAP security with authentication enforcement.
Sendfile Injection
Functions require input validation and sanitization to prevent security risks from untrusted user data.
Assert Use
Executing assert with user-provided input is comparable to invoking dynamic code evaluations.
Loose file permissions
Weak file permissions can lead to privilege escalation.
Improper Authentication
The
wp_ajax_priv_upload and wp_ajax_nopriv_upload hooks allow developers to define callbacks for authenticated and anonymous AJAX requests.Insecure connection
Connections that use insecure protocols transmit data in cleartext, which can leak sensitive information.
Weak Random Number Generation
Use secure random functions like
random_bytes() instead of non-cryptographic PRNGs in security code.Open Redirect
Redirecting to the current request URL might direct to another domain if the current path begins with two slashes.
Allow Url Fopen Or Include
Using unvalidated URLs with allow_url_fopen enables server-side request forgery attacks.
Insecure cryptography
Use of a broken or risky cryptographic algorithm identified as weak.
Object Input Stream Insecure Deserialization
Sanitize user input to prevent PHP object injection vulnerabilities from direct injection without sanitization.
Cookie Without Http Only Flag
Sensitive cookie without 'HttpOnly' flag
Code Injection
Avoid running dynamic commands to prevent command injection vulnerabilities.
Zip bomb attack
Expanding unverified archive files without controlling the size of the expanded data can lead to zip bomb attacks.
Unsafe Reflection
Use of externally-controlled input in reflection.
Secure Signal Handling
Ensure secure coding by validating process signaling parameters to prevent application instability and potential denial of services.
Deserialization of untrusted data
Deserialization of untrusted data can lead to security vulnerabilities, such as inadvertently running remote code.
Static Initialization Vector (IV)
Using a static initialization vector (IV) for a cryptographic cipher is security sensitive.
Coral Csrf Rule
Modify input validation check to guarantee expected behavior for all inputs, not just an invalid assumption that causes errors.
Insecure cookie
Insecure cookies can lead to unencrypted transmission of sensitive data.
Improper access control
The software does not restrict or incorrectly restrict access to a resource from an unauthorized actor.
Insecure Object Attribute Modification
Overrides Eloquent's mass assignment protections by setting $guarded to empty array.