Security
express-sandbox-code-injection
Make sure that unverified user data cannot reach sandbox.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
x-frame-options-misconfiguration
By letting user input control the X-Frame-Options header, there is a risk that the software does not properly verify whether or not a browser should be allowed to render a page in an iframe.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-451: User Interface (UI) Misrepresentation of Critical Information
OWASP:
- A04:2021 - Insecure Design
require-request
If an attacker controls the x in require(x), then they can cause code to load that was not intended to run on the server.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-706: Use of Incorrectly-Resolved Name or Reference
OWASP:
- A01:2021 - Broken Access Control
express-data-exfiltration
Depending on the context, user-controlled data in Object.assign can cause the web response to include data that it should not have, or can lead to a mass assignment vulnerability.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP:
- A08:2021 - Software and Data Integrity Failures
express-expat-xxe
Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
express-wkhtmltoimage-injection
If unverified user data can reach the phantom methods, it can result in Server-Side Request Forgery vulnerabilities.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
express-wkhtmltopdf-injection
If unverified user data can reach the wkhtmltopdf methods, it can result in Server-Side Request Forgery vulnerabilities.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
express-puppeteer-injection
If unverified user data can reach the puppeteer methods, it can result in Server-Side Request Forgery vulnerabilities.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
cors-misconfiguration
By letting user input control CORS parameters, there is a risk that the software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-346: Origin Validation Error
OWASP:
- A07:2021 - Identification and Authentication Failures
express-xml2json-xxe
Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
express-vm-injection
Make sure that unverified user data cannot reach $VM.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
express-jwt-hardcoded-secret
A hard-coded credential was detected. It is not recommended to store credentials in source code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials, or to retrieve credentials from a secure vault or HSM (Hardware Security Module).
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-798: Use of Hard-coded Credentials
OWASP:
- A07:2021 - Identification and Authentication Failures
express-phantom-injection
If unverified user data can reach the phantom methods, it can result in Server-Side Request Forgery vulnerabilities.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
express-insecure-template-usage
User data from $REQ is being compiled into the template, which can lead to a Server-Side Template Injection (SSTI) vulnerability.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
OWASP:
- A03:2021 - Injection
- A01:2017 - Injection
express-vm2-injection
Make sure that unverified user data cannot reach vm2.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection