Security
Make sure that unverified user data cannot reach sandbox.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
By letting user input control the X-Frame-Options header, there is a risk that the software does not properly verify whether or not a browser should be allowed to render a page in an iframe.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-451: User Interface (UI) Misrepresentation of Critical Information
OWASP:
- A04:2021 - Insecure Design
If an attacker controls the x in require(x) then they can cause code to load that was not intended to run on the server.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-706: Use of Incorrectly-Resolved Name or Reference
OWASP:
- A01:2021 - Broken Access Control
Depending on the context, user-controlled data in Object.assign can cause the web response to include data that it should not, or can lead to a mass assignment vulnerability.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP:
- A08:2021 - Software and Data Integrity Failures
Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) processing vulnerabilities.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
If unverified user data can reach the phantom methods, it can result in Server-Side Request Forgery vulnerabilities.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
If unverified user data can reach the wkhtmltopdf methods, it can result in Server-Side Request Forgery vulnerabilities.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
If unverified user data can reach the puppeteer methods, it can result in Server-Side Request Forgery vulnerabilities.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
By letting user input control CORS parameters, there is a risk that the software does not properly verify that the source of data or communication is valid. Use literal values for CORS settings.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-346: Origin Validation Error
OWASP:
- A07:2021 - Identification and Authentication Failures
Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) processing vulnerabilities.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
Make sure that unverified user data cannot reach $VM.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
A hard-coded credential was detected. It is not recommended to store credentials in source code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials, or to retrieve credentials from a secure vault or HSM (Hardware Security Module).
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-798: Use of Hard-coded Credentials
OWASP:
- A07:2021 - Identification and Authentication Failures
If unverified user data can reach the phantom methods, it can result in Server-Side Request Forgery vulnerabilities.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
User data from $REQ is being compiled into the template, which can lead to a Server Side Template Injection (SSTI) vulnerability.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
OWASP:
- A03:2021 - Injection
- A01:2017 - Injection
Make sure that unverified user data cannot reach vm2.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection