Audit
No token revoking configured for express-jwt. A leaked token could still be used and could not be revoked. Consider using a function as the isRevoked option.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
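An added example of the isRevoked option described above; this is not code from the rule database or from express-jwt. It assumes the express-jwt v7+ option shape, where isRevoked is an async (req, token) => boolean callback and token is { header, payload }. The deny-list is a constructed in-memory stand-in for a shared store such as Redis.

```javascript
// Added example, not code from the rule database or from express-jwt. Assumes the
// express-jwt v7+ option shape: `isRevoked` is an async (req, token) => boolean callback
// and `token` is { header, payload }. The deny-list below is a constructed stand-in for
// a shared store such as Redis.

const revokedJti = new Set(); // constructed: `jti` claims of tokens revoked before they expire

// Mark one token as revoked (logout, password change, suspected leak). A real store would
// expire each entry when the token itself expires, so the deny-list never grows unbounded.
function revokeToken(jti) {
  revokedJti.add(jti);
}

// Synchronous core of the check, so it can be exercised without an event loop.
function tokenIsRevoked(token) {
  const jti = token && token.payload && token.payload.jti;
  // A token that carries no `jti` cannot be revoked individually; treat it as revoked so
  // that revocation is never silently impossible for some tokens.
  if (typeof jti !== 'string' || jti.length === 0) return true;
  return revokedJti.has(jti);
}

// The callback in the shape express-jwt expects; `req` is unused here but part of the signature.
async function isRevoked(req, token) {
  return tokenIsRevoked(token);
}

// Options as they would be passed to expressjwt(...). The secret is a placeholder: load it
// from configuration, never from source.
const jwtOptions = {
  secret: process.env.JWT_SECRET || 'PLACEHOLDER_SECRET_DO_NOT_SHIP',
  algorithms: ['HS256'],
  isRevoked,
};

// Wiring, left commented so the example runs without the package installed:
// const { expressjwt } = require('express-jwt');
// app.use('/api', expressjwt(jwtOptions));
```

For this to work, the issuer must put a unique jti claim into every token (the jwtid option of jsonwebtoken's sign), since the deny-list is keyed on it; tokens without one are rejected outright by the check above.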
It looks like ‘UNK’ is read from user input and it is used as a redirect. Ensure ‘UNK’ is not externally controlled, otherwise this is an open redirect.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A01:2021 - Broken Access Control
Directory listing/indexing is enabled, which may lead to disclosure of sensitive directories and files. It is recommended to disable directory listing unless it is a public resource. If you need directory listing, ensure that sensitive files are inaccessible when querying the resource.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-548: Exposure of Information Through Directory Listing
OWASP:
- A06:2017 - Security Misconfiguration
- A01:2021 - Broken Access Control
Don’t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
Default session middleware settings: secure not set. It ensures the browser only sends the cookie over HTTPS.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
Default session middleware settings: httpOnly not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
Default session middleware settings: domain not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
Default session middleware settings: path not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
Default session middleware settings: expires not set. Use it to set the expiration date for persistent cookies.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
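An added example covering the six session rules above (cookie name, secure, httpOnly, domain, path, expires); this is not code from the rule database or from express-session. It assumes the express-session options shape (name, secret, cookie: { ... }) and that the library's default cookie name is "connect.sid". The weak and hardened option objects are constructed, and the audit function reproduces the checks the rules describe so the two can be compared.

```javascript
// Added example, not code from the rule database or from express-session. Assumes the
// express-session options shape and the default cookie name "connect.sid". Both option
// objects are constructed.

const AUDITED_COOKIE_FIELDS = ['secure', 'httpOnly', 'domain', 'path', 'expires'];

// Return the settings from the rules above that an options object leaves unset or
// weakened; an empty list means every audited setting is present.
function auditSessionOptions(options) {
  if (!options || typeof options !== 'object') return ['no session options object'];
  const findings = [];
  if (!options.name || options.name === 'connect.sid') {
    findings.push('name: default session cookie name');
  }
  const cookie = options.cookie && typeof options.cookie === 'object' ? options.cookie : {};
  for (const field of AUDITED_COOKIE_FIELDS) {
    if (cookie[field] === undefined) findings.push('cookie.' + field + ': not set');
  }
  if (cookie.secure === false) findings.push('cookie.secure: explicitly disabled');
  if (cookie.httpOnly === false) findings.push('cookie.httpOnly: explicitly disabled');
  return findings;
}

// Weak: the shape the rules above flag, with everything left at its default.
const weakOptions = {
  secret: process.env.SESSION_SECRET || 'PLACEHOLDER_DO_NOT_SHIP',
};

// Hardened: a non-default name and every audited cookie attribute set explicitly.
// The domain and the one-hour expiry are constructed values.
const hardenedOptions = {
  name: 'sid',
  secret: process.env.SESSION_SECRET || 'PLACEHOLDER_DO_NOT_SHIP',
  resave: false,
  saveUninitialized: false,
  cookie: {
    secure: true,                                   // sent over HTTPS only
    httpOnly: true,                                 // not readable from client-side JavaScript
    domain: 'app.example.com',
    path: '/',
    expires: new Date(Date.now() + 60 * 60 * 1000), // persistent cookie with a bounded lifetime
    sameSite: 'lax',                                // not among the rules above; limits cross-site sending
  },
};

// Wiring, left commented so the example runs without the package installed:
// const session = require('express-session');
// app.use(session(hardenedOptions));
```

If the app sits behind a TLS-terminating proxy, secure: true only works once Express is told to trust the proxy (app.set('trust proxy', 1)); otherwise the cookie is never set because the request appears to arrive over plain HTTP.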
The libxml library processes user input with the noent attribute set to true, which can lead to being vulnerable to XML External Entities (XXE) type attacks. It is recommended to set noent to false when using this feature to ensure you are protected.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
Detected usage of the notevil package, which is unmaintained and has vulnerabilities. Using any sort of eval() functionality can be very dangerous, but if you must, the eval package is an up to date alternative. Be sure that only trusted input reaches an eval() function.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1104: Use of Unmaintained Third Party Components
OWASP:
- A06:2021 - Vulnerable and Outdated Components
Possible writing outside of the destination. Make sure that the target path is nested in the intended destination.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
OWASP:
- A05:2017 - Broken Access Control
- A01:2021 - Broken Access Control
The application redirects to a URL specified by user-supplied input $REQ that is not validated. This could redirect users to malicious locations. Consider using an allow-list approach to validate URLs, or warn users they are being redirected to a third-party website.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’)
OWASP:
- A01:2021 - Broken Access Control
User controllable data $REQ enters $RES.render(...), which can lead to the loading of other HTML/templating pages that the user may not be authorized to render. An attacker may attempt to use directory traversal techniques, e.g. ../folder/index, to access other HTML pages on the file system. Where possible, do not allow users to define what should be loaded in $RES.render, or use an allow list for the existing application.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-706: Use of Incorrectly-Resolved Name or Reference
OWASP:
- A01:2021 - Broken Access Control
The following request REQUEST.METHOD() was found to be crafted from user input $REQ, which can lead to Server-Side Request Forgery (SSRF) vulnerabilities. It is recommended where possible to not allow user input to craft the base request, but to treat it as part of the path or query parameter. When user input is necessary to craft the request, it is recommended to follow OWASP best practices to prevent abuse.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-918: Server-Side Request Forgery (SSRF)
OWASP:
- A10:2021 - Server-Side Request Forgery (SSRF)
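An added example of the allow-list approach recommended by the open redirect rule and the SSRF rule above; this is not code from the rule database. pickAllowedUrl is a helper of my own: it resolves a user-supplied value (the $REQ redirect target, or the base of an outbound request) against an allow-list of origins and returns the normalised absolute URL, or null when the value must be rejected. The allow-list and the application's own origin are constructed.

```javascript
// Added example, not code from the rule database. `pickAllowedUrl` is a helper of my own;
// the allow-list and the application's own origin are constructed values.

const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://docs.example.com']);
const OWN_ORIGIN = 'https://app.example.com';

function pickAllowedUrl(userInput, allowedOrigins = ALLOWED_ORIGINS, base = OWN_ORIGIN) {
  if (typeof userInput !== 'string' || userInput.length === 0) return null;
  // Browsers treat "\" like "/" in URLs, so "\\host" is really protocol-relative;
  // normalise first so the comparison below sees the host a browser would use.
  const candidate = userInput.replace(/\\/g, '/');
  let url;
  try {
    url = new URL(candidate, base); // a relative path resolves against our own origin
  } catch (e) {
    return null;                    // unparsable input is rejected, not passed through
  }
  if (url.protocol !== 'https:') return null;       // rejects data:, javascript:, http: downgrade
  if (!allowedOrigins.has(url.origin)) return null;  // origin = scheme + host + port; userinfo ignored
  return url.href;
}

// Usage in an Express handler (commented so the function runs without a framework):
//   const target = pickAllowedUrl(req.query.next);
//   if (target === null) return res.status(400).send('invalid redirect target');
//   res.redirect(target);
// For SSRF the same helper gates the URL handed to the HTTP client: only origins
// in the allow-list are ever contacted, and the user's value can only add a path or query.
```

Comparing url.origin rather than doing a string prefix check is what defeats inputs such as a permitted host used as userinfo before an @, a protocol-relative //host, or a host that merely starts with the permitted name.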
An XML parser is used inside a request event. Make sure that unverified user data cannot reach the XML parser, as it can result in XML External or Internal Entity (XXE) Processing vulnerabilities.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
A CSRF middleware was not detected in your express application. Ensure you are either using one such as csurf or csrf (see rule references) and/or you are properly doing CSRF validation in your routes with a token or cookies.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
The following function call SER.FUNC accepts user controlled data which can result in Remote Code Execution (RCE) through Object Deserialization. It is recommended to use secure data processing alternatives such as JSON.parse() and Buffer.from().
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-502: Deserialization of Untrusted Data
OWASP:
- A08:2017 - Insecure Deserialization
- A08:2021 - Software and Data Integrity Failures
Bracket object notation with user input is present; this might allow an attacker to access all properties of the object and even its prototype. Use literal values for object properties.
Likelihood: MEDIUM
Confidence: LOW
CWE:
- CWE-522: Insufficiently Protected Credentials
OWASP:
- A02:2017 - Broken Authentication
- A04:2021 - Insecure Design
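An added example for the bracket-notation rule above; this is not code from the rule database. safeGet is a helper of my own that reads a property named by user input only when it is the object's own property, so names such as __proto__ or constructor never reach the prototype chain; lookupByLiteral shows the alternative the rule recommends, a null-prototype table whose keys are fixed literals. The sample objects are constructed.

```javascript
// Added example, not code from the rule database. `safeGet` and `lookupByLiteral` are
// helpers of my own; the sample objects are constructed.

function safeGet(obj, key) {
  if (obj === null || typeof obj !== 'object' || typeof key !== 'string') return undefined;
  // hasOwnProperty excludes everything inherited, including __proto__ and constructor,
  // which plain bracket access would happily return.
  if (!Object.prototype.hasOwnProperty.call(obj, key)) return undefined;
  return obj[key];
}

// Table with no prototype at all: there is nothing inherited for a key to reach.
const FIELD_LABELS = Object.create(null);
FIELD_LABELS.name = 'Full name';
FIELD_LABELS.email = 'E-mail address';

function lookupByLiteral(key) {
  return typeof key === 'string' && key in FIELD_LABELS ? FIELD_LABELS[key] : undefined;
}
```

The same guard matters on writes: obj[userKey] = value with userKey equal to __proto__ pollutes Object.prototype for every object in the process, so assignments keyed on user input should go through a Map or a null-prototype object as above.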
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module).
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-798: Use of Hard-coded Credentials
OWASP:
- A07:2021 - Identification and Authentication Failures
Detected use of parseXml() function with the noent field set to true. This can lead to an XML External Entities (XXE) attack if untrusted data is passed into it.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-611: Improper Restriction of XML External Entity Reference
OWASP:
- A04:2017 - XML External Entities (XXE)
- A05:2021 - Security Misconfiguration
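An added example for the two noent rules above (the libxml rule and the parseXml() rule); this is not code from the rule database or from libxmljs. parseUntrustedXml is a wrapper of my own around a libxmljs-style parseXml(text, options) function: it forces noent: false regardless of what the caller asked for and additionally refuses any document that declares a DTD, since even internal entities can be abused for entity-expansion denial of service. fakeParseXml is a constructed stand-in for the real parser so the example runs offline.

```javascript
// Added example, not code from the rule database or from libxmljs. `parseUntrustedXml`
// is a wrapper of my own; `fakeParseXml` is a constructed stand-in for the real parser.

const DOCTYPE_RE = /<!DOCTYPE/i;

function parseUntrustedXml(xmlText, parseXml, options = {}) {
  if (typeof xmlText !== 'string') throw new TypeError('xml must be a string');
  // No DTD at all for untrusted input: external entities are the XXE vector, and
  // internal entities alone can still be expanded into a denial of service.
  if (DOCTYPE_RE.test(xmlText)) {
    throw new Error('rejected: untrusted XML must not declare a DTD');
  }
  // Copy the caller's options, then pin the setting that governs entity substitution
  // so a caller cannot re-enable it.
  const safeOptions = Object.assign({}, options, { noent: false });
  return parseXml(xmlText, safeOptions);
}

// Constructed stand-in: records the options it received and returns the root element name.
function fakeParseXml(text, options) {
  const m = /^\s*(?:<\?xml[^>]*\?>\s*)?<([A-Za-z_][\w.-]*)/.exec(text);
  return { root: m ? m[1] : null, options: options };
}

// With the real library the call would be:
//   parseUntrustedXml(req.body, require('libxmljs').parseXml)
```

Rejecting the DOCTYPE up front is the conservative choice: it also covers parsers or option spellings where the meaning of the entity flag is easy to get wrong, and legitimate data feeds rarely need a DTD.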
The application processes user input that is passed to res.sendFile, which can allow an attacker to arbitrarily read files on the system through path traversal. It is recommended to perform input validation in addition to canonicalizing the path. This allows you to validate the path against the intended directory it should be accessing.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-73: External Control of File Name or Path
OWASP:
- A04:2021 - Insecure Design