| Bypass Safe-by-Default Framework Output Encoding |
bypass-framework-safe-default-output-encoding |
Ensure framework default output encoding |
| Cookie Secure Flag Not Set |
cookie-secure-flag-not-set |
Ensure cookies are set to secure |
| Dangerous Function Buffer allocUnsafe |
dangerous-function-buffer-alloc-unsafe |
Ensure buffer does not use allocUnsafe |
| Dangerous Function Buffer noAssert |
dangerous-function-buffer-noassert |
Ensure buffer does not use noAssert |
| Dangerous Function Buffer Not Initialized With Literal |
dangerous-function-buffer-non-literal-alloc |
Ensure buffer is initialized with a literal value |
| Dangerous Deserialization |
dangerous-function-deserialization |
Ensure safe deserialization |
| Ensure no raw SQL queries are used despite using an ORM |
dangerous-raw-sql-used-with-orm |
Ensure no raw SQL queries |
| Debugging interface publicly exposed |
debugging-interface-publicly-exposed |
Ensure debug interface is not exposed |
| Uncontrolled data decompression (decompression bomb) |
dos-via-decompression-bomb |
Ensure proper handling of highly compressed data |
| Dynamic Code Injection |
dynamic-code-injection |
Ensure no dynamic code injection |
| Eval With Expression |
eval-with-expression |
Ensure no dynamic eval expression |
| Express Detect No CSRF Before Method Override |
express-detect-no-csrf-before-method-override |
Ensure express detects CSRF before override |
| Insecure Crypto Algorithm |
insecure-crypto-algorithm |
Ensure usage of secure cryptograhic alogrithms |
| JWT Hardcoded Secret Key |
jwt-hardcoded-secret-key |
Ensure JWT secret is not hard coded |
| JWT Without Signature |
jwt-none-algorithm-usage |
Ensure JWT algorithm defined |
| Missing Reverse-Tabnabbing Protection |
missing-reverse-tabnabbing-protection |
Ensure secure link target |
| Node TLS Certificate Validation Disabled |
node-disable-ssl |
Ensure Node performs TLS validation |
| Node Unsafe Property Access |
node-unsafe-property-access |
Ensure safe property access |
| Node vm use runInThisContext |
node-vm-runinthiscontext |
Ensure node function runInThisContext used securely |
| Non-Literal Used to Require a Module |
non-literal-require |
Ensure node uses literal require statements |
| OS Command Injection |
os-command-injection |
Ensure secure usage of os commands |
| Path traversal |
path-traversal |
Ensure the function validates filesystem paths |
| XHR Request Over Plaintext |
plaintext-client-request |
Ensure XHR requests use encrypted transport |
| Javascript Serialize use Unsafe |
serialize-option-unsafe |
Ensure javascript serialize does not use unsafe |
| Server-Side Template Injection (SSTI) |
server-side-template-injection |
Ensure server side templates are validated |
| Server-Side Request Forgery (SSRF) |
ssrf |
Ensure server side requests are validated |
| TLS Verification Disabled |
tls-disabled-cert-validation |
Ensure TLS validation is enabled |
| TLS Insecure Protocol Config |
tls-insecure-protocol-config |
Ensure strong TLS protocols are used |
| Unrestricted server socket binding |
unrestricted-server-socket-binding |
Ensure binding to limited interfaces |
| Unsafe child_process |
unsafe-child-process |
Ensure child_process usage is secure |
| Wildcard In System Call |
wildcard-in-system-call |
Ensure system calls do not use wildcards |
| Unsafe Use of Window.postMessage |
window-postmessage-unsafe-target-origin |
Ensure safe usage of window.postMessage |
| Request Parameter Reflected in Response |
xss-request-parameter-reflected-in-response |
Ensure safe encoding of response |