Insecure coding practices

This page lists all the insecure coding practices that BoostSecurity currently detects.

| Name | Id | Description |
|---|---|---|
| Bypass Safe-by-Default Framework Output Encoding | bypass-framework-safe-default-output-encoding | Ensure the framework's default output encoding is not bypassed |
| Cookie Secure Flag Not Set | cookie-secure-flag-not-set | Ensure cookies set the Secure flag |
| Dangerous Function Buffer allocUnsafe | dangerous-function-buffer-alloc-unsafe | Ensure Buffer does not use allocUnsafe |
| Dangerous Function Buffer noAssert | dangerous-function-buffer-noassert | Ensure Buffer does not use noAssert |
| Dangerous Function Buffer Not Initialized With Literal | dangerous-function-buffer-non-literal-alloc | Ensure Buffer is allocated with a literal size |
| Dangerous Deserialization | dangerous-function-deserialization | Ensure safe deserialization |
| Ensure no raw SQL queries are used despite using an ORM | dangerous-raw-sql-used-with-orm | Ensure no raw SQL queries are used alongside an ORM |
| Debugging interface publicly exposed | debugging-interface-publicly-exposed | Ensure the debug interface is not publicly exposed |
| Uncontrolled data decompression (decompression bomb) | dos-via-decompression-bomb | Ensure highly compressed data is decompressed with size limits |
| Dynamic Code Injection | dynamic-code-injection | Ensure no dynamic code injection |
| Eval With Expression | eval-with-expression | Ensure eval is not called with a dynamic expression |
| Express Detect No CSRF Before Method Override | express-detect-no-csrf-before-method-override | Ensure Express applies CSRF protection before method override |
| Insecure Crypto Algorithm | insecure-crypto-algorithm | Ensure usage of secure cryptographic algorithms |
| JWT Hardcoded Secret Key | jwt-hardcoded-secret-key | Ensure the JWT secret is not hard-coded |
| JWT Without Signature | jwt-none-algorithm-usage | Ensure JWTs using the none algorithm (unsigned) are rejected |
| Missing Reverse-Tabnabbing Protection | missing-reverse-tabnabbing-protection | Ensure links opened in a new tab use a secure rel attribute |
| Node TLS Certificate Validation Disabled | node-disable-ssl | Ensure Node performs TLS certificate validation |
| Node Unsafe Property Access | node-unsafe-property-access | Ensure safe property access |
| Node vm use runInThisContext | node-vm-runinthiscontext | Ensure vm.runInThisContext is used securely |
| Non-Literal Used to Require a Module | non-literal-require | Ensure require is called with a literal module name |
| OS Command Injection | os-command-injection | Ensure secure usage of OS commands |
| Path traversal | path-traversal | Ensure filesystem paths are validated |
| XHR Request Over Plaintext | plaintext-client-request | Ensure XHR requests use encrypted transport |
| JavaScript Serialize use Unsafe | serialize-option-unsafe | Ensure JavaScript serialization does not use the unsafe option |
| Server-Side Template Injection (SSTI) | server-side-template-injection | Ensure server-side templates are validated |
| Server-Side Request Forgery (SSRF) | ssrf | Ensure server-side requests are validated |
| TLS Verification Disabled | tls-disabled-cert-validation | Ensure TLS certificate validation is enabled |
| TLS Insecure Protocol Config | tls-insecure-protocol-config | Ensure strong TLS protocol versions are used |
| Unrestricted server socket binding | unrestricted-server-socket-binding | Ensure sockets bind to limited interfaces |
| Unsafe child_process | unsafe-child-process | Ensure child_process usage is secure |
| Wildcard In System Call | wildcard-in-system-call | Ensure system calls do not use wildcards |
| Unsafe Use of Window.postMessage | window-postmessage-unsafe-target-origin | Ensure window.postMessage specifies a target origin |
| Request Parameter Reflected in Response | xss-request-parameter-reflected-in-response | Ensure response output is safely encoded |