| Rule | Rule ID | Recommendation |
| --- | --- | --- |
| Bypass Safe-by-Default Framework Output Encoding | bypass-framework-safe-default-output-encoding | Ensure framework default output encoding |
| Cookie Secure Flag Not Set | cookie-secure-flag-not-set | Ensure cookies are set to secure |
| Dangerous Function Buffer allocUnsafe | dangerous-function-buffer-alloc-unsafe | Ensure buffer does not use allocUnsafe |
| Dangerous Function Buffer noAssert | dangerous-function-buffer-noassert | Ensure buffer does not use noAssert |
| Dangerous Function Buffer Not Initialized With Literal | dangerous-function-buffer-non-literal-alloc | Ensure buffer is initialized with a literal value |
| Dangerous Deserialization | dangerous-function-deserialization | Ensure safe deserialization |
| Ensure no raw SQL queries are used despite using an ORM | dangerous-raw-sql-used-with-orm | Ensure no raw SQL queries |
| Debugging Interface Publicly Exposed | debugging-interface-publicly-exposed | Ensure debug interface is not exposed |
| Uncontrolled Data Decompression (Decompression Bomb) | dos-via-decompression-bomb | Ensure proper handling of highly compressed data |
| Dynamic Code Injection | dynamic-code-injection | Ensure no dynamic code injection |
| Eval With Expression | eval-with-expression | Ensure no dynamic eval expression |
| Express Detect No CSRF Before Method Override | express-detect-no-csrf-before-method-override | Ensure Express detects CSRF before method override |
| Insecure Crypto Algorithm | insecure-crypto-algorithm | Ensure usage of secure cryptographic algorithms |
| JWT Hardcoded Secret Key | jwt-hardcoded-secret-key | Ensure JWT secret is not hard-coded |
| JWT Without Signature | jwt-none-algorithm-usage | Ensure JWT algorithm is defined |
| Missing Reverse-Tabnabbing Protection | missing-reverse-tabnabbing-protection | Ensure secure link target |
| Node TLS Certificate Validation Disabled | node-disable-ssl | Ensure Node performs TLS validation |
| Node Unsafe Property Access | node-unsafe-property-access | Ensure safe property access |
| Node vm Use of runInThisContext | node-vm-runinthiscontext | Ensure the Node function runInThisContext is used securely |
| Non-Literal Used to Require a Module | non-literal-require | Ensure Node uses literal require statements |
| OS Command Injection | os-command-injection | Ensure secure usage of OS commands |
| Path Traversal | path-traversal | Ensure the function validates filesystem paths |
| XHR Request Over Plaintext | plaintext-client-request | Ensure XHR requests use encrypted transport |
| JavaScript Serialize Uses Unsafe | serialize-option-unsafe | Ensure JavaScript serialize does not use the unsafe option |
| Server-Side Template Injection (SSTI) | server-side-template-injection | Ensure server-side templates are validated |
| Server-Side Request Forgery (SSRF) | ssrf | Ensure server-side requests are validated |
| TLS Verification Disabled | tls-disabled-cert-validation | Ensure TLS validation is enabled |
| TLS Insecure Protocol Config | tls-insecure-protocol-config | Ensure strong TLS protocols are used |
| Unrestricted Server Socket Binding | unrestricted-server-socket-binding | Ensure binding to limited interfaces |
| Unsafe child_process | unsafe-child-process | Ensure child_process usage is secure |
| Wildcard In System Call | wildcard-in-system-call | Ensure system calls do not use wildcards |
| Unsafe Use of window.postMessage | window-postmessage-unsafe-target-origin | Ensure safe usage of window.postMessage |
| Request Parameter Reflected in Response | xss-request-parameter-reflected-in-response | Ensure safe encoding of response |