CodeGuru
Detector Library
JavaScript detectors (78/78)
Improper access controlSensitive data stored unencrypted due to partial encryptionPseudorandom number generatorsOS command injectionURL redirection to untrusted siteInteger overflowProtection mechanism failureNon-literal regular expressionTainted input for Docker APIUsage of an API that is not recommendedXML external entityServer-side request forgeryNew function detectedStack trace exposureTiming attackSNS don't bind subscribe and publishInvoke super appropriatelyNoSQL injectionHardcoded credentialsInsecure cookieCross-site scriptingHardcoded IP addressAWS credentials loggedXPath injectionData loss in a batch requestPath traversalLeast privilege violationDNS prefetchingResource leakInsufficiently protected credentialsFile extension validationInsecure connection using unencrypted protocolCross-site request forgeryTypeof expressionSet SNS Return Subscription ARNFile and directory information exposureMissing Amazon S3 bucket owner conditionInsecure hashingNumeric truncation errorClient-side KMS reencryptionAWS client not reused in a Lambda functionLDAP injectionBatch request with unchecked failuresCryptographic key generatorUnauthenticated Amazon SNS unsubscribe requests might succeedUnverified hostnameOrigins-verified cross-origin communicationsLoose file permissionsUnsanitized input is run as codeMissing paginationUntrusted Amazon Machine ImagesImproper certificate validationInsecure CORS policyDeserialization of untrusted objectSensitive information leakCheck failed records when using kinesisWeak obfuscation of web requestsCatch and swallow exceptionLogging of sensitive informationLimit request lengthString passed to `setInterval` or `setTimeout`Log injectionOverride of reserved variable names in a Lambda functionImproper restriction of rendered UI layers or framesInsecure cryptographyInsecure object attribute modificationSession fixationAvoid nan in comparisonImproper input validationDisabled HTML autoescapeUse of a deprecated methodUnvalidated expansion of archive filesFile injectionSendfile injectionSQL injectionHeader injectionInsecure temporary file or directoryInefficient polling of AWS resource
Tag: injection
OS command injection
Constructing operating system or shell commands with unsanitized user input can lead to inadvertently running malicious code.
XML external entity
Objects that parse or handle XML can lead to XML external entity (XXE) attacks when they are misconfigured.
Server-side request forgery
Insufficient sanitization of potentially untrusted URLs on the server side can allow server requests to unwanted destinations.
New function detected
Use of
new Function() can be dangerous if used to evaluate dynamic content.NoSQL injection
User input can be vulnerable to injection attacks.
Cross-site scripting
Relying on potentially untrusted user inputs when constructing web application outputs can lead to cross-site scripting vulnerabilities.
XPath injection
Potentially unsanitized user input in XPath queries can allow an attacker to control the query in unwanted or insecure ways.
Path traversal
Creating file paths from untrusted input might give a malicious actor access to sensitive files.
Cross-site request forgery
Insecure configuration can lead to a cross-site request forgery (CRSF) vulnerability.
LDAP injection
LDAP queries that rely on potentially untrusted inputs can allow attackers to read or modify sensitive data, run code, and perform other unwanted actions.
Unsanitized input is run as code
Scripts generated from unsanitized inputs can lead to malicious behavior and inadvertently running code remotely.
Untrusted Amazon Machine Images
Improper filtering of Amazon Machine Images (AMIs) can result in loading an untrusted image, which is a potential security vulnerability.
Deserialization of untrusted object
Deserialization of untrusted objects can lead to security vulnerabilities such as, inadvertently running remote code.
Log injection
Using untrusted inputs in a log statement can enable attackers to break the log's format, forge log entries, and bypass log monitors.
Improper input validation
Improper input validation can enable attacks and lead to unwanted behavior.
File injection
Writing unsanitized user data to a file is unsafe.
SQL injection
The use of untrusted inputs in a SQL database query can enable attackers to read, modify, or delete sensitive data in the database.
Header injection
Constructing HTTP response headers from user-controlled data is unsafe.