Amazon QDetector Library Sign in to Amazon Q

Q

Detector Library

TypeScript detectors (104/104)

Integer overflow AWS insecure transmission CDK Insecure cookie AWS credentials logged SQL injection Insecure connection using unencrypted protocol New function detected Batch request with unchecked failures Unvalidated expansion of archive files Missing pagination XPath injection Logging of sensitive information Override of reserved variable names in a Lambda function Insecure CORS policy Improper input validation Hardcoded credentials Invoke super appropriately Numeric truncation error Avoid nan in comparison Missing check on method output Insufficiently protected credentials Improper restriction of rendered UI layers or frames Pseudorandom number generators AWS missing encryption CDK Catch and swallow exception Header injection Use {} instead of new Object()Hardcoded IP address Untrusted Amazon Machine Images Weak obfuscation of web requests File Race Bad Improper certificate validation Sendfile injection Cryptographic key generator improper input validation cdk XML external entity Timing attack Missing Amazon S3 bucket owner condition Insecure hashing Session fixation Use of Default Credentials CDK File injection Improper Restriction of Operations within the Bounds of a Memory Buffer Limit request length Log injection Type confusion Server side request forgery aws kmskey encryption cdk Inefficient polling of AWS resource Avoid Undefined As Variable Name Index of method comparison String passed to `setInterval` or `setTimeout`Data loss in a batch request Tainted input for Docker API Insecure temporary file or directory Check failed records when using kinesis AWS api logging disabled cdk Improper Access Control CDK Least privilege violation File extension validation Resource leak Set SNS Return Subscription ARN Insecure object attribute modification Missing Authentication for Critical Function CDK Typeof expression AWS missing encryption of sensitive data cdk Unauthenticated Amazon SNS unsubscribe requests might succeed Cross-site request forgery Client-side KMS reencryption Insecure cryptography Deserialization of untrusted object Clear text credentials Improper handling of case sensitivity Unsanitized input is run as code Protection mechanism failure Use of a deprecated method Sensitive information leak DNS prefetching Exposure of Sensitive Information CDK Insecure JWT parsing Loose file permissions Missing Authorization CDK Sensitive query string Insufficient Logging CDK OS command injection NoSQL injection Unverified hostname Path traversal Origins-verified cross-origin communications LDAP injection SNS don't bind subscribe and publish S3 partial encrypt CDK Non-literal regular expression Stack trace exposure File and directory information exposure Usage of an API that is not recommended Lazy Load Module Disabled HTML autoescape Improper access control Cross-site scripting Sensitive data stored unencrypted due to partial encryption AWS client not reused in a Lambda function URL redirection to untrusted site Untrusted data in security decision

Insecure cryptography Critical

Misuse of cryptography-related APIs can create security vulnerabilities. This includes algorithms with known weaknesses, certain padding modes, the lack of integrity checks, insufficiently large key sizes, and insecure combinations of the previous items.

Detector ID

typescript/insecure-cryptography@v1.0

Category

Common Weakness Enumeration (CWE)

CWE-327 CWE-347

Tags

# cryptography # owasp-top10

Noncompliant example

1import https from 'https'
2function insecureCryptographyNoncompliant() {
3  var ciphers = [
4    `TLS_DH_anon_WITH_AES_256_GCM_SHA384`,
5    `TLS_AES_128_GCM_SHA256`,
6    `ECDHE-ECDSA-AES128-GCM-SHA256`,
7  ].join(":");
8  var options = {
9    hostname: "www.example.com",
10    port: 443,
11    path: "/",
12    method: "GET",
13    secureProtocol: "TLSv1_2_method",
14    // Noncompliant: insecure TLS cipher suite is used.
15    ciphers: ciphers,
16  };
17
18  var req = https.request(
19    options,
20    (res: { on: (arg0: string, arg1: (d: any) => void) => void }) => {
21      res.on("data", (d: any) => {
22        process.stdout.write(d);
23      });
24    },
25  );
26}

Compliant example

1import https from 'https'
2function insecureCryptographyCompliant() {
3  var ciphers = [
4    `TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`,
5    `TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`,
6    `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`,
7    `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`,
8    `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256`,
9    `TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256`,
10    `TLS_AES_128_GCM_SHA256`,
11    `TLS_AES_256_GCM_SHA384`,
12    "!aNULL",
13    "!eNULL",
14    "!NULL",
15    "!DES",
16    "!RC4",
17    "!MD5",
18  ].join(":");
19  var options = {
20    hostname: "www.example.com",
21    port: 443,
22    path: "/",
23    method: "GET",
24    secureProtocol: "TLSv1_2_method",
25    // Compliant: secure TLS cipher suite is used.
26    ciphers: ciphers,
27  };
28
29  var req = https.request(
30    options,
31    (res: { on: (arg0: string, arg1: (d: any) => void) => void }) => {
32      res.on("data", (d: any) => {
33        process.stdout.write(d);
34      });
35    },
36  );
37}