Skip to main content
Attack vulnerabilities are code patterns that allow malicious actors to perform unauthorized actions. These represent direct security threats.

Injection Attacks

SQL Injection (sqli)

Severity: Critical User input incorporated into SQL queries without proper sanitization. 
// Vulnerable
const query = `SELECT * FROM users WHERE id = ${userId}`;

// Fixed
const query = `SELECT * FROM users WHERE id = ?`;
db.query(query, [userId]);
Impact: Database theft, modification, or deletion.

NoSQL Injection (nosql-injection)

Severity: Critical User input in NoSQL database queries. 
// Vulnerable
db.users.find({ user: req.body.user, pass: req.body.pass });

// Fixed - validate input types
const user = String(req.body.user);
const pass = String(req.body.pass);
Impact: Authentication bypass, data theft.

Command Injection (command-injection)

Severity: Critical User input passed to system commands. 
// Vulnerable
exec(`ping ${userInput}`);

// Fixed - use parameterized APIs
execFile('ping', ['-c', '4', userInput]);
Impact: Full system compromise.

Code Evaluation (code-evaluation)

Severity: Critical Dynamic code execution with user input. 
// Vulnerable
eval(userInput);
new Function(userInput)();

// Fixed - avoid eval entirely
JSON.parse(userInput); // for JSON data
Impact: Arbitrary code execution.

Server-Side Template Injection (ssti)

Severity: Critical User input in server-side templates. 
# Vulnerable
template.render("Hello " + user_input)

# Fixed
template.render("Hello {{ name }}", name=user_input)
Impact: Remote code execution.

Cross-Site Scripting (XSS)

Severity: High User input rendered in HTML without proper encoding. 
// Vulnerable
element.innerHTML = userInput;

// Fixed
element.textContent = userInput;
// Or use proper sanitization
element.innerHTML = DOMPurify.sanitize(userInput);
Impact: Session hijacking, phishing, malware distribution.

Request Forgery

Server-Side Request Forgery (ssrf)

Severity: High Server makes requests to URLs controlled by user input. 
// Vulnerable
fetch(userProvidedUrl);

// Fixed - validate against allowlist
const allowed = ['api.example.com'];
const url = new URL(userProvidedUrl);
if (!allowed.includes(url.hostname)) throw new Error('Invalid URL');
Impact: Internal network access, cloud metadata exposure.

Cross-Site Request Forgery (csrf)

Severity: Medium State-changing requests without CSRF protection. 
// Vulnerable - no CSRF token
app.post('/transfer', (req, res) => { /* ... */ });

// Fixed - verify CSRF token
app.post('/transfer', csrfProtection, (req, res) => { /* ... */ });
Impact: Unauthorized actions on behalf of users.

Access Control

Insecure Direct Object Reference (idor)

Severity: High Access to resources without proper authorization checks. 
// Vulnerable
app.get('/document/:id', (req, res) => {
  return db.documents.findById(req.params.id);
});

// Fixed
app.get('/document/:id', (req, res) => {
  const doc = db.documents.findById(req.params.id);
  if (doc.userId !== req.user.id) return res.status(403);
  return doc;
});
Impact: Unauthorized data access.

Broken Access Control (broken-access-control)

Severity: High Missing or improper access control checks. Impact: Privilege escalation, unauthorized actions.

Broken Authentication (broken-authentication)

Severity: High Flawed authentication implementation. Impact: Account takeover, unauthorized access.

File System

Path Traversal (path-traversal)

Severity: High User input in file paths allowing access outside intended directory. 
// Vulnerable
const file = path.join('/uploads', userInput);

// Fixed
const file = path.join('/uploads', path.basename(userInput));
Impact: Arbitrary file read/write.

Unrestricted File Upload (unrestricted-file-upload)

Severity: High File uploads without proper validation. Impact: Remote code execution, malware hosting.

Other Attack Vectors

Remote Code Execution (rce)

Severity: Critical Any method allowing arbitrary code execution. Impact: Full system compromise.

XML External Entity (xxe)

Severity: High XML parsing with external entity processing enabled. 
// Vulnerable
xmlParser.parse(userXml);

// Fixed - disable external entities
xmlParser.parse(userXml, { noent: false, dtdload: false });
Impact: File disclosure, SSRF, denial of service.

Open Redirect (open-redirect)

Severity: Medium Redirects to URLs controlled by user input. 
// Vulnerable
res.redirect(req.query.next);

// Fixed
const allowedHosts = ['example.com'];
const url = new URL(req.query.next, 'https://example.com');
if (!allowedHosts.includes(url.hostname)) throw new Error('Invalid redirect');
Impact: Phishing, credential theft.

Prototype Pollution (prototype-pollution)

Severity: High Modification of JavaScript object prototypes via user input. Impact: Denial of service, potential RCE.

Insecure Deserialization (insecure-deserialization)

Severity: Critical Deserializing untrusted data without validation. Impact: Remote code execution.

Header Injection (header-injection)

Severity: Medium User input in HTTP headers. Impact: Response splitting, cache poisoning.

Log Injection (log-injection)

Severity: Low User input in log messages without sanitization. Impact: Log forging, log analysis bypass.

Session Fixation (session-fixation)

Severity: Medium Session ID can be set by attacker. Impact: Session hijacking.

Race Condition (race-condition)

Severity: Medium Time-of-check to time-of-use vulnerabilities. Impact: Security bypass, data corruption.

Denial of Service (dos)

Severity: Medium Code patterns that can cause service unavailability. Impact: Service disruption.

Regex Injection (regex-injection)

Severity: Medium User input in regular expressions (ReDoS risk). Impact: Denial of service.

PostMessage Misuse (postmessage-misuse)

Severity: Medium Improper handling of cross-origin messages. Impact: Cross-origin attacks.

Compliance Issues

Security weaknesses

Security Overview

All security categories

Issues

View your findings

How It Works

Detection explained