Attack Vulnerabilities

Attack vulnerabilities are code patterns that allow malicious actors to perform unauthorized actions. These represent direct security threats.

Injection Attacks

SQL Injection (sqli)

Severity: Critical User input incorporated into SQL queries without proper sanitization.

// Vulnerable
const query = `SELECT * FROM users WHERE id = ${userId}`;

// Fixed
const query = `SELECT * FROM users WHERE id = ?`;
db.query(query, [userId]);

Impact: Database theft, modification, or deletion.

NoSQL Injection (nosql-injection)

Severity: Critical User input in NoSQL database queries.

// Vulnerable
db.users.find({ user: req.body.user, pass: req.body.pass });

// Fixed - validate input types
const user = String(req.body.user);
const pass = String(req.body.pass);

Impact: Authentication bypass, data theft.

Command Injection (command-injection)

Severity: Critical User input passed to system commands.

// Vulnerable
exec(`ping ${userInput}`);

// Fixed - use parameterized APIs
execFile('ping', ['-c', '4', userInput]);

Impact: Full system compromise.

Code Evaluation (code-evaluation)

Severity: Critical Dynamic code execution with user input.

// Vulnerable
eval(userInput);
new Function(userInput)();

// Fixed - avoid eval entirely
JSON.parse(userInput); // for JSON data

Impact: Arbitrary code execution.

Server-Side Template Injection (ssti)

Severity: Critical User input in server-side templates.

# Vulnerable
template.render("Hello " + user_input)

# Fixed
template.render("Hello {{ name }}", name=user_input)

Impact: Remote code execution.

Cross-Site Scripting (XSS)

Severity: High User input rendered in HTML without proper encoding.

// Vulnerable
element.innerHTML = userInput;

// Fixed
element.textContent = userInput;
// Or use proper sanitization
element.innerHTML = DOMPurify.sanitize(userInput);

Impact: Session hijacking, phishing, malware distribution.

Request Forgery

Server-Side Request Forgery (ssrf)

Severity: High Server makes requests to URLs controlled by user input.

// Vulnerable
fetch(userProvidedUrl);

// Fixed - validate against allowlist
const allowed = ['api.example.com'];
const url = new URL(userProvidedUrl);
if (!allowed.includes(url.hostname)) throw new Error('Invalid URL');

Impact: Internal network access, cloud metadata exposure.

Cross-Site Request Forgery (csrf)

Severity: Medium State-changing requests without CSRF protection.

// Vulnerable - no CSRF token
app.post('/transfer', (req, res) => { /* ... */ });

// Fixed - verify CSRF token
app.post('/transfer', csrfProtection, (req, res) => { /* ... */ });

Impact: Unauthorized actions on behalf of users.

Access Control

Insecure Direct Object Reference (idor)

Severity: High Access to resources without proper authorization checks.

// Vulnerable
app.get('/document/:id', (req, res) => {
  return db.documents.findById(req.params.id);
});

// Fixed
app.get('/document/:id', (req, res) => {
  const doc = db.documents.findById(req.params.id);
  if (doc.userId !== req.user.id) return res.status(403);
  return doc;
});

Impact: Unauthorized data access.

Broken Access Control (broken-access-control)

Severity: High Missing or improper access control checks. Impact: Privilege escalation, unauthorized actions.

Broken Authentication (broken-authentication)

Severity: High Flawed authentication implementation. Impact: Account takeover, unauthorized access.

File System

Path Traversal (path-traversal)

Severity: High User input in file paths allowing access outside intended directory.

// Vulnerable
const file = path.join('/uploads', userInput);

// Fixed
const file = path.join('/uploads', path.basename(userInput));

Impact: Arbitrary file read/write.

Unrestricted File Upload (unrestricted-file-upload)

Severity: High File uploads without proper validation. Impact: Remote code execution, malware hosting.

Other Attack Vectors

Remote Code Execution (rce)

Severity: Critical Any method allowing arbitrary code execution. Impact: Full system compromise.

XML External Entity (xxe)

Severity: High XML parsing with external entity processing enabled.

// Vulnerable
xmlParser.parse(userXml);

// Fixed - disable external entities
xmlParser.parse(userXml, { noent: false, dtdload: false });

Impact: File disclosure, SSRF, denial of service.

Open Redirect (open-redirect)

Severity: Medium Redirects to URLs controlled by user input.

// Vulnerable
res.redirect(req.query.next);

// Fixed
const allowedHosts = ['example.com'];
const url = new URL(req.query.next, 'https://example.com');
if (!allowedHosts.includes(url.hostname)) throw new Error('Invalid redirect');

Impact: Phishing, credential theft.

Prototype Pollution (prototype-pollution)

Severity: High Modification of JavaScript object prototypes via user input. Impact: Denial of service, potential RCE.

Insecure Deserialization (insecure-deserialization)

Severity: Critical Deserializing untrusted data without validation. Impact: Remote code execution.

Header Injection (header-injection)

Severity: Medium User input in HTTP headers. Impact: Response splitting, cache poisoning.

Log Injection (log-injection)

Severity: Low User input in log messages without sanitization. Impact: Log forging, log analysis bypass.

Session Fixation (session-fixation)

Severity: Medium Session ID can be set by attacker. Impact: Session hijacking.

Race Condition (race-condition)

Severity: Medium Time-of-check to time-of-use vulnerabilities. Impact: Security bypass, data corruption.

Denial of Service (dos)

Severity: Medium Code patterns that can cause service unavailability. Impact: Service disruption.

Regex Injection (regex-injection)

Severity: Medium User input in regular expressions (ReDoS risk). Impact: Denial of service.

PostMessage Misuse (postmessage-misuse)

Severity: Medium Improper handling of cross-origin messages. Impact: Cross-origin attacks.

Compliance Issues

Security weaknesses

Security Overview

All security categories

Issues

View your findings

How It Works

Detection explained

Get Started

Dashboard

GitHub Integration

CLI

Security Categories

Settings

API Reference

Other Integrations

Documentation Index

​Injection Attacks

​SQL Injection (sqli)

​NoSQL Injection (nosql-injection)

​Command Injection (command-injection)

​Code Evaluation (code-evaluation)

​Server-Side Template Injection (ssti)

​Cross-Site Scripting (XSS)

​Request Forgery

​Server-Side Request Forgery (ssrf)

​Cross-Site Request Forgery (csrf)

​Access Control

​Insecure Direct Object Reference (idor)

​Broken Access Control (broken-access-control)

​Broken Authentication (broken-authentication)

​File System

​Path Traversal (path-traversal)

​Unrestricted File Upload (unrestricted-file-upload)

​Other Attack Vectors

​Remote Code Execution (rce)

​XML External Entity (xxe)

​Open Redirect (open-redirect)

​Prototype Pollution (prototype-pollution)

​Insecure Deserialization (insecure-deserialization)

​Header Injection (header-injection)

​Log Injection (log-injection)

​Session Fixation (session-fixation)

​Race Condition (race-condition)

​Denial of Service (dos)

​Regex Injection (regex-injection)

​PostMessage Misuse (postmessage-misuse)

​Related Pages