Security monitor
master
Last updated:
Warnings
Auth
CSRF
Cookies
Cryptography
DoS
File Access
found in 1 file
Firefox OS
HTTP
Input validation
Insecure Storage
Insecure modules/libraries
Mass assignment
Other
found in 1 file
Regex
Routes
SQL Injection
SSL
Unexpected behaviour
XSS
Select a category and start fixing
your security issues
your security issues
Auth
Authentication is present in almost all web applications nowadays.
Everything's ok
CSRF
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
Everything's ok
Cookies
An HTTP cookie is a small piece of data sent from a website and stored on the user's computer by the browser while the user is browsing.
Everything's ok
Cryptography
Cryptography is a security technique widely used and there are several cryptographic functions, but not all of them are secure.
Everything's ok
DoS
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.
Everything's ok
File Access
An attacker may use special paths to access files that should not be accessible.
script/test.js
const file = fs.readFileSync(process.argv[2], 'utf8'); // Reads argv into var file
Firefox OS
Sensitive APIs of Firefox OS.
You need to enable the following patterns for this category to be verified
This function is only available to higher privileged Firefox OS applications. MozBrowser frames have specific, elevated permissions.
ESLint
Writing user specified HTML to the DOM may lead to Cross-Site Scripting
ESLint
This function allows reading and modifying camera settings and is only available to higher privileged Firefox OS application.
ESLint
This function is only available to higher privileged Firefox OS applications. It allows managing and revoking apps permissions.
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
This function allows creating connections and communicating with remote servers.
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
This function is only available to higher privileged Firefox OS applications. It allows controlling the phone's Voicemail features.
ESLint
This function sets a handler for inter app communication messages. In general, mozSetMessageHandler allows handling WebActivities. The origin of the activity and its data might be untrusted.
ESLint
This function is only available to higher privileged Firefox OS applications. It allows access to power management features.
ESLint
This exercises the proximity API to check whether the phone is close to something (i.e. held to the ear).
ESLint
This API allows access to datastores that may be used to serve or retrieve data from third party apps
ESLint
This function is only available to higher privileged Firefox OS applications. It allows managing the Wifi features of the phone.
ESLint
XMLHttpRequests of type system may contact and read data from third party origins
ESLint
This function is only available to higher privileged Firefox OS applications. It allows access to the phone's settings
ESLint
This function creates new Web Activities and can transfer data from one app to another
ESLint
Check to make sure message handler validates to protect against malicious cross-origin message.
ESLint
This function is only available to higher privileged Firefox OS applications. It allows managing the phone's app.
ESLint
This function allows reading and modifying the phone's contacts. It is only available to higher privileged Firefox OS applications.
ESLint
This specifies a handler for WAP Push notifications. In general, mozSetMessageHandler allows handling WebActivities. The origin of the activity and its data might be untrusted.
ESLint
This function is only available to higher privileged Firefox OS applications and allows setting and editing alarms. Frequent alarms might prevent power saving and drain the battery.
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
HTTP
HTTP headers are a common attack vector for malign users.
Everything's ok
Input validation
Input not validated may originate SQL Injection attacks for instance.
You need to enable the following patterns for this category to be verified
Seems like you are using a configuration file for Rubocop, please make sure you have the related patterns enabled in your configuration file.
This function creates a DOM from strings. Depending on their source it is likely important to sanitize it before an insertion into the DOM happens
ESLint
Using execScript with user input leads to Cross Site Scripting (Internet Explorer only)
ESLint
Controlling of the first argument to Function(...) results in direct script execution.
ESLint
Calling setInterval with a first argument as string (or string concatenation) with user input may lead to XSS
ESLint
Calling setTimeout with a first argument as string (or string concatenation) with user input may lead to XSS
ESLint
This function generate notifications from the app. It is only available to higher privileged Firefox OS applications.
ESLint
Controlling of the first argument to Function(...) results in direct script execution.
ESLint
Due to a bug in Firefox, this function may be used as an obfuscated way to call execute scripts from strings (like eval). This may lead to Cross-Site-Scripting.
ESLint
Calling setImmediate with a first argument as string (or string concatenation) with user input may lead to XSS
ESLint
Avoid using of `Marshal.load` or `Marshal.restore` due to potential security issues. See reference for more information.
Rubocop
Prefer usage of `YAML.safe_load` over `YAML.load` due to potential security issues. See reference for more information.
Rubocop
Prefer usage of `JSON.parse` over `JSON.load` due to potential security issues. See reference for more information.
Rubocop
The use of eval represents a serious security risk.
Rubocop
Insecure Storage
Storing sensitive data using this APIs is not safe.
You need to enable the following patterns for this category to be verified
Insecure modules/libraries
Consider possible security implications associated with some modules.
Everything's ok
Mass assignment
Mass assignment is a feature of Rails which allows an application to create a record from the values of a hash.
Everything's ok
Other
Other language specific security issues.
script/test.js
entryArray[i] = new Object;
entryArray[i].raw = entries[i];
if (entryFilter(entries[i]) === true) { // filter out lines that don't with * [)
entryArray[i].name = namepatt.exec(entries[i])[1]; // Parses name of entry
entryArray[i].pass = findPattern(entries[i]); // Tests against known patterns
if (entryArray[i].pass === true) { // If entry passes increment totalPass counter
console.log(`${entryArray[i].name} Failed.`); // If entry fails increment totalFail counter and append error to issuelog
issuelog += `${entryArray[i].name} | ${entries[i]} \\n`;
Regex
Regex can be used in a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach heavy computation situations that cause them to work very slowly (exponentially related to input size).
Everything's ok
Routes
Badly configured routes can give unintended access to an attacker.
Everything's ok
SQL Injection
A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application.
Everything's ok
SSL
Simply using SSL isn't enough to ensure the data you are sending is secure. Man in the middle attacks are well known and widely used.
Everything's ok
Unexpected behaviour
Assigning values to private APIs might lead to unexpected behaviour.
You need to enable the following patterns for this category to be verified
Unintended use of AssignmentExpression in If Statement.
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects. Furthermore, it can cause Cross-Site Scripting, when javascipt: URIs are used.
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects.
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects.
ESLint
Check to make sure message handler validates to protect against malicious cross-origin message.
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects.
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects. It may also lead to script execution, depending on the affected HTML Tag (i.e. object)
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects.
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects. Furthermore, it can cause Cross-Site Scripting, when javascipt: URIs are used
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
XSS
XSS enables attackers to inject client-side scripts into web pages viewed by other users.
You need to enable the following patterns for this category to be verified
Attention popups fill the whole display. URLs pointing to javascript: and data: protocols can lead to XSS. Popups can also confuse and misdirect users.
ESLint
Writing user specified HTML to the DOM may lead to Cross-Site Scripting
ESLint