Security monitor
master
Last updated:
Warnings
Auth
CSRF
Cookies
Cryptography
DoS
File Access
Firefox OS
HTTP
Input validation
Insecure Storage
Insecure modules/libraries
Other
Regex
Routes
SQL Injection
Unexpected behaviour
XSS
Select a category and start fixing
your security issues
your security issues
Auth
Authentication is present in almost all web applications nowadays.
You need to enable the following patterns for this category to be verified
Suggest named credentials for authentication
PMD (Legacy)
Prohibit using hard coded passwords, consider placing them in config files or keystores instead.
Codacy ScalaMeta Pro
CSRF
Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.
You need to enable the following patterns for this category to be verified
Avoid making DML operations in Apex class constructor/init method
PMD (Legacy)
Prohibits express.csrf() middleware before express.methodOverride().
ESLint
Cookies
An HTTP cookie is a small piece of data sent from a website and stored on the user's computer by the browser while the user is browsing.
You need to enable the following patterns for this category to be verified
Check for usage of the sessionId cookie in spray
Codacy ScalaMeta Pro
Cookie that is not marked as HttpOnly could be read by a malicious script in the browser.
Codacy ScalaMeta Pro
Cookie without the secure flag could be sent in clear text if a HTTP URL is visited.
Codacy ScalaMeta Pro
Cryptography
Cryptography is a security technique widely used and there are several cryptographic functions, but not all of them are secure.
You need to enable the following patterns for this category to be verified
Prohibits crypto.pseudoRandomBytes since it's not cryptographically strong.
ESLint
Prohibits potential hot spot string comparisons of passwords, secrets and hashes.
ESLint
RSA Laboratories currently recommends key sizes of 1024 bits
Codacy ScalaMeta Pro
Do not use java.util.Random, its pseudo random generator can be predictable
Codacy ScalaMeta Pro
Communication channels should use encrypted connections
Codacy ScalaMeta Pro
Do not use your own custom message digest algorithm
Codacy ScalaMeta Pro
At least 128 bits of entropy should be used when using Blowfish
Codacy ScalaMeta Pro
The NullCipher is rarely used intentionally in production applications.
Codacy ScalaMeta Pro
Prohibit using hard coded keys, consider placing them in config files or keystores instead.
Codacy ScalaMeta Pro
DoS
The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed.
You need to enable the following patterns for this category to be verified
Regular expressions are frequently subject to Denial of Service attacks
Codacy ScalaMeta Pro
Prohibits buffer read / write calls that use noAssert set to true.
ESLint
File Access
An attacker may use special paths to access files that should not be accessible.
You need to enable the following patterns for this category to be verified
Prevents possible filename injection by unfiltered input.
Codacy ScalaMeta Pro
Prohibits calls to fs functions that take a non Literal value as the filename parameter.
ESLint
Firefox OS
Sensitive APIs of Firefox OS.
You need to enable the following patterns for this category to be verified
This function allows reading and modifying camera settings and is only available to higher privileged Firefox OS application.
ESLint
XMLHttpRequests of type system may contact and read data from third party origins
ESLint
This function is only available to higher privileged Firefox OS applications. It allows managing the Wifi features of the phone.
ESLint
This function sets a handler for inter app communication messages. In general, mozSetMessageHandler allows handling WebActivities. The origin of the activity and its data might be untrusted.
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
This function is only available to higher privileged Firefox OS applications. It allows access to the phone's settings
ESLint
This function is only available to higher privileged Firefox OS applications. It allows managing the phone's app.
ESLint
This exercises the proximity API to check whether the phone is close to something (i.e. held to the ear).
ESLint
This function allows creating connections and communicating with remote servers.
ESLint
This function is only available to higher privileged Firefox OS applications and allows setting and editing alarms. Frequent alarms might prevent power saving and drain the battery.
ESLint
ESLint
This API allows access to datastores that may be used to serve or retrieve data from third party apps
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
Check to make sure message handler validates to protect against malicious cross-origin message.
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
This function allows reading and modifying the phone's contacts. It is only available to higher privileged Firefox OS applications.
ESLint
Writing user specified HTML to the DOM may lead to Cross-Site Scripting
ESLint
This specifies a handler for WAP Push notifications. In general, mozSetMessageHandler allows handling WebActivities. The origin of the activity and its data might be untrusted.
ESLint
This function is only available to higher privileged Firefox OS applications. MozBrowser frames have specific, elevated permissions.
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
This function creates new Web Activities and can transfer data from one app to another
ESLint
This function is only available to higher privileged Firefox OS applications. It allows managing and revoking apps permissions.
ESLint
This function is only available to higher privileged Firefox OS applications. It allows controlling the phone's Voicemail features.
ESLint
This function is only available to higher privileged Firefox OS applications. It allows access to power management features.
ESLint
HTTP
HTTP headers are a common attack vector for malign users.
You need to enable the following patterns for this category to be verified
The User-Agent header can be controlled by the client. As such, its value should not be used in any security critical decisions.
Codacy ScalaMeta Pro
Check for usage of the 'Content-Type' header in spray.
Codacy ScalaMeta Pro
The hostname header can be controlled by the client. As such, its value should not be used in any security critical decisions.
Codacy ScalaMeta Pro
Check for usage of the values obtained from http requests parameters in play-framework.
Codacy ScalaMeta Pro
The Referer header can be controlled by the client. As such, its value should not be used in any security critical decisions.
Codacy ScalaMeta Pro
Request headers can easily be altered by the requesting user.
Codacy ScalaMeta Pro
The Referer header can be controlled by the client. As such, its value should not be used in any security critical decisions.
Codacy ScalaMeta Pro
Check for usage of the values obtained from GET and POST parameters in spray.
Codacy ScalaMeta Pro
The User-Agent header can be controlled by the client. As such, its value should not be used in any security critical decisions.
Codacy ScalaMeta Pro
Request headers can easily be altered by the requesting user.
Codacy ScalaMeta Pro
Check for usage of the 'Content-Type' header in play
Codacy ScalaMeta Pro
Input validation
Input not validated may originate SQL Injection attacks for instance.
You need to enable the following patterns for this category to be verified
Validate CRUD permission before SOQL/DML operation
PMD (Legacy)
Avoid unescaped user controlled content in EL
PMD (Legacy)
Calling setInterval with a first argument as string (or string concatenation) with user input may lead to XSS
ESLint
Prohibits having disabled Markup escaping in Mustache.
ESLint
ESLint_no-unsafe-innerhtml_no-unsafe-innerhtml
ESLint
Calling setImmediate with a first argument as string (or string concatenation) with user input may lead to XSS
ESLint
Due to a bug in Firefox, this function may be used as an obfuscated way to call execute scripts from strings (like eval). This may lead to Cross-Site-Scripting.
ESLint
Using execScript with user input leads to Cross Site Scripting (Internet Explorer only)
ESLint
Controlling of the first argument to Function(...) results in direct script execution.
ESLint
This function creates a DOM from strings. Depending on their source it is likely important to sanitize it before an insertion into the DOM happens
ESLint
Calling setTimeout with a first argument as string (or string concatenation) with user input may lead to XSS
ESLint
Prohibits calls to require with non-literal argument.
ESLint
Controlling of the first argument to Function(...) results in direct script execution.
ESLint
This function generate notifications from the app. It is only available to higher privileged Firefox OS applications.
ESLint
Check if call to redirect comes directly from an input
Codacy ScalaMeta Pro
Object deserialization of untrusted data can lead to remote code execution.
Codacy ScalaMeta Pro
Check if call to redirect comes directly from an input
Codacy ScalaMeta Pro
Insecure Storage
Storing sensitive data using this APIs is not safe.
You need to enable the following patterns for this category to be verified
Insecure modules/libraries
Consider possible security implications associated with some modules.
You need to enable the following patterns for this category to be verified
Apex classes should declare a sharing model if DML or SOQL/SOSL is used
PMD (Legacy)
Other
Other language specific security issues.
You need to enable the following patterns for this category to be verified
Regex
Regex can be used in a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach heavy computation situations that cause them to work very slowly (exponentially related to input size).
You need to enable the following patterns for this category to be verified
Routes
Badly configured routes can give unintended access to an attacker.
You need to enable the following patterns for this category to be verified
Apex classes should safely redirect to a known location
PMD (Legacy)
Apex callouts should use encrypted communication channels
PMD (Legacy)
SQL Injection
A SQL injection attack consists of insertion or 'injection' of a SQL query via the input data from the client to the application.
You need to enable the following patterns for this category to be verified
Avoid untrusted/unescaped variables in DML query
PMD (Legacy)
Unexpected behaviour
Assigning values to private APIs might lead to unexpected behaviour.
You need to enable the following patterns for this category to be verified
Assignments to the document's location may lead to spoofing and unexpected redirects. Furthermore, it can cause Cross-Site Scripting, when javascipt: URIs are used
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects.
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects.
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
Unintended use of AssignmentExpression in If Statement.
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects. It may also lead to script execution, depending on the affected HTML Tag (i.e. object)
ESLint
Check to make sure message handler validates to protect against malicious cross-origin message.
ESLint
This function is only available to higher privileged Firefox OS applications.
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects. Furthermore, it can cause Cross-Site Scripting, when javascipt: URIs are used.
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects.
ESLint
Assignments to the document's location may lead to spoofing and unexpected redirects.
ESLint
XSS
XSS enables attackers to inject client-side scripts into web pages viewed by other users.
You need to enable the following patterns for this category to be verified
Apex classes should escape Strings in error messages
PMD (Legacy)
Apex classes should escape/sanitize Strings obtained from URL parameters
PMD (Legacy)
Attention popups fill the whole display. URLs pointing to javascript: and data: protocols can lead to XSS. Popups can also confuse and misdirect users.
ESLint
Writing user specified HTML to the DOM may lead to Cross-Site Scripting
ESLint