Rule Explorer

Cookie configuration missing httpOnly flag

Cookie configuration missing sameSite protection

Cookie configuration missing secure flag

XSS via direct response write with user input

Hardcoded session secret in express-session configuration

express-session configured with resave: true

express-session configured with saveUninitialized: true

Hardcoded algorithm string in crypto API call hinders crypto agility

JWT decoded without signature verification

JWT signing or verification with a hardcoded secret

JWT verification configured to ignore token expiration

JWT configured to use the 'none' algorithm

JWT verification without an explicit algorithms allowlist

Potential command injection via exec/spawn with dynamic input

CORS misconfiguration allowing all origins

document.write() can lead to XSS vulnerabilities

Use of eval() allows arbitrary code execution

Hardcoded secret or credential detected

Open redirect via assignment to window.location with user input

Potential path traversal via fs operations with user input

Potential prototype pollution via dynamic property assignment

Potential SQL injection via string concatenation or template literal

Potential SSRF via dynamic outbound request URL

Unsafe deserialization of untrusted data

Template literal with variables in console/logging function may enable log injection

Potentially catastrophic backtracking regex pattern

Use of weak cryptographic hash (MD5/SHA1)

Assignment to innerHTML may lead to XSS

Use of quantum-vulnerable cryptographic algorithm (RSA/ECDSA/ECDH/DH/Ed25519)

Untrusted input reaches a command execution sink — OS command injection

Untrusted input reaches eval or Function — arbitrary code execution

Untrusted input reaches an LDAP operation sink — possible LDAP injection

Untrusted input reaches a logging sink — possible log injection

Untrusted input reaches a MongoDB query sink — possible NoSQL injection

Untrusted input reaches a SQL execute sink — possible SQL injection

Untrusted input reaches an HTTP request sink — possible SSRF

Untrusted input reaches a template rendering sink — possible server-side template injection

Untrusted input reaches an XPath evaluation sink — possible XPath injection

Untrusted input reaches innerHTML or document.write sink

Untrusted input reaches an XML parser — possible XML External Entity (XXE) injection

CSRF_COOKIE_HTTPONLY disabled in source code

CSRF_COOKIE_SAMESITE disabled in source code

CSRF_COOKIE_SECURE disabled in source code

View marked csrf_exempt

Django ALLOWED_HOSTS allows all hosts

Django SECRET_KEY hardcoded in source code

Flask app.run(debug=True) exposes debugger and reloader in production

Flask SECRET_KEY hardcoded in source code

Hardcoded algorithm string in hashlib.new() hinders crypto agility

JWT signing or verification with a hardcoded secret

JWT decoded without signature verification

Potential command injection via os.system/subprocess with user input

CORS misconfiguration allowing all origins

DEBUG = True left enabled — disable in production

Use of eval()/exec() allows arbitrary code execution

Hardcoded secret or credential detected

Open redirect via redirect() with user-controlled input

Potential path traversal via open() with user input

Deserialization of untrusted data via pickle

Potential SQL injection via string formatting

Potential SSRF via dynamic outbound request URL

Use of weak cryptographic hash (MD5/SHA1)

yaml.load() without SafeLoader can execute arbitrary code

Use of quantum-vulnerable cryptographic algorithm (RSA/ECDSA/ECDH/DSA/Ed25519/X25519)

Django SECURE_SSL_REDIRECT disabled in source code

SESSION_COOKIE_HTTPONLY disabled in source code

SESSION_COOKIE_SAMESITE disabled in source code

SESSION_COOKIE_SECURE disabled in source code

Untrusted input reaches OS command execution sink

Untrusted input reaches eval/exec sink

Untrusted input reaches LDAP search sink

Untrusted input reaches a logging sink — possible log injection

Untrusted input reaches a MongoDB query sink — possible NoSQL injection

Untrusted input reaches pickle deserialization sink

Untrusted input reaches DB execute sink

Untrusted input reaches outbound HTTP sink (potential SSRF)

Untrusted input reaches template rendering sink (potential SSTI)

Untrusted input reaches XPath query sink

Untrusted input reaches an XML parser — possible XML External Entity (XXE) injection

Untrusted input reaches unsafe YAML loader

Flask-WTF default CSRF checks disabled in source code

Flask-WTF CSRF protection disabled in source code

http.Cookie missing HttpOnly flag

http.Cookie missing Secure flag

Gin engine created without SetTrustedProxies configuration

TLS certificate verification disabled with InsecureSkipVerify

JWT key function uses a hardcoded secret

JWT parsed without signature verification

math/rand is not cryptographically secure

tls.Config is missing an explicit MinVersion

http.ListenAndServe without timeout configuration enables slowloris attacks

Potential command injection via exec.Command with dynamic input

Hardcoded secret or credential detected

Potential SQL injection via string concatenation or fmt.Sprintf

Potential SSRF via http.Get/http.Post with variable URL

Unsafe deserialization via gob or yaml.Unmarshal into interface{}/any

Use of weak cryptographic hash (MD5/SHA1)

Use of quantum-vulnerable cryptographic algorithm (RSA/ECDSA/ECDH/DSA/Ed25519)

Untrusted input reaches os/exec command execution sink

Untrusted input reaches LDAP search sink (potential LDAP injection)

Untrusted input reaches a logging sink — possible log injection

Untrusted input reaches a MongoDB query sink — possible NoSQL injection

Untrusted input reaches a filesystem path sink — possible path traversal

Untrusted input reaches database Query/Exec sink

Untrusted input reaches outbound net/http sink (potential SSRF)

Untrusted input reaches template parsing sink (potential SSTI)

Untrusted input reaches XPath query sink (potential XPath injection)

Potential command injection via system/exec/spawn or backtick execution

CSRF protection disabled via skip_before_action

Use of eval or similar dynamic code execution

Hardcoded secret or credential detected

Potential XSS via html_safe or raw()

Mass assignment via permit! allows all parameters

Potential open redirect via redirect_to with dynamic argument

Potential path traversal via dynamic file path

Potential SQL injection via string interpolation in query methods

Potential SSRF via dynamic outbound HTTP request URL

Unsafe deserialization via Marshal.load or YAML.load

Use of weak cryptographic hash (MD5/SHA1)

Hardcoded algorithm string in crypto API call hinders crypto agility

Potential command injection via Runtime.exec or ProcessBuilder with dynamic input

Hardcoded secret or credential detected

Potential path traversal via dynamic file path

Potential SQL injection via string concatenation in query method

Potential SSRF via URL or RestTemplate with dynamic input

Unsafe deserialization can lead to remote code execution

Use of weak cryptographic algorithm

Potential XSS via direct write of user input to HTTP response

XML parser created without disabling external entities (XXE)

Use of quantum-vulnerable cryptographic algorithm (RSA/EC/DSA/DH/Ed25519/X25519)

Permissive CORS configuration allows any origin

Spring Security CSRF protection is disabled

Untrusted Java servlet or Spring input reaches command execution sink

Untrusted Java servlet or Spring input reaches SQL query sink

Untrusted Java servlet or Spring input reaches outbound URL sink

Untrusted Java servlet or Spring input reaches unsafe deserialization sink

Potential command injection via shell execution function

Use of eval() allows arbitrary code execution

Use of extract() can overwrite existing variables

Dynamic file inclusion with variable argument enables remote/local file inclusion

Hardcoded secret or credential detected

preg_replace with /e modifier allows arbitrary code execution

Potential SQL injection via string interpolation or concatenation

Potential SSRF via file_get_contents or curl_init with variable URL

Use of unserialize() on untrusted data can lead to object injection

Use of weak cryptographic hash (MD5/SHA1)

Potential command injection via Command::new with dynamic input

Hardcoded secret or credential detected

Potential path traversal via Path::new or PathBuf::from with dynamic input

Potential SQL injection via format! macro in query argument

Potential SSRF via reqwest with dynamic URL

Use of .unwrap() or .expect() can cause panics in production

Use of weak cryptographic hash (MD5/SHA1)

Use of quantum-vulnerable cryptographic algorithm (RSA/ECDSA/ECDH/Ed25519/X25519)

TLS certificate verification disabled with danger_accept_invalid_certs

Use of std::mem::transmute can cause type confusion and undefined behavior

Use of unsafe block bypasses Rust memory safety guarantees

Potential command injection via Process.Start with dynamic argument

Overly permissive CORS configuration

Hardcoded secret or credential detected

Potential LDAP injection via string concatenation in search filter

Potential path traversal via dynamic file path

Potential SQL injection via string concatenation in database call

Potential SSRF via HTTP request with dynamic URL

Use of unsafe deserialization API

Use of weak cryptographic algorithm

Potential XXE vulnerability in XML parsing

Potential command injection via Process or NSTask with dynamic arguments

WKWebView evaluateJavaScript with dynamic input enables code injection

Hardcoded secret or credential detected

Insecure Keychain accessibility level allows access when device is locked

Insecure HTTP URL detected — use HTTPS instead

Potential path traversal via FileManager with dynamic path

Potential SQL injection via string interpolation in SQLite queries

Potential SSRF via URLSession or URL with dynamic input

TLS certificate validation disabled or weakened

Use of weak cryptographic hash (MD5/SHA1)

Potential command injection via Runtime.exec or ProcessBuilder with dynamic input

Permissive CORS configuration allows any origin

ScriptEngine.eval can execute arbitrary code

Hardcoded secret or credential detected

Potential path traversal via dynamic file path

Potential SQL injection via string concatenation in query method

Potential SSRF via URL or HTTP client with dynamic input

Unsafe deserialization can lead to remote code execution

Use of weak cryptographic algorithm

XML parser created without disabling external entities (XXE)

Untrusted input from Ktor/Spring handler reaches command execution sink

Untrusted input from Ktor/Spring handler reaches SQL query sink

Untrusted input from Ktor/Spring handler reaches HTTP/URL sink

Nginx TLS configuration uses quantum-vulnerable protocols or ciphers

Apache TLS configuration uses quantum-vulnerable protocols or ciphers

HAProxy TLS configuration uses quantum-vulnerable protocols or ciphers

Dockerfile disables TLS certificate verification via environment variable or insecure command

Dependency uses quantum-vulnerable cryptographic algorithm (dev-dependencies not distinguished)

Dependency uses quantum-vulnerable cryptographic algorithm

Dependency is affected by a known OSV vulnerability

Dependency uses quantum-vulnerable cryptographic algorithm

Dependency uses quantum-vulnerable cryptographic algorithm

Dependency uses quantum-vulnerable cryptographic algorithm

Dependency uses quantum-vulnerable cryptographic algorithm