|
High
|
|
Target URL is tainted by user input
|
Step |
Data Validation |
CWE-22
CWE-233
CWE-918
CWE-20
|
|
Unsafe regular expression
|
Step |
Data Validation |
CWE-1333
|
|
Unsafe variable is used to define host
|
Step |
Data Validation |
CWE-20
|
|
Use of weak hash algorithms
|
AssignMessage
HMAC
JavaScript |
Secure Configuration |
CWE-327
|
|
User-controlled data in ServiceCallout
|
Step |
Data Validation |
CWE-233
CWE-20
|
|
Medium
|
|
AccessControl allows all IPs
|
AccessControl |
Data Validation |
CWE-290
|
|
Condition has undefined variables
|
Step
RouteRule
Flow |
Code Quality |
CWE-570
CWE-571
|
|
Error flow variable is set but not checked in request phase
|
Step |
Error Handling |
CWE-390
|
|
Flow accepts requests with any method
|
Flow |
Data Validation |
CWE-749
|
|
Flow doesn't limit HTTP methods correctly
|
Flow |
Data Validation |
CWE-749
|
|
Insecure JSONThreatProtection policy
|
JSONThreatProtection |
Code Quality
Data Validation |
CWE-770
CWE-20
|
|
Insecure token expiration configuration
|
OAuthV2 |
Secure Configuration |
CWE-613
|
|
Lack of DefaultFaultRule
|
Target
Proxy |
Error Handling |
CWE-390
|
|
Masked flow variable is written into unmasked one
|
Step |
Data at Rest |
CWE-532
|
|
MatchesPath is applied to a static parameter
|
Target
Proxy |
Code Quality
Data Validation |
CWE-20
|
|
No SpikeArrest policy is applied
|
Proxy |
Code Quality
DoS Protection |
CWE-770
|
|
Private flow variable is written into public one
|
Step |
Data at Rest |
CWE-532
|
|
ServiceCallout policy uses default message object as a request
|
ServiceCallout |
Code Quality |
CWE-200
|
|
ServiceCallout policy uses default message object as a response
|
ServiceCallout |
Code Quality |
CWE-200
|
|
Unreachable FaultRule
|
Target
Proxy |
Code Quality |
CWE-561
|