| Name | Severity | Scopes | Tags | Links |
| --- | --- | --- | --- | --- |
| SpikeArrest policy doesn't use any identifier | Critical | SpikeArrest | DoS Protection | CWE-770 |
| JWT is decoded but not verified in the same flow phase | Critical | Step | Authentication & Authorisation | CWE-347 |
| Connection to the system is not encrypted | Critical | ServiceCallout, MessageLogging, Target | Data in Transit | CWE-319 |
| Bypassing AccessControl policy via True-Client-IP header | Critical | AccessControl | Data Validation | CWE-290 |
| Lack of certificate validation | Critical | ServiceCallout, MessageLogging, Target | Data in Transit | CWE-295 |
| Request content is stringified | Critical | Step | Data Validation, DoS Protection | CWE-20 |
| Insecure Quota configuration | High | Step | Code Quality, Data Validation | CWE-770 |
| User-controlled data in ServiceCallout | High | Step | Data Validation | CWE-233, CWE-20 |
| Flow accepts confidential data as URL parameters | High | Flow, PreFlow | Data in Transit | CWE-598 |
| API key is not removed before the request is sent to the target system | High | Proxy | Data in Transit | CWE-201 |
| Request content is tainted by user input | High | Step | Data Validation | CWE-20, CWE-116 |
| Target URL is tainted by user input | High | Step | Data Validation | CWE-22, CWE-233, CWE-918, CWE-20 |
| No TLS protocol specified in connection definition | High | ServiceCallout, MessageLogging, Target | Data in Transit | CWE-327 |
| JSONThreatProtection policy is not applied to a request body with JSON type | High | Flow | Data Validation | CWE-502, CWE-20 |
| Masked flow variable is written into an unmasked one | High | Step | Data at Rest | CWE-532 |
| The Authorization header is not removed before the request is made to the target system | High | Proxy | Data in Transit | CWE-201 |
| Proxy doesn't have a default flow | High | Proxy | Code Quality, Data Validation | CWE-20 |
| Open redirect | High | Step | Data Validation | CWE-601, CWE-20 |
| Policy sets confidential data in URL parameters | High | Step | Data in Transit | CWE-598 |
| Unsafe variable is used to define host | High | Step | Data Validation | CWE-20 |
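The following is an added example, not the scanner behind the table above and not code from Apigee: a small static check, written in Python over Apigee policy XML, for the SpikeArrest identifier rule (CWE-770), the True-Client-IP bypass of AccessControl (CWE-290) and the three connection rules (unencrypted connection, lack of certificate validation, no TLS protocol specified). Each weak policy fragment is placed beside its corrected form. The fragments are constructed for this example; the element names follow the public Apigee policy reference, while the flow variable `client_id`, the truststore reference `ref://partner-truststore`, the host `partner.example` and the wording of the findings are assumptions of the example.

```python
# Added example (not the page's own scanner): static checks for a few of the table's
# rules over constructed Apigee policy XML. Element names follow the public Apigee
# policy reference; client_id, ref://partner-truststore, partner.example and the
# finding text are assumptions of this example.
import xml.etree.ElementTree as ET


def _text(elem, tag, default):
    """Stripped, lower-cased text of a child element, or the default when absent."""
    value = elem.findtext(tag)
    return default if value is None else value.strip().lower()


def check_spike_arrest(root):
    # Without <Identifier ref="..."/> the Rate is one shared bucket for every caller.
    ident = root.find("Identifier")
    if ident is None or not (ident.get("ref") or (ident.text or "").strip()):
        return ["SpikeArrest: no <Identifier>; one client can exhaust the shared rate "
                "for everyone (CWE-770)"]
    return []


def check_access_control(root):
    # Unless IgnoreTrueClientIPHeader is true, the policy evaluates the client-supplied
    # True-Client-IP header, which a caller can set to match an ALLOW rule.
    if _text(root, "IgnoreTrueClientIPHeader", "false") != "true":
        return ["AccessControl: IgnoreTrueClientIPHeader is not true; True-Client-IP "
                "can be spoofed to satisfy an ALLOW rule (CWE-290)"]
    return []


def check_target_connection(root):
    # Applies to the HTTPTargetConnection of a ServiceCallout or TargetEndpoint.
    conn = root.find(".//HTTPTargetConnection")
    if conn is None:
        return []
    url = (conn.findtext("URL") or "").strip().lower()
    ssl = conn.find("SSLInfo")
    if url.startswith("http://") or (ssl is not None and _text(ssl, "Enabled", "true") != "true"):
        return ["connection to the system is not encrypted (CWE-319)"]
    if ssl is None:
        return ["no SSLInfo: no TLS protocol specified in connection definition (CWE-327)"]
    findings = []
    if _text(ssl, "IgnoreValidationErrors", "false") == "true":
        findings.append("lack of certificate validation: IgnoreValidationErrors is true (CWE-295)")
    if ssl.find("Protocols") is None:
        findings.append("no TLS protocol specified in connection definition (CWE-327)")
    return findings


CHECKS = {
    "SpikeArrest": check_spike_arrest,
    "AccessControl": check_access_control,
    "ServiceCallout": check_target_connection,
    "TargetEndpoint": check_target_connection,
}


def scan(policy_xml):
    """Run the check matching the policy's root element; return a list of findings."""
    root = ET.fromstring(policy_xml)
    check = CHECKS.get(root.tag)
    return check(root) if check else []


# Constructed policy fragments: the weak form named in the table beside its corrected form.
WEAK_SPIKE = '<SpikeArrest name="SA-Global"><Rate>30ps</Rate></SpikeArrest>'
SAFE_SPIKE = ('<SpikeArrest name="SA-PerApp"><Identifier ref="client_id"/>'
              '<Rate>30ps</Rate></SpikeArrest>')
ACL_RULES = ('<IPAllowOrDeny><Rule action="ALLOW"><SourceAddress mask="32">198.51.100.10'
             '</SourceAddress></Rule><Rule action="DENY"><SourceAddress mask="0">0.0.0.0'
             '</SourceAddress></Rule></IPAllowOrDeny>')
WEAK_ACL = f'<AccessControl name="ACL">{ACL_RULES}</AccessControl>'
SAFE_ACL = (f'<AccessControl name="ACL"><IgnoreTrueClientIPHeader>true'
            f'</IgnoreTrueClientIPHeader>{ACL_RULES}</AccessControl>')
PLAIN_CALLOUT = ('<ServiceCallout name="SC"><Response>calloutResponse</Response>'
                 '<HTTPTargetConnection><URL>http://partner.example/lookup</URL>'
                 '</HTTPTargetConnection></ServiceCallout>')
WEAK_CALLOUT = ('<ServiceCallout name="SC"><Response>calloutResponse</Response>'
                '<HTTPTargetConnection><URL>https://partner.example/lookup</URL>'
                '<SSLInfo><Enabled>true</Enabled><IgnoreValidationErrors>true'
                '</IgnoreValidationErrors></SSLInfo></HTTPTargetConnection></ServiceCallout>')
SAFE_CALLOUT = ('<ServiceCallout name="SC"><Response>calloutResponse</Response>'
                '<HTTPTargetConnection><URL>https://partner.example/lookup</URL>'
                '<SSLInfo><Enabled>true</Enabled><TrustStore>ref://partner-truststore</TrustStore>'
                '<IgnoreValidationErrors>false</IgnoreValidationErrors>'
                '<Protocols><Protocol>TLSv1.2</Protocol><Protocol>TLSv1.3</Protocol></Protocols>'
                '</SSLInfo></HTTPTargetConnection></ServiceCallout>')

if __name__ == "__main__":
    for label, xml in [("weak SpikeArrest", WEAK_SPIKE), ("safe SpikeArrest", SAFE_SPIKE),
                       ("weak AccessControl", WEAK_ACL), ("safe AccessControl", SAFE_ACL),
                       ("plain-HTTP callout", PLAIN_CALLOUT), ("weak TLS callout", WEAK_CALLOUT),
                       ("safe TLS callout", SAFE_CALLOUT)]:
        print(f"{label}: {scan(xml) or 'clean'}")
```

The checks are deliberately structural: they look at the policy definition alone and say nothing about whether the `Identifier` variable is actually populated at runtime or whether the referenced truststore holds the right CA, which is why the table's scopes pin each rule to a specific policy type rather than to the whole proxy.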