|
Critical
|
|
Bypassing AccessControl policy via True-Client-IP header
|
AccessControl |
Data Validation |
CWE-290
|
|
Connection to the system is not encrypted
|
ServiceCallout
MessageLogging
Target |
Data in Transit |
CWE-319
|
|
JWT/JWS is decoded but not verified in the same flow phase
|
Step |
Authentication & Authorisation |
CWE-347
|
|
Lack of certificate validation
|
ServiceCallout
MessageLogging
Target |
Data in Transit |
CWE-295
|
|
Request content is stringified
|
Step |
Data Validation
DoS Protection |
CWE-20
|
|
Sensitive information is in the source code
|
Step |
Data at Rest |
CWE-256
CWE-312
|
|
High
|
|
API Key is not removed before the request is sent to target system
|
Proxy |
Data in Transit |
CWE-201
|
|
AssignMessage request parameters pollution
|
AssignMessage |
Data Validation |
CWE-20
|
|
Authorization header is not removed before the request is sent to target system
|
Proxy |
Data in Transit |
CWE-201
|
|
Cache is accessed without prior authentication
|
Step |
Authentication & Authorisation |
CWE-306
|
|
Confidential data is used as a cache key
|
Step |
Data at Rest |
CWE-256
CWE-312
|
|
Flow accepts confidential data as URL parameters
|
Flow
PreFlow |
Data in Transit |
CWE-598
|
|
Insecure Quota configuration
|
Step |
Code Quality
Data Validation |
CWE-770
|
|
JSONThreatProtection policy is not applied to a request body with JSON type
|
Flow |
Data Validation |
CWE-502
CWE-20
|
|
No TLS protocol specified in connection definition
|
ServiceCallout
MessageLogging
Target |
Data in Transit |
CWE-327
|
|
Open Redirect
|
Step |
Data Validation |
CWE-601
CWE-20
|
|
Policy sets confidential data in URL parameters
|
Step |
Data in Transit |
CWE-598
|
|
Proxy doesn't have default flow
|
Proxy |
Code Quality
Data Validation |
CWE-20
|
|
Request content is tainted by user input
|
Step |
Data Validation |
CWE-20
CWE-116
|
|
SpikeArrest policy doesn't use any identifier
|
SpikeArrest |
DoS Protection |
CWE-770
|