|
Critical
|
|
Bypassing AccessControl policy via True-Client-IP header
|
AccessControl |
Data Validation |
CWE-290
|
|
High
|
|
API Key is not removed before the request is sent to target system
|
Proxy |
Data in Transit |
CWE-201
|
|
AssignMessage request parameters pollution
|
AssignMessage |
Data Validation |
CWE-20
|
|
Authorization header is not removed before the request is sent to target system
|
Proxy |
Data in Transit |
CWE-201
|
|
Proxy doesn't have default flow
|
Proxy |
Code Quality
Data Validation |
CWE-20
|
|
Use of weak hash algorithms
|
AssignMessage
HMAC
JavaScript |
Secure Configuration |
CWE-327
|
|
Medium
|
|
AccessControl allows all IPs
|
AccessControl |
Data Validation |
CWE-290
|
|
Condition has undefined variables
|
Step
RouteRule
Flow |
Code Quality |
CWE-570
CWE-571
|
|
Lack of DefaultFaultRule
|
Target
Proxy |
Error Handling |
CWE-390
|
|
MatchesPath is applied to a static parameter
|
Target
Proxy |
Code Quality
Data Validation |
CWE-20
|
|
No SpikeArrest policy is applied
|
Proxy |
Code Quality
DoS Protection |
CWE-770
|
|
Unreachable FaultRule
|
Target
Proxy |
Code Quality |
CWE-561
|
|
Unreachable Flow
|
Target
Proxy |
Code Quality |
CWE-561
|
|
Unreachable RouteRule
|
Proxy |
Code Quality |
CWE-561
|
|
Low
|
|
Missing security headers
|
Proxy |
Secure Configuration |
CWE-523
|
|
No mask configuration for the proxy
|
Proxy |
Code Quality |
|
|
Overcomplicated or malformed condition
|
Step
RouteRule
Flow |
Code Quality |
CWE-570
CWE-571
|
|
Info
|
|
Missing API versioning
|
Proxy |
Secure Configuration |
CWE-710
|
|
Policy is not linked to step
|
Proxy |
Code Quality |
CWE-561
|
|
Resource is not linked to a policy
|
Proxy |
Code Quality |
CWE-561
|