CodeSent Rules - Comprehensive API Security & Static Analysis

Target AccessControl AssignMessage SpikeArrest

Name	Severity	Scopes	Tags	Links
Bypassing AccessControl policy via True-Client-IP header	Critical	AccessControl	Data Validation	CWE-290
Connection to the system is not encrypted	Critical	ServiceCallout MessageLogging Target	Data in Transit	CWE-319
Lack of certificate validation	Critical	ServiceCallout MessageLogging Target	Data in Transit	CWE-295
AssignMessage request parameters pollution	High	AssignMessage	Data Validation	CWE-20
No TLS protocol specified in connection definition	High	ServiceCallout MessageLogging Target	Data in Transit	CWE-327
SpikeArrest policy doesn't use any identifier	High	SpikeArrest	DoS Protection	CWE-770
Use of weak hash algorithms	High	AssignMessage HMAC JavaScript	Secure Configuration	CWE-327
AccessControl allows all IPs	Medium	AccessControl	Data Validation	CWE-290
Lack of DefaultFaultRule	Medium	Target Proxy	Error Handling	CWE-390
MatchesPath is applied to a static parameter	Medium	Target Proxy	Code Quality Data Validation	CWE-20
Unreachable FaultRule	Medium	Target Proxy	Code Quality	CWE-561
Unreachable Flow	Medium	Target Proxy	Code Quality	CWE-561