CodeSent Rules - Comprehensive API Security & Static Analysis

Step BasicAuthentication HMAC JavaScript Proxy

Name	Severity	Scopes	Tags	Links
JWT/JWS is decoded but not verified in the same flow phase	Critical	Step	Authentication & Authorisation	CWE-347
Request content is stringified	Critical	Step	Data Validation DoS Protection	CWE-20
Sensitive information is in the source code	Critical	Step	Data at Rest	CWE-256 CWE-312
API Key is not removed before the request is sent to target system	High	Proxy	Data in Transit	CWE-201
Authorization header is not removed before the request is sent to target system	High	Proxy	Data in Transit	CWE-201
Cache is accessed without prior authentication	High	Step	Authentication & Authorisation	CWE-306
Confidential data is used as a cache key	High	Step	Data at Rest	CWE-256 CWE-312
Insecure Quota configuration	High	Step	Code Quality Data Validation	CWE-770
Open Redirect	High	Step	Data Validation	CWE-601 CWE-20
Policy sets confidential data in URL parameters	High	Step	Data in Transit	CWE-598
Proxy doesn't have default flow	High	Proxy	Code Quality Data Validation	CWE-20
Request content is tainted by user input	High	Step	Data Validation	CWE-20 CWE-116
Target URL is tainted by user input	High	Step	Data Validation	CWE-22 CWE-233 CWE-918 CWE-20
Unsafe regular expression	High	Step	Data Validation	CWE-1333
Unsafe variable is used to define host	High	Step	Data Validation	CWE-20
Use of weak hash algorithms	High	AssignMessage HMAC JavaScript	Secure Configuration	CWE-327
User-controlled data in ServiceCallout	High	Step	Data Validation	CWE-233 CWE-20
Condition has undefined variables	Medium	Step RouteRule Flow	Code Quality	CWE-570 CWE-571
Error flow variable is set but not checked in request phase	Medium	Step	Error Handling	CWE-390
Lack of DefaultFaultRule	Medium	Target Proxy	Error Handling	CWE-390