| Name | Severity | Scopes | Tags | Links |
|---|---|---|---|---|
| JWT/JWS is decoded but not verified in the same flow phase | Critical | Step | Authentication & Authorisation | [CWE-347](https://cwe.mitre.org/data/definitions/347.html) |
| Request content is stringified | Critical | Step | Data Validation, DoS Protection | [CWE-20](https://cwe.mitre.org/data/definitions/20.html) |
| Sensitive information is in the source code | Critical | Step | Data at Rest | [CWE-256](https://cwe.mitre.org/data/definitions/256.html), [CWE-312](https://cwe.mitre.org/data/definitions/312.html) |
| API Key is not removed before the request is sent to target system | High | Proxy | Data in Transit | [CWE-201](https://cwe.mitre.org/data/definitions/201.html) |
| Authorization header is not removed before the request is sent to target system | High | Proxy | Data in Transit | [CWE-201](https://cwe.mitre.org/data/definitions/201.html) |
| Cache is accessed without prior authentication | High | Step | Authentication & Authorisation | [CWE-306](https://cwe.mitre.org/data/definitions/306.html) |
| Confidential data is used as a cache key | High | Step | Data at Rest | [CWE-256](https://cwe.mitre.org/data/definitions/256.html), [CWE-312](https://cwe.mitre.org/data/definitions/312.html) |
| Insecure Quota configuration | High | Step | Code Quality, Data Validation | [CWE-770](https://cwe.mitre.org/data/definitions/770.html) |
| Open Redirect | High | Step | Data Validation | [CWE-601](https://cwe.mitre.org/data/definitions/601.html), [CWE-20](https://cwe.mitre.org/data/definitions/20.html) |
| Policy sets confidential data in URL parameters | High | Step | Data in Transit | [CWE-598](https://cwe.mitre.org/data/definitions/598.html) |
| Proxy doesn't have default flow | High | Proxy | Code Quality, Data Validation | [CWE-20](https://cwe.mitre.org/data/definitions/20.html) |
| Request content is tainted by user input | High | Step | Data Validation | [CWE-20](https://cwe.mitre.org/data/definitions/20.html), [CWE-116](https://cwe.mitre.org/data/definitions/116.html) |
| Target URL is tainted by user input | High | Step | Data Validation | [CWE-22](https://cwe.mitre.org/data/definitions/22.html), [CWE-233](https://cwe.mitre.org/data/definitions/233.html), [CWE-918](https://cwe.mitre.org/data/definitions/918.html), [CWE-20](https://cwe.mitre.org/data/definitions/20.html) |
| Unsafe regular expression | High | Step | Data Validation | [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html) |
| Unsafe variable is used to define host | High | Step | Data Validation | [CWE-20](https://cwe.mitre.org/data/definitions/20.html) |
| User-controlled data in ServiceCallout | High | Step | Data Validation | [CWE-233](https://cwe.mitre.org/data/definitions/233.html), [CWE-20](https://cwe.mitre.org/data/definitions/20.html) |
| Condition has undefined variables | Medium | Step, RouteRule, Flow | Code Quality | [CWE-570](https://cwe.mitre.org/data/definitions/570.html), [CWE-571](https://cwe.mitre.org/data/definitions/571.html) |
| Error flow variable is set but not checked in request phase | Medium | Step | Error Handling | [CWE-390](https://cwe.mitre.org/data/definitions/390.html) |
| Insecure JSONThreatProtection policy | Medium | JSONThreatProtection | Code Quality, Data Validation | [CWE-770](https://cwe.mitre.org/data/definitions/770.html), [CWE-20](https://cwe.mitre.org/data/definitions/20.html) |
| Lack of DefaultFaultRule | Medium | Target, Proxy | Error Handling | [CWE-390](https://cwe.mitre.org/data/definitions/390.html) |