|
User-controlled data in ServiceCallout
|
High |
Step |
Data Validation |
CWE-233
CWE-20
|
|
Use of weak hash algorithms
|
High |
AssignMessage
HMAC
JavaScript |
Secure Configuration |
CWE-327
|
|
Unused flow variables
|
Info |
Step |
Code Quality |
CWE-563
|
|
Unsafe variable is used to define host
|
High |
Step |
Data Validation |
CWE-20
|
|
Unsafe regular expression
|
High |
Step |
Data Validation |
CWE-1333
|
|
Unreachable RouteRule
|
Medium |
Proxy |
Code Quality |
CWE-561
|
|
Unreachable Flow
|
Medium |
Proxy |
Code Quality |
CWE-561
|
|
Target URL is tainted by user input
|
High |
Step |
Data Validation |
CWE-22
CWE-233
CWE-918
CWE-20
|
|
Step operates undefined flow variables
|
Low |
Step |
Code Quality |
CWE-457
|
|
SpikeArrest policy doesn't use any identifier
|
High |
SpikeArrest |
DoS Protection |
CWE-770
|
|
Sharedflow has not beeing scanned by CodeSent
|
Low |
FlowCallout |
Code Quality |
|
|
ServiceCallout policy uses default message object as a response
|
Medium |
ServiceCallout |
Code Quality |
CWE-200
|
|
ServiceCallout policy uses default message object as a request
|
Medium |
ServiceCallout |
Code Quality |
CWE-200
|
|
Sensitive information is in the source code
|
Critical |
Step |
Data at Rest |
CWE-256
CWE-312
|
|
Resource is not linked to a policy
|
Info |
Proxy |
Code Quality |
CWE-561
|
|
Request content is stringified
|
Critical |
Step |
Data Validation
DoS Protection |
CWE-20
|
|
Request Content is tainted by user input
|
High |
Step |
Data Validation |
CWE-20
CWE-116
|
|
Proxy doesn't have default flow
|
High |
Proxy |
Code Quality
Data Validation |
CWE-20
|
|
Private flow variable is written into public one
|
Medium |
Step |
Data at Rest |
CWE-532
|
|
Policy sets confidential data in URL parameters
|
High |
Step |
Data in Transit |
CWE-598
|