Snyk Code security rules
This page lists all security rules used by Snyk Code when scanning your source code for vulnerabilities.
Each rule includes the following information.
Rule Name: The Snyk name of the rule.
Languages: The programming languages to which this specific rule applies. Note that there might be two rules with the same name that apply to different languages.
CWE(s): The CWE numbers that are covered by this rule.
Security Categories: The OWASP Top 10 (2021 edition) category the rule belongs to, if any, and whether the rule is included in the CWE/SANS Top 25 (shown as "Sans Top 25"). Rules that map to neither list leave this column empty.
| Rule Name | Languages | CWE(s) | Security Categories |
| --- | --- | --- | --- |
| ASP SSL Disabled | XML | CWE-319 | OWASP:A02 |
| Access Violation | Apex | CWE-284, CWE-285 | OWASP:A01 |
| Allocation of Resources Without Limits or Throttling | JavaScript, PHP | CWE-770 | |
| An optimizing compiler may remove memset non-zero leaving data in memory | C++ | CWE-1330 | |
| Android Debug Mode Enabled | XML | CWE-489 | |
| Android Fragment Injection | Java, Kotlin | CWE-470 | OWASP:A03 |
| Android Intent Forwarding | Java, Kotlin | CWE-940 | OWASP:A07 |
| Android Uri Permission Manipulation | Java, Kotlin | CWE-266 | OWASP:A04 |
| Android World Writeable/Readable File Permission Found | Java, Kotlin, Scala | CWE-732 | |
| Anti-forgery token validation disabled | C# | CWE-352 | Sans Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Tar Slip) | Python | CWE-22 | Sans Top 25, OWASP:A01 |
| Arbitrary File Write via Archive Extraction (Zip Slip) | C#, JavaScript, PHP | CWE-22 | Sans Top 25, OWASP:A01 |
| Authentication Bypass by Spoofing | C++ | CWE-290 | OWASP:A07 |
| Authentication over HTTP | Python | CWE-319 | OWASP:A02 |
| Binding to all network interfaces may open service to unintended traffic | Python | CWE-284 | OWASP:A01 |
| Broken User Authentication | Python | CWE-287 | Sans Top 25, OWASP:A07 |
| Buffer Over-read | JavaScript | CWE-126 | |
| Buffer Overflow | C++ | CWE-122 | |
| Clear Text Logging | Go, Swift | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Clear Text Sensitive Storage | Apex, JavaScript | CWE-200, CWE-312 | OWASP:A01, OWASP:A04 |
| Cleartext Storage of Sensitive Information in a Cookie | C#, Java, Kotlin, Scala | CWE-315 | OWASP:A05 |
| Cleartext Transmission of Sensitive Information | Java, JavaScript, Kotlin, Scala | CWE-319 | OWASP:A02 |
| Code Execution via Third Party Package Context | Java, Kotlin | CWE-94 | Sans Top 25, OWASP:A03 |
| Code Execution via Third Party Package Installation | Java, Kotlin | CWE-940 | OWASP:A07 |
| Code Injection | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-94 | Sans Top 25, OWASP:A03 |
| Command Injection | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-78 | Sans Top 25, OWASP:A03 |
| Cross-Site Request Forgery (CSRF) | Java, JavaScript, Kotlin, Python, Scala | CWE-352 | Sans Top 25, OWASP:A01 |
| Cross-site Scripting (XSS) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-79 | Sans Top 25, OWASP:A03 |
| Cryptographic Issues | Java, JavaScript, Kotlin, Python, Scala | CWE-310 | OWASP:A02 |
| Debug Features Enabled | C#, Visual Basic, XML | CWE-215 | |
| Debug Mode Enabled | Python | CWE-489 | |
| Denial of Service (DoS) through Nested GraphQL Queries | JavaScript | CWE-400 | |
| Dereference of a NULL Pointer | C++ | CWE-476 | Sans Top 25 |
| Deserialization of Untrusted Data | C#, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 |
| Device Authentication Bypass | Swift | CWE-287 | Sans Top 25, OWASP:A07 |
| Disabled Neutralization of CRLF Sequences in HTTP Headers | Java, Kotlin, Scala | CWE-113 | OWASP:A03 |
| Disabling Strict Contextual escaping (SCE) could provide additional attack surface for Cross-site Scripting (XSS) | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 |
| Division By Zero | C++ | CWE-369 | |
| Double Free | C++ | CWE-415 | |
| Electron Disable Security Warnings | JavaScript | CWE-16 | OWASP:A05 |
| Electron Insecure Web Preferences | JavaScript | CWE-16 | OWASP:A05 |
| Electron Load Insecure Content | JavaScript | CWE-16 | OWASP:A05 |
| Exposure of Private Personal Information to an Unauthorized Actor | C#, C++ | CWE-359 | OWASP:A01 |
| External Control of System or Configuration Setting | Java, Kotlin, Scala | CWE-15 | OWASP:A05 |
| File Access Enabled | Java, Kotlin | CWE-200 | OWASP:A01 |
| File Inclusion | PHP | CWE-98 | OWASP:A03 |
| Generation of Error Message Containing Sensitive Information | Go, XML | CWE-209 | OWASP:A04 |
| GraphQL Injection | JavaScript | CWE-89 | Sans Top 25, OWASP:A03 |
| Hardcoded Secret | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-547 | OWASP:A05 |
| Improper Access Control: Email Content Injection | Apex, Go, PHP | CWE-284 | OWASP:A01 |
| Improper Authentication | Java, Kotlin, Scala | CWE-287 | Sans Top 25, OWASP:A07 |
| Improper Certificate Validation | Go, Java, Kotlin, Python, Ruby, Scala, Swift | CWE-295 | OWASP:A07 |
| Improper Code Sanitization | JavaScript | CWE-116, CWE-79, CWE-94 | Sans Top 25, OWASP:A03 |
| Improper Handling of Insufficient Permissions or Privileges | Java, Kotlin, Python | CWE-280 | OWASP:A04 |
| Improper Input Validation | Ruby | CWE-20 | Sans Top 25, OWASP:A03 |
| Improper Neutralization of CRLF Sequences in HTTP Headers | C#, Java, Kotlin, Scala, Visual Basic | CWE-113 | OWASP:A03 |
| Improper Neutralization of Directives in Statically Saved Code | Go, JavaScript, Python, Ruby | CWE-96 | OWASP:A03 |
| Improper Null Termination | C++ | CWE-170 | |
| Improper Restriction of Rendered UI Layers or Frames | JavaScript, PHP, XML | CWE-1021 | OWASP:A04 |
| Improper Type Validation | JavaScript | CWE-1287 | |
| Improper Validation of Certificate with Host Mismatch | Java, Kotlin, Scala | CWE-297 | OWASP:A07 |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes | Ruby | CWE-915 | OWASP:A08 |
| Inadequate Encryption Strength | C#, C++, Go, Java, Kotlin, PHP, Python, Scala, Swift, Visual Basic | CWE-326 | OWASP:A02 |
| Inadequate Padding for AES encryption | Java, Kotlin, Scala | CWE-326 | OWASP:A02 |
| Inadequate Padding for Public Key Encryption | PHP, Rust | CWE-326 | OWASP:A02 |
| Incorrect Permission Assignment | Java, Kotlin | CWE-732 | |
| Incorrect regular expression for validating values | Ruby | CWE-1286 | |
| Indirect Command Injection via User Controlled Environment | Java, Kotlin, Scala | CWE-78 | Sans Top 25, OWASP:A03 |
| Information Exposure | C#, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift | CWE-200 | OWASP:A01 |
| Insecure Anonymous LDAP Binding | C++ | CWE-287 | Sans Top 25, OWASP:A07 |
| Insecure Data Storage | Swift | CWE-922 | OWASP:A01 |
| Insecure Data Transmission | Apex, C#, Ruby | CWE-319 | OWASP:A02 |
| Insecure Deserialization | Swift | CWE-502 | Sans Top 25, OWASP:A08 |
| Insecure File Permissions | Python, Rust | CWE-732 | |
| Insecure JWT Verification Method | JavaScript | CWE-347 | OWASP:A02 |
| Insecure TLS Configuration | Go, JavaScript | CWE-327 | OWASP:A02 |
| Insecure Temporary File | Python | CWE-377 | OWASP:A01 |
| Insecure Xml Parser | Python | CWE-611 | OWASP:A05 |
| Insecure default value | Python | CWE-453 | |
| Insufficient Session Expiration | Java, Kotlin, Scala | CWE-613 | OWASP:A07 |
| Insufficient postMessage Validation | JavaScript | CWE-20 | Sans Top 25, OWASP:A03 |
| Integer Overflow | C++ | CWE-190 | Sans Top 25 |
| Introspection Enabled | JavaScript | CWE-200 | OWASP:A01 |
| JWT 'none' Algorithm Supported | JavaScript | CWE-347 | OWASP:A02 |
| JWT Signature Verification Bypass | Java | CWE-347 | OWASP:A02 |
| JWT Signature Verification Method Disabled | JavaScript | CWE-347 | OWASP:A02 |
| Java Naming and Directory Interface (JNDI) Injection | Java, Kotlin, Scala | CWE-74 | |
| JavaScript Enabled | Java, Kotlin | CWE-79 | Sans Top 25, OWASP:A03 |
| Jinja auto-escape is set to false. | Python | CWE-79 | Sans Top 25, OWASP:A03 |
| LDAP Injection | C#, C++, Java, Kotlin, Python, Scala | CWE-90 | OWASP:A03 |
| Log Forging | C# | CWE-117 | OWASP:A09 |
| Memory Allocation Of String Length | C++ | CWE-170 | |
| Memory Corruption | Swift | CWE-822 | |
| Missing Release of File Descriptor or Handle after Effective Lifetime | C++ | CWE-775 | |
| Missing Release of Memory after Effective Lifetime | C++ | CWE-401 | |
| No Weak Password Requirements | Ruby | CWE-521 | OWASP:A07 |
| NoSQL Injection | Java, JavaScript, Python | CWE-943 | |
| Observable Timing Discrepancy | Rust | CWE-208 | |
| Observable Timing Discrepancy (Timing Attack) | Java, JavaScript, Kotlin, Scala | CWE-208 | |
| Open Redirect | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Visual Basic | CWE-601 | OWASP:A01 |
| Origin Validation Error | Java, JavaScript, Kotlin, PHP, Python, Rust, Scala | CWE-346, CWE-942 | OWASP:A05, OWASP:A07 |
| Password Requirements Not Enforced in Django Application | Python | CWE-521 | OWASP:A07 |
| Path Traversal | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-23 | OWASP:A01 |
| Permissive Cross-domain Policy | JavaScript | CWE-942 | OWASP:A05 |
| Potential Negative Number Used as Index | C++ | CWE-125, CWE-787 | Sans Top 25 |
| Potential buffer overflow from usage of unsafe function | C++ | CWE-122 | |
| Privacy Leak | Java | CWE-532 | OWASP:A09 |
| Process Control | Java, Kotlin, Scala | CWE-114 | |
| Prototype Pollution | JavaScript | CWE-1321 | |
| Python 2 source code | Python | CWE-1104 | OWASP:A06 |
| Regular Expression Denial of Service (ReDoS) | JavaScript, PHP, Python, Ruby | CWE-400 | |
| Regular expression injection | Apex, C#, Java, Kotlin, Scala, Visual Basic | CWE-400, CWE-730 | |
| Remote Code Execution via Endpoint | Ruby | CWE-94 | Sans Top 25, OWASP:A03 |
| Request Validation Disabled | C#, Visual Basic, XML | CWE-554 | |
| SOQL Injection | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| SOSL Injection | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| SQL Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-89 | Sans Top 25, OWASP:A03 |
| Selection of Less-Secure Algorithm During Negotiation (Force SSL) | Ruby | CWE-311, CWE-757 | OWASP:A04, OWASP:A02 |
| Selection of Less-Secure Algorithm During Negotiation (SSL instead of TLS) | Python | CWE-757 | OWASP:A02 |
| Sensitive Cookie Without 'HttpOnly' Flag | C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-1004 | OWASP:A05 |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Swift, Visual Basic | CWE-614 | OWASP:A05 |
| Server Information Exposure | Java, Kotlin, Python, Scala | CWE-209 | OWASP:A04 |
| Server-Side Request Forgery (SSRF) | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Rust, Scala, Swift, Visual Basic | CWE-918 | Sans Top 25, OWASP:A10 |
| Session Manipulation | Ruby | CWE-285 | OWASP:A01 |
| Sinatra Protection Layers Disabled | Ruby | CWE-1021, CWE-16, CWE-348, CWE-35, CWE-352, CWE-693, CWE-79 | Sans Top 25, OWASP:A01, OWASP:A05, OWASP:A03, OWASP:A04 |
| Size Used as Index | C++ | CWE-125, CWE-787 | Sans Top 25 |
| Spring Cross-Site Request Forgery (CSRF) | Java | CWE-352 | Sans Top 25, OWASP:A01 |
| Struts Development Mode Enabled | XML | CWE-489 | |
| The cipher text is equal to the provided input plain text | Java, Kotlin, Scala | CWE-311 | OWASP:A04 |
| Trust Boundary Violation | Java, Kotlin, Scala | CWE-501 | OWASP:A04 |
| Unauthorized File Access | Java, Kotlin | CWE-79 | Sans Top 25, OWASP:A03 |
| Unchecked Input for Loop Condition | JavaScript | CWE-400, CWE-606 | |
| Unprotected Storage of Credentials | Java, Kotlin, Scala | CWE-256 | OWASP:A04 |
| Unrestricted Android Broadcast | Java, Kotlin | CWE-862 | Sans Top 25, OWASP:A01 |
| Unsafe JQuery Plugin | JavaScript | CWE-116, CWE-79 | Sans Top 25, OWASP:A03 |
| Unsafe Reflection | Java, Ruby | CWE-470 | OWASP:A03 |
| Unsafe SOQL Concatenation | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| Unsafe SOSL Concatenation | Apex | CWE-89 | Sans Top 25, OWASP:A03 |
| Unverified Password Change | Apex | CWE-620 | OWASP:A07 |
| Usage of BinaryFormatter | C#, Visual Basic | CWE-502 | Sans Top 25, OWASP:A08 |
| Use After Free | C++ | CWE-416 | Sans Top 25 |
| Use dangerouslySetInnerHTML to Explicitly Handle XSS Risks | JavaScript | CWE-79 | Sans Top 25, OWASP:A03 |
| Use of Expired File Descriptor | C++ | CWE-910 | |
| Use of Externally-Controlled Format String | C++, Java, JavaScript, Kotlin, Scala | CWE-134 | |
| Use of Hardcoded Credentials | Apex, C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 |
| Use of Hardcoded Cryptographic Initialization Value | Python | CWE-329 | OWASP:A02 |
| Use of Hardcoded Cryptographic Key | C++, Python, Ruby | CWE-321 | OWASP:A02 |
| Use of Hardcoded Passwords | Apex, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, XML | CWE-259, CWE-798 | Sans Top 25, OWASP:A07 |
| Use of Hardcoded, Security-relevant Constants | Java, Kotlin, Scala | CWE-547 | OWASP:A05 |
| Use of Insufficiently Random Values | C#, Go, Java, JavaScript, Kotlin, PHP, Ruby, Rust, Scala, Swift, Visual Basic | CWE-330 | OWASP:A02 |
| Use of Password Hash With Insufficient Computational Effort | Apex, C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-916 | OWASP:A02 |
| Use of Potentially Dangerous Function | Java, Kotlin, Scala | CWE-676 | |
| Use of Sticky broadcasts | Java, Kotlin | CWE-265 | |
| Use of a Broken or Risky Cryptographic Algorithm | C#, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Rust, Scala, Swift, Visual Basic | CWE-327 | OWASP:A02 |
| User Controlled Pointer | C++ | CWE-1285 | |
| Weak Password Recovery Mechanism for Forgotten Password | JavaScript | CWE-640 | OWASP:A07 |
| XAML Injection | C# | CWE-611 | OWASP:A05 |
| XML External Entity (XXE) Injection | C#, C++, Java, JavaScript, Kotlin, PHP, Ruby, Scala, Swift, Visual Basic | CWE-611 | OWASP:A05 |
| XML Injection | Apex, C#, Visual Basic | CWE-91 | OWASP:A03 |
| XPath Injection | C#, C++, Go, Java, JavaScript, Kotlin, PHP, Python, Ruby, Scala, Visual Basic | CWE-643 | OWASP:A03 |