90 Rules
| ID | Name | Severity |
|---|---|---|
| 7740 | Avoid HTTP response splitting | critical |
| 7742 | Avoid SQL injection | critical |
| 7746 | Avoid LDAP injection | critical |
| 7748 | Avoid OS command injection | critical |
| 7750 | Avoid XPath injection | critical |
| 7752 | Avoid file path manipulation | high |
| 8044 | Avoid log forging | high |
| 8098 | Avoid uncontrolled format string | critical |
| 8222 | Avoid hard-coded credentials | critical |
| 8238 | Avoid mixing trusted and untrusted data in HTTP requests | high |
| 8240 | Avoid using unsecured cookie | critical |
| 8242 | Avoid using insufficient random values for cookies | high |
| 8408 | Avoid reflected cross-site scripting (non persistent) | critical |
| 8410 | Avoid cross-site scripting (persistent) | critical |
| 8414 | Avoid weak cryptographic algorithm | high |
| 8416 | Avoid use of a reversible one-way hash | high |
| 8418 | Avoid NoSQL injection | critical |
| 8420 | Avoid second order SQL injection | critical |
| 8424 | Avoid using hard-coded HMAC keys | critical |
| 8434 | Avoid process control | critical |
| 8436 | Avoid thread injection | critical |
| 8438 | Avoid code injection | critical |
| 8440 | Avoid reflection injection | critical |
| 8442 | Avoid resource injection | critical |
| 8444 | Avoid resource URL manipulation | critical |
| 8446 | Avoid URL redirection to untrusted site | critical |
| 8482 | Avoid cross-site scripting through API requests | critical |
| 8484 | Avoid HTTP response splitting through API requests | critical |
| 8486 | Avoid resource injection through API requests | critical |
| 8488 | Avoid resource URL manipulation through API requests | critical |
| 8490 | Avoid SQL injection through API requests | critical |
| 8492 | Avoid LDAP injection through API requests | critical |
| 8494 | Avoid OS command injection through API requests | critical |
| 8496 | Avoid process control through API requests | critical |
| 8498 | Avoid thread injection through API requests | critical |
| 8500 | Avoid code injection through API requests | critical |
| 8502 | Avoid reflection injection through API requests | critical |
| 8504 | Avoid XPath injection through API requests | critical |
| 8506 | Avoid file path manipulation through API requests | critical |
| 8508 | Avoid log forging through API requests | high |
| 8510 | Avoid uncontrolled format string through API requests | critical |
| 8512 | Avoid mixing trusted and untrusted data in HTTP requests through API requests | critical |
| 8514 | Avoid NoSQL injection through API requests | critical |
| 8516 | Avoid URL redirection to untrusted site through API requests | critical |
| 8518 | Avoid regular expression injection | critical |
| 8520 | Avoid second order regular expression injection | critical |
| 8522 | Avoid regular expression injection through API requests | critical |
| 8524 | Avoid deserialization injection | critical |
| 8526 | Avoid second order deserialization injection | critical |
| 8528 | Avoid deserialization injection through API requests | critical |
| 8530 | Avoid XQuery injection | critical |
| 8532 | Avoid second order XQuery injection | critical |
| 8534 | Avoid XQuery injection through API requests | critical |
| 8536 | Avoid expression language injection | critical |
| 8538 | Avoid second order expression language injection | critical |
| 8540 | Avoid expression language injection through API requests | critical |
| 8542 | Avoid debug forging | medium |
| 8544 | Avoid debug forging through API requests | medium |
| 8554 | Avoid using insufficient random generator | critical |
| 8560 | Avoid server-side request forgery | critical |
| 8562 | Avoid server-side request forgery through API requests | critical |
| 8564 | Avoid second order server-side request forgery | critical |
| 1025000 | Avoid second order OS command injection | critical |
| 1025002 | Avoid second order XPath injection | critical |
| 1025004 | Avoid second order URL redirection to untrusted site | critical |
| 1025010 | Avoid second order LDAP injection | critical |
| 1025016 | Avoid using cookie without the HttpOnly flag | critical |
| 1025018 | Avoid cookie injection | critical |
| 1025020 | Avoid data filter injection | critical |
| 1025022 | Avoid data filter injection through API requests | critical |
| 1025024 | Avoid disabling the expiration time validation of a JWT token | critical |
| 1025026 | Avoid disabling the expiration time requirement of a JWT token | critical |
| 1025028 | Avoid disabling the signature requirement of a JWT token | critical |
| 1025030 | Avoid hard-coded JWT secret keys | critical |
| 1025032 | Avoid insecure parameters for PBKDF2 password encoder | critical |
| 1025034 | Avoid insecure parameters for BCrypt password encoder | critical |
| 1025036 | Avoid insecure parameters for Argon2 password encoder | critical |
| 1025038 | Avoid insecure parameters for SCrypt password encoder | critical |
| 1025040 | Avoid external control of system or configuration setting | critical |
| 1025042 | Avoid external control of system or configuration setting through API requests | critical |
| 1025044 | Avoid MVC injection | critical |
| 1025046 | Avoid MVC injection through API requests | critical |
| 1025048 | Avoid hard-coded password in connection string | critical |
| 1025050 | Avoid dangerous file inclusion | critical |
| 1025052 | Avoid using unnormalized input strings | critical |
| 1025054 | Avoid plaintext storage of password | critical |
| 1025056 | Avoid running SQL queries inside a loop | critical |
| 1025058 | Avoid numeric user inputs in SQL queries | critical |
| 1025060 | Avoid second order numeric user inputs in SQL queries | critical |
| 1025062 | Avoid numeric user inputs in SQL queries through API requests | critical |