| 200000-1 |
SQL Injection - Single Quote (before) |
alpha |
High |
Tool |
| 200000-2 |
SQL Injection - Double Quote (before) |
alpha |
High |
Tool |
| 200000-3 |
SQL Injection - Single Quote (after) |
alpha |
High |
Tool |
| 200000-4 |
SQL Injection - Double Quote (after) |
alpha |
High |
Tool |
| 200001 |
OS Command Injection - Unix cat /etc/passwd (pipe) |
alpha |
High |
Tool |
| 200002-1 |
XSS - Unfiltered <script> tag |
alpha |
High |
Tool |
| 200002-2 |
XSS - Script tag after noscript tag |
alpha |
High |
Tool |
| 200002-3 |
XSS - Svg tag with animation event |
alpha |
High |
Tool |
| 200002-4 |
XSS - Img onerror |
alpha |
High |
Tool |
| 200002-5 |
XSS - Img onerror |
alpha |
High |
Tool |
| 200002-6 |
XSS - attribute context img onerror |
alpha |
High |
Tool |
| 200002-7 |
XSS - SVG onload polyglot |
alpha |
High |
Tool |
| 200002-8 |
XSS - JS string break-out |
alpha |
High |
Tool |
| 200002-9 |
XSS - JS template literal break-out |
alpha |
High |
Tool |
| 200002-10 |
XSS - JS expression replacement |
alpha |
High |
Tool |
| 200002-11 |
XSS - JS single-quoted string break-out |
alpha |
High |
Tool |
| 200002-12 |
XSS - JS slash/regex literal break-out |
alpha |
High |
Tool |
| 200002-13 |
XSS - JS block comment break-out |
alpha |
High |
Tool |
| 200002-14 |
XSS - double-quoted attribute event injection |
alpha |
High |
Tool |
| 200002-15 |
XSS - single-quoted attribute event injection |
alpha |
High |
Tool |
| 200002-16 |
XSS - unquoted attribute event injection |
alpha |
High |
Tool |
| 200002-17 |
XSS - attribute-name event injection |
alpha |
High |
Tool |
| 200002-18 |
XSS - tag-name SVG onload injection |
alpha |
High |
Tool |
| 200003-1 |
JWT Probe (Authorization + JWT cookies removed) |
alpha |
High |
Tool |
| 200003-2 |
JWT Probe (Authorization header removed) |
alpha |
High |
Tool |
| 200003-3 |
JWT Probe (JWT cookies removed) |
alpha |
High |
Tool |
| 200003-4 |
JWT None Algorithm (Cookie) |
alpha |
High |
Tool |
| 200003-5 |
JWT None Algorithm (Form body param) |
alpha |
High |
Tool |
| 200003-6 |
JWT None Algorithm (Authorization header) |
alpha |
High |
Tool |
| 200003-7 |
JWT None Algorithm (JSON body) |
alpha |
High |
Tool |
| 200004-1 |
Exposure of Git repository |
alpha |
Medium |
Tool |
| 200004-2 |
Exposure of SVN repository |
alpha |
Medium |
Tool |
| 200004-3 |
Exposure of Mercurial repository |
alpha |
Medium |
Tool |
| 200005-1 |
Missing Content-Security-Policy header |
alpha |
Low |
Tool |
| 200005-2 |
CSP allows inline/eval or wildcards in script/style |
alpha |
Low |
Tool |
| 200005-3 |
CSP 'frame-ancestors' missing or overly broad |
alpha |
Low |
Tool |
| 200005-4 |
CSP Report-Only present without enforcing CSP |
alpha |
Low |
Tool |
| 200005-5 |
Missing Strict-Transport-Security header (on HTTPS) |
alpha |
Low |
Tool |
| 200005-6 |
Strict-Transport-Security sent over HTTP (ineffective) |
alpha |
Low |
Tool |
| 200005-7 |
HSTS max-age too low or missing includeSubDomains |
alpha |
Low |
Tool |
| 200005-8 |
X-Powered-By header or equivalent present |
alpha |
Low |
Tool |
| 200005-9 |
Server banner discloses software/version |
alpha |
Low |
Tool |
| 200005-10 |
Missing or invalid X-Content-Type-Options |
alpha |
Low |
Tool |
| 200005-11 |
X-XSS-Protection header is a legacy directive |
alpha |
Low |
Tool |
| 200005-12 |
Expect-CT is deprecated |
alpha |
Low |
Tool |
| 200005-13 |
COOP set without COEP/CORP (incomplete cross-origin isolation) |
alpha |
Low |
Tool |
| 200005-14 |
COEP present but value is not 'require-corp' or 'credentialless' |
alpha |
Low |
Tool |
| 200005-15 |
Deprecated Feature-Policy or unknown/overly-permissive Permissions-Policy |
alpha |
Low |
Tool |
| 200005-16 |
Missing or weak Referrer-Policy |
alpha |
Low |
Tool |
| 200005-17 |
Clear-Site-Data present but missing executionContexts |
alpha |
Low |
Tool |
| 200005-18 |
Clear-Site-Data uses wildcard * |
alpha |
Low |
Tool |
| 200005-19 |
CORS allows any origin with credentials |
alpha |
Low |
Tool |
| 200005-20 |
Sensitive cookies missing security flags |
alpha |
Low |
Tool |
| 200005-21 |
Potentially authenticated content lacks no-store |
alpha |
Low |
Tool |
| 200005-22 |
Public-Key-Pins is deprecated |
alpha |
Low |
Tool |
| 200005-23 |
COOP present but value is not 'same-origin' |
alpha |
Low |
Tool |
| 200006-1 |
Credit Card Number |
alpha |
Low |
Tool |
| 200006-2 |
Social Security Number |
alpha |
Low |
Tool |
| 200007 |
SPA hash DOM XSS |
alpha |
High |
Tool |
| 200008 |
ws:// from HTTPS context |
alpha |
Low |
Tool |
| 200009-1 |
JavaScript includes sourceMappingURL |
alpha |
Low |
Tool |
| 200009-2 |
HTML references .map files |
alpha |
Low |
Tool |
| 200009-3 |
Webpack dev-server / hot reload artifacts |
alpha |
Low |
Tool |
| 200009-4 |
Next.js build metadata exposed |
alpha |
Low |
Tool |
| 200010-1 |
Node.js / Express stack trace |
alpha |
Medium |
Tool |
| 200010-2 |
Java stack trace |
alpha |
Medium |
Tool |
| 200010-3 |
.NET stack trace / YSOD |
alpha |
Medium |
Tool |
| 200010-4 |
Python traceback |
alpha |
Medium |
Tool |
| 200010-5 |
PHP fatal error / warning |
alpha |
Medium |
Tool |
| 200010-6 |
Internal file path disclosure |
alpha |
Medium |
Tool |
| 200011-1 |
Private key material exposed |
alpha |
Low |
Tool |
| 200011-2 |
AWS Access Key ID pattern |
alpha |
Low |
Tool |
| 200011-3 |
Slack token pattern |
alpha |
Low |
Tool |
| 200011-4 |
GitHub token pattern |
alpha |
Low |
Tool |
| 200011-5 |
Sentry DSN exposed |
alpha |
Low |
Tool |
| 200011-6 |
Firebase config exposed |
alpha |
Low |
Tool |
| 200011-7 |
Stripe publishable key exposed |
alpha |
Low |
Tool |
| 200011-8 |
Mapbox token exposed |
alpha |
Low |
Tool |
| 200011-9 |
Google API key pattern |
alpha |
Low |
Tool |
| 200012-1 |
Swagger UI detected |
alpha |
Informational |
Tool |
| 200012-2 |
OpenAPI spec detected |
alpha |
Informational |
Tool |
| 200012-3 |
API docs endpoint observed |
alpha |
Informational |
Tool |
| 200012-4 |
GraphQL endpoint observed |
alpha |
Informational |
Tool |
| 200012-5 |
GraphiQL / GraphQL Playground detected |
alpha |
Informational |
Tool |
| 200013-1 |
security.txt observed |
alpha |
Informational |
Tool |
| 200013-2 |
OIDC well-known configuration observed |
alpha |
Informational |
Tool |
| 200013-3 |
Android assetlinks.json observed |
alpha |
Informational |
Tool |
| 200013-4 |
Apple app-site-association observed |
alpha |
Informational |
Tool |
| 200014-1 |
access_token/id_token in URL |
alpha |
Medium |
Tool |
| 200014-2 |
JWT-like value in URL |
alpha |
Medium |
Tool |
| 200014-3 |
api_key/key in URL |
alpha |
Medium |
Tool |
| 200015-1 |
Open redirect candidate parameter |
alpha |
Informational |
Tool |
| 200015-2 |
SSRF / webhook URL candidate parameter |
alpha |
Informational |
Tool |
| 200015-3 |
File/path candidate parameter |
alpha |
Informational |
Tool |
| 200015-4 |
IDOR candidate parameter |
alpha |
Informational |
Tool |
| 200016-1 |
Internal IP address leaked in response |
alpha |
Low |
Tool |
| 200016-2 |
localhost/127.0.0.1 referenced in response |
alpha |
Low |
Tool |
| 200016-3 |
Environment hints (dev/staging/test) in response |
alpha |
Low |
Tool |
| 200016-4 |
Cloud metadata IP referenced |
alpha |
Low |
Tool |
| 200017-1 |
Dynamic ACAO without Vary: Origin |
alpha |
Low |
Tool |
| 200017-2 |
CORS allows broad methods |
alpha |
Low |
Tool |
| 200017-3 |
CORS allows broad headers |
alpha |
Low |
Tool |
| 200018 |
Cache-Control public/max-age with Set-Cookie |
alpha |
Low |
Tool |
| 200019-1 |
Admin/management path observed |
alpha |
Informational |
Tool |
| 200019-2 |
Debug/diagnostic path observed |
alpha |
Informational |
Tool |
| 200019-3 |
Spring Boot actuator endpoint observed |
alpha |
Informational |
Tool |
| 200019-4 |
Swagger/OpenAPI path observed |
alpha |
Informational |
Tool |
| 200019-5 |
GraphQL path observed |
alpha |
Informational |
Tool |
| 200019-6 |
Potential backup file observed |
alpha |
Informational |
Tool |
| 200019-7 |
Environment/config file observed |
alpha |
Informational |
Tool |
| 200019-8 |
Potential .git exposure path observed |
alpha |
Informational |
Tool |
| 200019-9 |
phpinfo endpoint observed |
alpha |
Informational |
Tool |
| 200021-1 |
AngularJS template injection - reflected 1.0.1 to 1.1.5 |
alpha |
High |
Tool |
| 200021-2 |
AngularJS expression injection - expression 1.0.1 to 1.1.5 |
alpha |
High |
Tool |
| 200021-3 |
AngularJS template injection - reflected short legacy 1.0.1 to 1.1.5 |
alpha |
High |
Tool |
| 200021-4 |
AngularJS template injection - reflected 1.2.0 to 1.2.1 |
alpha |
High |
Tool |
| 200021-5 |
AngularJS expression injection - expression 1.2.0 to 1.2.18 |
alpha |
High |
Tool |
| 200021-6 |
AngularJS template injection - reflected 1.2.2 to 1.2.5 |
alpha |
High |
Tool |
| 200021-7 |
AngularJS template injection - reflected 1.2.6 to 1.2.18 |
alpha |
High |
Tool |
| 200021-8 |
AngularJS expression injection - expression 1.2.6 to 1.2.18 |
alpha |
High |
Tool |
| 200021-9 |
AngularJS template injection - reflected 1.2.19 to 1.2.23 |
alpha |
High |
Tool |
| 200021-10 |
AngularJS expression injection - expression 1.2.19 to 1.2.23 |
alpha |
High |
Tool |
| 200021-11 |
AngularJS template injection - reflected 1.2.24 to 1.2.29 |
alpha |
High |
Tool |
| 200021-12 |
AngularJS expression injection - expression 1.2.24 to 1.2.26 |
alpha |
High |
Tool |
| 200021-13 |
AngularJS expression injection - expression 1.2.27 to 1.3.20 |
alpha |
High |
Tool |
| 200021-14 |
AngularJS template injection - reflected 1.4.0 to 1.4.9 |
alpha |
High |
Tool |
| 200021-15 |
AngularJS expression injection - expression 1.4.0 to 1.4.5 |
alpha |
High |
Tool |
| 200021-16 |
AngularJS template injection - reflected 1.5.0 to 1.5.8 |
alpha |
High |
Tool |
| 200021-17 |
AngularJS expression injection - expression 1.4.2 to 1.5.8 |
alpha |
High |
Tool |
| 200021-18 |
AngularJS template injection - reflected 1.6 and later |
alpha |
High |
Tool |
| 200021-19 |
AngularJS expression injection - expression 1.6 and later |
alpha |
High |
Tool |
| 200021-20 |
AngularJS expression injection - single-quote expression 1.2.19 to 1.2.23 |
alpha |
High |
Tool |
| 200021-21 |
AngularJS template injection - reflected eval 1.4.0 to 1.4.9 |
alpha |
High |
Tool |
| 200021-22 |
AngularJS template injection - HTML entity delimiters 1.4.0 to 1.4.9 |
alpha |
High |
Tool |
| 200021-23 |
AngularJS template injection - HTML entity alternate delimiters 1.4.0 to 1.4.9 |
alpha |
High |
Tool |
| 200021-24 |
AngularJS expression injection - eval expression 1.4.0 to 1.4.9 |
alpha |
High |
Tool |
| 200021-25 |
AngularJS template injection - alternate delimiters 1.6 and later |
alpha |
High |
Tool |
| 200022-1 |
DOM XSS via query param HTML image onerror |
alpha |
High |
Tool |
| 200022-2 |
DOM XSS via query param attribute breakout |
alpha |
High |
Tool |
| 200022-3 |
DOM XSS via query param JS double-quote breakout |
alpha |
High |
Tool |
| 200022-4 |
DOM XSS via query param JS single-quote breakout |
alpha |
High |
Tool |
| 200022-5 |
DOM XSS via query param JS template literal breakout |
alpha |
High |
Tool |
| 200022-6 |
DOM XSS via query param JS expression execution |
alpha |
High |
Tool |
| 200022-7 |
DOM XSS via query param JS regex breakout |
alpha |
High |
Tool |
| 200022-8 |
DOM XSS via query param JS block-comment breakout |
alpha |
High |
Tool |
| 200022-9 |
DOM XSS via query param script-tag breakout |
alpha |
High |
Tool |
| 200022-10 |
DOM XSS via query param event-handler value |
alpha |
High |
Tool |
| 200022-11 |
DOM XSS via query param attribute-name event injection |
alpha |
High |
Tool |
| 200022-12 |
DOM XSS via query param double-quoted attribute event breakout |
alpha |
High |
Tool |
| 200022-13 |
DOM XSS via query param double-quoted resource onerror breakout |
alpha |
High |
Tool |
| 200022-14 |
DOM XSS via query param single-quoted attribute event breakout |
alpha |
High |
Tool |
| 200022-15 |
DOM XSS via query param unquoted attribute event injection |
alpha |
High |
Tool |
| 200022-16 |
DOM XSS via query param SVG tag-name event injection |
alpha |
High |
Tool |
| 200022-17 |
DOM XSS via query param javascript: URL |
alpha |
High |
Tool |
| 200022-18 |
DOM XSS via query param style-block breakout |
alpha |
High |
Tool |
| 200023-1 |
Open redirect via common param names |
alpha |
Medium |
Tool |
| 200023-2 |
Open redirect reflected in form action |
alpha |
Medium |
Tool |
| 200023-3 |
Open redirect reflected in body destination |
alpha |
Medium |
Tool |
| 200024 |
JSONP callback parameter controls JavaScript response |
alpha |
Medium |
Tool |
| 210000-1 |
DOM XSS via inline event handler |
alpha |
High |
Tool |
| 210000-2 |
DOM XSS via Element.innerHTML |
alpha |
High |
Tool |
| 210000-3 |
DOM XSS via Element.outerHTML |
alpha |
High |
Tool |
| 210000-4 |
DOM XSS via insertAdjacentHTML |
alpha |
High |
Tool |
| 210000-5 |
DOM XSS via document.write |
alpha |
High |
Tool |
| 210000-6 |
DOM XSS via DOM mutations |
alpha |
High |
Tool |
| 210001-1 |
Dynamic code execution via eval |
alpha |
High |
Tool |
| 210001-2 |
Dynamic code execution via Function constructor |
alpha |
High |
Tool |
| 210001-3 |
Dynamic code execution via Function.apply |
alpha |
High |
Tool |
| 210002-1 |
Open redirect via window.open |
alpha |
Low |
Tool |
| 210002-2 |
Open redirect via Navigation API |
alpha |
Low |
Tool |
| 210003-1 |
javascript: URL assigned to href |
alpha |
High |
Tool |
| 210003-2 |
javascript: URL navigated via location.href |
alpha |
High |
Tool |
| 210003-3 |
javascript: URL assigned to iframe.src |
alpha |
High |
Tool |
| 210003-4 |
data: URL assigned to script.src |
alpha |
High |
Tool |
| 210003-5 |
data: URL assigned to href |
alpha |
High |
Tool |
| 210003-6 |
javascript: URL assigned to src |
alpha |
High |
Tool |
| 210003-7 |
data: URL assigned to src |
alpha |
High |
Tool |
| 210003-8 |
data: URL navigated via location.href |
alpha |
High |
Tool |
| 210003-9 |
javascript: URL navigated via location.assign |
alpha |
High |
Tool |
| 210003-10 |
data: URL navigated via location.assign |
alpha |
High |
Tool |
| 210003-11 |
javascript: URL navigated via location.replace |
alpha |
High |
Tool |
| 210003-12 |
data: URL navigated via location.replace |
alpha |
High |
Tool |
| 210003-13 |
javascript: URL opened via window.open |
alpha |
High |
Tool |
| 210003-14 |
data: URL opened via window.open |
alpha |
High |
Tool |
| 210003-15 |
data: URL assigned to iframe.src |
alpha |
High |
Tool |
| 210004-1 |
Route-controlled history.replaceState |
alpha |
Medium |
Tool |
| 210004-2 |
Route-controlled Navigation API transition |
alpha |
Medium |
Tool |
| 210004-3 |
Route-controlled history.pushState |
alpha |
Medium |
Tool |
| 210005-1 |
Form action manipulated by tainted route or body input |
alpha |
Medium |
Tool |
| 210005-2 |
formAction manipulated by tainted route or body input |
alpha |
Medium |
Tool |
| 210006-1 |
javascript: URL assigned to form action |
alpha |
High |
Tool |
| 210006-2 |
javascript: URL assigned to formAction |
alpha |
High |
Tool |
| 210006-3 |
data: URL assigned to form action |
alpha |
Medium |
Tool |
| 210006-4 |
data: URL assigned to formAction |
alpha |
Medium |
Tool |
| 210007-1 |
Response field rendered via innerHTML |
alpha |
High |
Tool |
| 210007-2 |
Response field rendered via document.write |
alpha |
High |
Tool |
| 210007-3 |
Response field rendered via outerHTML |
alpha |
High |
Tool |
| 210007-4 |
Response field rendered via insertAdjacentHTML |
alpha |
High |
Tool |
| 210007-5 |
Response field rendered via DOM mutation |
alpha |
Medium |
Tool |
| 210007-6 |
Response field parsed via DOMParser |
alpha |
Medium |
Tool |
| 210007-7 |
Response field parsed via createContextualFragment |
alpha |
Medium |
Tool |
| 210007-8 |
Response field rendered via setHTMLUnsafe |
alpha |
High |
Tool |
| 210007-9 |
Response field rendered via ShadowRoot.setHTMLUnsafe |
alpha |
High |
Tool |
| 210008-1 |
Prototype pollution influenced fetch() init |
alpha |
High |
Tool |
| 210008-2 |
Tainted dangerous key used in prototype write |
alpha |
Medium |
Tool |
| 210009-1 |
AngularJS expression executed through Function constructor |
alpha |
High |
Tool |
| 210009-2 |
AngularJS $parse expression from form input |
alpha |
High |
Tool |
| 210009-3 |
AngularJS $parse expression from cookie |
alpha |
High |
Tool |
| 210009-4 |
AngularJS $parse expression from localStorage |
alpha |
High |
Tool |
| 210009-5 |
AngularJS $parse expression from postMessage |
alpha |
High |
Tool |
| 210010-1 |
postMessage to wildcard origin with tainted payload |
alpha |
Medium |
Tool |
| 210010-2 |
postMessage to cross-origin target with tainted payload |
alpha |
Medium |
Tool |
| 210011-1 |
Tainted string executed via setTimeout |
alpha |
High |
Tool |
| 210011-2 |
Tainted string executed via setInterval |
alpha |
High |
Tool |
| 210012-1 |
IFrame navigation via src |
alpha |
Medium |
Tool |
| 210012-2 |
IFrame content injection via srcdoc |
alpha |
Medium |
Tool |
| 210013-1 |
Exfiltration via fetch URL |
alpha |
High |
Tool |
| 210013-2 |
Exfiltration via fetch headers |
alpha |
High |
Tool |
| 210013-3 |
Exfiltration via XMLHttpRequest URL |
alpha |
High |
Tool |
| 210013-4 |
Exfiltration via XMLHttpRequest body |
alpha |
High |
Tool |
| 210013-5 |
Exfiltration via XMLHttpRequest headers |
alpha |
High |
Tool |
| 210013-6 |
Exfiltration via navigator.sendBeacon |
alpha |
High |
Tool |
| 210013-7 |
Exfiltration via image.src beacon |
alpha |
Medium |
Tool |
| 210014-1 |
Tainted URL assigned to element.href |
alpha |
Low |
Tool |
| 210014-2 |
Tainted URL assigned to element.src |
alpha |
Low |
Tool |
| 210014-3 |
Tainted URL assigned to form action |
alpha |
Low |
Tool |
| 210014-4 |
Tainted URL assigned to formAction |
alpha |
Low |
Tool |
| 210015-1 |
Client-side redirect via location.href |
alpha |
Low |
Tool |
| 210015-2 |
Client-side redirect via location.assign |
alpha |
Low |
Tool |
| 210015-3 |
Client-side redirect via location.replace |
alpha |
Low |
Tool |
| 210015-4 |
Client-side redirect via history.pushState |
alpha |
Low |
Tool |
| 210015-5 |
Client-side route change via history.replaceState |
alpha |
Low |
Tool |
| 210016-1 |
DOM XSS via DOMParser.parseFromString |
alpha |
Medium |
Tool |
| 210016-2 |
DOM XSS via Range.createContextualFragment |
alpha |
High |
Tool |
| 210016-3 |
DOM XSS via Element.setHTMLUnsafe |
alpha |
High |
Tool |
| 210016-4 |
DOM XSS via ShadowRoot.setHTMLUnsafe |
alpha |
High |
Tool |
| 210017-1 |
DOM XSS via innerHTML (secondary sources) |
alpha |
High |
Tool |
| 210017-2 |
DOM XSS via outerHTML (secondary sources) |
alpha |
High |
Tool |
| 210017-3 |
DOM XSS via insertAdjacentHTML (secondary sources) |
alpha |
High |
Tool |
| 210017-4 |
DOM XSS via document.write (secondary sources) |
alpha |
High |
Tool |
| 210017-5 |
DOM XSS via inline handlers (secondary sources) |
alpha |
High |
Tool |
| 210017-6 |
DOM XSS via DOM mutation (secondary sources) |
alpha |
High |
Tool |
| 210017-7 |
DOM XSS via iframe.srcdoc (secondary sources) |
alpha |
High |
Tool |
| 210018-1 |
eval() from storage/referrer taint |
alpha |
High |
Tool |
| 210018-2 |
Function() from storage/referrer taint |
alpha |
High |
Tool |
| 210018-3 |
Function.apply() from storage/referrer taint |
alpha |
High |
Tool |
| 210018-4 |
setTimeout(string) from storage/referrer taint |
alpha |
High |
Tool |
| 210018-5 |
setInterval(string) from storage/referrer taint |
alpha |
High |
Tool |
| 210019-1 |
location.href redirect from tainted source |
alpha |
Medium |
Tool |
| 210019-2 |
location.assign redirect from tainted source |
alpha |
Medium |
Tool |
| 210019-3 |
location.replace redirect from tainted source |
alpha |
Medium |
Tool |
| 210019-4 |
window.open redirect from tainted source |
alpha |
Medium |
Tool |
| 210019-5 |
navigation.navigate redirect from tainted source |
alpha |
Medium |
Tool |
| 210019-6 |
Anchor href manipulated from tainted source |
alpha |
Medium |
Tool |
| 210019-7 |
Form action manipulated from tainted source |
alpha |
Medium |
Tool |
| 220000-1 |
Disallow innerHTML/outerHTML assignments |
alpha |
High |
Tool |
| 220000-2 |
Review uses of appendChild |
alpha |
High |
Tool |
| 220000-3 |
Disallow document.write()/writeln() |
alpha |
High |
Tool |
| 220000-4 |
Review DOMParser.parseFromString with dynamic HTML/XML |
alpha |
High |
Tool |
| 220000-5 |
template.innerHTML with dynamic content |
alpha |
High |
Tool |
| 220000-6 |
Inline event handler built from dynamic data |
alpha |
High |
Tool |
| 220000-7 |
Disallow insertAdjacentHTML() |
alpha |
High |
Tool |
| 220000-8 |
DOM-based XSS (taint flow) |
alpha |
High |
Tool |
| 220000-9 |
DOM XSS via innerHTML (Angular) |
alpha |
High |
Tool |
| 220001-1 |
Disallow direct document.cookie assignment (incl. bracket access) |
alpha |
Medium |
Tool |
| 220001-2 |
DOM-based Cookie Manipulation (taint flow) |
alpha |
Medium |
Tool |
| 220002-1 |
Disallow direct navigation primitives |
alpha |
Medium |
Tool |
| 220002-2 |
Same-origin URL mutations |
alpha |
Medium |
Tool |
| 220002-3 |
DOM-based Open Redirection (taint flow) |
alpha |
Medium |
Tool |
| 220003-1 |
Avoid string-based timers |
alpha |
High |
Tool |
| 220003-2 |
Avoid execScript dynamic execution |
alpha |
High |
Tool |
| 220003-3 |
Avoid eval with string literals |
alpha |
High |
Tool |
| 220003-4 |
Avoid Function constructor with strings |
alpha |
High |
Tool |
| 220003-5 |
DOM-based JavaScript Injection (taint flow) |
alpha |
High |
Tool |
| 220004-1 |
Tainted data passed to AngularJS $parse |
alpha |
High |
Tool |
| 220004-2 |
Tainted data compiled as AngularJS template |
alpha |
High |
Tool |
| 220004-3 |
Dynamic AngularJS $parse expression |
alpha |
High |
Tool |
| 220004-4 |
Dynamic AngularJS $compile/$interpolate template |
alpha |
High |
Tool |
| 220004-5 |
AngularJS interpolation delimiters in template string |
alpha |
High |
Tool |
| 220004-6 |
AngularJS ng-* expression attribute |
alpha |
High |
Tool |
| 220005-1 |
Dynamic template compilation |
alpha |
High |
Tool |
| 220005-2 |
Template output injected into DOM |
alpha |
High |
Tool |
| 220005-3 |
Review Vue v-html template usage |
alpha |
High |
Tool |
| 220005-4 |
Template injection (taint flow) |
alpha |
High |
Tool |
| 220005-5 |
React dangerouslySetInnerHTML taint flow |
alpha |
High |
Tool |
| 220005-6 |
Lit unsafeHTML taint flow |
alpha |
High |
Tool |
| 220006-1 |
Review sendBeacon destination |
alpha |
Medium |
Tool |
| 220006-2 |
Review sendBeacon body content |
alpha |
Medium |
Tool |
| 220006-3 |
Review EventSource constructor usage |
alpha |
Medium |
Tool |
| 220006-4 |
Review direct Axios destination usage |
alpha |
Medium |
Tool |
| 220006-5 |
Tainted network destination URL |
alpha |
Medium |
Tool |
| 220007-1 |
Review jQuery getScript usage |
alpha |
Medium |
Tool |
| 220007-2 |
Review System.import usage |
alpha |
Medium |
Tool |
| 220007-3 |
Review dynamic import usage |
alpha |
Medium |
Tool |
| 220007-4 |
Review Worker constructor usage |
alpha |
Medium |
Tool |
| 220007-5 |
Review SharedWorker constructor usage |
alpha |
Medium |
Tool |
| 220007-6 |
Review serviceWorker.register usage |
alpha |
Medium |
Tool |
| 220007-7 |
Review importScripts usage |
alpha |
Medium |
Tool |
| 220007-8 |
Tainted worker or script loader URL |
alpha |
Medium |
Tool |
| 220008-1 |
Avoid postMessage with wildcard targetOrigin |
alpha |
Medium |
Tool |
| 220008-2 |
Specify postMessage targetOrigin |
alpha |
Medium |
Tool |
| 220008-3 |
Avoid weak origin substring checks |
alpha |
Medium |
Tool |
| 220008-4 |
Avoid permissive regex origin checks |
alpha |
Medium |
Tool |
| 220008-5 |
Origin check uses host fragment only |
alpha |
Medium |
Tool |
| 220008-6 |
Review message event listeners |
alpha |
Medium |
Tool |
| 220008-7 |
Message handler without origin validation |
alpha |
Medium |
Tool |
| 220008-8 |
Wildcard reply from message handler |
alpha |
Medium |
Tool |
| 220008-9 |
Web Message Injection (taint flow) |
alpha |
Medium |
Tool |
| 220009-1 |
Review assignments to href/src/action |
alpha |
Medium |
Tool |
| 220009-2 |
DOM-based Link Manipulation (taint flow) |
alpha |
Medium |
Tool |
| 220010-1 |
Untrusted DOM data into navigation-adjacent sinks |
alpha |
Medium |
Tool |
| 220010-2 |
Untrusted DOM data into createHTMLDocument |
alpha |
Medium |
Tool |
| 220010-3 |
Untrusted DOM data into UI mutation sinks |
alpha |
Medium |
Tool |