Overview 5 scanners · 43 actionable findings
Attack surface categories detected
Findings by tool 43 total · 5 scanners
Top findings ranked by severity · top 10 of 43
| Severity | Type | Signature | Location | Message | Fixable |
|---|---|---|---|---|---|
| CRITICAL | code | javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name | /tmp/express-pin/examples/auth/index.js:22 | Don’t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly. | manual |
| CRITICAL | code | javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain | /tmp/express-pin/examples/auth/index.js:22 | Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next. | manual |
| CRITICAL | code | javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires | /tmp/express-pin/examples/auth/index.js:22 | Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies. | manual |
| CRITICAL | code | javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly | /tmp/express-pin/examples/auth/index.js:22 | Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks. | manual |
| CRITICAL | code | javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path | /tmp/express-pin/examples/auth/index.js:22 | Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request. | manual |
| CRITICAL | code | javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure | /tmp/express-pin/examples/auth/index.js:22 | Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS. | manual |
| CRITICAL | code | javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret | /tmp/express-pin/examples/auth/index.js:25 | A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). | manual |
| CRITICAL | code | javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name | /tmp/express-pin/examples/cookie-sessions/index.js:13 | Don’t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly. | manual |
| CRITICAL | code | javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain | /tmp/express-pin/examples/cookie-sessions/index.js:13 | Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next. | manual |
| CRITICAL | code | javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires | /tmp/express-pin/examples/cookie-sessions/index.js:13 | Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies. | manual |
Reasoning
javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name
Don’t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly. at index.js:22
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain
Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next. at index.js:22
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires
Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies. at index.js:22
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly
Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks. at index.js:22
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path
Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request. at index.js:22
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure
Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS. at index.js:22
javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). at index.js:25
javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape
Detected an explicit unescape in an EJS template, using '<%- ... %>' If external data can reach these locations, your application is exposed to a cross-site scripting (XSS) vulnerability. Use '<%= ... %>' to escape this data. If you need escaping, ensure no external data can reach this location. at login.ejs:5
javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name
Don’t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly. at index.js:13
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain
Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next. at index.js:13
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires
Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies. at index.js:13
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly
Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks. at index.js:13
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path
Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request. at index.js:13
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure
Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS. at index.js:13
javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name
Don’t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly. at index.js:40
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain
Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next. at index.js:40
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires
Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies. at index.js:40
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly
Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks. at index.js:40
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path
Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request. at index.js:40
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure
Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS. at index.js:40
javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). at index.js:43
javascript.express.security.audit.xss.direct-response-write.direct-response-write
Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. at index.js:67
javascript.express.security.audit.xss.direct-response-write.direct-response-write
Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. at index.js:46
javascript.express.security.audit.xss.direct-response-write.direct-response-write
Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. at index.js:37
javascript.express.security.audit.xss.direct-response-write.direct-response-write
Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. at index.js:47
javascript.express.security.audit.xss.direct-response-write.direct-response-write
Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. at index.js:51
javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string. at index.js:57
javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name
Don’t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly. at index.js:16
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain
Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next. at index.js:16
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires
Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies. at index.js:16
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly
Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks. at index.js:16
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path
Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request. at index.js:16
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure
Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS. at index.js:16
javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). at index.js:19
javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name
Don’t use the default session cookie name. Using the default session cookie name can open your app to attacks. The security issue posed is similar to X-Powered-By: a potential attacker can use it to fingerprint the server and target attacks accordingly. at redis.js:20
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain
Default session middleware settings: `domain` not set. It indicates the domain of the cookie; use it to compare against the domain of the server in which the URL is being requested. If they match, then check the path attribute next. at redis.js:20
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires
Default session middleware settings: `expires` not set. Use it to set expiration date for persistent cookies. at redis.js:20
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly
Default session middleware settings: `httpOnly` not set. It ensures the cookie is sent only over HTTP(S), not client JavaScript, helping to protect against cross-site scripting attacks. at redis.js:20
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path
Default session middleware settings: `path` not set. It indicates the path of the cookie; use it to compare against the request path. If this and domain match, then send the cookie in the request. at redis.js:20
javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure
Default session middleware settings: `secure` not set. It ensures the browser only sends the cookie over HTTPS. at redis.js:20
javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret
A hard-coded credential was detected. It is not recommended to store credentials in source-code, as this risks secrets being leaked and used by either an internal or external malicious adversary. It is recommended to use environment variables to securely provide credentials or retrieve credentials from a secure vault or HSM (Hardware Security Module). at redis.js:23
javascript.express.security.audit.xss.direct-response-write.direct-response-write
Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. at index.js:30
javascript.express.security.audit.xss.direct-response-write.direct-response-write
Detected directly writing to a Response object from user-defined input. This bypasses any HTML escaping and may expose your application to a Cross-Site-scripting (XSS) vulnerability. Instead, use 'resp.render()' to render safely escaped HTML. at index.js:89
Recommendations
- Refactor insecure code
Remediation plan
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name — manual code fix
  # Fix: /tmp/express-pin/examples/auth/index.js:22
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain — manual code fix
  # Fix: /tmp/express-pin/examples/auth/index.js:22
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires — manual code fix
  # Fix: /tmp/express-pin/examples/auth/index.js:22
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly — manual code fix
  # Fix: /tmp/express-pin/examples/auth/index.js:22
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path — manual code fix
  # Fix: /tmp/express-pin/examples/auth/index.js:22
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure — manual code fix
  # Fix: /tmp/express-pin/examples/auth/index.js:22
- javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret — manual code fix
  # Fix: /tmp/express-pin/examples/auth/index.js:25
- javascript.express.security.audit.xss.ejs.explicit-unescape.template-explicit-unescape — manual code fix
  # Fix: /tmp/express-pin/examples/auth/views/login.ejs:5
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name — manual code fix
  # Fix: /tmp/express-pin/examples/cookie-sessions/index.js:13
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain — manual code fix
  # Fix: /tmp/express-pin/examples/cookie-sessions/index.js:13
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires — manual code fix
  # Fix: /tmp/express-pin/examples/cookie-sessions/index.js:13
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly — manual code fix
  # Fix: /tmp/express-pin/examples/cookie-sessions/index.js:13
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path — manual code fix
  # Fix: /tmp/express-pin/examples/cookie-sessions/index.js:13
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure — manual code fix
  # Fix: /tmp/express-pin/examples/cookie-sessions/index.js:13
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name — manual code fix
  # Fix: /tmp/express-pin/examples/mvc/index.js:40
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain — manual code fix
  # Fix: /tmp/express-pin/examples/mvc/index.js:40
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires — manual code fix
  # Fix: /tmp/express-pin/examples/mvc/index.js:40
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly — manual code fix
  # Fix: /tmp/express-pin/examples/mvc/index.js:40
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path — manual code fix
  # Fix: /tmp/express-pin/examples/mvc/index.js:40
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure — manual code fix
  # Fix: /tmp/express-pin/examples/mvc/index.js:40
- javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret — manual code fix
  # Fix: /tmp/express-pin/examples/mvc/index.js:43
- javascript.express.security.audit.xss.direct-response-write.direct-response-write — manual code fix
  # Fix: /tmp/express-pin/examples/params/index.js:67
- javascript.express.security.audit.xss.direct-response-write.direct-response-write — manual code fix
  # Fix: /tmp/express-pin/examples/resource/index.js:46
- javascript.express.security.audit.xss.direct-response-write.direct-response-write — manual code fix
  # Fix: /tmp/express-pin/examples/route-map/index.js:37
- javascript.express.security.audit.xss.direct-response-write.direct-response-write — manual code fix
  # Fix: /tmp/express-pin/examples/route-map/index.js:47
- javascript.express.security.audit.xss.direct-response-write.direct-response-write — manual code fix
  # Fix: /tmp/express-pin/examples/route-map/index.js:51
- javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring — manual code fix
  # Fix: /tmp/express-pin/examples/search/index.js:57
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name — manual code fix
  # Fix: /tmp/express-pin/examples/session/index.js:16
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain — manual code fix
  # Fix: /tmp/express-pin/examples/session/index.js:16
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires — manual code fix
  # Fix: /tmp/express-pin/examples/session/index.js:16
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly — manual code fix
  # Fix: /tmp/express-pin/examples/session/index.js:16
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path — manual code fix
  # Fix: /tmp/express-pin/examples/session/index.js:16
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure — manual code fix
  # Fix: /tmp/express-pin/examples/session/index.js:16
- javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret — manual code fix
  # Fix: /tmp/express-pin/examples/session/index.js:19
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-default-name — manual code fix
  # Fix: /tmp/express-pin/examples/session/redis.js:20
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-domain — manual code fix
  # Fix: /tmp/express-pin/examples/session/redis.js:20
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-expires — manual code fix
  # Fix: /tmp/express-pin/examples/session/redis.js:20
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-httponly — manual code fix
  # Fix: /tmp/express-pin/examples/session/redis.js:20
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-path — manual code fix
  # Fix: /tmp/express-pin/examples/session/redis.js:20
- javascript.express.security.audit.express-cookie-settings.express-cookie-session-no-secure — manual code fix
  # Fix: /tmp/express-pin/examples/session/redis.js:20
- javascript.express.security.audit.express-session-hardcoded-secret.express-session-hardcoded-secret — manual code fix
  # Fix: /tmp/express-pin/examples/session/redis.js:23
- javascript.express.security.audit.xss.direct-response-write.direct-response-write — manual code fix
  # Fix: /tmp/express-pin/examples/vhost/index.js:30
- javascript.express.security.audit.xss.direct-response-write.direct-response-write — manual code fix
  # Fix: /tmp/express-pin/examples/web-service/index.js:89