Insecure coding practices

This page lists all the insecure coding practices that BoostSecurity currently detects.

| Name | Description |
| --- | --- |
| bypass-framework-safe-default-output-encoding | Ensure framework default output encoding is not bypassed |
| cookie-secure-flag-not-set | Ensure cookies are set to secure |
| dangerous-function-buffer-alloc-unsafe | Ensure buffer does not use allocUnsafe |
| dangerous-function-buffer-noassert | Ensure buffer does not use noAssert |
| dangerous-function-buffer-non-literal-alloc | Ensure buffer is initialized with a literal value |
| dangerous-function-deserialization | Ensure safe deserialization |
| dangerous-raw-sql-used-with-orm | Ensure no raw SQL queries |
| debugging-interface-publicly-exposed | Ensure debug interface is not exposed |
| dos-via-decompression-bomb | Ensure proper handling of highly compressed data |
| dynamic-code-injection | Ensure no dynamic code injection |
| eval-with-expression | Ensure no dynamic eval expression |
| express-detect-no-csrf-before-method-override | Ensure Express detects CSRF before method override |
| insecure-crypto-algorithm | Ensure usage of secure cryptographic algorithms |
| jwt-hardcoded-secret-key | Ensure JWT secret is not hard coded |
| jwt-none-algorithm-usage | Ensure JWT algorithm is defined |
| missing-reverse-tabnabbing-protection | Ensure secure link target |
| node-disable-ssl | Ensure Node performs TLS validation |
| node-unsafe-property-access | Ensure safe property access |
| node-vm-runinthiscontext | Ensure Node function runInThisContext is used securely |
| non-literal-require | Ensure Node uses literal require statements |
| os-command-injection | Ensure secure usage of OS commands |
| path-traversal | Ensure the function validates filesystem paths |
| plaintext-client-request | Ensure XHR requests use encrypted transport |
| serialize-option-unsafe | Ensure JavaScript serialize does not use unsafe |
| server-side-template-injection | Ensure server-side templates are validated |
| ssrf | Ensure server-side requests are validated |
| tls-disabled-cert-validation | Ensure TLS validation is enabled |
| tls-insecure-protocol-config | Ensure strong TLS protocols are used |
| unrestricted-server-socket-binding | Ensure binding to limited interfaces |
| unsafe-child-process | Ensure child_process usage is secure |
| wildcard-in-system-call | Ensure system calls do not use wildcards |
| window-postmessage-unsafe-target-origin | Ensure safe usage of window.postMessage |
| xss-request-parameter-reflected-in-response | Ensure safe encoding of response |