# Python Security Rules

97 detection rules for Python

- Total rules: 97
- CRITICAL: 14
- HIGH: 47
- MEDIUM: 31
- LOW: 4

## Frameworks

- ariadne
- bottle
- django
- falcon
- fastapi
- flask
- graphene
- jinja2
- motor
- pymongo
- pyramid
- python
- sanic
- strawberry
- tornado

## Rules by CWE

### Information Exposure (CWE-200)

- **Information Disclosure** [MEDIUM]: Detects information disclosure vulnerabilities: debug mode enabled, exposing
stack traces, returning detailed error messages, or leaking sensitive data.
- **LLM Model Theft** [HIGH]: Detects vulnerabilities that could lead to model theft or API key exposure.
OWASP LLM10 - Model Theft.

Model theft can occur through:
- API key exposure in source code or logs
- Model weights exposed via insecure endpoints
- Model extraction attacks via unrestricted API access
- Insecure model serialization and storage
- **LLM Sensitive Information Disclosure** [HIGH]: Detects potential sensitive information disclosure in AI/LLM implementations.
OWASP LLM06 - Sensitive Information Disclosure.

Sensitive information can be leaked through:
- PII (Personal Identifiable Information) in prompts
- Credentials or secrets in prompts or system messages
- Sensitive business data sent to third-party LLM APIs
- Logging LLM conversations containing sensitive data
- **Sensitive Field Exposure in API Response** [CRITICAL]: Detects when sensitive data fields (passwords, tokens, secrets) are
exposed through API endpoint responses. This commonly happens when:

1. Returning user dictionaries with sensitive fields
2. Serializing ORM objects without excluding sensitive fields
3. Including sensitive fields in JSON responses

Security Impact:
- Password hash exposure enabling offline cracking attacks
- API key/token leakage allowing account takeover
- Session token exposure enabling session hijacking
- PII disclosure violating privacy regulations (GDPR, CCPA)
- **Server Information Disclosure** [LOW]: Detects server configuration that exposes version information, framework details,
or other implementation details through HTTP headers. This information helps
attackers identify known vulnerabilities in specific versions.

### Code Injection (CWE-94)

- **Code Injection via eval/exec** [CRITICAL]: Detects untrusted user input flowing into code evaluation functions
(eval, exec, compile).
- **Dangerous Function Usage** [CRITICAL]: Detects usage of dangerous Python functions that can lead to arbitrary code
execution: eval(), exec(), compile(), __import__() with user input, or
pickle deserialization. These should be avoided or heavily restricted.
- **LLM Insecure Output Handling** [HIGH]: Detects LLM/AI outputs being used directly in dangerous operations without proper
validation or sanitization. OWASP LLM02 - Insecure Output Handling.

LLM outputs should be treated as untrusted input since:
- Prompt injection attacks can manipulate AI responses
- LLMs can hallucinate and produce unexpected outputs
- Model behavior may change between versions

Dangerous operations include:
- Code execution (eval, exec, compile)
- Command execution (os.system, subprocess)
- SQL queries (cursor.execute, raw queries)
- Template rendering (Jinja2, Django templates)
- File operations (open, write, unlink)
- Deserialization (pickle, yaml.load)
- **Server-Side Template Injection (SSTI)** [CRITICAL]: Detects user input used directly in template rendering, allowing arbitrary
code execution.

### CWE-942 (CWE-942)

- **FastAPI CORS Misconfiguration** [MEDIUM]: Detects overly permissive CORS configuration in FastAPI applications.
Allowing all origins (*) with credentials enabled can lead to CSRF
and data theft.
- **Flask CORS Misconfiguration** [MEDIUM]: Detects overly permissive CORS configuration in Flask applications using
flask-cors. Allowing all origins (*) with credentials enabled can lead to
cross-site request forgery and data theft.
- **CORS Misconfiguration** [MEDIUM]: Detects overly permissive CORS (Cross-Origin Resource Sharing) configurations
that allow any origin (*) with credentials, or reflect the Origin header without
validation. This can expose sensitive data to malicious sites.
- **CORS Regex Bypass Vulnerability** [HIGH]: Detects CORS implementations using weak regex patterns, prefix/suffix matching,
or substring checks that can be bypassed by attackers to allow unauthorized
cross-origin access from malicious domains.

Common bypass patterns:
1. Unanchored regex: r"https://.*\.example\.com" matches "https://evil.com/.example.com"
2. Unescaped dots: r"https://app.trusted.com" matches "https://appXtrusted.com"
3. Prefix matching: startswith("https://trusted.com") allows "https://trusted.com.evil.com"
4. Suffix matching: endswith(".trusted.com") can be abused with subdomain takeover
5. Contains check: "trusted.com" in origin matches "nottrusted.com"

### Deserialization of Untrusted Data (CWE-502)

- **LLM Training Data Poisoning** [HIGH]: Detects untrusted or unvalidated data flowing into AI/LLM fine-tuning or training
processes. OWASP LLM03 - Training Data Poisoning.

Training data poisoning can:
- Introduce backdoors into model behavior
- Bias model outputs maliciously
- Embed harmful content that appears in responses
- Compromise model accuracy and reliability
- Create security vulnerabilities in model behavior
- **Unsafe Deserialization** [CRITICAL]: Detects untrusted user input being deserialized using unsafe methods like
pickle.loads() or yaml.load().
- **Unsafe YAML Deserialization** [CRITICAL]: Detects unsafe YAML deserialization using yaml.load() without SafeLoader.

### Hardcoded Credentials (CWE-798)

- **Django Insecure SECRET_KEY** [CRITICAL]: Detects Django SECRET_KEY that is hardcoded, weak, or uses default values.
The SECRET_KEY is used for cryptographic signing and must be kept secret
and changed in production.
- **Hardcoded Credentials** [HIGH]: Detects hardcoded passwords, API keys, tokens, and other credentials in source
code. Credentials should be stored in environment variables or secure vaults.
- **Hardcoded Secrets / Credentials** [HIGH]: Detects hardcoded secrets, passwords, API keys, and cryptographic keys in
source code. Secrets should be stored in environment variables or secure
vaults, never committed to version control.

### Mass Assignment (CWE-915)

- **Django Mass Assignment Vulnerability** [HIGH]: Detects Django code that creates or updates models using all request data
without validation. This allows attackers to set arbitrary fields including
sensitive ones like is_admin, is_staff, or permissions.

NOTE: This rule only flags POST/PUT/PATCH request body data (request.POST,
request.data). It does NOT flag request.GET or request.query_params, as those
are typically used for read-only filtering operations and cannot cause
mass assignment vulnerabilities in standard Django ORM usage.
- **Class/Attribute Pollution** [HIGH]: Detects unsafe modification of class attributes or object __dict__ using
user input.
- **Serializer/Form Exposes Privilege Fields** [HIGH]: Detects serializers or forms that expose privilege-related fields without
marking them as read-only.

### Improper Input Validation (CWE-20)

- **FastAPI Missing Request Validation** [MEDIUM]: Detects FastAPI endpoints that accept raw Request objects instead of
Pydantic models. This bypasses FastAPI's automatic validation and can
lead to type confusion and injection vulnerabilities.
- **Business Logic Input Validation** [MEDIUM]: Detects business-critical input values (discount, refund, quantity, price)
that are used in operations without proper validation. Missing validation
can lead to financial fraud, inventory errors, or business logic bypass.

### Path Traversal (CWE-22)

- **Path Traversal / Directory Traversal** [HIGH]: Detects untrusted user input being used in file system operations without
proper validation.
- **Zip Slip / Archive Path Traversal** [HIGH]: Detects unsafe extraction of ZIP/TAR archives without path validation.
Malicious archives can contain filenames with "../" to write files outside
the intended directory (path traversal). Always validate extracted paths.

### SQL Injection (CWE-89)

- **GraphQL Injection / Unsafe Query Construction** [HIGH]: Detects unsafe GraphQL query construction with user input, missing query depth
limiting, or disabled introspection in production. These can lead to injection
attacks, DoS via deeply nested queries, or information disclosure.
- **SQL Injection via Database Queries** [CRITICAL]: Detects untrusted user input flowing into SQL database queries without proper
parameterization.

### Error Message Information Leak (CWE-209)

- **Error Message Information Disclosure** [MEDIUM]: Detects error messages that expose sensitive implementation details like
stack traces, database errors, file paths, or internal system information.
This information can help attackers understand the system architecture.
- **Internal Path and IP Address Disclosure** [MEDIUM]: Detects responses that include internal file paths, IP addresses, or system
information. This information helps attackers understand the system architecture,
file structure, and internal network topology.

### CWE-269 (CWE-269)

- **Default Privilege Assignment in User Creation** [HIGH]: Detects user creation flows that assign elevated privileges by default.
- **Missing Role/Permission Checks** [HIGH]: Detects privileged operations like role modification without verifying user permissions.

### Improper Certificate Validation (CWE-295)

- **SSL/TLS Certificate Validation Disabled** [HIGH]: Detects disabled SSL/TLS certificate validation. Disabling certificate
validation makes connections vulnerable to man-in-the-middle attacks.
- **SSL/TLS Certificate Verification Disabled** [HIGH]: Detects disabled SSL/TLS certificate verification in HTTP requests. This makes
the application vulnerable to man-in-the-middle (MITM) attacks where attackers
can intercept and modify encrypted traffic. Always verify SSL certificates.

### CWE-306 (CWE-306)

- **Django View Missing Authentication** [HIGH]: Detects Django views that should require authentication but lack
@login_required, @permission_required, or other authentication decorators.
- **FastAPI Endpoint Missing Authentication** [HIGH]: Detects FastAPI endpoints that perform sensitive operations without
authentication via Depends() dependency injection.

### CWE-326 (CWE-326)

- **JWT Signed with Weak Secret** [HIGH]: Detects JWT tokens signed with weak, hardcoded, or default secret keys that can be brute-forced.
- **Weak Cryptographic Key Generation** [HIGH]: Detects weak cryptographic key generation: insufficient key sizes, predictable
keys, or using weak algorithms. Cryptographic keys must be sufficiently long
and generated with secure random sources.

### Weak PRNG (CWE-338)

- **Insecure Random Number Generation** [MEDIUM]: Detects use of insecure random number generators (random module) for
security-critical operations. Use secrets module or os.urandom() for
cryptographic randomness (tokens, passwords, keys, nonces).
- **Cryptographically Weak Random Number Generation** [MEDIUM]: Detects use of the random module for security-sensitive operations like
tokens, passwords, or cryptographic keys. The random module is not
cryptographically secure. Use the secrets module instead.

### Improper Signature Verification (CWE-347)

- **FastAPI JWT Security Issues** [HIGH]: Detects JWT security issues in FastAPI applications including:
- Weak or hardcoded secrets
- Missing algorithm verification
- Insufficient token validation
- Insecure token storage patterns
- **JWT Algorithm Confusion Attack** [CRITICAL]: Detects JWT tokens decoded without algorithm verification or accepting the 'none' algorithm, allowing token forgery.

### Resource Exhaustion (CWE-400)

- **LLM Denial of Service** [MEDIUM]: Detects AI/LLM API calls that lack token limits, potentially enabling denial
of service attacks. OWASP LLM04 - Model Denial of Service.

DoS attacks against LLMs can:
- Exhaust API quotas through unbounded token generation
- Cause excessive costs via high token usage
- Degrade service availability

This rule detects:
- Missing max_tokens limits on completions
- Missing input length validation

NOTE: Rate limiting is covered separately by framework-specific rate-limiting rules.
- **Resource Exhaustion / Denial of Service** [MEDIUM]: Detects operations that can cause resource exhaustion: unbounded loops on user
input, reading entire large files into memory, recursive operations without
depth limits, or missing timeouts. These can lead to memory exhaustion or CPU
starvation (DoS).

### CWE-489 (CWE-489)

- **Django Debug Mode in Production** [CRITICAL]: Detects Django applications with DEBUG = True in settings. Debug mode exposes
sensitive information including settings, environment variables, SQL queries,
and stack traces. This must NEVER be enabled in production.
- **Flask Debug Mode in Production** [HIGH]: Detects Flask applications running with debug mode enabled. Debug mode exposes
sensitive information, allows code execution through the interactive debugger,
and should NEVER be enabled in production.

### Sensitive Cookie Without Secure Flag (CWE-614)

- **Flask Insecure Session Configuration** [MEDIUM]: Detects insecure Flask session configuration that can lead to session hijacking
or tampering. Sessions should use secure cookies and strong secret keys.
- **Insecure Cookie Configuration** [MEDIUM]: Detects cookies set without httpOnly, secure, or sameSite flags. Missing
flags make cookies vulnerable to XSS, MITM, and CSRF attacks.

### Authorization Bypass Through User-Controlled Key (CWE-639)

- **Insecure Direct Object Reference (IDOR)** [HIGH]: Detects database object access using user-provided IDs without ownership
verification.
- **Potential IDOR - Generic Data Access** [MEDIUM]: Detects route parameters flowing to generic data access without visible
ownership verification.

### CWE-755 (CWE-755)

- **Security Check Failing Open** [HIGH]: Detects security checks (authentication, authorization, validation) inside
try/except blocks that return success on exception. This causes the system
to "fail open" - granting access when security checks fail.
- **Missing Exception Handling in Critical Operations** [MEDIUM]: Detects critical operations (database, file I/O, network calls, external APIs)
that lack proper exception handling. Uncaught exceptions can crash the application,
leak sensitive information, or leave the system in an inconsistent state.

### Insufficient Logging (CWE-778)

- **Avoid print() when logging module exists** [low]: Detects print() calls when the logging module is used in the codebase.

CAPABILITY-GATED: This rule only fires when Python's logging module or a
logging library (loguru, structlog) is detected. If the project only uses
print(), that's an architectural choice - not a violation.

When logging infrastructure exists, print() calls are outliers that should be reviewed:
- They bypass structured logging
- They don't respect log levels
- They can't be easily filtered in production
- They go to stdout, not stderr (may interfere with output parsing)
- **Insufficient Security Event Logging** [MEDIUM]: Detects security-critical operations (authentication, authorization failures,
admin actions) without proper logging. Insufficient logging prevents detection
of attacks and hinders incident response.

This rule only triggers on files containing security-critical patterns like:
- Authentication (login, logout, authenticate, check_password)
- Authorization decorators (@login_required, @permission_required)
- Privilege checks (is_staff, is_superuser, is_admin, has_perm)
- Session management with auth/user/token data

NOTE: This rule only applies to authentication/authorization related code.
Not every view needs audit logging - focus on security-critical operations.

### CWE-16 (CWE-16)

- **Missing Security Headers** [MEDIUM]: Detects missing security headers like HSTS, X-Content-Type-Options,
X-XSS-Protection, Referrer-Policy, and Permissions-Policy. These headers
provide defense-in-depth against various attacks.

NOTE: This rule only applies to app setup files (settings.py, middleware,
app.py, etc.). Security headers should be configured at the application
level, not in individual view handlers.

### Injection (CWE-74)

- **AI Prompt Injection** [HIGH]: Detects untrusted user input flowing directly into AI/LLM prompts without
sanitization.

### OS Command Injection (CWE-78)

- **OS Command Injection** [CRITICAL]: Detects untrusted user input flowing into operating system command execution
functions without proper sanitization.

### Cross-Site Scripting (XSS) (CWE-79)

- **Cross-Site Scripting (XSS) in Templates** [HIGH]: Detects untrusted user input being rendered in HTML responses without proper
escaping.

### LDAP Injection (CWE-90)

- **LDAP Injection** [HIGH]: Detects LDAP queries constructed with unsanitized user input.

### CWE-93 (CWE-93)

- **Email Header Injection** [HIGH]: Detects user input used in email headers without newline sanitization.

### HTTP Response Splitting (CWE-113)

- **HTTP Header Injection** [HIGH]: Detects user input flowing into HTTP response headers without CRLF
sanitization.

### Log Injection (CWE-117)

- **Log Injection / Log Forging** [MEDIUM]: Detects user input flowing directly into log messages without sanitization.

### CWE-176 (CWE-176)

- **Unicode Normalization Issues** [MEDIUM]: Detects missing Unicode normalization leading to security bypasses.

### CWE-190 (CWE-190)

- **Integer Overflow / Large Number Handling** [LOW]: Detects potential integer overflow in numeric operations.

### CWE-201 (CWE-201)

- **Credential Exfiltration via User-Controlled Endpoint** [CRITICAL]: Detects when internal credentials (API keys, secrets, tokens) are sent in HTTP requests
to user-controlled endpoints. This allows attackers to exfiltrate server credentials
by providing a malicious webhook URL that captures the sensitive headers or body data.

Example vulnerable pattern:
```python
# User controls 'endpoint' from request
endpoint = request.form.get('webhook_url')

# Server sends its internal API key to attacker-controlled URL
requests.post(endpoint, headers={'X-API-Key': os.environ['INTERNAL_API_KEY']})
```

This is different from standard SSRF (which accesses internal resources) - here the attacker
exfiltrates server credentials to their own controlled endpoint.

### CWE-235 (CWE-235)

- **HTTP Parameter Pollution** [MEDIUM]: Detects handling of duplicate HTTP parameters without proper validation.

### Improper Access Control (CWE-284)

- **LLM Insecure Plugin Design** [HIGH]: Detects insecure plugin/function calling implementations in AI/LLM systems.
OWASP LLM07 - Insecure Plugin Design.

Insecure plugin design can lead to:
- Remote code execution via tool/function calls
- Unauthorized data access through plugins
- Privilege escalation via overly permissive tools
- SSRF through URL-handling plugins
- Command injection through shell plugins

### Improper Authentication (CWE-287)

- **Authentication Bypass Vulnerability** [CRITICAL]: Detects authentication checks that can be bypassed due to missing return statements or weak boolean logic.

### CWE-319 (CWE-319)

- **HTTP Used Instead of HTTPS** [HIGH]: Detects use of unencrypted HTTP for sensitive operations like API calls,
authentication, payment processing, or data transmission. HTTP traffic is
sent in cleartext and can be intercepted. Always use HTTPS.

### Broken Cryptographic Algorithm (CWE-327)

- **Weak Cryptographic Algorithm** [MEDIUM]: Detects use of weak or deprecated cryptographic algorithms like MD5, SHA-1,
DES, or RC4. Use modern algorithms like SHA-256, SHA-3, AES, or ChaCha20.

### Cross-Site Request Forgery (CWE-352)

- **Django Missing CSRF Protection** [HIGH]: Detects Django views that handle POST/PUT/DELETE requests without CSRF
protection. CSRF tokens prevent malicious sites from performing actions
on behalf of authenticated users.

### Race Condition (CWE-362)

- **Potential Race Condition** [MEDIUM]: Detects potential race conditions in concurrent Python code.

Common race condition patterns:
1. Global variables accessed from threads without locking
2. TOCTOU (Time-of-check Time-of-use) file operations
3. Shared data structures modified in threads without synchronization
4. Check-then-act patterns without atomicity

Python's GIL doesn't prevent all race conditions, especially with I/O
operations and multi-process code.

### CWE-367 (CWE-367)

- **Time-of-Check Time-of-Use (TOCTOU) Race Condition** [MEDIUM]: Detects potential race conditions where a resource is checked (exists, permissions)
and then used later. Between check and use, the resource state can change,
leading to security issues. Use atomic operations or proper locking instead.

### CWE-377 (CWE-377)

- **Insecure Temporary File Creation** [MEDIUM]: Detects insecure temporary file creation using tempfile.mktemp(), predictable
names, or world-readable permissions. These can lead to symlink attacks, race
conditions, or information disclosure. Use tempfile.mkstemp() or NamedTemporaryFile.

### Session Fixation (CWE-384)

- **Session Fixation Vulnerability** [HIGH]: Detects missing session regeneration after authentication, which enables session
fixation attacks.

Session fixation is a serious authentication vulnerability where an attacker forces
a victim to use a session ID that the attacker already knows. The attack works like this:

1. Attacker obtains a valid session ID (e.g., by visiting the login page)
2. Attacker tricks victim into authenticating with that session ID (via URL, cookie injection, etc.)
3. Victim logs in, and the pre-known session ID becomes authenticated
4. Attacker uses the same session ID to hijack the victim's authenticated session

Why this matters:
- Attackers can gain full access to victim accounts without knowing credentials
- Session tokens are often long-lived, giving attackers extended access windows
- The attack is invisible to the victim who authenticated normally
- Multi-factor authentication may be bypassed since attacker rides on legitimate auth

Always regenerate session IDs immediately after successful authentication to invalidate
any pre-existing session tokens an attacker might possess.

### CWE-391 (CWE-391)

- **Empty Exception Handler** [MEDIUM]: Detects empty except blocks that silently swallow exceptions. This can hide
security-critical errors, authentication failures, or data validation issues.

### CWE-396 (CWE-396)

- **Overly Broad Exception Handler** [LOW]: Detects overly broad exception handlers (bare except: or except BaseException)
that catch system exceptions like KeyboardInterrupt, SystemExit, which should
not be caught in normal error handling.

### CWE-425 (CWE-425)

- **Exposed Administrative Endpoint** [HIGH]: Detects administrative endpoints (admin, debug, internal, system) that lack
proper authentication or authorization checks. These endpoints should require
admin privileges and be protected from public access.

### Unrestricted File Upload (CWE-434)

- **Insecure File Upload** [HIGH]: Detects file uploads without proper validation of file type, size, or content.
Malicious uploads can lead to code execution, path traversal, or denial of service.
Always validate file extensions, MIME types, content, and size.

### CWE-444 (CWE-444)

- **HTTP Cache Poisoning** [MEDIUM]: Detects cache key construction using unsanitized user input. Cache poisoning
occurs when attackers manipulate cache keys to serve malicious content to
other users or bypass security controls.

### Information Exposure Through Logs (CWE-532)

- **Sensitive Data in Logging** [HIGH]: Detects logging of sensitive data like passwords, API keys, tokens, credit
cards, or authentication credentials. Logged sensitive data can be exposed
through log files, monitoring systems, or error tracking services.

### CWE-547 (CWE-547)

- **Hardcoded Development URLs** [LOW]: Detects hardcoded development URLs such as localhost or 127.0.0.1
in production code. This indicates:

1. Configuration management issues
2. Potential production deployment problems
3. Leftover development/test code
4. API endpoints pointing to local services

Development URLs should be configurable via environment variables.

### CWE-598 (CWE-598)

- **Sensitive Tokens in URL Parameters** [HIGH]: Detects sensitive tokens, API keys, or credentials being passed as URL query
parameters. URLs are logged by browsers, proxies, and servers, exposing
secrets. Use HTTP headers (Authorization) or request body instead.

### Open Redirect (CWE-601)

- **Open Redirect** [MEDIUM]: Detects unvalidated redirects using user input.

### XXE (CWE-611)

- **XML External Entity (XXE) Injection** [HIGH]: Detects XML parsing with external entity processing enabled. XXE attacks
allow attackers to read local files, perform SSRF, or cause denial of service.
Always disable external entity processing when parsing untrusted XML.

### CWE-626 (CWE-626)

- **Null Byte Injection** [HIGH]: Detects file operations that may be vulnerable to null byte injection.

### Weak Password Recovery (CWE-640)

- **Weak Password Reset Token** [HIGH]: Detects password reset tokens generated using weak or predictable methods like timestamps or non-cryptographic random.

### Allocation Without Limits (CWE-770)

- **Missing API Rate Limiting** [MEDIUM]: Detects API endpoints without rate limiting. Unprotected endpoints are
vulnerable to brute force attacks, credential stuffing, and denial of service.
Always implement rate limiting on authentication, expensive operations, and
public APIs.

### CWE-807 (CWE-807)

- **Client-Controlled Authorization Data** [CRITICAL]: Detects authorization decisions based on client-controllable data such as
cookies, query parameters, or form fields.

### Inclusion of Untrusted Functionality (CWE-829)

- **LLM Supply Chain Vulnerabilities** [HIGH]: Detects potential supply chain vulnerabilities in AI/LLM implementations.
OWASP LLM05 - Supply Chain Vulnerabilities.

Supply chain attacks in AI can occur through:
- Loading models from untrusted sources
- Using pickle for model serialization (RCE risk)
- trust_remote_code=True in HuggingFace
- Compromised training data sources
- Third-party plugins without verification

### CWE-840 (CWE-840)

- **Business Logic Bypass** [HIGH]: Detects client-controlled business-critical values (price, quantity, discount)
flowing to payment or business operations without server-side validation.

### Missing Authorization (CWE-862)

- **LLM Excessive Agency** [HIGH]: Detects LLM implementations with excessive autonomy that can lead to unintended
consequences. OWASP LLM08 - Excessive Agency.

Excessive agency occurs when LLMs are granted:
- Ability to perform destructive operations without confirmation
- Auto-execution of LLM-generated code or commands
- Direct database modifications without approval
- Financial transactions without human oversight

### CWE-916 (CWE-916)

- **Weak Password Hashing Algorithm** [HIGH]: Detects use of weak password hashing algorithms like MD5 or SHA-1 instead of bcrypt, argon2, or PBKDF2.

### Server-Side Request Forgery (CWE-918)

- **Server-Side Request Forgery (SSRF)** [HIGH]: Detects user input controlling URLs in HTTP requests, allowing requests to
arbitrary destinations including internal services and cloud metadata endpoints.

### NoSQL Injection (CWE-943)

- **NoSQL Injection** [HIGH]: Detects untrusted user input being used in NoSQL queries without proper
validation.

### ReDoS (CWE-1333)

- **Regular Expression Denial of Service (ReDoS)** [MEDIUM]: Detects regular expressions with catastrophic backtracking patterns that can
cause exponential time complexity when matching certain inputs. Attackers can
exploit this to cause denial of service. Use simpler patterns or set timeouts.

### CWE-clickjacking (CWE-other)

- **Missing Clickjacking Protection** [MEDIUM]: Detects missing clickjacking protection headers (X-Frame-Options or CSP
frame-ancestors). Without these headers, attackers can embed your site in
iframes to perform clickjacking attacks, tricking users into clicking
malicious elements.