Found 5212 skills
igbuend
Detects LDAP injection vulnerabilities (CWE-90) by identifying unescaped special characters in LDAP filters and user input handling during code review.
igbuend
Provides a security pattern for implementing audit trails and logging security events to ensure non-repudiation and support incident response.
igbuend
Identifies unescaped user input in XML queries to prevent XPath injection vulnerabilities during code review.
igbuend
Detects unsanitized user input in log messages to prevent log injection (CWE-117) and CRLF injection vulnerabilities during code review.
igbuend
Detects insecure password hashing (e.g., MD5, SHA1 without salt) and recommends secure alternatives like bcrypt, Argon2, or scrypt.
igbuend
Detects integer overflow vulnerabilities in code handling user-controlled arithmetic, sizes, and quantities to prevent CWE-190.
igbuend
Provides a security pattern for rate limiting and throttling to protect against brute-force attacks, DoS/DDoS, and API abuse.
igbuend
Detects weak encryption anti-patterns including DES, ECB mode, static IVs, and custom crypto implementations in code reviews.
igbuend
Detects and prevents debug mode in production by identifying hardcoded debug flags and development features in code configurations.
igbuend
Detects insecure random number generation in security-critical code, such as tokens and keys, by identifying unsafe practices like Math.random().
igbuend
Detects padding oracle vulnerabilities in CBC-mode decryption code by analyzing error handling patterns that expose cryptographic weaknesses.
igbuend
Detects improper hash(secret + message) usage in authentication and integrity checks, preventing length extension attacks.
igbuend
Detects missing file extension, MIME type, and size validation in user-uploaded files to prevent security vulnerabilities (CWE-434).
igbuend
Detects missing security headers (CSP, HSTS, X-Frame-Options) in web applications to prevent common vulnerabilities.
igbuend
Detects path traversal vulnerabilities (CWE-22) in code processing user input for file paths, ensuring proper sanitization and validation.
igbuend
Detects unsafe shell command concatenation patterns and recommends argument arrays to prevent OS Command Injection (CWE-78).
igbuend
Provides security anti-pattern guidance to prevent Cross-Site Scripting (XSS) vulnerabilities in web applications, covering common code mistakes and best practices.
igbuend
Detects mutation XSS (mXSS) anti-patterns in code that sanitizes HTML, preventing browser parsing bypasses in user content handling.
igbuend
Detects mass assignment vulnerabilities (CWE-915) in code processing user input, forms, or API requests to prevent privilege escalation.
igbuend
Detects timing side-channel vulnerabilities in code comparing secrets, tokens, or cryptographic values through early-exit comparisons.
igbuend
Detects Unicode security anti-patterns including confusable characters, normalization issues, and bidirectional text attacks in code handling text inputs.
igbuend
Detects DOM Clobbering security vulnerabilities by identifying unsafe DOM element access patterns and global variable overwrites in code.
igbuend
Detects session fixation vulnerabilities by identifying failure to regenerate session IDs after authentication in user session handling code.
igbuend
Detects missing or broken authentication in code, including unprotected endpoints and weak password policies, to prevent security vulnerabilities.