Unsanitized user input passed directly to database query constructor allows arbitrary SQL execution.
db.query(`SELECT * FROM users WHERE id = ${req.params.id}`);
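The same lookup with the id validated up front and bound as a query parameter, as an added example that is not part of the original finding. The database object is a constructed stand-in; the assumed driver shape is query(text, values) with positional placeholders, as in node-postgres.

```javascript
// Added example (not from the original finding). Assumes a driver whose
// query() takes SQL text with placeholders plus a separate values array;
// the db object below is a constructed stand-in so this runs offline.

// A user id is a positive integer; reject anything else before it reaches
// the database layer at all.
function parseUserId(raw) {
  if (typeof raw !== 'string' || !/^[1-9][0-9]{0,15}$/.test(raw)) {
    throw new RangeError(`invalid user id: ${JSON.stringify(raw)}`);
  }
  return Number(raw);
}

// The statement text is a constant; the value travels in a separate array
// and is bound by the driver, so it is only ever compared as data.
function buildUserQuery(rawId) {
  return { text: 'SELECT * FROM users WHERE id = $1', values: [parseUserId(rawId)] };
}

// Constructed stand-in for the driver: it records what it was asked to run,
// which lets a test confirm the input was bound rather than interpolated.
function makeRecordingDb() {
  const calls = [];
  return {
    calls,
    query(text, values) {
      calls.push({ text, values });
      return Promise.resolve({ rows: [] });
    },
  };
}

// Express-style handler body: a validation error becomes a 400, not a 500.
async function getUser(db, req, res) {
  let q;
  try {
    q = buildUserQuery(req.params.id);
  } catch (err) {
    return res.status(400).send(err.message);
  }
  const result = await db.query(q.text, q.values);
  return res.json(result.rows);
}
```

Binding is the control that closes the finding; the integer check is cheap defence in depth and also keeps garbage out of the query planner.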
User-supplied search parameter rendered directly into DOM without escaping.
element.innerHTML = req.query.search;
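Two ways to put the search term on the page as text rather than markup, as an added example (not code from the original finding). The element objects are constructed stand-ins for DOM nodes so the snippet runs in Node without a browser.

```javascript
// Added example (not from the original finding). `element` is a constructed
// stand-in for a DOM node; in a browser it would be a real element.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Preferred fix: textContent assigns a string as text and never parses it as
// HTML, so no escaping is needed at all.
function renderSearchTerm(element, term) {
  element.textContent = term;
}

// When an HTML string really must be assembled (server-side templates, for
// example), escape every untrusted piece before concatenation.
function searchResultHeading(term) {
  return `<h2>Results for "${escapeHtml(term)}"</h2>`;
}
```

Most template engines escape by default; the failure mode in the finding is the explicit innerHTML sink, which bypasses all of that.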
MD5 used for password hashing without salting. Vulnerable to rainbow table attacks.
const hash = md5(password);
File path constructed from user input without sanitization allows reading arbitrary files from the filesystem. An attacker can navigate directory structure using ../ sequences to access sensitive configuration files, environment variables, and private keys.
const file = fs.readFileSync(`./uploads/${req.params.filename}`);
Untrusted data deserialized without validation. Attacker can craft payloads to achieve remote code execution through prototype pollution or object injection vectors.
const session = JSON.parse(Buffer.from(cookie, 'base64').toString());
Object.assign(userConfig, session.preferences);
Redirect URL taken from query parameter without domain validation.
res.redirect(req.query.next);
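A redirect target check that accepts local paths and an explicit host allow-list, as an added example that is not code from the original finding. The host names in the test are constructed.

```javascript
// Added example (not from the original finding). Returns a safe target for
// res.redirect(); anything it cannot vouch for falls back to `fallback`.
function safeRedirectTarget(next, { allowedHosts = [], fallback = '/' } = {}) {
  if (typeof next !== 'string' || next.length === 0) return fallback;
  // Control characters have no place in a Location header.
  if (/[\u0000-\u001f\u007f]/.test(next)) return fallback;
  // A local path starts with exactly one slash: "//host" and "/\host" are
  // treated by browsers as protocol-relative URLs to another site.
  if (/^\/(?![/\\])/.test(next)) return next;
  let url;
  try {
    url = new URL(next);
  } catch {
    return fallback; // relative junk, unknown schemes, unparsable input
  }
  // Absolute targets: HTTPS only, and the host must match the list exactly
  // (no suffix matching, which "app.example.com.other.example" would pass).
  if (url.protocol !== 'https:' || !allowedHosts.includes(url.hostname)) return fallback;
  return url.href;
}
```

Keeping the allow-list empty by default means a plain `res.redirect(safeRedirectTarget(req.query.next))` only ever lands on the same site.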
State-changing POST endpoint lacks CSRF token validation. Session cookie alone used for authentication enables cross-site request forgery.
app.post('/transfer', authenticate, (req, res) => {
  transferFunds(req.body.to, req.body.amount);
});
API key embedded directly in source code. Exposed in version control history.
const API_KEY = "sk-a8f3...";
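A startup loader that takes the key from the environment and fails loudly when it is missing, paired with a small scanner of the kind a pre-commit hook would run to catch literals like the one in the finding. This is an added example, not code from the original finding; the key value and source lines in the test are constructed.

```javascript
// Added example (not from the original finding).

// Read a secret at startup from the environment (or whatever a secrets
// manager injects there) and refuse to run without it.
function requireSecret(env, name) {
  const value = env[name];
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`${name} is not set; provide it via the environment or a secrets manager`);
  }
  return value;
}

// Show just enough of a secret in logs to tell which key is in use.
function redact(secret) {
  if (typeof secret !== 'string' || secret.length < 12) return '[redacted]';
  return `${secret.slice(0, 4)}...${secret.slice(-2)}`;
}

// Minimal scanner: flags a quoted literal assigned to a credential-looking
// name. The pattern is constructed for this example; dedicated tools such as
// gitleaks or trufflehog carry far broader rule sets and entropy checks.
const CREDENTIAL_LITERAL = /\b\w*(?:API_?KEY|SECRET|TOKEN|PASSWORD)\w*\s*[:=]\s*["'`][^"'`\s]{8,}["'`]/i;

function findHardcodedSecrets(source) {
  const hits = [];
  source.split('\n').forEach((text, i) => {
    if (CREDENTIAL_LITERAL.test(text)) hits.push({ line: i + 1, text: text.trim() });
  });
  return hits;
}
```

Because the literal is already in version control history, removing it from the current tree is not enough: the exposed key has to be revoked and reissued.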
Login endpoint has no rate limiting. Allows brute-force credential attacks.
app.post('/login', handler);
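An in-memory failure counter with a sliding window, keyed per source address and account, as an added example that is not code from the original finding. The clock is injected so the behaviour is testable; the address and user name in the test are constructed.

```javascript
// Added example (not from the original finding). In-memory only: a
// multi-instance deployment needs a shared store (Redis or similar) behind
// the same interface. Packages such as express-rate-limit exist for the
// per-IP part; the per-account counter here is what blunts a distributed
// guess against a single user.
function createLoginRateLimiter({ maxFailures = 5, windowMs = 15 * 60 * 1000, now = Date.now } = {}) {
  const failures = new Map(); // key -> timestamps of failures inside the window

  function recent(key, at) {
    const kept = (failures.get(key) || []).filter((t) => at - t < windowMs);
    if (kept.length) failures.set(key, kept); else failures.delete(key);
    return kept;
  }

  return {
    // Call before verifying credentials; respond 429 with Retry-After when blocked.
    check(key) {
      const at = now();
      const hits = recent(key, at);
      if (hits.length >= maxFailures) {
        return { allowed: false, retryAfterMs: windowMs - (at - hits[0]) };
      }
      return { allowed: true, remaining: maxFailures - hits.length };
    },
    // Count only failures, so a legitimate user who logs in is never throttled.
    recordFailure(key) {
      const at = now();
      const hits = recent(key, at);
      hits.push(at);
      failures.set(key, hits);
    },
    reset(key) {
      failures.delete(key);
    },
  };
}

// Keying on both the client address and the (normalised) account name lets
// the limiter catch a single source trying many accounts and many sources
// trying one account.
function loginKeys(ip, username) {
  const user = String(username || '').trim().toLowerCase();
  return [`ip:${ip}`, `user:${user}`];
}
```

Pair the counter with a generic failure message and a constant-time password check, so the response itself does not reveal whether the account exists.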