Authentication: Username Enumeration: avoid UsernameNotFoundException
Avoid throwing a UsernameNotFoundException as it could lead to username enumeration
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
Authentication: Username Enumeration: setHideUserNotFoundExceptions should be set to true
Prevent enumeration by not throwing an exception that reveals the existence of the username
- warning
- java
- Spring
- security
- framework specific
- web
- Spring Security
- OWASP Top 10
CSRF: Disabled CSRF protection (AbstractHttpConfigurer)
Disabling Spring Security's CSRF protection makes the application vulnerable
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- CSRF
- OWASP Top 10
CSRF: Disabled CSRF protection (HttpSecurity)
Disabling Spring Security's CSRF protection makes the application vulnerable
- error
- java
- Spring
- security
- framework specific
- web
- Spring Security
- CSRF
- OWASP Top 10
Data: Injection: Parameterize LDAP Filters: DirContext#search
Could lead to LDAP Injection
- error
- java
- security
- LDAP
- injection
- OWASP Top 10
Email: Disabled SSL on Connect
When sending an email, SSL has been disabled on connection
- error
- java
- security
- Apache Commons
- web
- OWASP Top 10
Email: Disabled SSL Server Identity check
When sending an email, setSSLCheckServerIdentity has been set to false
- error
- java
- security
- Apache Commons
- web
- OWASP Top 10
Hibernate: Missing transport-level security: No SSL for database connection
Use transport-level security to connect to the database
- warning
- xml
- database
- security
- Hibernate
- framework specific
- OWASP Top 10
- TLS
Injection: Avoid Code Injection: Use SafeConstructor: 1st argument of type Constructor
Could lead to Remote Code Execution
- error
- java
- security
- basic protection set
- injection
- YAML
- OWASP Top 10
Injection: Avoid Code Injection: Use SafeConstructor: arguments, but no Constructor argument
Could lead to Remote Code Execution
- error
- java
- security
- basic protection set
- injection
- YAML
- OWASP Top 10
Injection: Avoid Code Injection: Use SafeConstructor: no arguments
Could lead to Remote Code Execution
- error
- java
- security
- basic protection set
- injection
- YAML
- OWASP Top 10
Injection: Avoid SQL Injection: Use Parameterized Queries (PreparedStatement)
Could lead to SQL Injection
- error
- java
- security
- SEI CERT
- basic protection set
- injection
- SQL
- OWASP Top 10
Injection: Avoid SQL Injection: Use Parameterized Queries (Statement)
Could lead to SQL Injection
- error
- java
- security
- SEI CERT
- basic protection set
- injection
- SQL
- OWASP Top 10
Injection - SQL Injection in JPA: EntityManager#createNativeQuery
Avoid SQLi by using parameterized queries instead of string concatenation with untrusted input
- error
- java
- security
- JPA
- injection
- SQL
- OWASP Top 10
Injection - SQL Injection in JPA: EntityManager#createQuery
Avoid SQLi by using parameterized queries instead of string concatenation with untrusted input
- error
- java
- security
- JPA
- injection
- SQL
- OWASP Top 10
Injection: XXE: Jaxb2Marshaller#setProcessExternalEntities set to true
Prevent XXE by disabling the processing of external entities
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Injection: XXE: Jaxb2Marshaller#setSupportDtd set to true
Prevent XXE by disabling DTDs
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Injection: XXE: Jaxb2RootElementHttpMessageConverter#setProcessExternalEntities set to true
Prevent XXE by disabling the processing of external entities
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Injection: XXE: Jaxb2RootElementHttpMessageConverter#setSupportDtd set to true
Prevent XXE by disabling DTDs
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Injection: XXE: SourceHttpMessageConverter#setProcessExternalEntities set to true
Prevent XXE by disabling the processing of external entities
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Injection: XXE: SourceHttpMessageConverter#setSupportDtd set to true
Prevent XXE by disabling DTDs
- error
- java
- Spring
- security
- XXE
- framework specific
- Spring XML
- OWASP Top 10
Input Validation: Avoid Expression Language Injection: Do not evaluate expressions controlled by user input (javax)
Could lead to Expression Language Injection
- error
- java
- expression language
- security
- injection
- OWASP Top 10
Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: single parameter
Could lead to JDBC Injection
- error
- java
- Spring
- security
- Spring Data
- framework specific
- injection
- SQL
- OWASP Top 10
Input Validation: Avoid JDBC Injection: Bind variables in prepared statements: Two parameters
Could lead to JDBC Injection
- error
- java
- Spring
- security
- Spring Data
- framework specific
- injection
- SQL
- OWASP Top 10
Input Validation: Avoid Spring Expression Language Injection: Do not evaluate expressions controlled by user input (ExpressionParser)
Could lead to Spring Expression Language Injection
- error
- java
- expression language
- Spring
- Spring Core
- security
- framework specific
- injection
- OWASP Top 10