CWE / OWASP Glossary
A finding appeared in your report? Find here what it means, why it matters, and how to fix it.
A finding appeared in your report? Find here what it means, why it matters, and how to fix it.
Each entry below follows the same shape: what it is, why it matters, a realistic attack, how to fix it, and which Hykaro scanner catches it.
A secret (API key, password, token, private key) written straight into the source code instead of read from the environment at runtime.
This is the one AI assistants produce most. They drop real-looking keys into .env.example, fixtures, and generated tests, and the key ships with the repo. Anyone who reads the code reads the secret: a contractor with repo access, a client you handed the project to, a public mirror you forgot was public.
Picture a freelancer pushing a Next.js project to a client's GitHub. An OPENAI_API_KEY sits in lib/ai.ts. Three weeks later someone runs up a four-figure bill on that key before anyone notices.
The fix is to move every secret to an environment variable and keep .env out of git. If a key ever touched git history, rotate it. Deleting the line does not help, the value is already in the history and is already compromised.
Hykaro catches this with gitleaks, which scans the full git history, not just the current files, for high-entropy strings and known key formats.
References: CWE-798, OWASP A07:2021.
Untrusted input rendered into a page without escaping, so an attacker's text becomes executable script in someone else's browser.
In React you mostly get this for free, until you reach for dangerouslySetInnerHTML or build HTML by hand. Then user content can carry a <script> or an onerror handler that runs with your user's session.
A comment field accepts <img src=x onerror="fetch('/api/me')">. Every user who views the comment ships their session data to the attacker.
Escape on output, not just on input. Sanitize any HTML you must render with a library like DOMPurify. Set a Content-Security-Policy so injected script has nowhere to run.
Hykaro flags risky sinks with semgrep (security profile), including dangerouslySetInnerHTML fed from variables.
References: CWE-79, OWASP A03:2021.
User input concatenated into a SQL query, letting an attacker change what the query does.
It still happens, usually when someone builds a query with template strings to save time. The database cannot tell your intent from the attacker's payload, because both arrive as one string.
A login form sends ' OR '1'='1 as the email. The query returns the first row and logs the attacker in as that user.
Use parameterized queries or an ORM that parameterizes for you. Never build SQL by string concatenation, even for an internal admin tool.
Hykaro detects string-built queries with semgrep and bearer, whose data-flow rules track tainted input into a query.
References: CWE-89, OWASP A03:2021.
A file path built from user input without validation, letting an attacker reach files outside the intended directory.
The classic payload is ../../../../etc/passwd. If your code joins user input onto a base path and reads the result, the user decides which file you open.
A download endpoint takes ?file=invoice.pdf and reads ./uploads/ plus the value. An attacker sends ../../.env and downloads your secrets.
Resolve the final path and check it still sits inside the directory you meant. Reject any input containing .. or absolute paths. Prefer an allowlist of known files over free-form names.
Hykaro flags this with semgrep data-flow rules from request input into filesystem calls.
References: CWE-22, OWASP A01:2021.
A request your server trusts because it carries the user's cookie, but which the user never meant to send.
If a state-changing endpoint relies only on the session cookie, any other site can trigger it. The browser attaches the cookie automatically, so a hidden form on a malicious page can POST to your /account/email as your logged-in user.
The user visits a forum while logged into your app. A hidden form there posts a new email to your account endpoint. The attacker now controls password recovery.
Require a CSRF token on state-changing requests, or set SameSite=Lax (or Strict) on session cookies so they are not sent on cross-site POSTs. Most frameworks ship CSRF protection, so the bug is usually a disabled or skipped check.
Hykaro flags missing CSRF protection and weak cookie attributes during the configuration checks.
References: CWE-352.
Turning untrusted bytes back into an object, where the act of rebuilding the object runs attacker-controlled code.
This bites Node apps that deserialize into class instances with a library that supports type hints, and PHP apps that call unserialize() on user input. The payload is not data, it is instructions.
An app stores a session as a serialized object in a cookie and trusts it on the way back in. An attacker crafts a payload that, when rebuilt, calls a method that runs a shell command.
Do not deserialize untrusted input into rich objects. Use plain JSON.parse for data, validate the shape with a schema, and never unserialize() anything a user can reach.
Hykaro flags unsafe deserialization sinks with semgrep and bearer.
References: CWE-502, OWASP A08:2021.
Your server makes an HTTP request to a URL the user controls, and the attacker points it somewhere internal.
Anything that fetches a user-supplied URL is a candidate: webhooks, link previews, image proxies, PDF renderers. From the outside the attacker cannot reach your internal network. Your server can, so they borrow it.
A link-preview feature fetches whatever URL a user pastes. An attacker pastes http://169.254.169.254/latest/meta-data/, and your server returns the cloud credentials from the metadata endpoint.
Validate the URL against an allowlist of hosts. Block private and link-local address ranges after resolving DNS. Do not follow redirects into ranges you just blocked.
Hykaro flags user-controlled outbound requests with semgrep data-flow rules.
References: CWE-918, OWASP A10:2021.
The app hands out data it should keep private: stack traces, internal paths, tokens in URLs, verbose errors, or another user's record.
Most leaks are mundane. A production app runs with debug mode on and returns a full stack trace, including the database connection string, on any error. Or an API returns the whole user object, password hash included, because nobody trimmed the response.
Turn off debug output in production. Return generic error messages to clients and log the detail server-side. Send only the fields the client needs, never the raw record.
Hykaro flags verbose error configuration and checks responses and headers for leaked internals.
References: CWE-200, OWASP A01:2021.
Hykaro labels each finding critical, high, medium, low, or informational.
Critical and high are findings an attacker can use now: a live secret, an injection, a remote code path. Medium needs a condition to line up first. Low is hygiene that rarely leads to a breach on its own. Informational is context, not a problem.
The grade on your report weights the open critical and high findings most, because those are what a client (or an attacker) reacts to first.
Missing an entry you saw in your report? Email hello@hykaro.security and we will add it.