Issue Types (Java)

RIPS scans your Java code for previously unknown security flaws. These are classified as exploitable security vulnerabilities or security-related code quality issues.

Exploitable Security Issues (82)

| Name | Severity | CWE | OWASP Top 10 (2010) | OWASP Top 10 (2013) | OWASP Top 10 (2017) | SANS 25 | PCI DSS | ASVS 3.01 |
|---|---|---|---|---|---|---|---|---|
| Command Injection | Critical | 78 | A1 | A1 | A1 | 2 | 6.5.1 | 5.12 |
| Code Injection | Critical | 95 | A1 | A1 | A1 | 18 | 6.5.1 | 16.4 |
| File Write (Arbitrary) | Critical | 96 | A1 | A1 | A1 | 10 | 6.5.8 | 16.2 |
| File Write (PHP file) | Critical | 96 | A1 | A1 | A1 | 10 | 6.5.8 | |
| SQL Injection | Critical | 89 | A1 | A1 | A1 | 1 | 6.5.1 | 5.1 |
| SQL Injection (unquoted) | Critical | 89 | A1 | A1 | A1 | 1 | 6.5.1 | 5.1 |
| SQL Injection (single-quoted) | Critical | 89 | A1 | A1 | A1 | 1 | 6.5.1 | 5.1 |
| SQL Injection (double-quoted) | Critical | 89 | A1 | A1 | A1 | 1 | 6.5.1 | 5.1 |
| Object Injection | Critical | 502 | A4 | A4 | A8 | 18 | 6.5.1 | |
| Path Traversal | High | 22 | A4 | A4 | A5 | 13 | 6.5.8 | 9.5 |
| Path Traversal (limited) | High | 626 | A4 | A4 | A5 | 13 | 6.5.8 | 9.5 |
| File Inclusion | High | 98 | A4 | A4 | A5 | 13 | 6.5.8 | 5.13 |
| LDAP Injection | High | 90 | A1 | A1 | A1 | | 6.5.1 | |
| Object Instantiation | High | 470 | A4 | A4 | A5 | 10 | 6.5.8 | 16.4 |
| Expression Language Injection | High | 917 | A1 | A1 | A1 | | 6.5.1 | |
| Expression Language Injection (Spring) | High | 917 | A1 | A1 | A1 | | 6.5.1 | |
| Expression Language Injection (OGNL) | High | 917 | A1 | A1 | A1 | | 6.5.1 | |
| CVE | High | Yes | | A9 | A9 | | 6.2 | |
| Denial of Service | High | 730 | A1 | A5 | A1 | | 6.5.5 | |
| Denial of Service (regex) | High | 400 | | | | | | |
| Cross-Site Scripting | Medium | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (normal tag) | Medium | 80 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (script tag) | Medium | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (style tag) | Medium | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (comment) | Medium | 80 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (attribute name) | Medium | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (unquoted attribute) | Medium | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (single-quoted attribute) | Medium | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (double-quoted attribute) | Medium | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (eventhandler) | Medium | 83 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (url attribute) | Medium | 84 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| Cross-Site Scripting (style attribute) | Medium | 79 | A2 | A3 | A7 | 4 | 6.5.7 | 5.15 |
| File Create | Medium | 73 | A4 | A4 | A5 | 13 | 6.5.8 | 16.2 |
| File Delete | Medium | 73 | A4 | A4 | A10 | 13 | 6.5.8 | 9.5 |
| File Manipulation | Medium | 732 | A4 | A4 | A5 | 17 | 6.5.8 | 9.5 |
| File Write | Medium | 96 | A4 | A1 | A1 | 10 | 6.5.8 | 16.2 |
| File Write (JSON file) | Medium | 96 | A4 | A4 | A5 | 10 | 6.5.8 | 16.2 |
| File Write (CSS file) | Medium | 96 | A2 | A3 | A7 | 10 | 6.5.8 | 16.2 |
| File Write (HTML file) | Medium | 96 | A2 | A3 | A7 | 10 | 6.5.8 | 16.2 |
| XML/XXE Injection | Medium | 91 | A1 | A1 | A4 | | 6.5.1 | 5.14 |
| XQuery Injection | Medium | 652 | A1 | A1 | A1 | | 6.5.1 | 5.14 |
| XPath Injection | Medium | 643 | A1 | A1 | A1 | | 6.5.1 | 5.14 |
| XPath Injection (unquoted) | Medium | 643 | A1 | A1 | A1 | | 6.5.1 | 5.14 |
| XPath Injection (single-quoted) | Medium | 643 | A1 | A1 | A1 | | 6.5.1 | 5.14 |
| XPath Injection (double-quoted) | Medium | 643 | A1 | A1 | A1 | | 6.5.1 | 5.14 |
| HTTP Response Splitting | Medium | 113 | A10 | A10 | A1 | | | 3.1 |
| Session Fixation | Medium | 384 | A3 | A2 | A2 | | 6.5.10 | 3.1 |
| Server-Side Request Forgery | Medium | 918 | A8 | A10 | A2 | | 6.5.1 | 16.1 |
| File Upload | Medium | 434 | | A5 | A5 | 9 | 6.5.8 | |
| Reflection Injection | Medium | 470 | A1 | A7 | A5 | 16 | 6.5.8 | 16.4 |
| Open Redirect | Medium | 601 | A10 | A10 | A2 | 22 | 6.5.8 | 16.1 |
| JSON Injection | Medium | 74 | A1 | A1 | A1 | | 6.5.1 | 5.15 |
| NoSQL Injection | Medium | 94 | A1 | A1 | A1 | | 6.5.1 | |
| MongoDB Injection | Medium | 94 | A1 | A1 | A1 | | 6.5.1 | |
| XSLT Injection | Medium | 494 | A1 | A1 | A1 | 9 | 6.5.1 | 5.14 |
| Weak Cryptography (user-controlled parameter) | Medium | 327 | A7 | - | - | - | 6.5.3 | 7.11 |
| Weak Cryptography (insufficient key size) | Medium | 326 | A6 | A5 | A6 | - | 6.5.3 | 7.8 |
| Weak Cryptography (insufficient iteration count) | Medium | 326 | A6 | A5 | A6 | - | 6.5.3 | 7.8 |
| Log Forging | Low | 117 | A4 | A4 | A10 | | | 8.8 |
| Directory Listing | Low | 548 | A4 | A4 | A5 | 13 | 6.5.8 | 4.5 |
| Information Leakage | Low | 209 | | A6 | A3 | | 6.5.5 | 8.1 |
| Information Leakage (System) | Low | 214 | | A6 | A3 | | 6.5.5 | 8.1 |
| Information Leakage (Session Token in URL) | Low | 201 | A3 | A2 | A2 | | 6.5.10 | 3.6 |
| Weak Cryptography | Low | 310 | A9 | A6 | A3 | | 6.5.3 | |
| Weak Cryptography (broken algorithm) | Low | 327 | A9 | A6 | A3 | 19 | 6.5.3 | 7.8 |
| Weak Cryptography (static parameter) | Low | 328 | A9 | A6 | A3 | | 6.5.3 | |
| Weak Cryptography (low entropy) | Low | 330 | A9 | A6 | A3 | | 6.5.3 | 7.15 |
| Weak Cryptography (missing padding) | Low | 325 | A9 | A6 | A3 | | 6.5.3 | |
| Weak Cryptography (cert verification) | Low | 295 | A9 | A6 | A3 | | 6.5.4 | 10.3 |
| Weak Cryptography (byte array to string conversion) | Low | 320 | A7 | A5 | A6 | - | 6.5.3 | 7.9 |
| Connection String Injection | Low | 99 | A3 | A5 | A2 | 16 | 6.5.4 | |
| Connection String Injection (FTP) | Low | 99 | A3 | A5 | A2 | 16 | 6.5.4 | |
| Connection String Injection (DBMS) | Low | 99 | A3 | A5 | A2 | 16 | 6.5.4 | |
| Resource Injection | Low | 93 | A9 | A4 | A5 | 16 | 6.5.1 | |
| Resource Injection (Mail) | Low | 93 | A9 | A4 | A5 | 16 | 6.5.1 | |
| Resource Injection (FTP) | Low | 93 | A9 | A4 | A5 | 16 | 6.5.1 | |
| Environment Manipulation | Low | 471 | A4 | A5 | A2 | 10 | 6.5.8 | |
| Library Injection | Low | 114 | A1 | A5 | A1 | 11 | | |
| HTTP Parameter Pollution | Low | 233 | A10 | A10 | A2 | | 6.5.4 | 5.17 |
| Denial of Service (StringBuilder) | Low | 400 | | | | | | |
| Denial of Service (CVE-2010-4476) | Low | 400 | | A9 | A9 | | 6.2 | |
| Format String Information Leakage | Low | 134 | | A6 | A3 | | 6.5.5 | |


Code Quality Issues (35)

| Name | Severity | CWE | OWASP Top 10 (2010) | OWASP Top 10 (2013) | OWASP Top 10 (2017) | SANS 25 | PCI DSS | ASVS 3.01 |
|---|---|---|---|---|---|---|---|---|
| Execution After Redirect | Low | 698 | | A7 | A2 | | | |
| Cookie Misconfiguration | Low | 494 | A6 | A5 | A6 | | 6.5.10 | 3.12 |
| Cookie Misconfiguration (expiry) | Low | 539 | A6 | A5 | A6 | | 6.5.10 | 3.4 |
| Cookie Misconfiguration (secure flag) | Low | 614 | A6 | A5 | A6 | | 6.5.10 | |
| Cookie Misconfiguration (path) | Low | 287 | A6 | A5 | A6 | | 6.5.10 | |
| Cookie Misconfiguration (domain) | Low | 287 | A6 | A5 | A6 | | 6.5.10 | |
| Cookie Misconfiguration (httpOnly flag) | Low | 200 | A6 | A5 | A6 | | 6.5.10 | |
| Weak HTTP header | Low | 644 | A6 | A5 | A6 | | 6.5.4 | |
| Weak CORS Header | Low | 346 | A6 | A5 | A6 | | 6.5.4 | 16.5 |
| Weak Strict-Transport-Security header | Low | 523 | A6 | A5 | A6 | | 6.5.4 | 10.11 |
| Weak X-XSS Protection header | Low | 693 | A6 | A5 | A6 | | 4.1.g | 11.8 |
| Weak CSP header | Low | 693 | A6 | A5 | A6 | | 6.5.4 | 11.7 |
| Weak XFO header | Low | 1021 | A6 | A6 | A6 | | 6.5.4 | 11.4 |
| Trust Boundary Violation | Low | 501 | | | | | | |
| Divide By Zero | Low | 369 | | | | | | |
| Dynamic SQL Query | Low | 89 | | | | | | |
| Generic Exception Throw | Low | 397 | | | | | | |
| Generic Exception Catch | Low | 396 | | | | | | |
| Empty Exception Catch | Low | 755 | | | | | | |
| Return Inside Finally | Low | 584 | | | | | | |
| Missing Error Handling | Low | 390 | | | | | | |
| Missing Default Case | Low | 478 | | | | | | |
| Omitted Break Statement | Low | 484 | | | | | | |
| Deprecated Feature | Low | 477 | | | | | | |
| Dangerous Feature | Low | 242 | | | | | | |
| Suspicious Comment | Low | 546 | | | | | | |
| Ignored Return Value | Low | 253 | | | | | | |
| Assign Instead Compare | Low | 481 | | | | | | |
| Decision by Cookie | Low | 784 | A3 | A2 | A2 | | | |
| Decision by DNS | Low | 350 | A3 | A2 | A2 | | | |
| Decision by IP | Low | 291 | A3 | A2 | A2 | | | |
| Permissive Regex | Low | 625 | | | | | | |
| Hard-coded Password | Low | 259 | | | | | | |
| Weak Hash Function | Low | 328 | A7 | | | | | |
| Parse error | Low | | | | | | | |