What types of vulnerabilities does Snyk API & Web detect?

A comprehensive list with each vulnerability type detected by Snyk API & Web.

Written by Tiago Mendo
Updated over a month ago

Snyk API & Web currently detects the vulnerability types listed below. Refer to this page periodically for an updated list. Keep in mind that some vulnerabilities are grouped together under a single entry.

  • Reflected cross-site scripting

  • Stored cross-site scripting

  • Operating system command injection

  • XML external entity injection

  • ASP.NET debugging enabled

  • Insecure crossdomain.xml policy

  • Insecure Silverlight clientaccesspolicy.xml policy

  • SQL Injection

  • Cross-Origin Resource Sharing: Arbitrary Origin Trusted

  • Unencrypted communications

  • Mixed content

  • Expired TLS certificate

  • TLS certificate about to expire

  • Certificate without revocation information

  • Insecure SSL protocol version 2 supported

  • Insecure SSL protocol version 3 supported

  • Deprecated TLS protocol version 1.0 supported

  • Deprecated TLS protocol version 1.1 supported

  • Secure TLS protocol version 1.2 not supported

  • Weak cipher suites enabled

  • Server Cipher Order not configured

  • Untrusted TLS certificate (invalid CN, SAN, issuer or chain)

  • Heartbleed

  • Potential DoS on TLS Client Renegotiation

  • Secure Renegotiation is not supported

  • TLS Downgrade attack prevention not supported

  • WordPress version with known vulnerabilities

  • WordPress plugin with known vulnerabilities

  • Joomla! version with known vulnerabilities

  • Log file disclosure

  • Backup file disclosure

  • Full path disclosure

  • HSTS header not enforced

  • HSTS header set in HTTP

  • HSTS header with low duration and no subdomain protection

  • HSTS header with low duration

  • HSTS header does not protect subdomains

  • Inclusion of cryptocurrency mining script

  • Browser content sniffing allowed

  • Referrer policy not defined

  • Insecure referrer policy

  • Missing Content Security Policy header (CSP)

  • Insecure Content Security Policy (CSP)

  • HTTP TRACE method enabled

  • JQuery library with known vulnerabilities

  • AngularJS library with known vulnerabilities

  • Bootstrap library with known vulnerabilities

  • JQuery Mobile library with known vulnerabilities

  • JQuery Migrate library with known vulnerabilities

  • Moment.js library with known vulnerabilities

  • Prototype library with known vulnerabilities

  • React library with known vulnerabilities

  • SWFObject library with known vulnerabilities

  • TinyMCE library with known vulnerabilities

  • Backbone library with known vulnerabilities

  • Mustache library with known vulnerabilities

  • Handlebars library with known vulnerabilities

  • Dojo library with known vulnerabilities

  • jPlayer library with known vulnerabilities

  • CKEditor library with known vulnerabilities

  • DWR library with known vulnerabilities

  • Flowplayer library with known vulnerabilities

  • DOMPurify library with known vulnerabilities

  • Plupload library with known vulnerabilities

  • easyXDM library with known vulnerabilities

  • Ember library with known vulnerabilities

  • YUI library with known vulnerabilities

  • Sessvars library with known vulnerabilities

  • jQuery UI library with known vulnerabilities

  • prettyPhoto library with known vulnerabilities

  • Vue.js library with known vulnerabilities

  • Knockout library with known vulnerabilities

  • Next.js library with known vulnerabilities

  • Underscore.js library with known vulnerabilities

  • Chart.js library with known vulnerabilities

  • JSZip library with known vulnerabilities

  • Svelte library with known vulnerabilities

  • Axios library with known vulnerabilities

  • Froala library with known vulnerabilities

  • Highcharts library with known vulnerabilities

  • Cookie without HttpOnly flag

  • SSL cookie without Secure flag

  • Cookie with SameSite attribute set to None

  • Open redirection

  • Directory Listing

  • HTTP response header injection

  • ASP.NET tracing enabled

  • Path traversal

  • Remote File Inclusion

  • Missing cross-site request forgery protection

  • Missing clickjacking protection

  • ASP.NET ViewState without MAC

  • Session Token in URL

  • Application error message

  • Private IP addresses disclosed

  • Server-side template injection

  • Server-side JavaScript injection

  • Insecure PHP Object deserialization

  • PHP code injection (also known as Local File Inclusion)

  • GraphQL Introspection enabled

  • Log4Shell (CVE-2021-42287)

  • Spring Cloud SPEL Code Injection (CVE-2022-22963)

  • Spring4Shell (CVE-2022-22965)

  • Weak JWT HMAC secret

  • Using jwk parameter to verify JWTs

  • JWT signature is not being verified

  • JWT accepting none algorithm

  • JWT algorithm confusion

  • Python code injection

  • MongoDB Injection

  • Insecure browser XSS protection enabled

  • Hidden file found

  • Server-side request forgery

  • Drupal version with known vulnerabilities

  • XPath Injection

  • CRLF Injection

  • Supply Chain Compromise

  • PDF.js library with known vulnerabilities

  • Lodash library with known vulnerabilities

  • Select2 library with known vulnerabilities

  • UAParser.js library with known vulnerabilities

  • MathJax library with known vulnerabilities

List of deprecated vulnerabilities that are no longer detected:

  • Browser XSS protection disabled
