Node.Security

Security Audit of Sizzle

ISGroup SRL performed an automated Code Review (not a real Static Analysis, more a grep-on-steroid) of this NodeJS project in order to identify potential security vulnerabilities. We do not guarantee that all the findings are valid, and for sure there are plenty of false-positives and false-negatives (undetected issues) but it's free and your project could benefit from this security analisys. The following data is also available in JSON format!

Possible Security Issues
Issue Description Line File
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 107 test/data/testinit.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 803 external/benchmark/benchmark.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1203 external/benchmark/benchmark.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 394 external/jquery-1.8.3/jquery.js
Server Side Injection(SSI) - new Function() User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 523 external/jquery-1.8.3/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 852 external/jquery-1.8.3/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 887 external/jquery-1.8.3/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1954 external/jquery-1.8.3/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 7979 external/jquery-1.8.3/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 8528 external/jquery-1.8.3/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 8605 external/jquery-1.8.3/jquery.js
Server Side Injection(SSI) - setInterval() User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 9199 external/jquery-1.8.3/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 693 external/qunit/qunit.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 708 external/qunit/qunit.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 725 external/qunit/qunit.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 328 external/dojo/dojo.js
Server Side Injection(SSI) - new Function() User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 328 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 649 external/dojo/dojo.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 721 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1345 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1354 external/dojo/dojo.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1596 external/dojo/dojo.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 2114 external/dojo/dojo.js
Server Side Injection(SSI) - setInterval() User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 2266 external/dojo/dojo.js
Server Side Injection(SSI) - new Function() User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 3133 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 3150 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 3164 external/dojo/dojo.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 3340 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 3912 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 3927 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 3932 external/dojo/dojo.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 4272 external/dojo/dojo.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 4341 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 6168 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 6758 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 6774 external/dojo/dojo.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 12041 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 13147 external/dojo/dojo.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 14571 external/dojo/dojo.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 14587 external/dojo/dojo.js
Server Side Injection(SSI) - setInterval() User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 14893 external/dojo/dojo.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 15320 external/dojo/dojo.js
Server Side Injection(SSI) - new Function() User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 15599 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 15954 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 15962 external/dojo/dojo.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 16917 external/dojo/dojo.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 423 external/jquery-1.7.2/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 455 external/jquery-1.7.2/jquery.js
Server Side Injection(SSI) - new Function() User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 573 external/jquery-1.7.2/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 973 external/jquery-1.7.2/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 2044 external/jquery-1.7.2/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 2168 external/jquery-1.7.2/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 7712 external/jquery-1.7.2/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 8693 external/jquery-1.7.2/jquery.js
Server Side Injection(SSI) - setInterval() User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 8834 external/jquery-1.7.2/jquery.js
Server Side Injection(SSI) - new Function() User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 886 external/nwmatcher/nwmatcher.js
Server Side Injection(SSI) - new Function() User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 890 external/nwmatcher/nwmatcher.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 712 external/requirejs/require.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1783 external/requirejs/require.js
Server Side Injection(SSI) - eval() User controlled data in eval() can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 2098 external/requirejs/require.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 421 external/jquery/jquery.js
Server Side Injection(SSI) - new Function() User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 560 external/jquery/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 895 external/jquery/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 930 external/jquery/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1995 external/jquery/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 7971 external/jquery/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 8608 external/jquery/jquery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 8685 external/jquery/jquery.js
Server Side Injection(SSI) - setInterval() User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 9338 external/jquery/jquery.js
Server Side Injection(SSI) - new Function() User controlled data in 'new Function()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 362 speed/speed.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 384 speed/speed.js
Missing Security Features
Issue Description
Missing Security Header - X-Frame-Options (XFO) X-Frame-Options (XFO) header provides protection against Clickjacking attacks.
Missing Security Header - Content-Security-Policy (CSP) Content Security Policy (CSP), a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). CSP Header was not found.
Missing Security Header - Strict-Transport-Security (HSTS) Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.
Missing 'httpOnly' in Cookie JavaScript can access Cookies if they are not marked httpOnly.
Infromation Disclosure - X-Powered-By Remove the X-Powered-By header to prevent information gathering.
Missing Security Header - X-Content-Type-Options X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.
Missing Security Header - X-Download-Options: noopen X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.
Missing Security Header - X-XSS-Protection:1 X-XSS-Protection header set to 1 enables the Cross-site scripting (XSS) filter built into most recent web browsers.
Missing Security Header - Public-Key-Pins (HPKP) Public-Key-Pins (HPKP) ensures that certificate is Pinned.
Outdated Libraries
File Library Reference