Detection Categories
Vulnerability classes detected by Secbez: injection, XSS, access control, IDOR/BOLA, business logic, transaction integrity, secrets, crypto, SSRF.
Secbez detects vulnerabilities across the categories below. Rule IDs follow the stable `SEC.<CATEGORY>.<RULE_NAME>` namespace and are public identifiers: baseline matching, suppression rules, and analytics key off them.
Injection

| Type | Description |
|---|---|
| SQL injection | User input in DB queries without parameterization (raw queries, builders, ORM escape hatches like `$queryRaw`, `knex.raw`, `query()`). |
| Command injection | User input passed to `exec`, `execSync`, `spawn(..., {shell: true})`, `subprocess.*(shell=True)`, or equivalent. |
| Template injection (SSTI) | User input rendered by a server-side template engine (Jinja, Handlebars, EJS, Twig) without escaping. |
| Deserialization | Unsafe deserialization of attacker-controlled data (`pickle.loads`, `unserialize`, vulnerable JSON-to-class mapping). |
Cross-site scripting (XSS)

| Type | Description |
|---|---|
| Reflected XSS | User input reflected back in HTTP responses without output encoding or sanitization. |
| Stored XSS | User input stored and later rendered to other users without encoding. |
| DOM-based XSS | Client-side JS that writes user input to the DOM unsafely (`innerHTML`, `outerHTML`, `insertAdjacentHTML`, `document.write`). |
| Framework XSS | `dangerouslySetInnerHTML` (React), `v-html` (Vue), `bypassSecurityTrustHtml` (Angular) on untrusted input. |
Authorization / access control

| Type | Description |
|---|---|
| Broken access control | Missing or insufficient authorization checks on sensitive operations. |
| IDOR / BOLA | User-controlled IDs reaching DB sinks without an ownership predicate. Object- and function-level. |
| Privilege escalation | Users can elevate their own role or permissions, vertically (to a higher role) or horizontally (to a peer's resources). |
| Missing authentication | Sensitive endpoints reachable without any authentication step. |
| Tenant isolation | Operations not bound to a server-derived tenant or owner identity. |
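The SQL injection row and the IDOR / BOLA row describe two different defects that often sit on the same line of code, so one added Python example (not Secbez's code or rule logic) covers both: a lookup that interpolates a request-supplied ID into SQL with no ownership predicate, next to the version that binds the parameter and scopes the query to a server-derived user. The `invoices` table and its two rows are constructed sample data.

```python
import sqlite3
from typing import List, Tuple

Row = Tuple[int, int, int]  # (id, owner_id, total)


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users (100 and 200), one invoice each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner_id INTEGER, total INTEGER)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?)", [(1, 100, 50), (2, 200, 75)]
    )
    conn.commit()
    return conn


def get_invoice_vulnerable(conn: sqlite3.Connection, invoice_id: str) -> List[Row]:
    """Two findings in one statement: the request-supplied id is interpolated
    into the SQL text (injection), and nothing ties the row to the caller
    (IDOR/BOLA), so any user can read any invoice."""
    sql = f"SELECT id, owner_id, total FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()


def get_invoice_hardened(
    conn: sqlite3.Connection, invoice_id: str, current_user_id: int
) -> List[Row]:
    """Bound parameter plus an ownership predicate. current_user_id must come
    from the server-side session, never from a request field."""
    try:
        iid = int(invoice_id)          # reject anything that is not an integer id
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, owner_id, total FROM invoices WHERE id = ? AND owner_id = ?",
        (iid, current_user_id),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # User 100 asks for user 200's invoice, then tampers with the predicate.
    print(get_invoice_vulnerable(db, "2"))          # another tenant's row
    print(get_invoice_vulnerable(db, "0 OR 1=1"))   # every row
    print(get_invoice_hardened(db, "2", 100))       # []
    print(get_invoice_hardened(db, "0 OR 1=1", 100))  # []
```

The two fixes are independent: binding the parameter removes the injection, but a bound query with no `owner_id` predicate is still an IDOR finding, and an ownership predicate appended to a string-built query is still injectable.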
Authentication / protocol

| Type | Description |
|---|---|
| JWT misuse | Algorithm `none`, missing signature verification, weak secret, expired-but-accepted tokens, missing claim checks. |
| OAuth / SSO callback | `state` / PKCE missing, open redirector, unverified `iss`/`aud`. |
| Session management | Predictable IDs, missing rotation on authentication, missing fixation protection. |
| Cookie flags | Missing `Secure`, `HttpOnly`, `SameSite`, or scoped paths on session cookies. |
Business logic / transaction integrity

| Type | Description |
|---|---|
| Race conditions / TOCTOU | Time-of-check vs. time-of-use windows in state-changing flows. |
| Double-spend | Concurrent execution paths allow the same value to be spent more than once. |
| Workflow bypass | Steps in a multi-step process can be skipped or replayed. |
| Replay attacks | Idempotency keys / nonces missing on sensitive operations. |
| Invariant violation | Domain invariants (balance ≥ 0, quantity > 0) not enforced server-side. |
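The race, double-spend, replay and invariant rows in the table above describe one failure with several names, so here is an added Python illustration (not Secbez's code) that reproduces it and the fix. The `Ledger` class, the barrier that deliberately holds both requests inside the check/use window, and the request keys are all constructed for the demo; the SQL in the comments is the shape the fix takes against a real database.

```python
import threading
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Ledger:
    """Constructed in-memory account standing in for an accounts row."""
    balance: int
    lock: threading.Lock = field(default_factory=threading.Lock)
    seen_keys: set = field(default_factory=set)
    # Used only by the naive path: keeps both requests inside the
    # check/use window so the race reproduces deterministically.
    window: Optional[threading.Barrier] = None

    def withdraw_naive(self, amount: int) -> bool:
        # TOCTOU: read, check, then write a value computed from the stale read
        # (SELECT balance ...; later UPDATE ... SET balance = :new).
        current = self.balance
        if current < amount:
            return False
        if self.window is not None:
            self.window.wait()
        self.balance = current - amount
        return True

    def withdraw_atomic(self, amount: int, idempotency_key: str) -> bool:
        # Replay check, precondition and write in one critical section.
        # DB equivalent: a single conditional statement
        #   UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?
        # treating rowcount == 0 as failure, plus a unique index on the key.
        with self.lock:
            if idempotency_key in self.seen_keys:
                return False          # replayed request, already processed
            if self.balance < amount:
                return False          # would break the invariant balance >= 0
            self.balance -= amount
            self.seen_keys.add(idempotency_key)
            return True


def run_concurrently(jobs: List[Callable[[], bool]]) -> List[bool]:
    """Run each job in its own thread; results are returned in job order."""
    results: List[Optional[bool]] = [None] * len(jobs)

    def worker(i: int) -> None:
        results[i] = jobs[i]()

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(len(jobs))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return [bool(r) for r in results]


def demo_naive():
    """Two concurrent 100-unit withdrawals from a 100-unit balance."""
    ledger = Ledger(balance=100, window=threading.Barrier(2, timeout=5))
    results = run_concurrently([lambda: ledger.withdraw_naive(100)] * 2)
    # Both succeed: 200 units spent, and the stored balance even looks sane.
    return results.count(True), ledger.balance


def demo_atomic():
    ledger = Ledger(balance=100)
    results = run_concurrently([
        lambda: ledger.withdraw_atomic(100, "req-1"),
        lambda: ledger.withdraw_atomic(100, "req-2"),
    ])
    replay = ledger.withdraw_atomic(100, "req-1")  # client resends the first request
    return results.count(True), replay, ledger.balance


if __name__ == "__main__":
    print("naive  :", demo_naive())
    print("atomic :", demo_atomic())
```

The naive path is the instructive one: the final balance reads 0, which is exactly what a post-hoc invariant check would accept, yet two withdrawals were honoured. The conditional update moves the precondition into the same statement as the write, so the database's own row lock serialises the two requests.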
Server-side request forgery (SSRF)

User-controlled URLs reaching outbound HTTP clients without an allowlist or scheme/host check, including indirect SSRF through URL parsers (where the validated string and the host the client actually connects to differ).
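The "indirect SSRF through URL parsers" wording above is easiest to see with the two checks side by side. This is an added Python illustration, not Secbez's code: the allowlist and the probe URLs are constructed, and the only real API used is `urllib.parse.urlsplit`.

```python
from urllib.parse import urlsplit

# Constructed allowlist for an integration that should only ever call this API.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example.com"}


def is_allowed_naive(url: str) -> bool:
    """Substring allowlist: the shape many hand-rolled checks take."""
    return any(host in url for host in ALLOWED_HOSTS)


def is_allowed_parsed(url: str) -> bool:
    """Allowlist applied to the parsed scheme and host, not the raw string."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # .hostname drops userinfo ("user@"), drops the port and lowercases, so
    # "https://api.example.com@169.254.169.254/" yields the real target host.
    host = parts.hostname
    return host is not None and host in ALLOWED_HOSTS


# Constructed probe URLs. Every one contains the allowlisted host somewhere,
# but only the first actually connects to it.
PROBES = [
    "https://api.example.com/v1/orders",
    "https://api.example.com@169.254.169.254/latest/meta-data/",  # userinfo trick
    "https://api.example.com.attacker.test/",                     # suffix domain
    "https://attacker.test/callback#api.example.com",             # host in fragment
    "file:///etc/passwd?next=api.example.com",                    # wrong scheme
]


def compare(urls=PROBES):
    """Return (url, naive verdict, parsed verdict) for each probe."""
    return [(u, is_allowed_naive(u), is_allowed_parsed(u)) for u in urls]


if __name__ == "__main__":
    for url, naive, parsed in compare():
        print(f"{naive!s:5} {parsed!s:5} {url}")
```

This validates the string the application is about to fetch, nothing more: the HTTP client must be stopped from following redirects to other hosts (or re-run the check on each hop), and an allowlisted host that resolves to an internal address, or changes its answer between check and connect, needs the check repeated at the resolved address.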
Secrets

| Rule ID | Detects |
|---|---|
| `SEC.SECRETS.GITHUB_TOKEN` | GitHub PATs, OAuth tokens |
| `SEC.SECRETS.AWS_ACCESS_KEY_ID` | AWS access key IDs |
| `SEC.SECRETS.AWS_SECRET_KEY` | AWS secret access keys |
| `SEC.SECRETS.GOOGLE_API_KEY` | Google API keys |
| `SEC.SECRETS.PEM_PRIVATE_KEY` | PEM-encoded private keys |
| `SEC.SECRETS.STRIPE_KEY` | Stripe secret / publishable keys |
| `SEC.SECRETS.SLACK_WEBHOOK` | Slack webhook URLs |
| `SEC.SECRETS.SENDGRID_KEY` | SendGrid API keys |
| `SEC.SECRETS.GENERIC_SECRET` | Entropy-based heuristic catch-all |
The secrets detector combines regex matching with Shannon entropy analysis (MIN_SECRET_ENTROPY = 3.5, HIGH_ENTROPY_THRESHOLD = 4.0) and applies placeholder heuristics (changeme, xxx, your-key-here) to suppress obvious non-secrets.
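The regex-plus-entropy approach described above, as an added Python illustration (not Secbez's detector). Only the two thresholds and the three placeholder strings come from the page; the assignment regex, the `classify` tiers and the sample config lines are constructed here to show how the pieces fit.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Thresholds as stated on the page; everything else below is illustrative.
MIN_SECRET_ENTROPY = 3.5
HIGH_ENTROPY_THRESHOLD = 4.0
PLACEHOLDERS = ("changeme", "xxx", "your-key-here")

# Constructed matcher for NAME = "value" / NAME: value assignments whose name
# suggests a credential. A real scanner would carry one regex per provider.
ASSIGNMENT_RE = re.compile(
    r"""(?i)\b(?P<name>[A-Z0-9_]*(?:secret|key|token|password)[A-Z0-9_]*)"""
    r"""\s*[=:]\s*['"]?(?P<value>[A-Za-z0-9_\-./+=]{8,})['"]?"""
)


def shannon_entropy(s: str) -> float:
    """Bits per character of the value's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def is_placeholder(value: str) -> bool:
    v = value.lower()
    return any(p in v for p in PLACEHOLDERS)


def classify(value: str) -> str:
    """placeholder / low / candidate / high, in that order of precedence."""
    if is_placeholder(value):
        return "placeholder"
    e = shannon_entropy(value)
    if e >= HIGH_ENTROPY_THRESHOLD:
        return "high"
    if e >= MIN_SECRET_ENTROPY:
        return "candidate"
    return "low"


def scan(text: str) -> List[Tuple[str, str, float, str]]:
    """Return (name, value, entropy, class) for each credential-like assignment."""
    findings = []
    for m in ASSIGNMENT_RE.finditer(text):
        value = m.group("value")
        findings.append(
            (m.group("name"), value, round(shannon_entropy(value), 2), classify(value))
        )
    return findings


# Constructed sample: two placeholders, one dictionary word, one random token.
SAMPLE = """
AWS_SECRET_KEY = "changeme"
API_TOKEN = "your-key-here"
DB_PASSWORD = "password"
GITHUB_TOKEN = "ghp_2FhXkL9vQmZp8sRwT1bN4cYj6dH3eK0aU5iG"
"""

if __name__ == "__main__":
    for name, value, entropy, cls in scan(SAMPLE):
        print(f"{cls:11} {entropy:5.2f}  {name} = {value}")
```

Entropy is a filter, not a classifier: a dictionary word scores around 2.75 bits/char and drops out, a 40-character random token scores above 5, but a base64-encoded image fragment scores high too. That is why the provider-specific regexes in the table above carry the confident findings and the entropy heuristic only backs the `GENERIC_SECRET` catch-all.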
Cryptographic misuse

- Weak algorithms (MD5 or SHA-1 as password hashes, single DES, RC4).
- ECB mode for block ciphers on multi-block plaintext.
- Hardcoded IVs / keys.
- Predictable randomness (`Math.random`, `random.random`) used for security purposes.
- Missing constant-time comparison for secret material (MACs, tokens, password hashes).
Rule ID namespace

`SEC.<CATEGORY>.<RULE_NAME>`

| Prefix | Meaning |
|---|---|
| `SEC.SECRETS.*` | Secret leaks |
| `SEC.SQLI.*` | SQL injection |
| `SEC.CMDI.*` | Command injection |
| `SEC.XSS.*` | Cross-site scripting |
| `SEC.SSTI.*` | Server-side template injection |
| `SEC.AUTHZ.*` | Authorization / access control |
| `SEC.AUTHN.*` | Authentication / protocol |
| `SEC.RCE.*` | Remote code execution |
| `SEC.IDOR.*` | Insecure direct object reference |
| `SEC.BL.*` | Business logic |
| `SEC.TXN.*` | Transaction integrity |
| `SEC.SSRF.*` | Server-side request forgery |
| `SEC.CRYPTO.*` | Cryptographic misuse |
Rule IDs are stable. Once published, they are not renamed, because baseline matching and suppression rules depend on them.