All 158 Security Rules
Every rule XploitScan uses, organized by OWASP Top 10 category. Each rule maps to CWE, SOC 2, and ISO 27001 controls; the tables below list the CWE mapping.
About our rule set
These rules detect security patterns specific to AI-generated code (Cursor, Bolt, Lovable, Replit) and modern web frameworks (Next.js, Supabase, Clerk, Stripe). They use a two-layer approach: a fast pattern-matching pre-filter plus a Babel-parsed AST layer with taint tracking for data-flow rules (SSRF, prototype pollution, mass assignment, SSTI, and more). Detection quality is scored publicly against a labeled fixture corpus on the benchmark page.
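To make the two-layer idea concrete, here is a toy scanner written for this page. It is not XploitScan's code and does not use its rule engine: a regex pre-filter cheaply rejects files with no outbound-request sink, then a line-oriented taint pass tracks request-controlled values through simple `const` assignments into `fetch()` and friends. The real scanner works on a Babel AST; this version uses regexes over one-statement-per-line source so it runs under plain Node. The source and sink patterns, the sanitizer name `assertAllowedHost`, the sample route, and the use of the page's SSRF rule ID (VC022) as a label on findings are all assumptions constructed for the illustration.

```javascript
// Added illustration (not XploitScan's code): a miniature two-layer scanner
// for an SSRF data-flow rule. Layer 1 is a cheap regex pre-filter over the
// whole file; layer 2 propagates taint through simple `const x = ...;`
// statements. The real scanner uses a Babel AST; this version works on
// one-statement-per-line source with regexes so it runs under plain Node.

// Sources: values the HTTP client controls (Express and Next.js shapes).
const SOURCE_RE = /\breq\.(?:query|body|params)\b|searchParams\.get\(/;

// Sinks: outbound request APIs whose first argument is the URL.
// Group 1 is the API name, group 2 the first-argument expression.
const SINK_RE = /\b(fetch|axios\.(?:get|post|request)|got)\s*\(\s*([^,)]+)/;

// Sanitizers: hypothetical helper names assumed to check a URL against an
// allow-list and return it or throw. A value they return is treated as clean.
const SANITIZERS = ["assertAllowedHost", "safeUrl"];

// Layer 1: reject files that cannot contain the sink at all.
function preFilter(src) {
  return /\b(?:fetch|axios\.|got)\s*\(/.test(src);
}

// Escape an identifier for use inside a RegExp (`$` is legal in JS names).
function idPattern(id) {
  return new RegExp(`\\b${id.replace(/\$/g, "\\$")}\\b`);
}

// Does `expr` carry taint, given the identifiers already known to be tainted?
function isTainted(expr, tainted) {
  const e = expr.replace(/^\s*await\s+/, "");
  // A sanitizer wrapping the whole expression cleanses it.
  if (SANITIZERS.some((s) => new RegExp(`^\\s*${s}\\s*\\(`).test(e))) return false;
  if (SOURCE_RE.test(e)) return true;
  for (const id of tainted) if (idPattern(id).test(e)) return true;
  return false;
}

// Baseline A: plain grep for any sink call (what a naive pattern rule does).
function sinkGrepFindings(src) {
  return src.split("\n").flatMap((line, i) =>
    SINK_RE.test(line) ? [{ rule: "VC022", line: i + 1 }] : []);
}

// Baseline B: pattern rule that fires only when a source sits directly in the sink.
function patternOnlyFindings(src) {
  return src.split("\n").flatMap((line, i) => {
    const m = line.match(SINK_RE);
    return m && SOURCE_RE.test(m[2]) ? [{ rule: "VC022", line: i + 1 }] : [];
  });
}

// Layer 2: walk statements, propagate taint through assignments, and report
// a finding whenever a tainted expression reaches a sink.
function taintFindings(src) {
  const findings = [];
  if (!preFilter(src)) return findings; // layer 1 rejected the file
  const tainted = new Set();
  src.split("\n").forEach((line, i) => {
    const sink = line.match(SINK_RE);
    if (sink && isTainted(sink[2], tainted)) {
      findings.push({ rule: "VC022", line: i + 1, sink: sink[1], arg: sink[2].trim() });
    }
    const decl = line.match(/^\s*(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+?);?\s*$/);
    if (decl && isTainted(decl[2], tainted)) tainted.add(decl[1]);
  });
  return findings;
}

// Constructed sample route (not from any real project): one real SSRF flow
// through an intermediate variable, one flow through a sanitizer, one constant URL.
const SAMPLE_ROUTE = `export async function GET(req) {
  const target = req.nextUrl.searchParams.get("url");
  const probe = target + "/health";
  const upstream = await fetch(probe);
  const mirror = assertAllowedHost(req.nextUrl.searchParams.get("mirror"));
  const mirrored = await fetch(mirror);
  const status = await fetch("https://status.example.com/api");
  return Response.json({ up: upstream.ok, mirror: mirrored.ok, status: status.ok });
}`;

console.log("grep on sinks:   ", sinkGrepFindings(SAMPLE_ROUTE));
console.log("direct pattern:  ", patternOnlyFindings(SAMPLE_ROUTE));
console.log("taint-tracked:   ", taintFindings(SAMPLE_ROUTE));
```

Run with `node two-layer.js`. On the sample, grepping for sink calls hits all three `fetch` lines (two false positives), the direct-pattern rule hits none (it misses the flow through `probe`), and the taint pass reports exactly `fetch(probe)` on line 4 while staying quiet on the sanitized and constant calls. A real AST pass additionally handles multi-line statements, object properties, function boundaries and reassignment; this toy shows only why data flow, not pattern matching, is what separates the true positive from its neighbours.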
Free plan: 30 core rules covering the most common vulnerabilities. Pro plan: all 158 rules including framework-specific patterns, payment security, and IDE/mobile code.
Note: XploitScan is not a replacement for a professional security audit. Pattern-based scanning cannot catch every vulnerability, especially business-logic flaws. For production applications handling sensitive data, we recommend combining automated scanning with penetration testing and manual code review.
A01:2021 — Broken Access Control
15 rules

| Rule | Description | CWE |
|---|---|---|
| VC003 | Missing auth on API routes | CWE-306 |
| VC004 | Insecure direct object reference | CWE-639 |
| VC005 | Missing CSRF protection | CWE-352 |
| VC010 | Missing authorization checks | CWE-862 |
| VC013 | Path traversal | CWE-22 |
| VC023 | Open redirect | CWE-601 |
| VC029 | Missing access control on file operations | CWE-732 |
| VC041 | Insecure redirect handling | CWE-601 |
| VC042 | Missing role-based access control | CWE-285 |
| VC057 | Missing least privilege enforcement | CWE-250 |
| VC070 | Insecure file permissions | CWE-732 |
| VC085 | Missing privilege escalation protection | CWE-269 |
| VC117 | Path traversal | CWE-22 |
| VC127 | Insecure HTTP methods | CWE-862 |
| VC158 | IDOR / missing ownership check | CWE-639 |
A02:2021 — Cryptographic Failures
25 rules

| Rule | Description | CWE |
|---|---|---|
| VC001 | Hardcoded secrets | CWE-798 |
| VC002 | Hardcoded passwords | CWE-259 |
| VC014 | Sensitive data in source code | CWE-200 |
| VC031 | Weak cryptographic algorithm | CWE-327 |
| VC032 | HTTP used instead of HTTPS | CWE-319 |
| VC034 | Hardcoded encryption keys | CWE-321 |
| VC035 | Insecure random number generation | CWE-338 |
| VC043 | Insecure password storage | CWE-916 |
| VC049 | Insecure API key handling | CWE-798 |
| VC050 | Missing data encryption at rest | CWE-311 |
| VC058 | Hardcoded database credentials | CWE-798 |
| VC060 | Insecure TLS configuration | CWE-326 |
| VC061 | Missing certificate validation | CWE-295 |
| VC078 | Insecure secrets management | CWE-798 |
| VC079 | Missing encryption in transit | CWE-319 |
| VC086 | Insecure data storage | CWE-922 |
| VC087 | Missing data masking | CWE-200 |
| VC096 | Insecure local storage usage | CWE-922 |
| VC107 | Missing data encryption for PII | CWE-311 |
| VC119 | Hardcoded OAuth client secret | CWE-798 |
| VC122 | Deprecated TLS version | CWE-326 |
| VC123 | Weak RSA key size | CWE-326 |
| VC124 | ECB mode encryption | CWE-327 |
| VC126 | Terraform state exposed | CWE-200 |
| VC129 | Unencrypted PII in database | CWE-312 |
A03:2021 — Injection
12 rules

| Rule | Description | CWE |
|---|---|---|
| VC006 | SQL injection | CWE-89 |
| VC007 | XSS vulnerability | CWE-79 |
| VC012 | Missing input sanitization | CWE-20 |
| VC015 | Command injection | CWE-78 |
| VC016 | Prototype pollution | CWE-1321 |
| VC030 | eval() usage | CWE-95 |
| VC080 | Insecure database queries | CWE-89 |
| VC100 | Insecure XML processing | CWE-611 |
| VC101 | Missing input encoding | CWE-116 |
| VC106 | Insecure PDF generation | CWE-918 |
| VC116 | Insecure AI/LLM integration | CWE-74 |
| VC154 | Missing request body validation | CWE-20 |
A04:2021 — Insecure Design
19 rules

| Rule | Description | CWE |
|---|---|---|
| VC008 | Missing rate limiting | CWE-770 |
| VC028 | Insecure file upload | CWE-434 |
| VC036 | Missing input length validation | CWE-20 |
| VC051 | Insecure WebSocket handling | CWE-1385 |
| VC053 | Insecure email handling | CWE-200 |
| VC064 | Insecure GraphQL endpoint | CWE-200 |
| VC065 | Missing query depth limiting | CWE-400 |
| VC067 | Missing API versioning | CWE-1059 |
| VC069 | Missing request validation | CWE-20 |
| VC074 | Insecure postMessage usage | CWE-345 |
| VC088 | Insecure caching | CWE-524 |
| VC089 | Missing data retention policy | CWE-212 |
| VC092 | Insecure service worker | CWE-349 |
| VC104 | Insecure SSR data leakage | CWE-200 |
| VC113 | Missing vulnerability disclosure policy | CWE-1059 |
| VC115 | Missing security training indicators | CWE-1059 |
| VC130 | Missing rate limit on auth | CWE-307 |
| VC155 | Missing rate limit on AI/LLM calls | CWE-770 |
| VC156 | Missing pagination on list endpoint | CWE-770 |
A05:2021 — Security Misconfiguration
31 rules

| Rule | Description | CWE |
|---|---|---|
| VC009 | CORS misconfiguration | CWE-942 |
| VC017 | Insecure default configuration | CWE-1188 |
| VC019 | Debug mode in production | CWE-489 |
| VC020 | Information exposure in error messages | CWE-209 |
| VC024 | Missing content security policy | CWE-1021 |
| VC025 | Insecure cookie flags | CWE-614 |
| VC026 | Missing security headers | CWE-693 |
| VC027 | Unsafe regular expressions | CWE-1333 |
| VC038 | Missing timeout configuration | CWE-400 |
| VC040 | Missing helmet/security middleware | CWE-693 |
| VC056 | Insecure DNS configuration | CWE-350 |
| VC059 | Missing environment separation | CWE-489 |
| VC066 | Insecure GraphQL introspection | CWE-200 |
| VC068 | Insecure middleware ordering | CWE-696 |
| VC072 | Insecure iframe embedding | CWE-1021 |
| VC073 | Missing clickjacking protection | CWE-1021 |
| VC076 | Insecure deployment configuration | CWE-16 |
| VC077 | Missing container security | CWE-250 |
| VC090 | Insecure backup configuration | CWE-530 |
| VC091 | Missing cross-origin isolation | CWE-346 |
| VC093 | Missing HSTS | CWE-523 |
| VC095 | Missing network segmentation | CWE-923 |
| VC097 | Missing secure flag on cookies | CWE-614 |
| VC099 | Missing secure headers in API responses | CWE-693 |
| VC102 | Insecure regex | CWE-1333 |
| VC103 | Missing HTTP method restriction | CWE-749 |
| VC105 | Missing referrer policy | CWE-200 |
| VC108 | Insecure server configuration | CWE-16 |
| VC128 | HTTP request smuggling | CWE-444 |
| VC153 | Reflected CORS origin with credentials | CWE-942 |
| VC157 | Exposed database studio | CWE-16 |
A06:2021 — Vulnerable Components
8 rules

| Rule | Description | CWE |
|---|---|---|
| VC039 | Outdated dependencies | CWE-1104 |
| VC048 | Missing dependency vulnerability check | CWE-1104 |
| VC081 | Missing malware scanning | CWE-509 |
| VC082 | Insecure third-party scripts | CWE-829 |
| VC083 | Missing supply chain security | CWE-1104 |
| VC094 | Insecure dependency pinning | CWE-1104 |
| VC114 | Insecure third-party integration | CWE-829 |
| VC131 | Known vulnerable dependencies | CWE-1104 |
A07:2021 — Identification & Auth Failures
30 rules

| Rule | Description | CWE |
|---|---|---|
| VC011 | Insecure session management | CWE-384 |
| VC045 | JWT misconfiguration | CWE-347 |
| VC046 | Missing token expiration | CWE-613 |
| VC047 | Insecure token storage | CWE-922 |
| VC052 | Missing brute force protection | CWE-307 |
| VC054 | Missing multi-factor authentication | CWE-308 |
| VC062 | Weak password policy | CWE-521 |
| VC063 | Missing account lockout | CWE-307 |
| VC084 | Insecure OAuth implementation | CWE-346 |
| VC098 | Insecure password reset flow | CWE-640 |
| VC120 | Missing OAuth state parameter | CWE-352 |
| VC125 | Insecure password reset | CWE-640 |
| VC132 | Hardcoded Anthropic API key | CWE-798 |
| VC133 | Hardcoded GitHub PAT | CWE-798 |
| VC134 | Hardcoded SendGrid API key | CWE-798 |
| VC135 | Hardcoded Slack token | CWE-798 |
| VC136 | Hardcoded GCP service account key | CWE-798 |
| VC137 | Hardcoded Shopify access token | CWE-798 |
| VC138 | Hardcoded GitLab token | CWE-798 |
| VC139 | Hardcoded Twilio API key | CWE-798 |
| VC140 | Hardcoded Mailgun API key | CWE-798 |
| VC141 | Hardcoded Datadog API key | CWE-798 |
| VC142 | Hardcoded Vercel token | CWE-798 |
| VC143 | Hardcoded Supabase service role key | CWE-798 |
| VC144 | Hardcoded Vault token | CWE-798 |
| VC145 | Hardcoded Pinecone API key | CWE-798 |
| VC146 | Secret in URL parameter | CWE-598 |
| VC149 | Secret in client bundle config | CWE-798 |
| VC150 | Secret in HTML attribute | CWE-615 |
| VC151 | Secret in CLI argument | CWE-214 |
A08:2021 — Software & Data Integrity
7 rules

| Rule | Description | CWE |
|---|---|---|
| VC021 | Insecure deserialization | CWE-502 |
| VC055 | Missing code signing | CWE-353 |
| VC071 | Missing subresource integrity | CWE-353 |
| VC075 | Missing CI/CD security checks | CWE-1127 |
| VC112 | Insecure release management | CWE-1127 |
| VC121 | Unpinned GitHub Actions | CWE-829 |
| VC152 | Missing webhook signature verification | CWE-345 |
A09:2021 — Security Logging Failures
10 rules

| Rule | Description | CWE |
|---|---|---|
| VC018 | Missing error handling | CWE-755 |
| VC033 | Missing logging for security events | CWE-778 |
| VC037 | Insufficient logging | CWE-223 |
| VC044 | Missing audit trail | CWE-778 |
| VC109 | Missing security monitoring | CWE-778 |
| VC110 | Insecure log management | CWE-532 |
| VC111 | Missing intrusion detection | CWE-778 |
| VC118 | PII in logs | CWE-532 |
| VC147 | Secret logged to console | CWE-532 |
| VC148 | Secret in error response | CWE-209 |
A10:2021 — Server-Side Request Forgery
1 rule

| Rule | Description | CWE |
|---|---|---|
| VC022 | Server-side request forgery | CWE-918 |
Run these rules against your own code
Free, no signup required. Drag and drop a zip or run `npx xploitscan scan .`