Path traversal
Path traversal — user-controlled filenames concatenated into filesystem paths. Lets attackers read arbitrary files like `/etc/passwd` or your `.env`.
What this rule detects
VC013 finds `fs.readFile`, `fs.writeFile`, `fs.createReadStream`, and similar calls where the path includes a value that came from request input. The classic exploit is appending `../../` to escape the intended directory.
Vulnerable vs. safe code
// Attacker requests ?file=../../../../etc/passwd
app.get("/download", (req, res) => {
const filePath = path.join("/var/uploads", req.query.file);
res.sendFile(filePath);
});// Resolve to an absolute path and verify it's still inside the allowed root.
import path from "node:path";
const UPLOADS = path.resolve("/var/uploads");
app.get("/download", (req, res) => {
const requested = path.resolve(UPLOADS, req.query.file);
if (!requested.startsWith(UPLOADS + path.sep)) {
return res.status(400).send("Invalid path");
}
res.sendFile(requested);
});About A01:2021 — Broken Access Control
Access-control bugs let users do things they shouldn't — view another user's data, modify records they don't own, or hit admin-only endpoints without admin rights. This class moved to #1 in the 2021 OWASP Top 10 because 94% of audited apps had at least one access-control flaw.
Impact: An attacker who finds an access-control bug typically gets a much bigger blast radius than other vulnerability classes. Examples we've seen in AI-generated code: a /api/user/[id] route that returns any user's profile, a delete endpoint that doesn't check ownership, an admin dashboard with no role check.
How to fix it: Check authentication AND authorization on every server-side route. Never rely on the client to enforce permissions. Default to deny. For per-resource checks, fetch the resource and verify the requesting user owns it before returning or modifying it.
Common patterns in this category:
- Missing auth check on API routes (the resource is returned to anyone with the URL)
- Authorization based on a parameter the client controls (e.g. trusting `?userId=` in the URL)
- Direct object references where the resource ID isn't validated against the requesting user
- Public access to administrative or internal endpoints
- Privilege escalation via mass assignment (user POSTs `{role: 'admin'}` and the ORM accepts it)
Compliance coverage
Findings from this rule map to the following framework controls:
See the full compliance coverage page for how XploitScan maps every rule to SOC 2, ISO 27001, and OWASP Top 10 controls.
Scan your code for VC013 and 157 other rules
Free, no signup. Drag and drop a zip or run npx xploitscan scan .