// прожектор уязвимостей
Каждая проверка FixVibe,
разобранная по полочкам.
69+ классов уязвимостей в комплекте FixVibe. Каждая запись запускает до 35 под-проверок за скан и разбирает, как работает баг, что получает атакующий, как мы его проверяем и что нужно для защиты.
01 / 07
HTTP и поверхность
Session Cookie Attributes
HttpOnly, Secure, SameSite — three flags that turn a session cookie into something attackers can't easily steal.
Читать прожектор →
HTTP Security Headers
Headers are free defense — most apps still ship without them.
Читать прожектор →
TLS Configuration
Old cipher suites plus missing HSTS equals a hostile WiFi away from session hijack.
Читать прожектор →
Vercel Deployment Protection
Generated deployment URLs should not become public staging doors.
Читать прожектор →
02 / 07
Секреты
Hard-coded Secret Patterns
Stripe keys, AWS credentials, OpenAI tokens — pattern matching catches the easy mistakes.
Читать прожектор →
Secrets in JavaScript Bundles
If it shipped in your client bundle, it's not a secret — it's a publication.
Читать прожектор →
JWT Integrity (alg confusion, weak secrets)
If your JWT verifier trusts the token's own header, it will believe whatever the attacker types.
Читать прожектор →
Tokens in Browser Storage
localStorage is JavaScript-readable. Auth tokens stored there are XSS-stealable by design.
Читать прожектор →
Exposed Source Maps
If your .map files are public, the attacker is reading your TypeScript.
Читать прожектор →
Information Leakage in JavaScript
Internal API hosts, version banners, and TODO comments — small leaks add up to a map of your stack.
Читать прожектор →
03 / 07
Backend-as-a-Service
Firebase Security Rules
`allow read, write: if true` is somebody's production database right now.
Читать прожектор →
Supabase Row-Level Security
Without RLS on every public table, your anon key is a license to read anything.
Читать прожектор →
Clerk & Auth0 Configuration
Identity providers leak more than they should when defaults aren't tightened.
Читать прожектор →
Supabase Storage and API Posture
Public buckets and anon-listable objects are where BaaS data leaks start.
Читать прожектор →
04 / 07
DNS
05 / 07
Discovery
CVE Cross-Reference
Detected version + public CVE database = a list of attacks already documented.
Читать прожектор →
Debug & Admin Endpoints
/debug, /admin, /server-status — paths that should never be reachable from the internet.
Читать прожектор →
Exposed Files & Backup Directories
.env, .git, .DS_Store, backup.sql — files that should never be public, accidentally are.
Читать прожектор →
SPIP Template RCE Version Exposure
Public SPIP version banners can reveal an RCE-class patch gap.
Читать прожектор →
Cloudflare Origin & Proxy Posture
If your origin IP is discoverable, Cloudflare's WAF is bypassable.
Читать прожектор →
GraphQL Introspection Exposed
Introspection in production hands the attacker your full type system.
Читать прожектор →
Threat-Intel Cross-Reference
Spamhaus DBL, URLhaus — your domain's reputation, externally seen.
Читать прожектор →
Exposed API Documentation
/swagger.json, /openapi.json, /docs — public API maps for both you and the attacker.
Читать прожектор →
Netlify-Specific Exposure
Netlify deploy preview URLs, x-nf-* headers, _redirects mistakes.
Читать прожектор →
Privacy & Cookie Compliance Markers
GDPR-required pages — present and linked, or you're at risk of a complaint.
Читать прожектор →
Technology Fingerprinting
Knowing your stack is half the recon — outdated frameworks turn that into the other half.
Читать прожектор →
Vercel-Specific Exposure
_next/static, x-vercel-* headers, preview URLs — Vercel-isms that leak more than they should.
Читать прожектор →
06 / 07
Активные пробы
Cross-Tenant Data Leaks
Multi-tenant SaaS without tenant ID enforcement leaks customer data across orgs.
Читать прожектор →
JWT alg=none Acceptance
A decoded token is not an authenticated identity.
Читать прожектор →
OS Command Injection
When user input becomes part of a shell command, the shell runs whatever the attacker writes.
Читать прожектор →
Server-Side Template Injection (SSTI)
When a template engine treats user input as a template, the server treats user input as code.
Читать прожектор →
SQL Injection
When user input becomes part of a query, the database stops being yours.
Читать прожектор →
Auth Flow Defects
Login, signup, and password reset are where most account takeovers actually happen.
Читать прожектор →
Blind SSRF (Out-of-Band)
If the server fetches user-supplied URLs, the user can make it fetch internal services.
Читать прожектор →
CKAN DataStore SQL Authorization Bypass
Public DataStore SQL access can turn open data APIs into private data exposure.
Читать прожектор →
CORS Misconfiguration
Permissive Access-Control-Allow-Origin plus credentials means your API is everyone's API.
Читать прожектор →
DOM-based XSS via URL Fragment
Modern SPAs read location.hash and write it into the DOM — attacker payloads ride along.
Читать прожектор →
File Upload Validation
User-uploaded files are arbitrary bytes — accepting them as 'images' without checking is asking for RCE.
Читать прожектор →
FUXA Hardcoded JWT Fallback Secret
Default token-signing secrets can turn an HMI login into a weak boundary.
Читать прожектор →
GraphQL Depth Bombing & Batch Bypass
GraphQL's flexibility is also its vulnerability — depth bombs, alias batching, and field-suggestion leaks.
Читать прожектор →
HTTP Request Smuggling
Front-end proxy and back-end disagree on where one request ends — attacker rides the seam.
Читать прожектор →
IDOR / BOLA
If your API trusts the client to send the correct ID, the client can send any ID.
Читать прожектор →
LLM Prompt Injection
If your AI feature trusts user input as instruction, the user can rewrite the system prompt.
Читать прожектор →
NoSQL Operator Injection
MongoDB-style operators in user-controlled JSON turn your query into a wildcard.
Читать прожектор →
Reflected Cross-Site Scripting (XSS)
The silent hijack: when a single unsanitized parameter executes attacker code in your users' browsers.
Читать прожектор →
XML External Entity (XXE)
If your XML parser resolves external entities, your server reads files for the attacker.
Читать прожектор →
ZoneMinder Directory Listing Exposure
A camera management UI should not publish its web root index.
Читать прожектор →
Account Enumeration
If your login responds differently when the email exists vs doesn't, attackers can build a customer list.
Читать прожектор →
Confirming Next.js middleware bypass exposure
Confirming Next.js middleware bypass exposure
Читать прожектор →
CRLF / Response Splitting
If user input lands in a response header, line breaks let the attacker write their own headers.
Читать прожектор →
CSRF Protection
If your state-changing endpoints don't require a CSRF token, third-party sites can act as your users.
Читать прожектор →
Missing Rate Limiting
Without rate limits on auth endpoints, the attacker can credential-stuff at line speed.
Читать прожектор →
Next.js Header Configuration Drift
Headers set on `/` do not always protect nested routes.
Читать прожектор →
Open Redirect
Your /redirect?url=… that doesn't validate the destination is a phishing kit.
Читать прожектор →
07 / 07
Исходный код
Ghost Content API SQL Injection Advisory
A vulnerable Ghost dependency can put public content APIs on the database boundary.
Читать прожектор →
LibreNMS Command Injection Advisory
A vulnerable monitoring stack can become an execution path inside the network.
Читать прожектор →
LiteLLM SQL Injection Advisory
A vulnerable LiteLLM Proxy version can turn API-key verification into database exposure.
Читать прожектор →
Committed AI-Generated Secrets
AI snippets should not ship provider keys into git.
Читать прожектор →
electerm Install-Script Command Injection Advisory
A vulnerable terminal-client dependency can put build or developer hosts at install-time risk.
Читать прожектор →
OpenCms XXE Information-Disclosure Advisory
A vulnerable OpenCms dependency can put XML-processing routes on a file-read boundary.
Читать прожектор →
PDF.js JavaScript Execution Advisory
A vulnerable PDF viewer can turn a malicious document into script execution.
Читать прожектор →
Risky Source-Code Patterns
eval(), dangerouslySetInnerHTML, hard-coded secrets — the patterns SAST has been catching for 25 years.
Читать прожектор →
Supabase RLS in Migrations
A public table without RLS is a future data leak.
Читать прожектор →
Vulnerable Dependencies
Your package-lock.json includes thousands of packages. Some have known CVEs.
Читать прожектор →
Webhook Signature Verification
If your webhook handler doesn't verify the signature, anyone can forge events.
Читать прожектор →
AI-Generated Code Guardrails
Fast AI-assisted changes need repo-level security rails.
Читать прожектор →
Repo Security Hygiene
Branch protection, action pinning, secret hygiene — how your repo is run matters more than the code.
Читать прожектор →
Reviewing repo code against web app risk patterns
Reviewing repo code against web app risk patterns
Читать прожектор →