
OAuthLint rule catalogue

90 rules grouped by category. Each row lists the rule id, its report severity (INFO / WARNING / ERROR), an "LLM" rating (LOW / MEDIUM / HIGH) whose meaning the catalogue does not define on this page, the mapped CWE, and the mapped OWASP entry (Top 10 2021 as Axx:2021, or API Security Top 10 2023 as APIx:2023). The CWE mapping is not uniform across language variants — for example auth.jwt.alg-none is filed under CWE-327 while auth.py.jwt.alg-none and auth.go.jwt.none-algorithm use CWE-347, and auth.oauth.implicit-flow shares CWE-1004 with auth.cookie.no-httponly — so filter and triage by rule id rather than by CWE.

COOKIE

Rule | Severity | LLM | CWE | OWASP
auth.cookie.long-lived | INFO | MEDIUM | CWE-613 | API2:2023
auth.cookie.no-httponly | WARNING | HIGH | CWE-1004 | API8:2023
auth.cookie.no-samesite | INFO | MEDIUM | CWE-1275 | API1:2023
auth.cookie.no-secure | WARNING | HIGH | CWE-614 | API8:2023

CORS

Rule | Severity | LLM | CWE | OWASP
auth.cors.null-origin | ERROR | MEDIUM | CWE-942 | A05:2021
auth.cors.reflect-origin | ERROR | MEDIUM | CWE-942 | A05:2021
auth.cors.wildcard-with-credentials | ERROR | HIGH | CWE-942 | API8:2023

FLOW

Rule | Severity | LLM | CWE | OWASP
auth.flow.credentials-in-url | ERROR | HIGH | CWE-598 | API2:2023
auth.flow.insecure-random | ERROR | HIGH | CWE-338 | API2:2023
auth.flow.no-rate-limit | INFO | HIGH | CWE-307 | API4:2023
auth.flow.password-min-length | WARNING | MEDIUM | CWE-521 | API2:2023
auth.flow.password-plaintext | ERROR | MEDIUM | CWE-256 | API2:2023
auth.flow.secret-in-log | WARNING | HIGH | CWE-532 | API8:2023
auth.flow.timing-unsafe-compare | WARNING | MEDIUM | CWE-208 | API2:2023
auth.flow.weak-bcrypt-rounds | WARNING | MEDIUM | CWE-916 | A02:2021
auth.flow.weak-password-hash | ERROR | HIGH | CWE-916 | A02:2021
GO-COOKIE

Rule | Severity | LLM | CWE | OWASP
auth.go.cookie.insecure | ERROR | HIGH | CWE-614 | A05:2021

GO-CORS

Rule | Severity | LLM | CWE | OWASP
auth.go.cors.allow-all | ERROR | HIGH | CWE-942 | A05:2021

GO-CRYPTO

Rule | Severity | LLM | CWE | OWASP
auth.go.crypto.bcrypt-low-cost | WARNING | MEDIUM | CWE-916 | A02:2021
auth.go.crypto.weak-cipher | ERROR | MEDIUM | CWE-327 | A02:2021
auth.go.crypto.weak-password-hash | ERROR | HIGH | CWE-916 | A02:2021

GO-FLOW

Rule | Severity | LLM | CWE | OWASP
auth.go.flow.weak-rand | ERROR | HIGH | CWE-330 | A02:2021

GO-JWT

Rule | Severity | LLM | CWE | OWASP
auth.go.jwt.hardcoded-secret | ERROR | HIGH | CWE-798 | API2:2023
auth.go.jwt.none-algorithm | ERROR | HIGH | CWE-347 | API2:2023
auth.go.jwt.parse-unverified | ERROR | HIGH | CWE-347 | API2:2023
auth.go.jwt.unchecked-method | ERROR | HIGH | CWE-347 | API2:2023

GO-TLS

Rule | Severity | LLM | CWE | OWASP
auth.go.tls.insecure-skip-verify | ERROR | HIGH | CWE-295 | A02:2021
auth.go.tls.min-version | ERROR | MEDIUM | CWE-326 | A02:2021
JAVA-COOKIE

Rule | Severity | LLM | CWE | OWASP
auth.java.cookie.insecure | ERROR | HIGH | CWE-614 | A05:2021

JAVA-CORS

Rule | Severity | LLM | CWE | OWASP
auth.java.cors.allow-all | ERROR | HIGH | CWE-942 | A05:2021

JAVA-CRYPTO

Rule | Severity | LLM | CWE | OWASP
auth.java.crypto.ecb-mode | ERROR | MEDIUM | CWE-327 | A02:2021
auth.java.crypto.insecure-random | ERROR | HIGH | CWE-330 | A02:2021
auth.java.crypto.weak-password-hash | ERROR | HIGH | CWE-916 | A02:2021

JAVA-JWT

Rule | Severity | LLM | CWE | OWASP
auth.java.jwt.hardcoded-secret | ERROR | HIGH | CWE-798 | API2:2023
auth.java.jwt.unsigned-jwt | ERROR | MEDIUM | CWE-347 | API2:2023

JAVA-SESSION

Rule | Severity | LLM | CWE | OWASP
auth.java.session.fixation-disabled | ERROR | MEDIUM | CWE-384 | A07:2021

JAVA-TLS

Rule | Severity | LLM | CWE | OWASP
auth.java.tls.trust-all-certs | ERROR | HIGH | CWE-295 | A02:2021

JAVA-WEB

Rule | Severity | LLM | CWE | OWASP
auth.java.web.csrf-disabled | ERROR | HIGH | CWE-352 | A01:2021
auth.java.web.frame-options-disabled | WARNING | MEDIUM | CWE-1021 | A05:2021
auth.java.web.permit-all | ERROR | HIGH | CWE-862 | A01:2021

JWT

Rule | Severity | LLM | CWE | OWASP
auth.jwt.alg-none | ERROR | HIGH | CWE-327 | API2:2023
auth.jwt.algorithm-confusion | ERROR | MEDIUM | CWE-327 | API2:2023
auth.jwt.decode-without-verify | WARNING | HIGH | CWE-347 | API2:2023
auth.jwt.in-url | ERROR | MEDIUM | CWE-598 | API1:2023
auth.jwt.localstorage | WARNING | HIGH | CWE-922 | API8:2023
auth.jwt.no-algorithms-allowlist | WARNING | HIGH | CWE-347 | API2:2023
auth.jwt.no-audience | WARNING | MEDIUM | CWE-345 | API2:2023
auth.jwt.no-expiration | WARNING | HIGH | CWE-613 | API2:2023
auth.jwt.no-issuer | INFO | LOW | CWE-345 | API2:2023
auth.jwt.weak-secret | ERROR | HIGH | CWE-798 | API2:2023

OAUTH

Rule | Severity | LLM | CWE | OWASP
auth.oauth.broad-scope | INFO | HIGH | CWE-272 | API1:2023
auth.oauth.hardcoded-secret | ERROR | HIGH | CWE-798 | API8:2023
auth.oauth.implicit-flow | ERROR | MEDIUM | CWE-1004 | API1:2023
auth.oauth.long-token-lifetime | WARNING | MEDIUM | CWE-613 | API2:2023
auth.oauth.no-nonce | WARNING | MEDIUM | CWE-294 | API2:2023
auth.oauth.no-pkce | WARNING | HIGH | CWE-345 | API1:2023
auth.oauth.no-state | ERROR | HIGH | CWE-352 | API1:2023
auth.oauth.no-state-validation | WARNING | HIGH | CWE-352 | API1:2023
auth.oauth.open-redirect-callback | ERROR | HIGH | CWE-601 | API1:2023
auth.oauth.pkce-plain | WARNING | MEDIUM | CWE-757 | API2:2023
auth.oauth.wildcard-redirect | ERROR | MEDIUM | CWE-601 | API1:2023
PY-COOKIE

Rule | Severity | LLM | CWE | OWASP
auth.py.cookie.insecure-flags | ERROR | HIGH | CWE-614 | A05:2021

PY-FLOW

Rule | Severity | LLM | CWE | OWASP
auth.py.flow.csrf-exempt | WARNING | HIGH | CWE-352 | A01:2021
auth.py.flow.debug-enabled | WARNING | HIGH | CWE-489 | A05:2021
auth.py.flow.insecure-random-token | ERROR | HIGH | CWE-330 | A02:2021
auth.py.flow.requests-verify-disabled | ERROR | HIGH | CWE-295 | API8:2023
auth.py.flow.weak-password-hash | ERROR | HIGH | CWE-916 | A02:2021

PY-JWT

Rule | Severity | LLM | CWE | OWASP
auth.py.jwt.alg-none | ERROR | HIGH | CWE-347 | API2:2023
auth.py.jwt.hardcoded-secret | ERROR | HIGH | CWE-798 | API2:2023
auth.py.jwt.no-algorithms | WARNING | HIGH | CWE-347 | API2:2023
auth.py.jwt.no-verify | ERROR | HIGH | CWE-347 | API2:2023

PY-SECRET

Rule | Severity | LLM | CWE | OWASP
auth.py.secret.django-hardcoded-key | ERROR | HIGH | CWE-798 | A07:2021
auth.py.secret.flask-hardcoded-key | ERROR | HIGH | CWE-798 | A07:2021
RUST-COOKIE

Rule | Severity | LLM | CWE | OWASP
auth.rust.cookie.insecure | ERROR | HIGH | CWE-614 | A05:2021

RUST-CORS

Rule | Severity | LLM | CWE | OWASP
auth.rust.cors.permissive | ERROR | MEDIUM | CWE-942 | A05:2021

RUST-CRYPTO

Rule | Severity | LLM | CWE | OWASP
auth.rust.crypto.bcrypt-low-cost | WARNING | MEDIUM | CWE-916 | A02:2021
auth.rust.crypto.weak-cipher | ERROR | MEDIUM | CWE-327 | A02:2021
auth.rust.crypto.weak-password-hash | ERROR | HIGH | CWE-916 | A02:2021

RUST-FLOW

Rule | Severity | LLM | CWE | OWASP
auth.rust.flow.timing-unsafe-compare | WARNING | MEDIUM | CWE-208 | API2:2023

RUST-JWT

Rule | Severity | LLM | CWE | OWASP
auth.rust.jwt.disable-signature-validation | ERROR | MEDIUM | CWE-347 | API2:2023
auth.rust.jwt.hardcoded-secret | ERROR | HIGH | CWE-798 | API2:2023
auth.rust.jwt.no-aud-validation | WARNING | MEDIUM | CWE-287 | API2:2023
auth.rust.jwt.no-expiration-validation | ERROR | MEDIUM | CWE-613 | API2:2023

RUST-TLS

Rule | Severity | LLM | CWE | OWASP
auth.rust.tls.accept-invalid-certs | ERROR | HIGH | CWE-295 | A02:2021
auth.rust.tls.accept-invalid-hostnames | ERROR | HIGH | CWE-297 | A02:2021

SECRET

Rule | Severity | LLM | CWE | OWASP
auth.secret.provider-key | ERROR | HIGH | CWE-798 | API8:2023
auth.secret.public-env-secret | ERROR | HIGH | CWE-200 | A02:2021

SESSION

Rule | Severity | LLM | CWE | OWASP
auth.session.hardcoded-secret | ERROR | HIGH | CWE-798 | A07:2021
auth.session.id-in-url | ERROR | MEDIUM | CWE-598 | API1:2023
auth.session.no-regeneration | WARNING | MEDIUM | CWE-384 | API2:2023

Released under the MIT License · powered by Semgrep