DEMO REPOSITORY

vulnerable-demo/sample-app

Scanned just now • 42 issues found

Grade: F

Security Score: 8/100

Critical security issues detected

28 Critical • 8 High • 5 Medium • 1 Low

Sample Findings

critical

OpenAI API Key

secrets.ts:4

   3 | // OpenAI API Key
>  4 | export const OPENAI_KEY = "sk-proj-abcdefghijklmnopqrstuvwxyz1234567890";
   5 | 

EXPOSED SECRET

sk-proj-abcdefghijklmnopqrstuvwxyz1234567890

⚠️ WHY THIS IS DANGEROUS

API keys in code are visible on GitHub and can be scraped by bots within minutes.

💥 POTENTIAL IMPACT

Unauthorized API usage. Attackers rack up charges on your account or steal your data.

✅ HOW TO FIX

Move to environment variables: process.env.OPENAI_API_KEY. Rotate the exposed key immediately.

critical

Stripe Live Key

secrets.ts:10

   9 | // Stripe Live Key
> 10 | export const STRIPE_KEY = "sk_live_51AbCdEfGh123456789012345678";
  11 | 

EXPOSED SECRET

sk_live_51AbCdEfGh123456789012345678

⚠️ WHY THIS IS DANGEROUS

Stripe live keys grant full access to your payment processing and customer data.

💥 POTENTIAL IMPACT

Financial fraud, customer data theft, or unauthorized refunds.

✅ HOW TO FIX

URGENT: Revoke this key in the Stripe dashboard immediately. Use environment variables only.

critical

AWS Access Key

secrets.ts:13

  12 | // AWS Access Key
> 13 | export const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
  14 | 

EXPOSED SECRET

AKIAIOSFODNN7EXAMPLE

⚠️ WHY THIS IS DANGEROUS

AWS access keys provide programmatic access to your cloud infrastructure.

💥 POTENTIAL IMPACT

Attackers can spin up servers (costing you money), access S3 buckets, or delete resources.

✅ HOW TO FIX

Rotate immediately in AWS IAM. Use IAM roles instead of access keys when possible.

critical

Database Connection String

secrets.ts:19

  18 | // Database Connection Strings
> 19 | export const DB_URL = "postgres://admin:SuperSecret123!@db.production.com:5432/myapp";
  20 | 

SECURITY ISSUE

postgres://admin:SuperSecret123!@db.production.com:5432/myapp

⚠️ WHY THIS IS DANGEROUS

Database URLs contain credentials. Anyone with this can access your database.

💥 POTENTIAL IMPACT

Complete data breach. Attackers can read, modify, or delete all data.

✅ HOW TO FIX

Store in environment variables. Rotate the database password immediately.

critical

GitHub Personal Access Token

secrets.ts:31

  30 | // GitHub Personal Access Token
> 31 | export const GITHUB_TOKEN = "ghp_1234567890abcdefghijklmnopqrstuvw";
  32 | 

EXPOSED SECRET

ghp_1234567890abcdefghijklmnopqrstuvw

⚠️ WHY THIS IS DANGEROUS

GitHub tokens can access private repos, create releases, or modify code.

💥 POTENTIAL IMPACT

Source code theft, malicious commits, or repo deletion.

✅ HOW TO FIX

Revoke in GitHub Settings → Developer settings → Personal access tokens. Use fine-grained tokens with minimal scope.

high

SQL Injection (Raw Query)

vulnerabilities.ts:7

   6 | export async function getUserData(userId: string) {
>  7 |   const query = `SELECT * FROM users WHERE id = ${userId}`;
   8 |   return await db.execute(query);

CODE VULNERABILITY

SELECT * FROM users WHERE id = ${userId}

⚠️ WHY THIS IS DANGEROUS

Your database query includes user input directly without sanitization. An attacker can inject malicious SQL commands.

💥 POTENTIAL IMPACT

Attackers can read, modify, or delete your entire database. They can steal user data, change passwords, or wipe everything.

✅ HOW TO FIX

Use parameterized queries or an ORM. Never concatenate user input into SQL strings.

high

Use of eval()

vulnerabilities.ts:18

  17 | export function executeCode(userInput: string) {
> 18 |   return eval(userInput);
  19 | }

INSECURE CODE PATTERN

eval(userInput)

⚠️ WHY THIS IS DANGEROUS

eval() executes arbitrary code. If user input reaches it, attackers control your app.

💥 POTENTIAL IMPACT

Complete application compromise. Attackers can access all data and perform any action.

✅ HOW TO FIX

Remove eval() entirely. Use JSON.parse() for data, or refactor to avoid dynamic code execution.

high

Command Injection (exec)

vulnerabilities.ts:28

  27 |   const { filename } = req.body;
> 28 |   exec(`cat ${filename}`, (error: any, stdout: any) => {
  29 |     res.send(stdout);

CODE VULNERABILITY

exec(`cat ${filename}`

⚠️ WHY THIS IS DANGEROUS

User input is passed directly to system commands, allowing attackers to execute arbitrary code on your server.

💥 POTENTIAL IMPACT

Complete server takeover. Attackers can install malware, steal secrets, or use your server for attacks.

✅ HOW TO FIX

Never pass user input to exec/system. Use libraries that sanitize inputs or avoid shell commands entirely.

high

Potential XSS (dangerouslySetInnerHTML)

vulnerabilities.ts:40

  39 | export function UserComment({ comment }: { comment: string }) {
> 40 |   return <div dangerouslySetInnerHTML={{ __html: comment }} />;
  41 | }

CODE VULNERABILITY

dangerouslySetInnerHTML={{ __html: comment }}

⚠️ WHY THIS IS DANGEROUS

Setting HTML directly from user input allows attackers to inject malicious scripts.

💥 POTENTIAL IMPACT

Attackers can steal session tokens, redirect users to phishing sites, or deface your app.

✅ HOW TO FIX

Use React's normal rendering (which auto-escapes). Only use dangerouslySetInnerHTML with sanitized, trusted content.

medium

Weak Random Number Generation

vulnerabilities.ts:49

  48 | export function generateToken() {
> 49 |   return Math.random().toString(36).substring(7);
  50 | }

INSECURE CODE PATTERN

Math.random()

⚠️ WHY THIS IS DANGEROUS

Math.random() is predictable and NOT cryptographically secure. Attackers can guess "random" values.

💥 POTENTIAL IMPACT

Broken session tokens, predictable passwords, or compromised security features.

✅ HOW TO FIX

Use crypto.randomBytes() (Node.js) or crypto.getRandomValues() (browser) for security-critical randomness.

medium

Hardcoded Password

vulnerabilities.ts:57

  56 |   user: 'admin',
> 57 |   password: 'SuperSecret123!',
  58 |   database: 'production'

EXPOSED SECRET

password: 'SuperSecret123!'

⚠️ WHY THIS IS DANGEROUS

Passwords in code are visible to anyone with access to the repository or compiled app.

💥 POTENTIAL IMPACT

Immediate credential compromise. Attackers can access your systems, databases, or APIs.

✅ HOW TO FIX

Move all secrets to environment variables. Use .env files (never commit them) or a secrets manager.

low

Deprecated moment.js

package.json:8

   7 |     "axios": "0.21.0",
>  8 |     "moment": "2.29.1",
   9 |     "express": "*"

DEPENDENCY ISSUE

"moment": "2.29.1"

⚠️ WHY THIS IS DANGEROUS

Moment.js is deprecated and has known vulnerabilities. The maintainers recommend switching.

💥 POTENTIAL IMPACT

Potential security issues and no future patches.

✅ HOW TO FIX

Switch to date-fns or Luxon: npm uninstall moment && npm install date-fns
