You don't need a security degree. Here are the terms that actually matter when you're shipping an app — what they mean, why they show up in AI-generated code, and how to fix them.
IDOR (Insecure Direct Object Reference): When changing an ID in a URL or API request lets you read or modify someone else's data, because the server looks the object up by ID without checking that it belongs to the current user. The #1 access control bug in AI-generated code.
Row-Level Security (RLS): A database-level policy that controls which rows a given user can read, insert, update, or delete. If your AI tool created the tables but never enabled RLS, every row is readable and writable by any client that can reach the database.
Cross-Site Scripting (XSS): When an attacker gets a script into your pages that runs in another user's browser, with that user's session. Three types: reflected (the payload comes from the current request), stored (it is saved in your database and served to everyone), and DOM-based (client-side JavaScript writes untrusted data into the page).
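An added example, not Flowpatrol's code and not from the page, showing the two output contexts AI-generated templates most often get wrong: element text, where HTML encoding is the fix, and URL attributes, where encoding alone is not enough and the scheme has to be checked. The payloads and the `https://app.example.com` base origin are constructed placeholders.

```javascript
// Added example (not Flowpatrol's code): output encoding for the two most
// common HTML contexts, plus the case encoding alone does not solve.
// Payloads and the base origin are constructed placeholders.
const PAYLOAD_TEXT = '<img src=x onerror="alert(document.cookie)">';
const PAYLOAD_HREF = 'javascript:alert(document.cookie)';
const APP_ORIGIN = 'https://app.example.com/'; // assumed

// Vulnerable: concatenates user data straight into markup. Whether this is a
// server template or innerHTML on the client, the effect is the same.
function renderCommentVulnerable(author, text) {
  return `<p class="comment"><b>${author}</b>: ${text}</p>`;
}

// Encodes the five characters that can change meaning inside an element body
// or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderCommentSafe(author, text) {
  return `<p class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</p>`;
}

// URL attributes need a scheme check, not just encoding: "javascript:..."
// contains none of the five special characters, so escapeHtml passes it
// through untouched and the browser still runs it on click.
function safeHref(url) {
  let parsed;
  try { parsed = new URL(url, APP_ORIGIN); } catch { return '#'; }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return '#';
  return escapeHtml(parsed.href);
}

function renderLinkSafe(url, label) {
  return `<a href="${safeHref(url)}">${escapeHtml(label)}</a>`;
}
```

For the DOM-based variant the same rule applies on the client: assign untrusted data with `textContent` or `setAttribute`, never by building an `innerHTML` string. A Content-Security-Policy that disallows inline scripts is the backstop for whatever context you missed.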
SQL Injection: When user input is concatenated directly into a database query instead of being passed as a bound parameter, letting an attacker read, modify, or delete data they should never touch.
Server-Side Request Forgery (SSRF): When your server fetches a URL that an attacker controls, giving them a way to reach internal services, the cloud metadata endpoint (and the credentials it hands out), or private networks from inside your perimeter.
Exposed Secrets: When API keys, database passwords, or signing secrets end up in client-side bundles, public repos, or reachable config files. AI tools do this more than you'd expect, usually by hardcoding a key into generated code or by exposing a server-only key to the frontend.
Cross-Site Request Forgery (CSRF): When a malicious site gets a logged-in user's browser to send a state-changing request to your app, with the user's cookies attached, like changing their email or transferring funds.
Broken Object Level Authorization (BOLA): The API-specific cousin of IDOR. When an API endpoint lets you access or modify objects belonging to other users by manipulating object IDs in requests.
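The following is an added example, not Flowpatrol's code and not from the page, showing IDOR and BOLA in one place: a lookup-by-ID handler that trusts the URL, beside one scoped to the user the server knows from the session. The in-memory `invoices` map and the request objects are constructed stand-ins for a database and an Express-style `req`.

```javascript
// Added example (not Flowpatrol's code): IDOR / BOLA in a lookup-by-ID handler.
// `invoices` and the request objects are constructed stand-ins for a real
// database and an Express-style req.
const invoices = new Map([
  [101, { id: 101, ownerId: 'alice', total: 42 }],
  [102, { id: 102, ownerId: 'bob', total: 9000 }],
]);

// Vulnerable: looks the object up by the ID in the URL and returns it to any
// authenticated caller. Bob reads invoice 101 by changing "102" to "101".
function getInvoiceVulnerable(req) {
  const invoice = invoices.get(Number(req.params.id));
  if (!invoice) return { status: 404 };
  return { status: 200, body: invoice };
}

// Hardened: the lookup is scoped to the user from the server-side session,
// never to anything the client sent. In SQL this is the difference between
// "WHERE id = $1" and "WHERE id = $1 AND owner_id = $2". Answering 404 rather
// than 403 for a foreign ID also avoids confirming that the ID exists.
function getInvoiceSafe(req) {
  const invoice = invoices.get(Number(req.params.id));
  if (!invoice || invoice.ownerId !== req.session.userId) return { status: 404 };
  return { status: 200, body: invoice };
}

// The same rule applies to writes: update and delete handlers must carry the
// owner check too, or the read path being fixed buys nothing.
function deleteInvoiceSafe(req) {
  const id = Number(req.params.id);
  const invoice = invoices.get(id);
  if (!invoice || invoice.ownerId !== req.session.userId) return { status: 404 };
  invoices.delete(id);
  return { status: 204 };
}

// Constructed request: bob is logged in but asks for alice's invoice.
const bobAsksForAlices = { params: { id: '101' }, session: { userId: 'bob' } };
```

When the data layer supports it, push the ownership predicate into the database (a row-level policy or a repository method that always takes the owner ID) so that no handler can forget it.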
JWT Vulnerabilities: When JWTs are decoded without verifying the signature, signed with weak or guessable secrets, or accepted with the 'none' algorithm, letting attackers forge tokens and impersonate any user.
Mass Assignment: When an API copies every field from a request body into the stored record, letting attackers set fields they shouldn't, like role, isAdmin, or accountBalance.
Open Redirect: When your app redirects users to a URL taken from a query parameter without validating it, letting attackers send victims from your trusted domain to phishing sites that look legitimate.
Path Traversal: When an attacker uses ../ sequences (plain or URL-encoded) in file paths to escape the intended directory and read sensitive files like .env, /etc/passwd, or your source code.
Missing Rate Limiting: When API endpoints have no throttling, letting attackers try thousands of passwords, enumerate users, or hammer expensive operations without limit.
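An added example, not Flowpatrol's code, of a token-bucket limiter applied to a login endpoint in two dimensions: per source IP (one attacker guessing fast) and per target account (many IPs spraying one account). The clock is injectable so the refill behaviour can be checked without waiting; the traffic is constructed.

```javascript
// Added example (not Flowpatrol's code): token-bucket rate limiting for login.
class TokenBucketLimiter {
  // capacity: burst size; refillPerSec: sustained rate; now(): millisecond clock
  constructor({ capacity, refillPerSec, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map();
  }

  // true if the request may proceed, false if the key is throttled.
  allow(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, last: t };
      this.buckets.set(key, b);
    }
    const refill = ((t - b.last) / 1000) * this.refillPerSec;
    b.tokens = Math.min(this.capacity, b.tokens + refill);
    b.last = t;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Check the IP bucket first so a blocked IP does not drain the account bucket,
// then the account bucket (keyed on the normalized username).
function handleLogin(limiters, req) {
  if (!limiters.ip.allow(req.ip)) return { status: 429, headers: { 'Retry-After': '60' } };
  if (!limiters.account.allow(req.body.username.toLowerCase())) {
    return { status: 429, headers: { 'Retry-After': '60' } };
  }
  return { status: 200 }; // the real credential check would go here
}

// Constructed traffic against one account. Returns how many attempts got through
// in each phase.
function simulateAttack() {
  let clock = 0;
  const limiters = {
    ip: new TokenBucketLimiter({ capacity: 5, refillPerSec: 1, now: () => clock }),
    account: new TokenBucketLimiter({ capacity: 10, refillPerSec: 0.2, now: () => clock }),
  };
  const attempt = (ip) => handleLogin(limiters, { ip, body: { username: 'Alice' } }).status === 200;

  // Phase 1: 20 guesses from one IP in the same second; the IP bucket (5) wins.
  let burst = 0;
  for (let i = 0; i < 20; i++) if (attempt('203.0.113.7')) burst++;

  // Phase 2: three seconds later the IP bucket has refilled 3 tokens.
  clock += 3000;
  let afterWait = 0;
  for (let i = 0; i < 20; i++) if (attempt('203.0.113.7')) afterWait++;

  // Phase 3: five fresh IPs, two guesses each, same second. Their IP buckets
  // are full, but the account bucket is nearly drained, so only 2 pass.
  let spray = 0;
  for (let n = 1; n <= 5; n++) for (let i = 0; i < 2; i++) if (attempt(`198.51.100.${n}`)) spray++;

  return { burst, afterWait, spray };
}
```

In production the buckets live in a shared store (for example Redis) so every instance sees the same counts, and the account-level limit should be paired with an alert: a drained account bucket with many distinct source IPs is a credential-stuffing signal, not just noise.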
CORS Misconfiguration: When your API allows requests from any origin, or worse, reflects the Origin header back with credentials allowed, letting malicious sites read responses meant for authenticated users.
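An added example, not Flowpatrol's code, of the three CORS shapes that matter: the reflecting handler (dangerous), a suffix match that looks like an allowlist but is not, and an exact-match allowlist. The origins are constructed placeholders.

```javascript
// Added example (not Flowpatrol's code): CORS response headers, vulnerable and
// hardened. Origins are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Vulnerable: reflects whatever Origin the browser sent and allows credentials.
// Browsers refuse "*" together with credentials, which is exactly why
// AI-generated code "fixes" the console error by reflecting instead.
function corsHeadersVulnerable(req) {
  return {
    'Access-Control-Allow-Origin': req.headers.origin || '*',
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Also vulnerable: a substring or suffix test. "https://evilexample.com" ends
// with "example.com", and so does "https://example.com.attacker.net" when the
// check is `includes`.
function corsHeadersSuffixMatch(req) {
  const origin = req.headers.origin || '';
  if (!origin.endsWith('example.com')) return {};
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
}

// Hardened: exact-match allowlist of full origins (scheme + host + port).
// Unknown origins get no CORS headers at all, and "Vary: Origin" stops a cache
// from replaying one origin's answer to another.
function corsHeadersSafe(req) {
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}
```

If the API is only ever called from your own first-party frontend on the same site, the best configuration is no CORS headers at all. Reach for an allowlist only when a different origin genuinely has to read responses.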
Missing Security Headers: Missing headers like Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options that tell browsers how to protect your users (from injected scripts, downgraded connections, and framing, respectively).
Broken Authentication: When login flows have fundamental flaws, such as passwords stored in plaintext, no session rotation after login, or no defense against credential stuffing, that let attackers take over accounts.
Privilege Escalation: When a regular user can promote themselves to admin, usually because the API trusts a role field in the request body instead of reading the role from the server-side session.
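An added example, not Flowpatrol's code, covering both the mass-assignment entry and the privilege-escalation entry above, since in practice they are the same bug: a profile update that spreads the request body into the record, beside the allowlisted version, and a separate role-change path that takes its authority from the session. The user records and request bodies are constructed.

```javascript
// Added example (not Flowpatrol's code): mass assignment and the privilege
// escalation it enables. Records and request bodies are constructed.

// Vulnerable: every field the client sends lands in the stored record.
function updateProfileVulnerable(user, body) {
  return { ...user, ...body };
}

// Hardened: the client can only touch an explicit allowlist of fields.
// Anything else in the body (role, isAdmin, balance, id) is ignored.
const CLIENT_EDITABLE = ['displayName', 'bio', 'avatarUrl'];

function updateProfileSafe(user, body) {
  const patch = {};
  for (const key of CLIENT_EDITABLE) {
    if (Object.prototype.hasOwnProperty.call(body, key)) patch[key] = body[key];
  }
  return { ...user, ...patch };
}

// Role changes are a separate operation whose authority comes from the
// caller's server-side session, never from the body. Returns the updated
// target record or throws.
function setRole(session, target, newRole) {
  if (session.role !== 'admin') throw new Error('forbidden');
  if (!['user', 'admin'].includes(newRole)) throw new Error('invalid role');
  return { ...target, role: newRole };
}

// Constructed request: a regular user edits their name and, in the same body,
// tries to promote themselves and top up their balance.
const ESCALATION_BODY = { displayName: 'Bobby', role: 'admin', balance: 999999 };
```

ORMs have the same trap under other names: `Model.create(req.body)`, `user.update(req.body)`, or a Prisma `data: req.body`. The fix is the same allowlist, usually enforced by a request schema (zod, Joi) whose output, not the raw body, is what reaches the data layer.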
Information Disclosure: When your app leaks internal details, such as stack traces, database schemas, environment variables, or other users' data, through error messages or verbose API responses.
Unrestricted File Upload: When your app accepts any file type without validation, letting attackers upload executable scripts, HTML files carrying XSS payloads, or oversized files that exhaust disk or memory.
Clickjacking: When an attacker embeds your app in a transparent iframe on their own page, tricking users into clicking buttons they can't see, like 'Delete Account' or 'Transfer Funds'.
Subdomain Takeover: When a DNS record still points to a cloud service you've deprovisioned, letting an attacker claim that service and serve their own content on your subdomain.
Broken Function Level Authorization: When admin-only endpoints are reachable by regular users because the server only checks that someone is logged in, not what their role is.
GraphQL Misconfiguration: When introspection is left enabled in production and queries have no depth or complexity limits, letting attackers map your entire schema and craft resource-exhaustion queries.
Unauthenticated WebSockets: When WebSocket connections skip authentication entirely, letting anyone connect and receive real-time data meant for authenticated users.
OAuth Misconfiguration: When OAuth flows skip state parameter validation, allow open redirects in callback URLs, or leak tokens, letting attackers hijack user sessions through third-party login.
Prototype Pollution: When an attacker injects properties into JavaScript's Object.prototype through user input (typically a JSON body with a __proto__ key fed to a recursive merge), affecting every object in the application and potentially bypassing security checks.
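An added example, not Flowpatrol's code, of the recursive "deep merge" shape that causes prototype pollution, beside a hardened version, and of an authorization check that the pollution silently defeats. The JSON body is a constructed attacker payload; the demonstration repairs `Object.prototype` after itself so the rest of the process is unaffected.

```javascript
// Added example (not Flowpatrol's code): prototype pollution via a deep merge.
// ATTACKER_BODY is a constructed payload.
const ATTACKER_BODY = '{"settings":{"theme":"dark"},"__proto__":{"isAdmin":true}}';

// Vulnerable: merges every key, including "__proto__". JSON.parse creates an
// own property literally named "__proto__", but reading target["__proto__"]
// on a plain object returns Object.prototype, so the recursion writes into it.
function mergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeVulnerable(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened: skip the keys that reach the prototype chain and only recurse into
// the target's own plain-object properties. Building the result with
// Object.create(null) is the alternative when the merged config never needs
// prototype methods.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = mergeSafe(own && typeof own === 'object' ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A typical check that pollution defeats: a fresh user object with no isAdmin
// of its own inherits the polluted one from Object.prototype.
function isAdmin(user) {
  return user.isAdmin === true;
}

// Runs the attack through the given merge, records what isAdmin() says about
// an unrelated object before and after, then repairs Object.prototype.
function demonstratePollution(merge) {
  const before = isAdmin({ name: 'guest' });
  merge({}, JSON.parse(ATTACKER_BODY));
  const after = isAdmin({ name: 'guest' });
  delete Object.prototype.isAdmin; // undo the global damage
  return { before, after };
}
```

Defense in depth beyond the merge itself: `Object.freeze(Object.prototype)` at startup, and Node's `--disable-proto=delete` flag, which removes the `__proto__` accessor entirely. Neither replaces fixing the merge, since `constructor.prototype` is another route to the same place.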
Race Conditions: When parallel requests exploit the gap between checking a condition and acting on it, letting attackers spend the same credits twice, claim multiple free trials, or reuse one-time tokens.
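An added example, not Flowpatrol's code, that models two requests racing on a check-then-act balance deduction. The handlers are written as generators that yield at every point a real handler would `await` a database round trip, and a tiny round-robin scheduler interleaves them the way concurrent requests do, which makes the outcome deterministic and testable. The account data is constructed.

```javascript
// Added example (not Flowpatrol's code): a deterministic model of a
// check-then-act race. `accounts` is a constructed stand-in for a database.
const accounts = new Map();

// Vulnerable: read, await, check, write. Two requests that both read 100
// before either writes will both pass the check and both deduct.
function* spendVulnerable(userId, amount) {
  const balance = accounts.get(userId);       // SELECT balance FROM accounts ...
  yield;                                      // await: other requests run here
  if (balance < amount) return false;         // check
  accounts.set(userId, balance - amount);     // UPDATE ... SET balance = <computed>
  yield;
  return true;
}

// Atomic: the check and the decrement are one step on the current value with
// no await between them. In SQL:
//   UPDATE accounts SET balance = balance - $1 WHERE id = $2 AND balance >= $1
// and "0 rows updated" is the failure case.
function* spendAtomic(userId, amount) {
  yield;                                      // unrelated work may await first
  const current = accounts.get(userId);
  if (current < amount) return false;
  accounts.set(userId, current - amount);
  return true;
}

// Round-robin scheduler: advance each generator one step at a time until all
// have returned. Returns their return values in submission order.
function runInterleaved(handlers) {
  const results = new Array(handlers.length);
  const queue = handlers.map((gen, i) => ({ gen, i }));
  while (queue.length > 0) {
    const { gen, i } = queue.shift();
    const step = gen.next();
    if (step.done) results[i] = step.value;
    else queue.push({ gen, i });
  }
  return results;
}

// Two simultaneous 80-credit purchases against a 100-credit balance.
function race(spend) {
  accounts.set('alice', 100);
  const results = runInterleaved([spend('alice', 80), spend('alice', 80)]);
  return { results, balance: accounts.get('alice') };
}
```

The same pattern fixes the other cases the entry lists: a one-time token is consumed with `UPDATE tokens SET used = true WHERE id = $1 AND used = false` (or `DELETE ... RETURNING`), and a free trial is guarded by a unique constraint on the user, so the database, not application code, serializes the decision.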
Insecure Deserialization: When your app deserializes data from untrusted sources without validation, letting attackers supply crafted objects that execute code or manipulate application state.
Dependency Confusion: When a public package published under the same name as your internal, private package gets installed instead, letting attackers run arbitrary code in your build pipeline or on your production server.
Insufficient Logging: When your app doesn't log security events, such as failed logins, permission denials, and sensitive data access, making it impossible to detect breaches or reconstruct what happened after one.
Flowpatrol checks for all of these — and more. Paste a URL, get a report in minutes.