A template expression injected into parameter 'name' was evaluated by the server. The product 49660049 appeared in the response but the literal payload did not, confirming server-side evaluation. Engine hint: jinja2/twig/django.
Fix. Never pass user input to template rendering functions. Use template variables with auto-escaping and sandboxed template engines where dynamic template construction is needed.
payload: {{7919*6271}}, evaluated product: 49660049 found in response
The environment secrets file at /.env is served publicly and returned HTTP 200 with plausible content, potentially leaking secrets, source, or infrastructure details.
Fix. Block access to dotfiles, VCS metadata, backups, and config from the web root. Serve only intended public assets.
Appending a quote character to this parameter produced a database error signature in the response, indicating input is concatenated into a SQL statement.
Fix. Use parameterized queries or prepared statements. Never build SQL by string concatenation, and suppress verbose database error messages in responses.
A unique probe injected into this parameter was reflected in the HTML response without encoding, so attacker-controlled markup executes in the victim browser.
Fix. Contextually encode all user input on output and apply a strict Content-Security-Policy. Prefer framework auto-escaping.
A CR LF sequence injected into parameter 'lang' caused the server to emit an attacker-controlled response header ('Fya-Test: fya3341886fa529'). This enables HTTP response splitting, cache poisoning, and cookie injection.
Fix. Strip or reject CR (\r) and LF (\n) characters from any value that flows into response headers. Use framework abstractions that handle header encoding.
The response reflects an attacker-supplied Origin into Access-Control-Allow-Origin while also allowing credentials, letting a malicious site read authenticated responses.
Fix. Validate Origin against a strict server-side allowlist and never combine a wildcard or reflected origin with Access-Control-Allow-Credentials: true.
No Content-Security-Policy header was returned. CSP is the primary defense-in-depth control against cross-site scripting and data injection in the browser.
Fix. Set a Content-Security-Policy that restricts script and object sources to trusted origins.
The application reflects the HTTP Host header value into its response without validation. An attacker can poison password-reset links, cache entries, or absolute URLs by supplying a crafted Host header.
Fix. Maintain a server-side allowlist of valid hostnames. Never use the request Host header to construct absolute URLs or links.
reflected in response body; reflected in absolute link: http://fyaa18d9c9f2894.evil.example/
CSRF: POST form at 'http://127.0.0.1:5099/transfer' has no CSRF token
A01:2021 Broken Access Control | CWE-352 | confidence medium | http://127.0.0.1:5099/transfer
A POST form targeting 'http://127.0.0.1:5099/transfer' contains no hidden input whose name matches known CSRF token field names (csrf, xsrf, _token, authenticity_token, csrfmiddlewaretoken, nonce). Without a token an attacker can forge requests on behalf of authenticated users.
Fix. Add a secret per-session CSRF token to every state-changing form and verify it server-side. Consider the SameSite=Strict cookie attribute as a defense-in-depth measure.