# SAST Java Rules

## Key Java Security Rules

* [GIT Leaks](/user-docs/4-sast/2-java/gitleaks.md)
* [Missing HTTP Only option in cookie configuration](https://github.com/sec0ne/user-docs/blob/main/docs/4-sast/2-java/go-gorilla-cookie-missing-http-only.md)
* [Leakage of Information in Logger Message](/user-docs/4-sast/2-java/leakage-of-information-in-logger-message.md)
* [Leakage of sensitive data in cookie](/user-docs/4-sast/2-java/leakage-of-sensitive-data-in-cookie.md)
* [Leakage of sensitive data in exception message](/user-docs/4-sast/2-java/leakage-of-sensitive-data-in-exception-message.md)
* [Leakage of sensitive data to Airbrake](/user-docs/4-sast/2-java/leakage-of-sensitive-data-to-airbrake.md)
* [Leakage of sensitive data to Algolia](/user-docs/4-sast/2-java/leakage-of-sensitive-data-to-algolia.md)
* [Leakage of Sensitive Data to Bugsnag](/user-docs/4-sast/2-java/leakage-of-sensitive-data-to-bugsnag.md)
* [Leakage of Sensitive Data to ClickHouse](/user-docs/4-sast/2-java/leakage-of-sensitive-data-to-clickhouse.md)
* [Leakage of Sensitive Data to Datadog](/user-docs/4-sast/2-java/leakage-of-sensitive-data-to-datadog.md)
* [Leakage of Sensitive Data to ElasticSearch](/user-docs/4-sast/2-java/leakage-of-sensitive-data-to-elasticsearch.md)
* [Leakage of Sensitive Data to New Relic](/user-docs/4-sast/2-java/leakage-of-sensitive-data-to-new-relic.md)
* [Leakage of Sensitive Data to OpenTelemetry](/user-docs/4-sast/2-java/leakage-of-sensitive-data-to-open-telemetry.md)
* [Leakage of Sensitive Data to RollBar](/user-docs/4-sast/2-java/leakage-of-sensitive-data-to-rollbar.md)
* [Leakage of Sensitive Data to Sentry](/user-docs/4-sast/2-java/leakage-of-sensitive-data-to-sentry.md)
* [Leakage of Sensitive Information in Exception Messages](/user-docs/4-sast/2-java/leakage-of-sensitive-information-in-exception-messages.md)
* [Leakage of sensitive information in logger message](/user-docs/4-sast/2-java/leakage-of-sensitive-information-in-logger-message.md)
* [Missing authentication for database](/user-docs/4-sast/2-java/missing-authentication-for-database.md)
* [Missing database password detected](/user-docs/4-sast/2-java/missing-database-password-detected.md)
* [Missing HTTP Only Option in Cookie Configuration](/user-docs/4-sast/2-java/missing-http-only-option-in-cookie-configuration.md)
* [Missing Optimal Asymmetric Encryption Padding (OAEP)](/user-docs/4-sast/2-java/missing-optimal-asymmetric-encryption-padding.md)
* [Missing or Permissive SSL Hostname Verifier](/user-docs/4-sast/2-java/missing-or-permissive-ssl-hostname-verifier.md)
* [Missing Protection against Session Fixation Attacks](/user-docs/4-sast/2-java/missing-protection-against-session-fixation-attacks.md)
* [Missing Secure option in cookie configuration](/user-docs/4-sast/2-java/missing-secure-option-in-cookie-configuration.md)
* [Missing signature verification of JWT](/user-docs/4-sast/2-java/missing-signature-verification-of-jwt.md)
* [Missing SSL host check in SMTP](/user-docs/4-sast/2-java/missing-ssl-host-check-in-smtp.md)
* [Missing Support for Integrity Check](/user-docs/4-sast/2-java/missing-support-for-integrity-check.md)
* [Missing TLS validation](/user-docs/4-sast/2-java/missing-tls-validation.md)
* [Observable Timing Discrepancy](/user-docs/4-sast/2-java/observable-timing-discrepancy.md)
* [Permissive Access-Control-Allow-Origin configuration](/user-docs/4-sast/2-java/permissive-access-control-allow-origin-configuration.md)
* [Permissive context mode for resources](/user-docs/4-sast/2-java/permissive-context-mode-for-resources.md)
* [Permissive cookie configuration](/user-docs/4-sast/2-java/permissive-cookie-configuration.md)
* [Permissive HTTP Only option in cookie configuration](/user-docs/4-sast/2-java/permissive-http-only-option-in-cookie-configuration.md)
* [Permissive Screenshot option set](/user-docs/4-sast/2-java/permissive-screenshot-option-set.md)
* [Possible CRLF injection detected](/user-docs/4-sast/2-java/possible-clrf-injection-detected.md)
* [Possible expression language (EL) injection detected](/user-docs/4-sast/2-java/possible-expression-language-el-injection-detected.md)
* [Possible HTTP Parameter Pollution detected](/user-docs/4-sast/2-java/possible-http-parameter-pollution-detected.md)
* [Unsanitized external input in SQL query](/user-docs/4-sast/2-java/unsanitized-external-input-in-sql-query.md)
* [Unsanitized use of FileUpload filename](/user-docs/4-sast/2-java/unsanitized-use-of-fileupload-filename.md)
* [Unsanitized user input in 'eval' type function](/user-docs/4-sast/2-java/unsanitized-user-input-in-eval-type-function.md)
* [Unsanitized user input in Access-Control-Allow-Origin](/user-docs/4-sast/2-java/unsanitized-user-input-in-access-control-allow-origin.md)
* [Unsanitized user input in AWS query](/user-docs/4-sast/2-java/unsanitized-user-input-in-aws-query.md)
* [Unsanitized user input in code generation](/user-docs/4-sast/2-java/unsanitized-user-input-in-code-generation.md)
* [Unsanitized user input in deserialization method](/user-docs/4-sast/2-java/unsanitized-user-input-in-deserialization-method.md)
* [Unsanitized User Input in File Path](/user-docs/4-sast/2-java/unsanitized-user-input-in-file-path-traversal.md)
* [Unsanitized User Input in File Path](/user-docs/4-sast/2-java/unsanitized-user-input-in-file-path.md)
* [Unsanitized user input in format string detected](/user-docs/4-sast/2-java/unsanitized-user-input-in-format-string-detected.md)
* [Unsanitized user input in HTTP request (SSRF)](/user-docs/4-sast/2-java/unsanitized-user-input-in-http-request-ssrf.md)
* [Unsanitized user input in HTTP response (XSS)](/user-docs/4-sast/2-java/unsanitized-user-input-in-http-response-xss.md)
* [Unsanitized user input in LDAP request](/user-docs/4-sast/2-java/unsanitized-user-input-in-ldap-request.md)
* [Unsanitized user input in logger message](/user-docs/4-sast/2-java/unsanitized-user-input-in-logger-message.md)
* [Unsanitized User Input in OS Command](/user-docs/4-sast/2-java/unsanitized-user-input-in-os-command.md)
* [Unsanitized User Input in Output Stream (XSS)](/user-docs/4-sast/2-java/unsanitized-user-input-in-output-stream.md)
* [Unsanitized User input in Redirect](/user-docs/4-sast/2-java/unsanitized-user-input-in-redirect.md)
* [Unsanitized User Input in Regular Expression](/user-docs/4-sast/2-java/unsanitized-user-input-in-regular-expression.md)
* [Unsanitized user input in SQL catalog configuration](/user-docs/4-sast/2-java/unsanitized-user-input-in-sql-catalog-configuration.md)
* [Unsanitized user input in XML External Entity](/user-docs/4-sast/2-java/unsanitized-user-input-in-xml-external-entity.md)
* [Unsanitized User Input in XPath](/user-docs/4-sast/2-java/unsanitized-user-input-in-xpath.md)
* [Usage of bad hex conversion on digest array](/user-docs/4-sast/2-java/usage-of-bad-hex-conversion-on-digest-array.md)
* [Usage of CBC (Cipher Block Chaining) Mode with Padding](/user-docs/4-sast/2-java/usage-of-cbc-mode-with-padding.md)
* [Usage of custom Digest class](/user-docs/4-sast/2-java/usage-of-custom-digest-class.md)
* [Usage of dangerous permissions](/user-docs/4-sast/2-java/usage-of-dangerous-permissions.md)
* [Usage of ECB Cipher Mode](/user-docs/4-sast/2-java/usage-of-ecb-cipher-mode.md)
* [Usage of External Input in Code Reflection](/user-docs/4-sast/2-java/usage-of-external-input-in-code-reflection.md)
* [Usage of hard-coded database password](/user-docs/4-sast/2-java/usage-of-hard-coded-database-password.md)
* [Usage of hard-coded secret](/user-docs/4-sast/2-java/usage-of-hard-coded-secret.md)
* [Usage of insufficient random value](/user-docs/4-sast/2-java/usage-of-insufficient-random-value.md)
* [Usage of naive Socket class to create SSL Socket](/user-docs/4-sast/2-java/usage-of-naive-socket-class-to-create-ssl-socket.md)
* [Usage of permissive file permission ('other')](/user-docs/4-sast/2-java/usage-of-permissive-file-permission-other.md)
* [Usage of small key size with Blowfish encryption](/user-docs/4-sast/2-java/usage-of-small-key-size-with-blowfish-encryption.md)
* [Usage of Trusted and Untrusted Data inside the same Data Structure](/user-docs/4-sast/2-java/usage-of-trusted-and-untrusted-data-inside-the-same-data-structure.md)
* [Usage of vulnerable Apache Commons Collections InvokeTransformer class](/user-docs/4-sast/2-java/usage-of-vulnerable-apache-commons-collections-invoketransformer-class.md)
* [Usage of weak encryption algorithm (DES)](/user-docs/4-sast/2-java/usage-of-weak-encryption-algorithm.md)
* [Usage of Weak Hashing Library on a Password (SHA-1)](/user-docs/4-sast/2-java/usage-of-weak-hashing-library-on-a-password.md)
* [Usage of Weak Hashing library (MD5)](/user-docs/4-sast/2-java/usage-of-weak-hashing-library.md)
---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sec1.io/user-docs/4-sast/2-java.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
