# Sinks {% embed url="" %} ## Sinks | Vulnerability Type | Java Sinks | PHP Sinks | Node.js Sinks | | ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Remote Code Execution (RCE)** |

Runtime.getRuntime().exec()
ProcessBuilder.start()
Method.invoke()
ScriptEngine.eval()
InitialContext.lookup() (JNDI Injection)

shell\_exec()
exec()
system()
passthru()
proc\_open()
popen()
eval()
assert()
create\_function()

child\_process.exec()
child\_process.execSync()
child\_process.spawn()
vm.runInContext()
vm.runInNewContext()

| | **SQL Injection (SQLi)** |

Statement.executeQuery()
Statement.executeUpdate()
Statement.execute()
EntityManager.createQuery()

mysqli\_query()
mysql\_query()
pg\_query()
PDO::query() (without prepared statements)

db.collection.find({ user: req.query.user }) (NoSQLi in MongoDB)
sequelize.query() (raw queries)

| | **Path Traversal / Arbitrary File Read/Write** |

File(String)
FileReader(String)
FileWriter(String)
Files.readAllBytes(Path)
ZipInputStream.getNextEntry()

file\_get\_contents()
fopen()
readfile()
include()
require()
unlink()

fs.readFileSync()
fs.readFile()
fs.createReadStream()
fs.writeFileSync()
fs.unlinkSync()

| | **Server-Side Request Forgery (SSRF)** |

HttpURLConnection.openConnection()
URL.openStream()
RestTemplate.getForObject()
WebClient.get().uri()

file\_get\_contents("http\://...")
curl\_exec()
stream\_context\_create()

http.get()
axios.get()
fetch()
request()

| | **Cross-Site Scripting (XSS)** |

response.getWriter().write()
HttpServletResponse.getOutputStream().print()
JSP: <%= userInput %>

echo $\_GET\["input"];
print($\_POST\["input"]);
printf($\_GET\["input"]);
exit($\_GET\["input"]);

res.send(req.query.input)
res.write(req.body.input)
document.write(req.query.input) (in client-side JS)

| | **Cross-Site Request Forgery (CSRF)** |

doPost(HttpServletRequest req, HttpServletResponse res)
doPut(HttpServletRequest req, HttpServletResponse res)
doDelete(HttpServletRequest req, HttpServletResponse res)

Forms with method="POST" and no CSRF token
Session-modifying endpoints ($\_SESSION, setcookie())

| `app.post('/update', (req, res) => {...}` (without CSRF token verification) | | **XML External Entity (XXE) Injection** |

DocumentBuilder.parse()
SAXParser.parse()
XMLReader.parse()
TransformerFactory.newInstance().newTransformer().transform()

simplexml\_load\_string()
DOMDocument.loadXML()
xml\_parser\_create()

xml2js.parseString()
libxmljs.parseXml()

| | **LDAP Injection** |

DirContext.search()
LdapContext.search()

ldap\_search()
ldap\_list()
ldap\_read()

| `ldapClient.search()` (Node.js LDAP client) | | **Insecure Logging (Information Disclosure)** |

Logger.info()
Logger.debug()
System.out.println()
PrintWriter.println()

error\_log($\_GET\["input"]);
var\_dump($\_POST\["password"]);
print\_r($\_SERVER);

console.log(req.body.password)
winston.log('info', req.query.debug)

| | **Insecure Cryptography** |

MessageDigest.getInstance("MD5")
Cipher.getInstance("DES")
Cipher.getInstance("ECB")

md5()
sha1()
crypt("plaintext", "salt")
base64\_encode()

crypto.createHash('md5')
crypto.createCipher('des', key)

| | **Insecure Session Management** |

HttpSession.getAttribute()
request.getSession(true)

session\_start();
setcookie("PHPSESSID", ...)

| `req.session.user = "admin"` (without secure flags) |