Detection Categories

Pinata scans for vulnerabilities across 7 risk domains, each with specialized detection patterns.

45
Categories
7
Risk Domains
3
Languages
Security (16) Data (8) Concurrency (6) Reliability (6) Performance (3) Resource (3) Input (3)
🔒
Security
16 categories
SQL Injection
Critical
Detects SQL queries built with string concatenation or template literals that include user input. Attackers can inject malicious SQL to read, modify, or delete data.
CWE-89OWASP A03
Cross-Site Scripting (XSS)
Critical
Detects user input rendered in HTML without sanitization. Enables attackers to inject scripts that steal cookies, credentials, or perform actions as the victim.
CWE-79OWASP A03
Command Injection
Critical
Detects shell commands built with user input via exec, spawn, or system calls. Allows attackers to execute arbitrary commands on the server.
CWE-78OWASP A03
Path Traversal
Critical
Detects file operations with unsanitized paths containing user input. Attackers can use "../" sequences to access files outside intended directories.
CWE-22OWASP A01
Server-Side Request Forgery
Critical
Detects HTTP requests where the URL comes from user input. Attackers can make the server request internal resources or cloud metadata endpoints.
CWE-918OWASP A10
Insecure Deserialization
Critical
Detects deserialization of untrusted data using pickle, yaml.load, or eval. Can lead to remote code execution when processing malicious payloads.
CWE-502OWASP A08
XML External Entity (XXE)
Critical
Detects XML parsers with external entity processing enabled. Attackers can read local files, perform SSRF, or cause denial of service.
CWE-611OWASP A05
LDAP Injection
Critical
Detects LDAP queries built with user input. Attackers can modify queries to bypass authentication or access unauthorized directory data.
CWE-90
Hardcoded Secrets
Critical
Detects API keys, passwords, and tokens embedded in source code. Secrets in code are exposed in version control and compiled artifacts.
CWE-798OWASP A02
Cross-Site Request Forgery
High
Detects state-changing endpoints without CSRF token validation. Attackers can trick authenticated users into performing unintended actions.
CWE-352OWASP A01
Authentication Failures
High
Detects weak authentication patterns: missing password hashing, weak algorithms (MD5/SHA1), or authentication bypasses.
CWE-287OWASP A07
Timing Attack
High
Detects non-constant-time string comparisons for secrets. Attackers can guess secrets character-by-character by measuring response times.
CWE-208
Unrestricted File Upload
High
Detects file uploads without extension/type validation. Attackers can upload executable files to achieve code execution.
CWE-434
Excessive Data Exposure
High
Detects APIs returning sensitive fields (passwords, SSNs, tokens) without filtering. Overly verbose responses leak private data.
CWE-200OWASP A01
Missing Rate Limiting
High
Detects authentication and sensitive endpoints without rate limiting. Enables brute force attacks and credential stuffing.
CWE-307OWASP A04
Dependency Risks
High
Detects typosquatted package names and suspicious dependencies. Attackers register similar names to inject malicious code via supply chain.
CWE-1357
📊
Data Integrity
8 categories
Data Race
Critical
Detects concurrent access to shared data without synchronization. Causes corruption, lost updates, and non-deterministic behavior.
CWE-362
Data Truncation
High
Detects assignments to smaller types or database columns. Silent truncation corrupts data and causes logic errors.
CWE-197
Precision Loss
High
Detects floating-point arithmetic for currency or financial values. IEEE 754 floats cannot exactly represent most decimals, causing rounding errors.
CWE-681
Data Validation
High
Detects missing input validation on API boundaries. Unvalidated data causes type errors, crashes, and security vulnerabilities.
CWE-20
Null Handling
High
Detects missing null/undefined checks before property access or method calls. Causes runtime crashes and undefined behavior.
CWE-476
Encoding Mismatch
High
Detects character encoding assumptions (UTF-8 vs Latin-1). Mojibake, data corruption, and security bypasses from encoding confusion.
CWE-838
Schema Migration
High
Detects database migrations that may cause data loss or downtime. Non-reversible changes, missing backfills, and lock contention.
Bulk Operation
High
Detects unbounded bulk operations without batching. Large operations cause timeouts, memory exhaustion, and lock contention.
Concurrency
6 categories
Deadlock
Critical
Detects lock ordering violations and circular wait conditions. Threads waiting on each other forever, freezing the application.
CWE-833
Race Condition
Critical
Detects check-then-act patterns without atomicity. Time-of-check to time-of-use (TOCTOU) bugs cause security and correctness issues.
CWE-367
Missing Timeout
Critical
Detects blocking operations without timeout. Slow or unresponsive services cause thread exhaustion and cascading failures.
Missing Idempotency
Critical
Detects non-idempotent operations that may be retried. Duplicate charges, double sends, and data corruption from retry storms.
Retry Storm
Critical
Detects retry logic without exponential backoff or jitter. Synchronized retries amplify load on failing services.
Thread Safety
High
Detects shared mutable state in multi-threaded code. Missing synchronization causes data corruption and heisenbugs.
CWE-366
🛡️
Reliability
6 categories
Network Partition
Critical
Detects distributed operations without partition tolerance. Split-brain scenarios cause data inconsistency and availability loss.
Network Timeout
Critical
Detects network calls without explicit timeouts. Hung connections exhaust resources and cascade through the system.
Thundering Herd
Critical
Detects cache invalidation without stampede protection. All clients hitting origin simultaneously when cache expires.
Connection Failure
High
Detects database/API connections without error handling. Unhandled failures cause crashes instead of graceful degradation.
High Latency
High
Detects synchronous operations in request path without latency budgets. Slow dependencies cause cascading slowdowns.
Packet Loss
High
Detects UDP or unreliable transport without acknowledgment. Lost messages cause silent failures and data inconsistency.
🚀
Performance
3 categories
Blocking I/O
Critical
Detects synchronous file/network operations in async contexts. Blocks the event loop, destroying throughput in Node.js and async Python.
Memory Bloat
High
Detects unbounded memory growth: accumulating collections, string concatenation in loops, loading entire datasets. Causes OOM kills.
CWE-400
CPU Spin
High
Detects busy-wait loops and polling without sleep. Wastes CPU cycles and increases power consumption.
💧
Resource Management
3 categories
Memory Leak
Critical
Detects resources not freed: event listeners, intervals, closures capturing scope. Memory grows until OOM or restart.
CWE-401
Connection Pool Exhaustion
Critical
Detects database connections not returned to pool. All connections blocked, new requests fail.
CWE-400
File Handle Leak
High
Detects files opened without close or context manager. Exhausts file descriptors causing "too many open files" errors.
CWE-775
📝
Input Validation
3 categories
Injection and Fuzzing
Critical
Detects input handling without sanitization or validation. Enables injection attacks and undefined behavior from malformed input.
Boundary Testing
High
Detects missing edge case handling: empty arrays, max integers, zero values, negative numbers. Off-by-one errors and overflows.
Null and Undefined
High
Detects operations on potentially null/undefined values. Runtime crashes from "cannot read property of undefined".
CWE-476