Node.Security

Security Audit of Lightgallery.js

ISGroup SRL performed an automated Code Review (not a real Static Analysis, more a grep-on-steroid) of this NodeJS project in order to identify potential security vulnerabilities. We do not guarantee that all the findings are valid, and for sure there are plenty of false-positives and false-negatives (undetected issues) but it's free and your project could benefit from this security analisys. The following data is also available in JSON format!

Possible Security Issues
Issue Description Line File
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 7 demo/js/lg-zoom.min.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 99 demo/js/lg-pager.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 7 demo/js/lightgallery.min.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 87 demo/js/lg-share.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 395 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 410 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 461 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 485 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 534 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 570 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 905 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1009 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1053 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1088 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1092 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1145 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1177 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1291 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1309 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1557 demo/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 92 demo/js/lg-zoom.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 172 demo/js/lg-zoom.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 197 demo/js/lg-zoom.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 7 demo/js/lg-autoplay.min.js
Server Side Injection(SSI) - setInterval() User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 7 demo/js/lg-autoplay.min.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 7 demo/js/lg-thumbnail.min.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 7 demo/js/lg-pager.min.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 7 demo/js/lg-share.min.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 88 demo/js/lg-thumbnail.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 241 demo/js/lg-thumbnail.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 259 demo/js/lg-thumbnail.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 135 demo/js/lg-autoplay.js
Server Side Injection(SSI) - setInterval() User controlled data in 'setInterval()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 180 demo/js/lg-autoplay.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 181 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 196 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 251 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 275 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 338 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 374 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 713 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 819 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 863 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 898 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 902 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 958 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 990 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1104 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1122 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1379 src/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 7 dist/js/lightgallery.min.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 395 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 410 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 461 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 485 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 534 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 570 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 905 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1009 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1053 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1088 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1092 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1145 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1177 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1291 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1309 dist/js/lightgallery.js
Server Side Injection(SSI) - setTimeout() User controlled data in 'setTimeout()' can result in Server Side Injection (SSI) or Remote Code Execution (RCE). 1557 dist/js/lightgallery.js
Missing Security Features
Issue Description
Missing Security Header - X-Frame-Options (XFO) X-Frame-Options (XFO) header provides protection against Clickjacking attacks.
Missing Security Header - Content-Security-Policy (CSP) Content Security Policy (CSP), a mechanism web applications can use to mitigate a broad class of content injection vulnerabilities, such as cross-site scripting (XSS). CSP Header was not found.
Missing Security Header - Strict-Transport-Security (HSTS) Strict-Transport-Security (HSTS) header enforces secure (HTTP over SSL/TLS) connections to the server.
Missing 'httpOnly' in Cookie JavaScript can access Cookies if they are not marked httpOnly.
Infromation Disclosure - X-Powered-By Remove the X-Powered-By header to prevent information gathering.
Missing Security Header - X-Content-Type-Options X-Content-Type-Options header prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type.
Missing Security Header - X-Download-Options: noopen X-Download-Options header set to noopen prevents IE users from directly opening and executing downloads in your site's context.
Missing Security Header - X-XSS-Protection:1 X-XSS-Protection header set to 1 enables the Cross-site scripting (XSS) filter built into most recent web browsers.
Missing Security Header - Public-Key-Pins (HPKP) Public-Key-Pins (HPKP) ensures that certificate is Pinned.
Outdated Libraries
File Library Reference