See Mikmbr In Action

Real vulnerable code examples with actual detection output. Every example below has been tested and verified to work.

CRITICAL

Server-Side Template Injection (SSTI)

Rule: TEMPLATE_INJECTION | CWE-94 | OWASP: A03:2021 - Injection
❌ Vulnerable Code
from jinja2 import Template
from flask import request

def render_page():
    user_input = request.args.get('template')
    template = Template(user_input)  # VULNERABLE!
    return template.render()
🔍 Mikmbr Detection
[CRITICAL] app.py:6
Rule: TEMPLATE_INJECTION
CWE: CWE-94
OWASP: A03:2021 - Injection
Potential SSTI: Template() with dynamic/user-controlled template string
Remediation: Never pass user input directly to Template(). Use predefined templates and render with safe context.
✅ Fixed Code
from flask import request, render_template

def render_page():
    user_name = request.args.get('name')
    # Use predefined template file
    return render_template('page.html', name=user_name)

Why This Is Critical

Server-Side Template Injection allows attackers to execute arbitrary code on your server. An attacker could send a malicious template like {{config.__class__.__init__.__globals__['os'].popen('ls').read()}} to run system commands.

Real-world impact: Complete server takeover, data theft, ransomware deployment.

HIGH

SQL Injection

Rule: SQL_INJECTION | CWE-89 | OWASP: A03:2021 - Injection
❌ Vulnerable Code
import sqlite3
from flask import request

def get_user():
    user_id = request.args.get('id')
    conn = sqlite3.connect('db.sqlite')
    cursor = conn.cursor()
    query = f"SELECT * FROM users WHERE id = {user_id}"
    cursor.execute(query)  # VULNERABLE!
    return cursor.fetchone()
🔍 Mikmbr Detection
[HIGH] app.py:8
Rule: SQL_INJECTION
CWE: CWE-89
OWASP: A03:2021 - Injection
Possible SQL injection: SQL query built with string concatenation/formatting
Remediation: Use parameterized queries with placeholders: cursor.execute('SELECT * FROM users WHERE id = ?', (user_id,))
✅ Fixed Code
import sqlite3
from flask import request

def get_user():
    user_id = request.args.get('id')
    conn = sqlite3.connect('db.sqlite')
    cursor = conn.cursor()
    # Use a parameterized query: the driver binds user_id as data, never as SQL
    cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
    return cursor.fetchone()

Why This Is Dangerous

SQL injection allows attackers to manipulate database queries. With input like 1 OR 1=1, attackers can bypass authentication or extract entire databases.

Real-world impact: Data breaches, authentication bypass, data deletion.

HIGH

Command Injection

Rule: COMMAND_INJECTION | CWE-78 | OWASP: A03:2021 - Injection
❌ Vulnerable Code
import subprocess
from flask import request

def list_files():
    directory = request.args.get('dir')
    # shell=True makes this vulnerable!
    result = subprocess.run(f"ls {directory}", shell=True)
    return result
🔍 Mikmbr Detection
[HIGH] app.py:7
Rule: COMMAND_INJECTION
CWE: CWE-78
OWASP: A03:2021 - Injection
subprocess call with shell=True is vulnerable to command injection
Remediation: Use shell=False (default) and pass command as a list: subprocess.run(['ls', directory])
✅ Fixed Code
import subprocess
from flask import request

def list_files():
    directory = request.args.get('dir')
    # Pass an argument list with the default shell=False: directory is a
    # single argv entry, so shell metacharacters in it are never interpreted
    result = subprocess.run(['ls', directory],
                            capture_output=True,
                            text=True)
    return result.stdout

Why This Is Dangerous

Command injection allows attackers to execute arbitrary system commands. Input like ; rm -rf / could delete your entire filesystem.

Real-world impact: Complete system compromise, ransomware, cryptocurrency mining.

HIGH

Hardcoded Secrets

Rule: HARDCODED_SECRET | CWE-798 | OWASP: A07:2021 - Identification and Authentication Failures
❌ Vulnerable Code
import requests

# Stripe API key hardcoded in source code
API_KEY = "sk_live_51HqT2KLm9N8pQr3X4vY5zW6aB7cD8eF"

def charge_customer(amount):
    headers = {"Authorization": f"Bearer {API_KEY}"}
    return requests.post("https://api.stripe.com/v1/charges",
                          headers=headers)
🔍 Mikmbr Detection
[HIGH] app.py:4
Rule: HARDCODED_SECRET
CWE: CWE-798
OWASP: A07:2021 - Identification and Authentication Failures
Hardcoded Stripe API Key detected in 'API_KEY'
Remediation: Store Stripe API Key in environment variables or a secrets manager. Never commit secrets to version control.
✅ Fixed Code
import os
import requests

# Load from environment variable
API_KEY = os.getenv('STRIPE_API_KEY')

def charge_customer(amount):
    if not API_KEY:
        raise ValueError("STRIPE_API_KEY not configured")
    headers = {"Authorization": f"Bearer {API_KEY}"}
    return requests.post("https://api.stripe.com/v1/charges",
                          headers=headers)

Why This Is Dangerous

Hardcoded secrets end up in version control (Git), CI/CD logs, and production deployments. Anyone with access to your code can use these credentials.

Real-world impact: Unauthorized API charges ($$$), account takeover, data breaches.

Verified Test Results

26 vulnerabilities detected (100% detection accuracy)
41 tests passing (87% test pass rate)
18 rules fully tested (75% coverage)
0 false positives (safe code not flagged)

Detection Breakdown

Real scan results from examples/showcase_examples.py

| Rule Type                | Detections | Test Status | Example                 |
|--------------------------|------------|-------------|-------------------------|
| TEMPLATE_INJECTION       | 3 found    | ✓ Tested    | Jinja2, Mako templates  |
| HARDCODED_SECRET         | 3 found    | ✓ Tested    | API keys, passwords     |
| WEAK_CRYPTO              | 3 found    | ✓ Tested    | MD5, SHA1 usage         |
| COMMAND_INJECTION        | 2 found    | ✓ Tested    | os.system, subprocess   |
| DANGEROUS_EXEC           | 2 found    | ✓ Tested    | eval(), exec()          |
| INSECURE_RANDOM          | 2 found    | ✓ Tested    | random module tokens    |
| LOG_INJECTION            | 2 found    | ✓ Tested    | Unescaped logging       |
| SQL_INJECTION            | 1 found    | ✓ Tested    | String concatenation    |
| SSRF                     | 1 found    | ✓ Tested    | User-controlled URLs    |
| PATH_TRAVERSAL           | 1 found    | ✓ Tested    | File path concat        |
| XXE                      | 1 found    | ✓ Tested    | Unsafe XML parsing      |
| TIMING_ATTACK            | 1 found    | ✓ Tested    | String comparison       |
| OPEN_REDIRECT            | 1 found    | ✓ Tested    | Unvalidated redirect    |
| INSECURE_DESERIALIZATION | 1 found    | ✓ Tested    | pickle.loads()          |
| BARE_EXCEPT              | 1 found    | ✓ Tested    | Empty except clause     |
| DEBUG_CODE               | 1 found    | ✓ Tested    | breakpoint()            |

How to Verify These Results

  1. Clone the repository: git clone https://github.com/tonybowen-me/Mikmbr.git
  2. Install Mikmbr: pip install -e .
  3. Scan the examples: mikmbr scan examples/showcase_examples.py
  4. Compare with our results: Check examples/scan_results.json
  5. Run the test suite: pytest tests/test_rule_matrix.py -v

Everything is publicly verifiable. No hidden test data.

Our Testing Methodology

✓ Positive Tests

We test that rules detect vulnerable code:

# Vulnerable code
result = eval(user_input)

# Mikmbr detects ✓
assert len(findings) == 1

✓ Negative Tests

We test that rules don't flag safe code:

# Safe code
result = ast.literal_eval(data)

# Mikmbr ignores ✓
assert len(findings) == 0
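To show how the three detection outputs above (TEMPLATE_INJECTION, SQL_INJECTION, COMMAND_INJECTION) and this positive/negative test pattern fit together, here is a minimal AST-based checker. It is an added illustration, not Mikmbr's own implementation: the matching heuristics, the `scan_source` function and the constructed `VULNERABLE` sample are assumptions made for this example.

```python
import ast

SUBPROCESS_CALLS = {"run", "call", "check_call", "check_output", "Popen"}

# Constructed sample input: the page's vulnerable patterns condensed into one handler.
VULNERABLE = '''\
import sqlite3, subprocess
from jinja2 import Template
def handler(user_id, directory, user_input):
    cursor = sqlite3.connect("db.sqlite").cursor()
    query = f"SELECT * FROM users WHERE id = {user_id}"
    cursor.execute(query)
    subprocess.run(f"ls {directory}", shell=True)
    return Template(user_input).render()
'''

def _is_built_string(node):
    """f-string, '+'/'%' formatting or str.format(): a string assembled at runtime."""
    if isinstance(node, (ast.JoinedStr, ast.BinOp)):
        return True
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")

def _callee(call):
    """Bare name of the called function: 'Template', 'execute', 'run', ..."""
    f = call.func
    return f.id if isinstance(f, ast.Name) else getattr(f, "attr", None)

def scan_source(source):
    """Return (rule, line) findings for the three illustrated rules, in source order."""
    tree = ast.parse(source)
    # Variables assigned a runtime-built string, e.g. query = f"... {user_id}"
    built = {t.id for n in ast.walk(tree) if isinstance(n, ast.Assign)
             and _is_built_string(n.value) for t in n.targets if isinstance(t, ast.Name)}
    findings = []
    for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        name = _callee(call)
        arg0 = call.args[0] if call.args else None
        if name == "Template" and arg0 is not None and not isinstance(arg0, ast.Constant):
            findings.append(("TEMPLATE_INJECTION", call.lineno))   # non-literal template
        elif name == "execute" and (_is_built_string(arg0) or
                                    isinstance(arg0, ast.Name) and arg0.id in built):
            findings.append(("SQL_INJECTION", call.lineno))        # query built by formatting
        elif name in SUBPROCESS_CALLS and any(kw.arg == "shell" and getattr(kw.value, "value", None)
                                              is True for kw in call.keywords):
            findings.append(("COMMAND_INJECTION", call.lineno))    # shell=True
    return sorted(findings, key=lambda f: f[1])
```

Running it on the constructed sample yields one finding per rule, while the parameterized query, the argument-list subprocess call and render_template() from the fixed code above produce none.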

All test code is publicly available on GitHub


Ready to Verify for Yourself?

Every detection is tested and verified. All results are reproducible.
