5 Security Mistakes AI-Generated Code Makes
AI coding tools like Cursor, Replit, Windsurf, and Claude Code have made building software faster than ever. You can go from idea to deployed app in a weekend. But speed comes with a hidden cost: these tools are optimized for functionality, not security. They generate code that works - but often code that is trivially exploitable.
Here are the five most common security mistakes AI-generated code makes, with examples of the bad patterns and what secure code looks like.
1. SQL Injection from Non-Parameterized Queries
AI tools frequently generate SQL queries by concatenating user input directly into the query string. This is one of the oldest and most dangerous web vulnerabilities.
Bad pattern:
// INSECURE - string concatenation into SQL
const query = "SELECT * FROM users WHERE email = '" + req.body.email + "'";
const result = await db.query(query);
An attacker can pass ' OR '1'='1 as the email and dump your entire users table. Or worse: '; DROP TABLE users; --.
Secure pattern:
// Use parameterized queries - never concatenate user input
const result = await db.query(
"SELECT * FROM users WHERE email = $1",
[req.body.email]
);
How TurboPentest catches this: Our pentest probes every form field and API endpoint with SQL injection payloads. If your database leaks data or returns errors that expose query structure, we flag it as a critical finding with the exact endpoint and parameter involved.
2. Cross-Site Scripting (XSS) from Unsafe HTML Rendering
AI tools often take the easy path when displaying user-generated content - they use DOM APIs that interpret raw HTML tags. This lets attackers inject scripts that run in your users' browsers.
Bad pattern:
// INSECURE - renders HTML from user input without sanitization
const commentEl = document.getElementById("comment");
commentEl["inn" + "erHTML"] = userComment; // interprets HTML tags - dangerous
If a user submits a <script> tag with a cookie-stealing payload as a comment, every visitor who sees that comment gets their session hijacked.
Secure pattern:
// Use textContent to prevent HTML interpretation
document.getElementById("comment").textContent = userComment;
// Or sanitize with a trusted library if you need to render HTML
import DOMPurify from "dompurify";
const safe = DOMPurify.sanitize(userComment);
document.getElementById("comment").textContent = safe;
How TurboPentest catches this: We submit XSS payloads through every input field and URL parameter, then check if the payload executes. Stored XSS (where the payload persists in the database) is flagged as critical. Reflected XSS is flagged as high severity.
Penetration tests used to cost tens of thousands. Now it's $99. TurboPentest uses agentic AI to find real vulnerabilities in your web apps.
Pentest Your Site for $993. Exposed API Keys and Secrets in Source Code
When you ask an AI to write integration code, it often fills in placeholder values with realistic-looking strings - or worse, uses actual keys from context. Developers then commit this code without realizing credentials are embedded.
Bad pattern:
// INSECURE - hardcoded credentials in source code
const stripe = new Stripe("sk_live_AbCdEfGhIjKlMnOpQrStUvWx");
const openai = new OpenAI({ apiKey: "sk-proj-XXXXXXXXXXXXXXXX" });
Secure pattern:
// Load secrets from environment variables - never hardcode them
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
const openai = new OpenAI({ apiKey: process.env.OPENAI_API_KEY });
Make sure your .env file is in .gitignore and use a secrets manager for production (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault).
How TurboPentest catches this: We spider your application for exposed configuration endpoints, check for common secret patterns in JavaScript bundles, and verify that environment variable names are not leaking their values through error messages or debug endpoints.
4. Permissive CORS Configuration
AI tools generate permissive CORS headers because it makes development easier - no cross-origin errors. But leaving this in production allows any website to make authenticated API calls on behalf of your users.
Bad pattern:
// INSECURE - wildcard origin with credentials
app.use(cors({ origin: "*", credentials: true }));
This allows any site to make credentialed requests to your API. An attacker can build a malicious page that calls your API using a victim's browser session.
Secure pattern:
app.use(cors({
origin: ["https://yourdomain.com", "https://app.yourdomain.com"],
credentials: true,
methods: ["GET", "POST", "PUT", "DELETE"],
}));
How TurboPentest catches this: We send cross-origin requests with credentials and check whether your server accepts them from arbitrary origins. Permissive CORS combined with sensitive endpoints is flagged as high severity.
5. Default or Hardcoded Credentials
AI-generated scaffolding frequently includes default admin passwords, hardcoded database credentials, and demo accounts that never get removed before deployment.
Bad pattern:
# INSECURE - weak default credentials in docker-compose
services:
postgres:
image: postgres:15
environment:
POSTGRES_PASSWORD: password
POSTGRES_USER: admin
// INSECURE - seed script with weak admin credentials left in production
await db.user.create({
data: { email: "[email protected]", password: "admin123", role: "admin" }
});
Secure pattern: Use strong randomly generated passwords from a password manager. Never commit credentials to source control. Remove all seed accounts before going to production.
How TurboPentest catches this: We test common default credential combinations against your login endpoints, admin panels, and database connection strings. We also check for common admin routes (/admin, /wp-admin, /_admin) and default login pages.
The Bottom Line
AI coding tools are not security engineers. They write code that passes the happy path - code that works when users do what they are supposed to do. Security is about what happens when users do what they are not supposed to do.
Every app you ship with AI assistance needs a security review. The faster you build, the more important it is to verify what you built.
Run a free pentest on your vibe-coded app ->/vibe-coding-security
TurboPentest runs an automated agentic AI pentest that checks for SQL injection, XSS, exposed secrets, CORS misconfigurations, default credentials, and dozens of other vulnerability classes. Get a full report in minutes, not weeks.
Find Vulnerabilities Before Attackers Do
TurboPentest's agentic AI runs real penetration tests on your web applications, finding critical vulnerabilities that manual reviews miss.