Detections
Analytics
OpenAPI Unencrypted Traffic Allowed
high Web App Scanning Plugin ID 113143
Language:
Synopsis
OpenAPI Unencrypted Traffic AllowedDescription
OpenAPI specification is an API description format for REST APIs. An OpenAPI file is written in YAML or JSON and describes all the API properties like the available endpoints with the related operations or the authentication methods.As for web applications, allowing unencrypted protocols to access an API leaves it open to Man in the Middle attacks (MITM), impacting both the confidentiality and the integrity of the traffic. The scanner analyzed an OpenAPI file and detected the lack of encryption in the API endpoints URL used.
Solution
Ensure that the API endpoints are only available through an encryption based protocol (HTTPS or WebSocket Secure (WSS)) and update the OpenAPI specifications.See Also
https://swagger.io/docs/specification/2-0/api-host-and-base-path/
https://swagger.io/docs/specification/api-host-and-base-path/
https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
Plugin Details
Severity: High
ID: 113143
Type: remote
Family: SSL/TLS
Published: 2/16/2022
Updated: 3/28/2023
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 7.1
Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N
CVSS Score Source: Tenable
CVSS v3
Risk Factor: High
Base Score: 7.4
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score Source: Tenable
CVSS v4
Risk Factor: High
Base Score: 7.6
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CVSS Score Source: Tenable
Reference Information
CWE: 319
OWASP: 2010-A9, 2013-A6, 2017-A3, 2021-A2
WASC: Insufficient Transport Layer Protection
DISA STIG: APSC-DV-000170
HIPAA: 164.312(a), 164.312(e)
ISO: 27001-A.10.1.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.18.1.5
NIST: sp800_53-SC-13
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-9.1.1
PCI-DSS: 3.2-6.5.4