OpenAPI Missing MIME Types

medium Web App Scanning Plugin ID 113170

Synopsis

OpenAPI Missing MIME Types

Description

OpenAPI specification is an API description format for REST APIs. An OpenAPI file is written in YAML or JSON and describes all the API properties like the available endpoints with the related operations or the authentication methods.

The `consumes` field defines the expected data types for `POST`, `PUT` or `PATCH` requests. When missing in the definition, the API implementation could potentially accept any data type, leaving it open to server-side vulnerabilities like SQL or XML External Entities (XXE) injections.

The `produces` field defines the MIME type of the response returned by the API. When missing, the API implementation could potentially respond with any data type, leaving it open to arbitrary data leaks or client-side attacks like Cross-Site Scripting (XSS).

The scanner analyzed an OpenAPI definition file (version 2) and detected the lack of either the `consumes` or the `produces` fields.

Solution

Specify the `consumes` and `produces` fields with supported MIME types in the OpenAPI description according to the specification. Ensure that the API implementation follows the description and does not accept other MIME types.

See Also

https://swagger.io/docs/specification/2-0/mime-types/

Plugin Details

Severity: Medium

ID: 113170

Type: remote

Published: 4/21/2022

Updated: 4/21/2022

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.0

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 20

OWASP: 2010-A4, 2013-A4, 2017-A5, 2021-A3

WASC: Improper Input Handling

CAPEC: 10, 101, 104, 108, 109, 110, 120, 13, 135, 136, 14, 153, 182, 209, 22, 23, 230, 231, 24, 250, 261, 267, 28, 3, 31, 42, 43, 45, 46, 47, 473, 52, 53, 588, 63, 64, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-002560

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-5.1.3

PCI-DSS: 3.2-6.5