OpenAPI Permissive Input Validation

medium Web App Scanning Plugin ID 113258

Synopsis

OpenAPI Permissive Input Validation

Description

The OpenAPI Specification is an API description format for REST APIs. An OpenAPI file is written in YAML or JSON and describes the properties of the API, such as the available endpoints with their operations and the authentication methods.

The `Schema` object allows the definition of input and output data types, which can be objects, primitives or arrays. When constraint properties are missing from the data types declared in the definition file, the API implementation may accept malicious input formats, leaving it open to multiple vulnerabilities such as Denial of Service (DoS) or Remote Code Execution (RCE).

The scanner analyzed an OpenAPI definition file and detected that some of its data types lack such constraint properties.
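As an added example (not the plugin's own detection logic), the Python audit below walks the `components/schemas` section of a parsed OpenAPI 3.0 document and reports `Schema` objects that declare a type without the bounding keywords the description refers to. The sample document is constructed, and the set of keywords expected per type is an assumption of this example, not a rule from the specification.

```python
import json
# Constructed sample OpenAPI 3.0 document (not taken from the plugin page): "name" has
# no length limit, "age" no bounds, "tags" no item limit, and User accepts extra members.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.2",
  "components": {"schemas": {"User": {
    "type": "object",
    "properties": {
      "name":  {"type": "string"},
      "email": {"type": "string", "format": "email", "maxLength": 254},
      "age":   {"type": "integer"},
      "tags":  {"type": "array", "items": {"type": "string", "maxLength": 32}}
    }
  }}}
}
""")

# Constraint keywords a Schema object of each type should declare (assumed set);
# without them the backend has no declared bound to enforce on that value.
EXPECTED_BY_TYPE = {
    "string": ("maxLength",),
    "integer": ("minimum", "maximum"),
    "number": ("minimum", "maximum"),
    "array": ("maxItems",),
}
def find_permissive(schema, path):
    """Walk one Schema object; return (JSON pointer, missing keyword) pairs."""
    findings = []
    if not isinstance(schema, dict):
        return findings
    for keyword in EXPECTED_BY_TYPE.get(schema.get("type"), ()):
        if keyword not in schema:
            findings.append((path, keyword))
    # An object without additionalProperties (or with it set to true) accepts any extra member.
    if schema.get("type") == "object" and schema.get("additionalProperties", True) is True:
        findings.append((path, "additionalProperties"))
    for name, sub in schema.get("properties", {}).items():
        findings += find_permissive(sub, f"{path}/properties/{name}")
    if "items" in schema:
        findings += find_permissive(schema["items"], f"{path}/items")
    return findings

def audit_spec(spec):
    """Audit every schema under components/schemas of a parsed OpenAPI document."""
    findings = []
    for name, schema in spec.get("components", {}).get("schemas", {}).items():
        findings += find_permissive(schema, f"#/components/schemas/{name}")
    return findings
```

Each finding is a JSON pointer to the offending schema plus the keyword to add; `email` and the `tags` items pass because they already carry `maxLength`.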

Solution

Ensure that the missing properties are declared in the OpenAPI definition file according to the file specification and that the API backend enforces the validation of these properties on the inputs.

See Also

https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject

Plugin Details

Severity: Medium

ID: 113258

Type: remote

Published: 6/28/2022

Updated: 10/5/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS Score Source: Tenable

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: Tenable

Reference Information

CWE: 20

OWASP: 2010-A4, 2013-A4, 2017-A5, 2021-A3

WASC: Improper Input Handling

CAPEC: 10, 101, 104, 108, 109, 110, 120, 13, 135, 136, 14, 153, 182, 209, 22, 23, 230, 231, 24, 250, 261, 267, 28, 3, 31, 42, 43, 45, 46, 47, 473, 52, 53, 588, 63, 64, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9

DISA STIG: APSC-DV-002560

HIPAA: 164.306(a)(1), 164.306(a)(2)

ISO: 27001-A.14.2.5

NIST: sp800_53-SI-10

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-5.1.3

PCI-DSS: 3.2-6.5