OpenAPI Unencrypted Traffic Allowed

Severity: High | Web App Scanning Plugin ID 113143

Synopsis

OpenAPI Unencrypted Traffic Allowed

Description

The OpenAPI Specification is a description format for REST APIs. An OpenAPI document is written in YAML or JSON and describes the API's properties: the available endpoints and the operations they support, the request and response schemas, the security schemes used for authentication, and the servers through which the API is reached (the `servers` list in OpenAPI 3.x, or `host`, `basePath` and `schemes` in OpenAPI 2.0).

As with web applications, allowing an API to be reached over an unencrypted protocol (http:// or ws://) exposes its traffic to man-in-the-middle (MITM) attacks that compromise both the confidentiality and the integrity of requests and responses, including any credentials or tokens they carry. The scanner analyzed an OpenAPI document and found that at least one of the endpoint URLs it declares (an entry in the `schemes` list for OpenAPI 2.0, or a `servers` URL for OpenAPI 3.x) permits unencrypted transport.

Solution

Ensure that the API endpoints are reachable only over an encrypted protocol (HTTPS, or WebSocket Secure (WSS) for WebSocket endpoints): disable the plain http:// and ws:// listeners on the server, and update the OpenAPI document so that its `schemes` list (OpenAPI 2.0) or `servers` URLs (OpenAPI 3.x) declare only https:// and wss://. A specification that still advertises an http:// server will keep producing generated clients that use it, even after the server itself has been hardened.
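The check described in the Description, together with the weak and corrected documents from the Solution, as an added example. This is not the plugin's own code and not Tenable's detection logic; it assumes the documents are in JSON (OpenAPI also allows YAML, which would need a YAML loader), and the sample specifications, hostnames and paths are constructed for illustration. It goes slightly beyond the text by also expanding OpenAPI 3.x server variables, so a template such as `{scheme}://api.example.com` whose enum includes `http` is caught even though its default is `https`.

```python
"""Flag OpenAPI 2.0 / 3.x documents that allow cleartext (http:// or ws://) transport.

Added example, not the scanner plugin's code. Sample specs are constructed.
"""
import itertools
import json
from urllib.parse import urlsplit

CLEARTEXT_SCHEMES = {"http", "ws"}
HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def expand_server_urls(server):
    """Expand an OpenAPI 3.x server object into every concrete URL it allows.

    Each variable contributes its enum values when it has an enum, otherwise its
    default, so "{scheme}://h" with enum [http, https] yields both URLs.
    """
    template = server.get("url", "")
    variables = server.get("variables") or {}
    names = list(variables)
    choices = [
        [str(v) for v in (variables[n].get("enum") or [variables[n].get("default", "")])]
        for n in names
    ]
    urls = []
    for combo in itertools.product(*choices):  # one empty tuple when there are no variables
        url = template
        for name, value in zip(names, combo):
            url = url.replace("{" + name + "}", value)
        urls.append(url)
    return urls


def _operations(path_item):
    """Yield (method, operation) pairs for the HTTP methods present in a path item."""
    for method in HTTP_METHODS:
        if isinstance(path_item.get(method), dict):
            yield method, path_item[method]


def find_cleartext_transport(spec):
    """Return sorted (location, value) pairs where the document permits cleartext transport.

    OpenAPI 2.0: the global `schemes` list and per-operation overrides.
    OpenAPI 3.x: `servers` at document, path and operation level. A relative
    server URL (no scheme) inherits the scheme the document was served from
    and cannot be judged from the file alone, so it is not flagged here.
    """
    findings = []
    paths = spec.get("paths") or {}

    if "swagger" in spec:
        # An absent `schemes` means "the scheme used to fetch this document";
        # only explicit entries can be judged offline.
        for s in spec.get("schemes") or []:
            if s.lower() in CLEARTEXT_SCHEMES:
                findings.append(("schemes", s))
        for path, item in paths.items():
            for method, op in _operations(item):
                for s in op.get("schemes") or []:
                    if s.lower() in CLEARTEXT_SCHEMES:
                        findings.append((f"paths.{path}.{method}.schemes", s))
        return sorted(findings)

    def check_servers(location, servers):
        for i, server in enumerate(servers or []):
            for url in expand_server_urls(server):
                if urlsplit(url).scheme.lower() in CLEARTEXT_SCHEMES:
                    findings.append((f"{location}[{i}]", url))

    check_servers("servers", spec.get("servers"))
    for path, item in paths.items():
        check_servers(f"paths.{path}.servers", item.get("servers"))
        for method, op in _operations(item):
            check_servers(f"paths.{path}.{method}.servers", op.get("servers"))
    return sorted(findings)


# Constructed sample: the weak OpenAPI 3.x document the plugin would flag.
WEAK_SPEC_V3 = json.loads("""{
  "openapi": "3.0.3",
  "info": {"title": "Example API", "version": "1.0"},
  "servers": [
    {"url": "http://api.example.com/v1"},
    {"url": "{scheme}://api.example.com/v1",
     "variables": {"scheme": {"default": "https", "enum": ["http", "https"]}}}
  ],
  "paths": {"/events": {"get": {
    "servers": [{"url": "ws://events.example.com"}],
    "responses": {"200": {"description": "ok"}}}}}
}""")

# Constructed sample: the same document after the fix, TLS-only transport.
FIXED_SPEC_V3 = json.loads("""{
  "openapi": "3.0.3",
  "info": {"title": "Example API", "version": "1.0"},
  "servers": [
    {"url": "https://api.example.com/v1"},
    {"url": "{scheme}://api.example.com/v1",
     "variables": {"scheme": {"default": "https", "enum": ["https"]}}}
  ],
  "paths": {"/events": {"get": {
    "servers": [{"url": "wss://events.example.com"}],
    "responses": {"200": {"description": "ok"}}}}}
}""")

# Constructed sample: the OpenAPI 2.0 form of the same weakness.
WEAK_SPEC_V2 = {"swagger": "2.0", "info": {"title": "Example API", "version": "1.0"},
                "host": "api.example.com", "basePath": "/v1",
                "schemes": ["http", "https"], "paths": {}}

if __name__ == "__main__":
    for name, spec in (("weak v3", WEAK_SPEC_V3), ("fixed v3", FIXED_SPEC_V3), ("weak v2", WEAK_SPEC_V2)):
        print(name, find_cleartext_transport(spec))
```

Run the file directly to see the three verdicts; in a CI pipeline, fail the build when `find_cleartext_transport` returns anything for the published specification, so the document cannot drift back to advertising an http:// server after the listener has been closed.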

See Also

https://swagger.io/docs/specification/2-0/api-host-and-base-path/

https://swagger.io/docs/specification/api-host-and-base-path/

https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

Plugin Details

Severity: High

ID: 113143

Type: remote

Family: SSL/TLS

Published: 2/16/2022

Updated: 3/28/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.1

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: High

Base Score: 7.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS Score Source: Tenable

Reference Information