Detections
Analytics
OpenAPI Permissive Input Validation
medium Web App Scanning Plugin ID 113258
Language:
Synopsis
OpenAPI Permissive Input ValidationDescription
OpenAPI specification is an API description format for REST APIs. An OpenAPI file is written in YAML or JSON and describes all the API properties like the available endpoints with the related operations or the authentication methods.The `Schema` object allows the definition of input and output data types which can be objects or primitives and arrays. When some data types properties are missing on objects specified in the definition file, the API implementation could potentially allow malicious input formats, leaving it open to multiple vulnerabilities like Denial of Service (DoS) or Remote Code Execution (RCE).
The scanner analyzed an OpenAPI definition file and detected the lack of properties on some data types.
Solution
Ensure that the missing properties are declared in the OpenAPI definition file according to the file specification and that the API backend enforces the validation of these properties on the inputs.See Also
https://github.com/OAI/OpenAPI-Specification/blob/main/versions/3.0.2.md#schemaObject
Plugin Details
Severity: Medium
ID: 113258
Type: remote
Family: Web Applications
Published: 6/28/2022
Updated: 10/5/2023
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 4.9
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS Score Source: Tenable
CVSS v3
Risk Factor: Medium
Base Score: 5.6
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Score Source: Tenable
Reference Information
CWE: 20
OWASP: 2010-A4, 2013-A4, 2017-A5, 2021-A3
WASC: Improper Input Handling
CAPEC: 10, 101, 104, 108, 109, 110, 120, 13, 135, 136, 14, 153, 182, 209, 22, 23, 230, 231, 24, 250, 261, 267, 28, 3, 31, 42, 43, 45, 46, 47, 473, 52, 53, 588, 63, 64, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9
DISA STIG: APSC-DV-002560
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-SI-10
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-5.1.3
PCI-DSS: 3.2-6.5