Undefined Scope 'securityScheme' On Global 'security' Field

  • Query id: 23a9e2d9-8738-4556-a71c-2802b6ffa022
  • Query name: Undefined Scope 'securityScheme' On Global 'security' Field
  • Platform: OpenAPI
  • Severity: Low
  • Category: Access Control
  • URL: Github

Description

Using an scope on global security field that is undefined on 'securityScheme' can be defined by an attacker
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response",
            "content": {
              "application/json": null
            }
          }
        }
      }
    }
  },
  "security": {
    "oAuth2AuthCodeNeg2": [
      "read:api",
      "error:api"
    ]
  },
  "components": {
    "securitySchemes": {
      "oAuth2AuthCodeNeg2": {
        "type": "oauth2",
        "description": "For more information, see https://api.my.company.com/docs/oauth",
        "flows": {
          "authorizationCode": {
            "authorizationUrl": "https://api.my.company.com/oauth/authorize",
            "tokenUrl": "https://api.my.company.com/oauth/token",
            "scopes": {
              "read:api": "read your apis",
              "admin:api": "admin scope"
            }
          },
          "password": {
            "tokenUrl": "https://api.my.company.com/oauth/token",
            "scopes": {
              "write:api": "write your apis"
            }
          }
        }
      }
    }
  }
}
Postitive test num. 2 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response",
            "content": {
              "application/json": null
            }
          }
        }
      }
    }
  },
  "security": [
    {
      "oAuth2AuthCodeNeg2": [
        "error:api",
        "write:api"
      ]
    }
  ],
  "components": {
    "securitySchemes": {
      "oAuth2AuthCodeNeg2": {
        "type": "oauth2",
        "description": "For more information, see https://api.my.company.com/docs/oauth",
        "flows": {
          "authorizationCode": {
            "authorizationUrl": "https://api.my.company.com/oauth/authorize",
            "tokenUrl": "https://api.my.company.com/oauth/token",
            "scopes": {
              "read:api": "read your apis",
              "admin:api": "admin scope"
            }
          },
          "password": {
            "tokenUrl": "https://api.my.company.com/oauth/token",
            "scopes": {
              "write:api": "write your apis"
            }
          }
        }
      }
    }
  }
}
Postitive test num. 3 - yaml file
openapi: 3.0.0
info:
  title: Simple API overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        '200':
          description: 200 response
          content:
            application/json:
security:
  oAuth2AuthCodeNeg2:
  - read:api
  - error:api
components:
  securitySchemes:
    oAuth2AuthCodeNeg2:
      type: oauth2
      description: For more information, see https://api.my.company.com/docs/oauth
      flows:
        authorizationCode:
          authorizationUrl: https://api.my.company.com/oauth/authorize
          tokenUrl: https://api.my.company.com/oauth/token
          scopes:
            read:api: read your apis
            admin:api: admin scope
        password:
          tokenUrl: https://api.my.company.com/oauth/token
          scopes:
            write:api: write your apis

Postitive test num. 4 - yaml file
openapi: 3.0.0
info:
  title: Simple API overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        '200':
          description: 200 response
          content:
            application/json:
security:
- oAuth2AuthCodeNeg2:
  - error:api
  - write:api
components:
  securitySchemes:
    oAuth2AuthCodeNeg2:
      type: oauth2
      description: For more information, see https://api.my.company.com/docs/oauth
      flows:
        authorizationCode:
          authorizationUrl: https://api.my.company.com/oauth/authorize
          tokenUrl: https://api.my.company.com/oauth/token
          scopes:
            read:api: read your apis
            admin:api: admin scope
        password:
          tokenUrl: https://api.my.company.com/oauth/token
          scopes:
            write:api: write your apis

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response",
            "content": {
              "application/json": null
            }
          }
        }
      }
    }
  },
  "security": [
    {
      "oAuth2AuthCodeNeg2": [
        "read:api",
        "write:api"
      ]
    }
  ],
  "components": {
    "securitySchemes": {
      "oAuth2AuthCodeNeg2": {
        "type": "oauth2",
        "description": "For more information, see https://api.my.company.com/docs/oauth",
        "flows": {
          "authorizationCode": {
            "authorizationUrl": "https://api.my.company.com/oauth/authorize",
            "tokenUrl": "https://api.my.company.com/oauth/token",
            "scopes": {
              "read:api": "read your apis",
              "admin:api": "admin scope"
            }
          },
          "password": {
            "tokenUrl": "https://api.my.company.com/oauth/token",
            "scopes": {
              "write:api": "write your apis"
            }
          }
        }
      }
    }
  }
}
Negative test num. 2 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response",
            "content": {
              "application/json": null
            }
          }
        }
      }
    }
  },
  "security": {
    "oAuth2AuthCodeNeg2": [
      "read:api",
      "write:api"
    ]
  },
  "components": {
    "securitySchemes": {
      "oAuth2AuthCodeNeg2": {
        "type": "oauth2",
        "description": "For more information, see https://api.my.company.com/docs/oauth",
        "flows": {
          "authorizationCode": {
            "authorizationUrl": "https://api.my.company.com/oauth/authorize",
            "tokenUrl": "https://api.my.company.com/oauth/token",
            "scopes": {
              "read:api": "read your apis",
              "admin:api": "admin scope"
            }
          },
          "password": {
            "tokenUrl": "https://api.my.company.com/oauth/token",
            "scopes": {
              "write:api": "write your apis"
            }
          }
        }
      }
    }
  }
}
Negative test num. 3 - yaml file
openapi: 3.0.0
info:
  title: Simple API overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        '200':
          description: 200 response
          content:
            application/json:
security:
- oAuth2AuthCodeNeg2:
  - read:api
  - write:api
components:
  securitySchemes:
    oAuth2AuthCodeNeg2:
      type: oauth2
      description: For more information, see https://api.my.company.com/docs/oauth
      flows:
        authorizationCode:
          authorizationUrl: https://api.my.company.com/oauth/authorize
          tokenUrl: https://api.my.company.com/oauth/token
          scopes:
            read:api: read your apis
            admin:api: admin scope
        password:
          tokenUrl: https://api.my.company.com/oauth/token
          scopes:
            write:api: write your apis

Negative test num. 4 - yaml file
openapi: 3.0.0
info:
  title: Simple API overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        '200':
          description: 200 response
          content:
            application/json:
security:
  oAuth2AuthCodeNeg2:
  - read:api
  - write:api
components:
  securitySchemes:
    oAuth2AuthCodeNeg2:
      type: oauth2
      description: For more information, see https://api.my.company.com/docs/oauth
      flows:
        authorizationCode:
          authorizationUrl: https://api.my.company.com/oauth/authorize
          tokenUrl: https://api.my.company.com/oauth/token
          scopes:
            read:api: read your apis
            admin:api: admin scope
        password:
          tokenUrl: https://api.my.company.com/oauth/token
          scopes:
            write:api: write your apis