Undefined Scope 'securityDefinition' On 'security' Field On Operations

  • Query id: 3847280c-9193-40bc-8009-76168e822ce2
  • Query name: Undefined Scope 'securityDefinition' On 'security' Field On Operations
  • Platform: OpenAPI
  • Severity: Low
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

A scope referenced in an operation's 'security' field but not declared under 'securityDefinitions' can be defined by an attacker.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  /:
    get:
      operationId: listVersionsv2
      summary: List API versions
      security:
        - oAuth2AuthCodeNeg2:
            - read:api
            - error:api
      responses:
        "200":
          description: Success
securityDefinitions:
  oAuth2AuthCodeNeg2:
    type: oauth2
    description: For more information, see https://api.my.company.com/docs/oauth
    flow: authorizationCode
    authorizationUrl: https://api.my.company.com/oauth/authorize
    tokenUrl: https://api.my.company.com/oauth/token
    scopes:
      read:api: read your apis
Positive test num. 2 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "security": [
          {
            "oAuth2AuthCodeNeg2": [
              "read:api",
              "error:api"
            ]
          }
        ],
        "responses": {
          "200": {
            "description": "Success"
          }
        }
      }
    }
  },
  "securityDefinitions": {
    "oAuth2AuthCodeNeg2": {
      "type": "oauth2",
      "description": "For more information, see https://api.my.company.com/docs/oauth",
      "flow": "authorizationCode",
      "authorizationUrl": "https://api.my.company.com/oauth/authorize",
      "tokenUrl": "https://api.my.company.com/oauth/token",
      "scopes": {
        "read:api": "read your apis"
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  /:
    get:
      operationId: listVersionsv2
      summary: List API versions
      security:
        - oAuth2AuthCodeNeg2:
            - read:api
      responses:
        "200":
          description: Success
securityDefinitions:
  oAuth2AuthCodeNeg2:
    type: oauth2
    description: For more information, see https://api.my.company.com/docs/oauth
    flow: authorizationCode
    authorizationUrl: https://api.my.company.com/oauth/authorize
    tokenUrl: https://api.my.company.com/oauth/token
    scopes:
      read:api: read your apis
Negative test num. 2 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "security": [
          {
            "oAuth2AuthCodeNeg2": [
              "read:api"
            ]
          }
        ],
        "responses": {
          "200": {
            "description": "Success"
          }
        }
      }
    }
  },
  "securityDefinitions": {
    "oAuth2AuthCodeNeg2": {
      "type": "oauth2",
      "description": "For more information, see https://api.my.company.com/docs/oauth",
      "flow": "authorizationCode",
      "authorizationUrl": "https://api.my.company.com/oauth/authorize",
      "tokenUrl": "https://api.my.company.com/oauth/token",
      "scopes": {
        "read:api": "read your apis"
      }
    }
  }
}
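The check this query performs, as an added example that is not part of the KICS query itself: it walks every operation's 'security' requirements and reports scopes missing from the matching 'securityDefinitions' entry. The embedded spec is a constructed, trimmed copy of the positive test above; `undefined_scopes` and `declare_scope` are names chosen here, not KICS functions.

```python
import json

# Constructed sample, trimmed from the page's positive test: the operation asks
# for "error:api", but the oauth2 definition only declares "read:api".
SPEC = json.loads("""{
  "swagger": "2.0",
  "paths": {"/": {"get": {"operationId": "listVersionsv2",
    "security": [{"oAuth2AuthCodeNeg2": ["read:api", "error:api"]}]}}},
  "securityDefinitions": {"oAuth2AuthCodeNeg2": {"type": "oauth2",
    "flow": "authorizationCode",
    "authorizationUrl": "https://api.my.company.com/oauth/authorize",
    "tokenUrl": "https://api.my.company.com/oauth/token",
    "scopes": {"read:api": "read your apis"}}}
}""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def undefined_scopes(spec):
    """Return (path, method, scheme, scope) for each scope that an operation's
    'security' requirement references but its securityDefinitions entry does
    not declare. Unknown scheme names are skipped: that is a different defect."""
    definitions = spec.get("securityDefinitions", {})
    findings = []
    for path, path_item in spec.get("paths", {}).items():
        for method, operation in path_item.items():
            if method not in HTTP_METHODS or not isinstance(operation, dict):
                continue
            # An operation-level 'security' list overrides the root-level one.
            requirements = operation.get("security", spec.get("security", []))
            for requirement in requirements:
                for scheme, scopes in requirement.items():
                    if scheme not in definitions:
                        continue
                    # Non-oauth2 schemes declare no scopes, so any scope listed
                    # against them is undefined as well.
                    declared = set(definitions[scheme].get("scopes", {}))
                    for scope in scopes:
                        if scope not in declared:
                            findings.append((path, method, scheme, scope))
    return findings


def declare_scope(spec, scheme, scope, description):
    """Remediation: return a copy of spec with `scope` declared on `scheme`,
    so the requirement names a documented scope rather than an undefined one."""
    fixed = json.loads(json.dumps(spec))  # deep copy without extra imports
    fixed["securityDefinitions"][scheme].setdefault("scopes", {})[scope] = description
    return fixed
```

The negative test above resolves the finding the other way, by dropping the undeclared scope from the operation; both leave `undefined_scopes` empty.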