Global Security Field Is Undefined (v3)
- Query id: 8af270ce-298b-4405-9922-82a10aee7a4f
- Query name: Global Security Field Is Undefined (v3)
- Platform: OpenAPI
- Severity: High
- Category: Access Control
- CWE: 284
- URL: Github
Description¶
Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - json file
{
"openapi": "3.0.0",
"info": {
"title": "Simple API overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"description": "200 response",
"content": {
"application/json": {
"examples": {
"foo": {
"value": {
"versions": [
{
"status": "CURRENT",
"updated": "2011-01-21T11:33:21Z",
"id": "v2.0",
"links": [
{
"href": "http://127.0.0.1:8774/v2/",
"rel": "self"
}
]
}
]
}
}
}
}
}
}
}
}
}
}
}
Positive test num. 2 - yaml file
openapi: 3.0.0
info:
title: Simple API overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
'200':
description: 200 response
content:
application/json:
examples:
foo:
value:
versions:
- status: CURRENT
updated: '2011-01-21T11:33:21Z'
id: v2.0
links:
- href: http://127.0.0.1:8774/v2/
rel: self
Positive test num. 3 - json file
{
"swagger": "2.0",
"info": {
"title": "Simple API overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"description": "200 response"
}
}
}
}
}
}
Positive test num. 4 - yaml file
Code samples without security vulnerabilities¶
Negative test num. 1 - json file
{
"openapi": "3.0.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"description": "200 response",
"content": {
"application/json": {
"examples": {
"foo": {
"value": {
"versions": [
{
"status": "CURRENT",
"updated": "2011-01-21T11:33:21Z",
"id": "v2.0",
"links": [
{
"href": "http://127.0.0.1:8774/v2/",
"rel": "self"
}
]
}
]
}
}
}
}
}
}
}
}
}
},
"security": [
{
"petstore_auth": [
"write:pets",
"read:pets"
]
}
]
}
Negative test num. 2 - yaml file
openapi: 3.0.0
info:
title: Simple API Overview
version: 1.0.0
paths:
"/":
get:
operationId: listVersionsv2
summary: List API versions
responses:
"200":
description: 200 response
content:
application/json:
examples:
foo:
value:
versions:
- status: CURRENT
updated: "2011-01-21T11:33:21Z"
id: v2.0
links:
- href: http://127.0.0.1:8774/v2/
rel: self
security:
- petstore_auth:
- write:pets
- read:pets
Negative test num. 3 - json file
{
"swagger": "2.0",
"info": {
"title": "Simple API Overview",
"version": "1.0.0"
},
"paths": {
"/": {
"get": {
"operationId": "listVersionsv2",
"summary": "List API versions",
"responses": {
"200": {
"description": "200 response"
}
}
}
}
},
"security": [
{
"petstore_auth": [
"write:pets",
"read:pets"
]
}
]
}