Global Security Field Is Undefined (v3)

  • Query id: 8af270ce-298b-4405-9922-82a10aee7a4f
  • Query name: Global Security Field Is Undefined (v3)
  • Platform: OpenAPI
  • Severity: High
  • Category: Access Control
  • CWE: 284
  • URL: Github

Description

Global security field should be defined to prevent API to have insecure paths and have this rules defined on securitySchemes
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response",
            "content": {
              "application/json": {
                "examples": {
                  "foo": {
                    "value": {
                      "versions": [
                        {
                          "status": "CURRENT",
                          "updated": "2011-01-21T11:33:21Z",
                          "id": "v2.0",
                          "links": [
                            {
                              "href": "http://127.0.0.1:8774/v2/",
                              "rel": "self"
                            }
                          ]
                        }
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
Positive test num. 2 - yaml file
openapi: 3.0.0
info:
  title: Simple API overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        '200':
          description: 200 response
          content:
            application/json:
              examples:
                foo:
                  value:
                    versions:
                    - status: CURRENT
                      updated: '2011-01-21T11:33:21Z'
                      id: v2.0
                      links:
                      - href: http://127.0.0.1:8774/v2/
                        rel: self
Positive test num. 3 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response"
          }
        }
      }
    }
  }
}

Positive test num. 4 - yaml file
swagger: "2.0"
info:
  title: Simple API overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          description: 200 response

Code samples without security vulnerabilities

Negative test num. 1 - json file
{
  "openapi": "3.0.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response",
            "content": {
              "application/json": {
                "examples": {
                  "foo": {
                    "value": {
                      "versions": [
                        {
                          "status": "CURRENT",
                          "updated": "2011-01-21T11:33:21Z",
                          "id": "v2.0",
                          "links": [
                            {
                              "href": "http://127.0.0.1:8774/v2/",
                              "rel": "self"
                            }
                          ]
                        }
                      ]
                    }
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "security": [
    {
      "petstore_auth": [
        "write:pets",
        "read:pets"
      ]
    }
  ]
}
Negative test num. 2 - yaml file
openapi: 3.0.0
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          description: 200 response
          content:
            application/json:
              examples:
                foo:
                  value:
                    versions:
                      - status: CURRENT
                        updated: "2011-01-21T11:33:21Z"
                        id: v2.0
                        links:
                          - href: http://127.0.0.1:8774/v2/
                            rel: self
security:
  - petstore_auth:
      - write:pets
      - read:pets
Negative test num. 3 - json file
{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "200 response"
          }
        }
      }
    }
  },
  "security": [
    {
      "petstore_auth": [
        "write:pets",
        "read:pets"
      ]
    }
  ]
}

Negative test num. 4 - yaml file
swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  "/":
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          description: 200 response
security:
  - petstore_auth:
      - write:pets
      - read:pets