Undefined Scope 'securityDefinition' On Global 'security' Field

Query id: 9aa6e95c-d964-4239-a3a8-9f37a3c5a31f
Query name: Undefined Scope 'securityDefinition' On Global 'security' Field
Platform: OpenAPI
Severity: Low
Category: Access Control
URL: Github

Description¶

Using an scope on global security field that is undefined on 'securityDefinitions' can be defined by an attacker
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  /:
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          description: Success
securityDefinitions:
  oAuth2AuthCodeNeg2:
    type: oauth2
    description: For more information, see https://api.my.company.com/docs/oauth
    flow: authorizationCode
    authorizationUrl: https://api.my.company.com/oauth/authorize
    tokenUrl: https://api.my.company.com/oauth/token
    scopes:
      read:api: read your apis
security:
  oAuth2AuthCodeNeg2:
    - read:api
    - error:api

Positive test num. 2 - json file

{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "Success"
          }
        }
      }
    }
  },
  "securityDefinitions": {
    "oAuth2AuthCodeNeg2": {
      "type": "oauth2",
      "description": "For more information, see https://api.my.company.com/docs/oauth",
      "flow": "authorizationCode",
      "authorizationUrl": "https://api.my.company.com/oauth/authorize",
      "tokenUrl": "https://api.my.company.com/oauth/token",
      "scopes": {
        "read:api": "read your apis"
      }
    }
  },
  "security": {
    "oAuth2AuthCodeNeg2": [
      "read:api",
      "error:api"
    ]
  }
}

Code samples without security vulnerabilities¶

Negative test num. 1 - yaml file

swagger: "2.0"
info:
  title: Simple API Overview
  version: 1.0.0
paths:
  /:
    get:
      operationId: listVersionsv2
      summary: List API versions
      responses:
        "200":
          description: Success
securityDefinitions:
  oAuth2AuthCodeNeg2:
    type: oauth2
    description: For more information, see https://api.my.company.com/docs/oauth
    flow: authorizationCode
    authorizationUrl: https://api.my.company.com/oauth/authorize
    tokenUrl: https://api.my.company.com/oauth/token
    scopes:
      read:api: read your apis
security:
  oAuth2AuthCodeNeg2:
    - read:api

Negative test num. 2 - json file

{
  "swagger": "2.0",
  "info": {
    "title": "Simple API Overview",
    "version": "1.0.0"
  },
  "paths": {
    "/": {
      "get": {
        "operationId": "listVersionsv2",
        "summary": "List API versions",
        "responses": {
          "200": {
            "description": "Success"
          }
        }
      }
    }
  },
  "securityDefinitions": {
    "oAuth2AuthCodeNeg2": {
      "type": "oauth2",
      "description": "For more information, see https://api.my.company.com/docs/oauth",
      "flow": "authorizationCode",
      "authorizationUrl": "https://api.my.company.com/oauth/authorize",
      "tokenUrl": "https://api.my.company.com/oauth/token",
      "scopes": {
        "read:api": "read your apis"
      }
    }
  },
  "security": {
    "oAuth2AuthCodeNeg2": [
      "read:api"
    ]
  }
}