Numeric array item has no maximum defined
One or more arrays containing numeric items do not specify the maximum value of the items.
For more details, see the OpenAPI Specification.
The following is an example of how this type of risk could look in your API definition. The array accepts items of the type
integer but does not specify the maximum value for them:
1parameters: 2 name: ids 3 in: query 4 description: IDs to filter by 5 required: true 6 type: array 7 items: 8 type: integer 9 minimum: 0 10
Possible exploit scenario
If you do not limit the range of accepted values for numeric parameters, attackers can try to send unexpected input to your backend server. This may cause the backend server to fail in an unexpected way and open the door to further attacks.
For example, the backend server could throw an exception and return a stack trace on the error. The trace could contain information on the exact software stack used in the implementation. This enables the attacker to launch an attack on specific vulnerabilities known in that stack.
Set both the
maximum parameter values for numeric array items to limit the accepted values to the range that works for your application:
1parameters: 2 name: ids 3 in: query 4 description: IDs to filter by 5 required: true 6 type: array 7 items: 8 type: integer 9 minimum: 0 10 maximum: 100 11
Copyright 42Crunch 2021