Numeric parameter has no maximum defined
Some numeric parameters in your API do not have the maximum value specified.
For more details, see the OpenAPI Specification.
The following is an example of how this type of risk could look in your API definition. The parameter
type is set to
integer but the maximum value is not specified:
1parameters: 2 type: integer 3 name: total 4 in: query 5 format: int32 6 minimum: 0 7 description: Number of the objects in the array. 8
Possible exploit scenario
If you do not limit the range of accepted values for numeric parameters, attackers can try to send unexpected input to your backend server. This may cause the backend server to fail in an unexpected way and open the door to further attacks.
For example, the backend server could throw an exception and return a stack trace on the error. The trace could contain information on the exact software stack used in the implementation. This enables the attacker to launch an attack on specific vulnerabilities known in that stack.
Set both the
maximum values for numeric parameters to limit the accepted values to the range that works for your application:
1parameters: 2 type: integer 3 name: total 4 in: query 5 format: int32 6 minimum: 0 7 maximum: 100 8 description: Number of the objects in the array. 9
Copyright 42Crunch 2021