String header has no maximum length defined
A string header does not specify the maximum length for the accepted strings.
For more details, see the OpenAPI Specification.
The following is an example of how this type of risk could look in your API definition:
1responses: 2 "200": 3 description: OK 4 headers: 5 x-ids: 6 schema: 7 type: string 8
Possible exploit scenario
Attackers strive to make your APIs behave in an unexpected way to learn more about your system or to cause a data breach. We highly recommend that you minimize any risks and clearly specify the data that your API produces in each method.
maxLength property for string headers. This provides an extra layer of safety ensuring that your API only returns data that you expect it to return.
1responses: 2 "200": 3 description: OK 4 headers: 5 x-ids: 6 schema: 7 type: string 8 maxLength: 8 9
We also recommend that you specify a regular expression to further lock down the expected string format.
For more information on regular expressions, see the following:
- Language-agnostic information on regular expressions at Base Definitions page on regular expressions
- OWASP Validation Regex Repository
- RegExr, an online tool for building and testing regular expressions
Copyright 42Crunch 2021