Schema of a JSON object has no properties defined
The schema for a JSON payload does not have any properties defined.
For more details, see the OpenAPI Specification.
The following is an example of how this type of risk could look in your API definition. The method defines the
schema as the JSON payload
NewPet. However, the actual content of that JSON object is not defined:
1post: 2 description: Creates a new pet in the store 3 operationId: addPet 4 parameters: 5 name: pet 6 in: body 7 description: pet to add to the system 8 required: true 9 schema: 10 $ref: "#/definitions/NewPet" 11# ... 12NewPet: 13 type: object 14 description: JSON defining a Pet object 15
Possible exploit scenario
If you do not clearly define the schema and you leave properties of a JSON payload empty, you effectively allow attackers to pass in any data. This means that you are opening your backend to various attacks, such as SQL injection.
This also lets attackers to try various unexpected inputs. Unexpected inputs may cause the backend server to crash or behave in an unexpected way. This in turn may cause the server to potentially leak stack trace that can be used for further attacks, or even data.
If no restrictions to the set of properties in the JSON payload are enforced, the API might also accept more fields than expected. The received payloads could be blindly transformed into an object and stored, overwriting sensitive internal data. For more details, see API6:2019 — Mass assignment in OWASP API Security Top 10.
Make sure you define all properties of the accepted JSON payload to enforce limitations to what the schema accepts.
1post: 2 description: Creates a new pet in the store 3 operationId: addPet 4 parameters: 5 name: pet 6 in: body 7 description: pet to add to the system 8 required: true 9 schema: 10 $ref: "#/definitions/NewPet" 11# ... 12NewPet: 13 type: object 14 required: 15 - name 16 properties: 17 name: 18 type: string 19 description: Pet name 20 tag: 21 type: string 22 description: Pet tag 23
Copyright 42Crunch 2021