Schema of a JSON object has no properties defined

Description

The schema for a JSON payload does not have any properties defined.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The method defines the schema as the JSON payload NewPet. However, the actual content of that JSON object is not defined:

"post": {
  "description": "Creates a new pet in the store",
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "pet to add to the system",
      "required": true,
      "schema": {
        "$ref": "#/definitions/NewPet"
      }
    }
  ]
}
...
{
  "NewPet": {
    "type": "object",
    "description": "JSON defining a Pet object"
    }
  }
}

Possible exploit scenario

If do not clearly define the schema and properties of a JSON payload empty, you effectively allow attackers to pass in any data. This means that you are opening your backend to various attacks, such as SQL injection.

This also lets attackers to try various unexpected inputs. Unexpected inputs may cause the backend server to crash or behave in an unexpected way. This in turn may cause the server to potentially leak stack trace that can be used for further attacks, or even data.

Remediation

Make sure you define all properties of the accepted JSON payloads.

"post": {
  "description": "Creates a new pet in the store",
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "pet to add to the system",
      "required": true,
      "schema": {
        "$ref": "#/definitions/NewPet"
      }
    }
  ]
}
...
{
  "NewPet": {
    "type": "object",
    "required": [
      "name"
    ],
    "properties": {
      "name": {
        "type": "string"
      },
      "tag": {
        "type": "string"
      }
    }
  }
}