Credentials transported over network

Description

The API accepts basic credentials transported over the network. The credentials are sent over the network on each API call. This means that the password is sent over the network over and over again, and is exposed to any attempt to retrieve it.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition:

{
  "schemes": [
    "http"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    }
  },
  ...
  "security": [
    {
      "regularSecurity": []
    }
  ],
  ...
}

The scheme is set to http, meaning that the credentials are transported using an unencrypted HTTP connection between the API consumer and your API.
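The following is an added example, not part of the original page or its project: a small Python check that walks a Swagger 2.0 definition and reports every operation whose effective security requirement references a `basic` definition while its effective schemes include an unencrypted transport. It applies the Swagger 2.0 rule that operation-level `schemes` and `security` override the global ones, so a single operation that opts back into `http` is also caught. Both definitions embedded below are constructed samples that mirror the vulnerable example above and the remediated one further down.

```python
import json

# Constructed samples (not the page's project's own files): the first mirrors the
# vulnerable definition on the page, the second mirrors the remediated one.
VULNERABLE = json.dumps({
    "swagger": "2.0",
    "schemes": ["http"],
    "securityDefinitions": {"regularSecurity": {"type": "basic"}},
    "security": [{"regularSecurity": []}],
    "paths": {"/objects": {"get": {"responses": {"200": {"description": "ok"}}}}},
})

REMEDIATED = json.dumps({
    "swagger": "2.0",
    "schemes": ["https"],
    "securityDefinitions": {
        "OAuth2": {
            "type": "oauth2",
            "flow": "accessCode",
            "scopes": {"readOnly": "read objects in your account"},
            "authorizationUrl": "https://example.com/oauth/authorize",
            "tokenUrl": "https://example.com/oauth/token",
        }
    },
    "security": [{"OAuth2": ["readOnly"]}],
    "paths": {"/objects": {"get": {"responses": {"200": {"description": "ok"}}}}},
})

# Keys of a Path Item Object that hold operations (everything else, e.g. "parameters", is skipped)
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}

# Schemes on which credentials travel in the clear
UNENCRYPTED_SCHEMES = {"http", "ws"}


def find_cleartext_basic_auth(definition_json):
    """Return a list of (operation, security definition name) pairs for every
    operation whose effective security requirement uses a 'basic' definition
    while its effective schemes include an unencrypted transport."""
    doc = json.loads(definition_json)
    basic_defs = {name for name, definition in doc.get("securityDefinitions", {}).items()
                  if definition.get("type") == "basic"}
    global_schemes = doc.get("schemes", [])
    global_security = doc.get("security", [])
    findings = []
    for path, item in doc.get("paths", {}).items():
        for method, operation in item.items():
            if method not in HTTP_METHODS:
                continue
            # Swagger 2.0 semantics: operation-level values replace the global ones
            schemes = operation.get("schemes", global_schemes)
            security = operation.get("security", global_security)
            if not any(scheme in UNENCRYPTED_SCHEMES for scheme in schemes):
                continue
            # "security" is a list of alternative requirements; each maps definition name -> scopes
            for requirement in security:
                for name in requirement:
                    if name in basic_defs:
                        findings.append((f"{method.upper()} {path}", name))
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_cleartext_basic_auth(VULNERABLE))
    print("remediated:", find_cleartext_basic_auth(REMEDIATED))
```

A definition with no `schemes` at all is treated as clean by this check, because Swagger 2.0 then falls back to the scheme the definition itself was served over; a stricter audit would flag that case as undecided rather than passing it.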

Possible exploit scenario

If your credentials are transported over the network, attackers can eavesdrop and try to intercept the traffic between the API consumer and your API to retrieve the login and the password. If they succeed, they can access all API operations protected with the same security requirement until the credentials are revoked or changed.

Remediation

Use a more secure security definition, like OAuth 2.0. Instead of sending credentials on every call, OAuth 2.0 uses access tokens with a limited lifetime that carry only the authorizations (the scopes) that the Resource Owner has granted through an authorization server.

An API operation can be consumed only if the request includes an access token and the scopes of the token match the scopes that the API operation requires. Even if attackers successfully retrieve an access token, they can only use it on the subset of API operations covered by its scopes, and only for a limited time.
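The scope matching just described, as an added example rather than code from the page: the function below evaluates an OpenAPI-style `security` requirement list for an operation (alternatives are OR-ed, the schemes inside one alternative are AND-ed) against the scopes and expiry of a presented token. The operation table and the token dictionaries are constructed for the example; the token shape (`scopes` plus an `exp` Unix timestamp) is an assumption about what the authorization server returns, not a format the page defines.

```python
import time

# Constructed: per-operation requirements in the shape of OpenAPI "security" objects.
# The outer list holds alternatives (any one suffices); each dict maps a security
# definition name to the scopes that definition must grant.
OPERATION_REQUIREMENTS = {
    "GET /objects": [{"OAuth2": ["readOnly"]}],
    "DELETE /objects/{id}": [{"OAuth2": ["readOnly", "admin"]}],
}


def token_authorizes(token, operation, now=None):
    """Return True when the token is unexpired and its granted scopes satisfy
    at least one alternative requirement of the operation.

    token: dict with 'scopes' (iterable of str) and 'exp' (Unix seconds);
           this layout is assumed for the example.
    """
    now = time.time() if now is None else now
    # A stolen token stops working on its own once its lifetime is over
    if token.get("exp", 0) <= now:
        return False
    granted = set(token.get("scopes", ()))
    for alternative in OPERATION_REQUIREMENTS.get(operation, []):
        # Every security definition in one alternative must be satisfied;
        # only OAuth2 scope checks are modelled here
        if all(set(required) <= granted for required in alternative.values()):
            return True
    # Unknown operations or missing scopes: deny
    return False


if __name__ == "__main__":
    now = 1_700_000_000  # constructed reference time, keeps the demo deterministic
    read_only = {"scopes": ["readOnly"], "exp": now + 600}
    print(token_authorizes(read_only, "GET /objects", now))          # True
    print(token_authorizes(read_only, "DELETE /objects/{id}", now))  # False
```

A read-only token therefore opens only the read operations, and the same token is refused outright once `exp` has passed, which is exactly the containment the paragraph above describes.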

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "OAuth2": {
      "type": "oauth2",
      "flow": "accessCode",
      "scopes": {
        "readOnly": "read objects in your account"
      },
      "authorizationUrl": "https://example.com/oauth/authorize",
      "tokenUrl": "https://example.com/oauth/token"
    }
  },
  ...
  "security": [
    {
      "OAuth2": [ "readOnly" ]
    }
  ]
}