Transporting credentials over the network allowed

Description

One or more global security schemes allow transporting basic credentials over the network. The credentials are sent over the network on each API call. This means that the password is sent over the network over and over again, and is exposed to any attempt to retrieve it.

This is a potential risk, because the definition is made at the global level. However, it easily turns into an actual risk when the unsafe scheme is used in a security requirement or operation.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The authentication method is specified as basic:

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    }
  },
  ...
  "security": [
    {
      "regularSecurity": []
    }
  ],
  ...
}
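The description above distinguishes a basic scheme that is merely defined (potential risk) from one that is actually referenced by a global or operation-level security requirement (actual risk). The following added checker, not part of the original page, makes that distinction over an OpenAPI 2.0 definition; the sample definition and the function name basic_scheme_usage are constructed for the example.

```python
import json

# Constructed sample OpenAPI 2.0 definition (not the page's own): one basic
# scheme used globally, one basic scheme defined but unused, one oauth2 scheme.
SAMPLE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "schemes": ["https"],
  "securityDefinitions": {
    "regularSecurity": {"type": "basic"},
    "unusedBasic": {"type": "basic"},
    "OAuth2": {"type": "oauth2", "flow": "accessCode",
               "scopes": {"readOnly": "read objects in your account"},
               "authorizationUrl": "https://example.com/oauth/authorize",
               "tokenUrl": "https://example.com/oauth/token"}
  },
  "security": [{"regularSecurity": []}],
  "paths": {
    "/objects": {
      "get": {"responses": {"200": {"description": "ok"}}},
      "post": {"security": [{"OAuth2": ["readOnly"]}],
               "responses": {"201": {"description": "created"}}}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def basic_scheme_usage(spec):
    """Return {scheme_name: [locations]} for every 'basic' security scheme.

    An empty list means the scheme is only defined (potential risk); a
    non-empty list names the global requirement ("global") or the operations
    whose own security requirement uses it (actual risk).
    """
    basic = {name for name, d in spec.get("securityDefinitions", {}).items()
             if d.get("type") == "basic"}
    usage = {name: [] for name in basic}

    def record(requirements, location):
        for requirement in requirements or []:   # each entry is one alternative
            for name in requirement:
                if name in basic:
                    usage[name].append(location)

    record(spec.get("security"), "global")
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method in HTTP_METHODS and "security" in op:
                record(op["security"], f"{method.upper()} {path}")
    return usage
```

In OpenAPI 2.0 an operation-level `security` list replaces the global one, so an operation that lists only OAuth2 (like POST /objects here) is not counted against the basic scheme.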

Possible exploit scenario

If you allow transporting credentials over the network, attackers can eavesdrop and try to intercept the traffic between the API consumer and your API to retrieve the login and the password. If they succeed, they can access all API operations protected with the same security requirement until the credentials are revoked or changed.

Remediation

Use a more secure security definition, like OAuth 2.0. Instead of plain credentials, OAuth 2.0 uses access tokens with a limited lifetime and a set of authorizations (the scopes) that the resource owner grants through an authorization server.

An API operation can be consumed only if the request includes an access token and the scopes of the token match the scopes that the API operation requires. Even if attackers successfully retrieve an access token, they can only use it on a subset of the API operations and for a limited time.

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "OAuth2": {
      "type": "oauth2",
      "flow": "accessCode",
      "scopes": {
        "readOnly": "read objects in your account"
      },
      "authorizationUrl": "https://example.com/oauth/authorize",
      "tokenUrl": "https://example.com/oauth/token"
    }
  },
  ...
  "security": [
    {
      "OAuth2": [ "readOnly" ]
    }
  ]
}