Credentials transported over the network

Average severity: Medium

Description

The API or an API operation accepts HTTP Basic credentials transported over the network. With Basic authentication the username and password are sent with every API call, so the password crosses the network over and over again and is exposed to anyone who can intercept the traffic.

Example

The following is an example of how this type of risk could look in your API definition. The scheme is set to http, meaning that the credentials are transported over an unencrypted HTTP connection between the API consumer and your API:

{
  "schemes": [
    "http"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    }
  },
  ...
  "security": [
    {
      "regularSecurity": []
    }
  ],
  ...
}

Possible exploit scenario

If credentials are transported unencrypted, attackers who can eavesdrop on the traffic between the API consumer and your API can intercept the login and the password. If they succeed, they can access all API operations protected with the same security requirement until the credentials are revoked or changed.

Remediation

Use a more secure security definition, like OAuth 2.0. Instead of sending the user's credentials with each call, OAuth 2.0 uses access tokens with a limited lifetime and a limited set of authorizations (the scopes) that the Resource Owner grants through an authorization server.

An API operation can be consumed only if the request includes an access token and the scopes of the token match the scopes that the API operation requires. Even if attackers successfully retrieve an access token, they can only use it on the subset of API operations its scopes allow, and only until it expires.

Whatever the security definition, also set the scheme to https. An access token is a bearer credential: a token sniffed from a plaintext HTTP connection can be replayed just like a password until it expires. The remediated definition below does both.

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "OAuth2": {
      "type": "oauth2",
      "flow": "accessCode",
      "scopes": {
        "readOnly": "read objects in your account"
      },
      "authorizationUrl": "https://example.com/oauth/authorize",
      "tokenUrl": "https://example.com/oauth/token"
    }
  },
  ...
  "security": [
    {
      "OAuth2": [ "readOnly" ]
    }
  ]
}
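The risk described on this page can be checked mechanically in an API definition. The following is an added example, not code from the original page or from any vendor tool: a small linter for OpenAPI 2.0 (Swagger) documents that reports every operation whose effective security requirements reference a securityDefinition of type "basic" while its effective schemes allow plain http. It applies the OpenAPI 2.0 override rules (an operation's own "security" or "schemes" list replaces the global one entirely, and "security": [] removes authentication from an operation). The two embedded definitions are constructed for this example from the page's fragments; the extra "/status" and "/admin" paths are assumptions added to exercise the override rules.

```python
"""Lint an OpenAPI 2.0 definition for HTTP Basic credentials that may be
sent over a plaintext http connection.

Added example; the sample definitions below are constructed from the
page's fragments and are not a real API.
"""
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def _basic_definitions(spec):
    """Names of securityDefinitions entries whose type is 'basic'."""
    return {
        name
        for name, definition in spec.get("securityDefinitions", {}).items()
        if definition.get("type") == "basic"
    }


def find_plaintext_basic_auth(spec):
    """Return (METHOD, path, definition_name, exposure) for every operation
    that requires Basic auth and may be reached over plain http.

    exposure is 'http' when http is explicitly allowed, or 'unspecified'
    when the definition declares no schemes at all (OpenAPI 2.0 then
    defaults to whatever scheme served the definition, so it cannot be
    assumed to be https).
    """
    basic_names = _basic_definitions(spec)
    global_security = spec.get("security", [])
    global_schemes = spec.get("schemes")
    findings = []
    for path, path_item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            operation = path_item.get(method)
            if operation is None:
                continue
            # Operation-level lists replace the global ones entirely.
            security = operation.get("security", global_security)
            schemes = operation.get("schemes", global_schemes)
            # Each requirement object maps definition name -> scopes.
            used = {name for requirement in security for name in requirement}
            basic_used = sorted(used & basic_names)
            if not basic_used:
                continue
            if schemes is None:
                exposure = "unspecified"
            elif "http" in schemes:
                exposure = "http"
            else:
                continue  # https-only transport: not this finding
            for name in basic_used:
                findings.append((method.upper(), path, name, exposure))
    return findings


# Constructed: the page's vulnerable fragment completed into a minimal definition.
VULNERABLE_SPEC = {
    "swagger": "2.0",
    "info": {"title": "Example", "version": "1.0"},
    "schemes": ["http"],
    "securityDefinitions": {"regularSecurity": {"type": "basic"}},
    "security": [{"regularSecurity": []}],
    "paths": {
        "/objects": {"get": {"responses": {"200": {"description": "ok"}}}},
        # Assumed public operation: empty security list removes auth.
        "/status": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
        # Assumed operation that overrides the transport to https only.
        "/admin": {"get": {"schemes": ["https"], "responses": {"200": {"description": "ok"}}}},
    },
}

# Constructed: the page's remediated fragment completed into a minimal definition.
REMEDIATED_SPEC = {
    "swagger": "2.0",
    "info": {"title": "Example", "version": "1.0"},
    "schemes": ["https"],
    "securityDefinitions": {
        "OAuth2": {
            "type": "oauth2",
            "flow": "accessCode",
            "scopes": {"readOnly": "read objects in your account"},
            "authorizationUrl": "https://example.com/oauth/authorize",
            "tokenUrl": "https://example.com/oauth/token",
        }
    },
    "security": [{"OAuth2": ["readOnly"]}],
    "paths": {"/objects": {"get": {"responses": {"200": {"description": "ok"}}}}},
}


def lint_file(filename):
    """Load a Swagger 2.0 JSON file from disk and lint it."""
    with open(filename) as fh:
        return find_plaintext_basic_auth(json.load(fh))


if __name__ == "__main__":
    for label, spec in (("vulnerable", VULNERABLE_SPEC), ("remediated", REMEDIATED_SPEC)):
        for method, path, name, exposure in find_plaintext_basic_auth(spec):
            print(f"{label}: {method} {path} requires basic '{name}' over {exposure}")
```

Run against VULNERABLE_SPEC the linter reports only GET /objects: the public /status operation carries no credentials, and /admin forces https at the operation level. REMEDIATED_SPEC produces no findings. Note that the check is scoped to this page's risk (Basic credentials over http); a definition that sends OAuth 2.0 tokens over http would need a separate rule, since the remediation relies on https as much as on the token scheme.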
