The ‘security’ section contains an empty security requirement

Average severity: High

Description

One or more of the objects defined in the security section contains an empty security requirement. The security section specifies what kind of authentication your API requires, either at the global level for the whole API or for individual API operations. Because the requirement objects in this list are alternatives, an empty requirement object makes unauthenticated access acceptable and so disables authentication completely.

Example

The following is how this issue could look in your API definition. The security array contains an empty requirement object:

  "schemes": [
    "http"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
    }
  },
  ...
  "security": [
    {}
  ],
  ...
}

Possible exploit scenario

An empty requirement in the security section disables the authentication completely. Attackers could call any API operation without authenticating or identifying themselves, and use that access to retrieve data they should not see or to push malicious input, for example SQL injection payloads or JSON hijacking attempts. Without this first level of access control, you also have no way to revoke their access if you spot suspicious behavior.

Remediation

Make sure you specify at least one security object to apply authentication to API operations:

  "schemes": [
    "http"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
    }
  },
  ...
  "security": [
    {
      "regularSecurity": [
      ]
    }
  ],
  ...
}
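The check below is an added example, not part of the original page or of any vendor tool. It walks an OpenAPI 2.0 (Swagger) definition, reports every empty requirement object found in a global or per-operation security list, and produces a remediated copy that drops the empty objects and, where that would leave a list empty, requires each scheme declared under securityDefinitions instead. The SAMPLE_API document and the "regularSecurity" API key scheme in it are constructed for this example.

```python
import copy
import json

# Constructed sample OpenAPI 2.0 definition (not from the original page).
# The global "security" list holds an empty requirement object, and the
# DELETE operation repeats the pattern next to a valid requirement.
SAMPLE_API = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "sample", "version": "1.0"},
  "schemes": ["https"],
  "securityDefinitions": {
    "regularSecurity": {"type": "apiKey", "name": "X-API-Key", "in": "header"}
  },
  "security": [
    {}
  ],
  "paths": {
    "/items": {
      "get": {
        "responses": {"200": {"description": "ok"}}
      },
      "delete": {
        "security": [ {"regularSecurity": []}, {} ],
        "responses": {"204": {"description": "deleted"}}
      }
    }
  }
}
""")

# Keys of a path item that are HTTP operations (everything else, such as
# "parameters", is skipped).
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def _is_empty_requirement(req):
    """An empty {} inside a security list is the finding this page describes."""
    return isinstance(req, dict) and not req


def _operations(api):
    """Yield (location, operation object) for every operation in "paths"."""
    for path, item in api.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if method.lower() in HTTP_METHODS and isinstance(op, dict):
                yield f"{method.upper()} {path}", op


def find_empty_security_requirements(api):
    """Return (location, index) for each empty requirement object, where
    location is "global" or "METHOD /path"."""
    findings = []
    for i, req in enumerate(api.get("security", [])):
        if _is_empty_requirement(req):
            findings.append(("global", i))
    for location, op in _operations(api):
        for i, req in enumerate(op.get("security", [])):
            if _is_empty_requirement(req):
                findings.append((location, i))
    return findings


def fix_empty_security_requirements(api):
    """Return a deep copy with empty requirement objects removed. A list that
    becomes empty is replaced by one requirement per declared scheme, so the
    remediated definition always names at least one security object."""
    fixed = copy.deepcopy(api)
    fallback = [{name: []} for name in fixed.get("securityDefinitions", {})]

    def clean(container):
        reqs = container.get("security")
        if reqs is None:
            return  # operation inherits the global requirement; nothing to do
        kept = [r for r in reqs if not _is_empty_requirement(r)]
        if not kept:
            if not fallback:
                # Nothing declared to require: this must be fixed by hand.
                raise ValueError("no securityDefinitions to fall back on")
            kept = copy.deepcopy(fallback)
        container["security"] = kept

    clean(fixed)
    for _, op in _operations(fixed):
        clean(op)
    return fixed


if __name__ == "__main__":
    for location, index in find_empty_security_requirements(SAMPLE_API):
        print(f"empty security requirement at {location} (index {index})")
    print(json.dumps(fix_empty_security_requirements(SAMPLE_API)["security"]))
```

Run against SAMPLE_API, the finder reports the global entry and the second DELETE entry; the remediated copy requires regularSecurity in both places, while the GET operation keeps inheriting the now non-empty global requirement.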
