Transporting credentials over the network allowed

Average severity: Low

Description

The security scheme allows transporting basic credentials over the network. The credentials are sent with each API call. This means that the password crosses the network over and over again, and is exposed to any attempt to intercept and retrieve it.

This is a potential risk, because the definition is in the security scheme of the API, not in the security requirements. However, it easily turns into an actual risk when the unsafe method is used in a security requirement.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The authentication method is specified as basic:

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "regularSecurity": {
      "type": "basic"
    }
  },
  ...
  "security": [
    {
      "regularSecurity": []
    }
  ],
  ...
}

Possible exploit scenario

If you allow transporting credentials over the network, attackers can eavesdrop and try to intercept the traffic between the API consumer and your API to retrieve the login and the password. If they succeed, they can access all API operations protected with the same security requirement until the credentials are revoked or changed.

Remediation

Use a more secure security definition, like OAuth 2.0. Instead of the credentials themselves, OAuth 2.0 uses access tokens with a limited lifetime and authorizations (the scopes) that the Resource Owner grants through an authorization server.

An API operation can be consumed only if an access token is sent with the request, and the scopes of the token match the scopes that the API operation requires. Even if attackers could successfully retrieve an access token, they can use it only on a subset of the API operations and only for a limited time.

{
  "schemes": [
    "https"
  ],
  ...
  "securityDefinitions": {
    "OAuth2": {
      "type": "oauth2",
      "flow": "accessCode",
      "scopes": {
        "readOnly": "read objects in your account"
      },
      "authorizationUrl": "https://example.com/oauth/authorize",
      "tokenUrl": "https://example.com/oauth/token"
    }
  },
  ...
  "security": [
    {
      "OAuth2": [ "readOnly" ]
    }
  ]
}
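The distinction the description draws between a basic scheme that is merely defined (potential risk) and one that is referenced in a security requirement (actual risk) can be checked mechanically. The following is an added example, not code from the original page or from any API-security product: a small Python checker for OpenAPI 2.0 (Swagger) definitions that lists every place where a basic security definition is actually used, globally or on an individual operation. The sample definitions embedded in it are constructed for the example and modelled on the two definitions above; the function and variable names are the example's own.

```python
"""Flag basic-auth security definitions that are actually used in an OpenAPI 2.0 spec.

Added example (not from the page): a definition of type "basic" is only a
potential risk; it becomes an actual risk once a security requirement
references it, either in the top-level "security" array or on an operation.
"""
import json
import sys

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def load_spec(path):
    """Load a Swagger 2.0 definition from a JSON file."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def basic_definitions(spec):
    """Return the names of securityDefinitions whose type is 'basic'."""
    defs = spec.get("securityDefinitions", {})
    return {name for name, d in defs.items() if d.get("type") == "basic"}


def _requirement_names(requirements):
    """Flatten a 'security' array into the set of scheme names it references."""
    names = set()
    for req in requirements or []:
        if isinstance(req, dict):
            names.update(req.keys())
    return names


def find_basic_auth_usage(spec):
    """Return (location, scheme_name) pairs for every requirement that uses basic auth.

    'global' is the top-level security array; otherwise the location is
    'METHOD /path'. An operation-level 'security' replaces the global one
    entirely, so an operation is inspected only when it declares its own.
    """
    basic = basic_definitions(spec)
    findings = []
    if not basic:
        return findings
    for name in sorted(_requirement_names(spec.get("security")) & basic):
        findings.append(("global", name))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            if "security" not in op:
                continue
            for name in sorted(_requirement_names(op["security"]) & basic):
                findings.append((f"{method.upper()} {path}", name))
    return findings


def classify(spec):
    """'actual' if a requirement uses basic auth, 'potential' if only defined, else 'none'."""
    if find_basic_auth_usage(spec):
        return "actual"
    if basic_definitions(spec):
        return "potential"
    return "none"


# Constructed sample definitions (not from the page), modelled on its examples.
_OK = {"responses": {"200": {"description": "ok"}}}

BASIC_SPEC = {  # basic auth required globally: actual risk
    "swagger": "2.0", "schemes": ["https"],
    "securityDefinitions": {"regularSecurity": {"type": "basic"}},
    "security": [{"regularSecurity": []}],
    "paths": {"/objects": {"get": _OK}},
}

OAUTH_SPEC = {  # the remediation: no basic definition at all
    "swagger": "2.0", "schemes": ["https"],
    "securityDefinitions": {"OAuth2": {
        "type": "oauth2", "flow": "accessCode",
        "scopes": {"readOnly": "read objects in your account"},
        "authorizationUrl": "https://example.com/oauth/authorize",
        "tokenUrl": "https://example.com/oauth/token"}},
    "security": [{"OAuth2": ["readOnly"]}],
    "paths": {"/objects": {"get": _OK}},
}

OPERATION_SPEC = {  # OAuth2 globally, but one operation falls back to basic
    "swagger": "2.0", "schemes": ["https"],
    "securityDefinitions": {"legacy": {"type": "basic"},
                            "OAuth2": {"type": "oauth2", "flow": "accessCode",
                                       "scopes": {}, "authorizationUrl": "https://example.com/a",
                                       "tokenUrl": "https://example.com/t"}},
    "security": [{"OAuth2": []}],
    "paths": {"/objects": {"get": _OK},
              "/admin": {"post": dict(_OK, security=[{"legacy": []}])}},
}

if __name__ == "__main__":
    specs = [load_spec(p) for p in sys.argv[1:]] or [BASIC_SPEC, OAUTH_SPEC, OPERATION_SPEC]
    for spec in specs:
        print(classify(spec), find_basic_auth_usage(spec))
```

Run it with one or more Swagger JSON files as arguments, or with none to check the three embedded samples; the output line per definition is the classification followed by the list of locations where a basic scheme is required.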
