The token URL in the OAuth2 security scheme is not a proper URL

Average severity: Medium

Description

The URL you have entered in the tokenUrl field of the OAuth2 security scheme is not a proper URL. The OpenAPI Specification (OAS) requires that all URLs in the API contract be proper URLs in a valid format.

Example

The following is an example of how this type of risk could look in your API definition:

{
  ...
  "securityDefinitions": {
    "OAuth2": {
      ...
      "tokenUrl": "http://bad_example.com#@evil.com/oauth/token"
    }
  },
  ...
}

Possible exploit scenario

Depending on the URL-parsing library used, a non-standard URL may be interpreted with a different host than the one intended, so your API consumer might be redirected to a nefarious site when it parses the URL.

In addition, TLS certificate validation uses the URL's host name to check that the presented certificate matches the host that was contacted. An invalid host name could potentially scupper this validation. A badly encoded URL could also be used as an attack vector when the resource path is decoded.

Remediation

Make sure that all URLs in your API are proper URLs and have a valid format.

{
  ...
  "securityDefinitions": {
    "OAuth2": {
      ...
      "tokenUrl": "https://example.com/oauth/token"
    }
  },
  ...
}
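The following is an added example, not part of the original page: a small Python check that scans an API definition for OAuth2 URL fields (tokenUrl, authorizationUrl, refreshUrl) and reports those that are not well-formed. The validation rules (https only, no userinfo, no fragment, a valid DNS host name, an absolute path) are this example's own assumptions about what a "proper" token endpoint URL should look like, and the sample document is constructed from the example above.

```python
import json
import re
from urllib.parse import urlsplit

# RFC 1123 host name label: letters, digits and hyphens only, no leading/trailing hyphen.
# Note that an underscore (as in "bad_example.com") is not permitted.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Keys in Swagger 2.0 securityDefinitions and OAS 3 securitySchemes that must hold URLs.
URL_KEYS = ("tokenUrl", "authorizationUrl", "refreshUrl")


def url_problems(url):
    """Return the list of reasons `url` is unacceptable as an OAuth2 endpoint (empty = OK).

    The rules are an assumption of this example, not taken from the OpenAPI Specification.
    """
    problems = []
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return [f"unparseable: {exc}"]

    if parts.scheme != "https":
        problems.append(f"scheme must be https, got {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        problems.append("userinfo (user@host) is not allowed")
    if parts.fragment:
        # For "http://bad_example.com#@evil.com/oauth/token" urlsplit keeps the host as
        # bad_example.com and puts "@evil.com/oauth/token" in the fragment; a parser that
        # treats "@" as the userinfo separator would pick evil.com instead. Rejecting any
        # fragment removes that ambiguity.
        problems.append("fragment (#...) is not allowed in an endpoint URL")

    host = parts.hostname or ""
    if not host:
        problems.append("missing host")
    else:
        labels = host.split(".")
        if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
            problems.append(f"host {host!r} is not a valid DNS name")

    if not parts.path.startswith("/"):
        problems.append("path must be absolute (e.g. /oauth/token)")
    return problems


def find_url_issues(doc, path="$"):
    """Walk a parsed OpenAPI document and return [(json_path, url, problems)] for every
    OAuth2 URL field that fails url_problems(). Matching on key name means it works for
    Swagger 2.0 securityDefinitions and OAS 3 components.securitySchemes flows alike."""
    findings = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            child = f"{path}.{key}"
            if key in URL_KEYS and isinstance(value, str):
                problems = url_problems(value)
                if problems:
                    findings.append((child, value, problems))
            else:
                findings.extend(find_url_issues(value, child))
    elif isinstance(doc, list):
        for index, item in enumerate(doc):
            findings.extend(find_url_issues(item, f"{path}[{index}]"))
    return findings


# Constructed sample definition, modelled on the bad example on this page.
SAMPLE_API = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "constructed sample", "version": "1.0"},
  "securityDefinitions": {
    "OAuth2": {
      "type": "oauth2",
      "flow": "accessCode",
      "authorizationUrl": "https://example.com/oauth/authorize",
      "tokenUrl": "http://bad_example.com#@evil.com/oauth/token",
      "scopes": {"read": "Read access"}
    }
  },
  "paths": {}
}
""")

if __name__ == "__main__":
    for json_path, url, problems in find_url_issues(SAMPLE_API):
        print(f"{json_path}: {url}")
        for problem in problems:
            print(f"  - {problem}")
```

Run against the sample, the check reports only the tokenUrl entry, with four reasons (wrong scheme, fragment present, underscore in the host name, empty path); the authorizationUrl passes. Rejecting the URL at contract-linting time is the point: the ambiguous host is never handed to a client library whose parser might disagree with the one used for TLS validation.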
