Numeric array item has no minimum defined

Average severity: Medium

Description

One or more arrays containing numeric items do not specify the minimum value of the items.

Example

The following is an example of how this type of risk could look in your API definition. The array accepts items of the type integer but does not specify the minimum value for them:

{
"parameters": [
  {
    "name": "ids",
    "in": "query",
    "description": "IDs to filter by",
    "required": true,
    "type": "array",
    "items": {
      "type": "integer"
     }
  }
}

Possible exploit scenario

If you do not limit the range of accepted values for numeric array items, attackers can try to send unexpected input to your backend server. This may cause the backend server to fail in an unexpected way and open the door to further attacks.

For example, the backend server could throw an exception and return a stack trace on the error. The trace could contain information on the exact software stack used in the implementation. This enables the attacker to launch an attack on specific vulnerabilities known in that stack.

Remediation

Set both the minimum and maximum parameter values for numeric array items to limit the accepted values to the range that works for your application:

{
  "parameters": [
  {
    "name": "ids",
    "in": "query",
    "description": "IDs to filter by",
    "required": true,
    "type": "array",
    "items": {
       "type": "integer",
       "minimum":0,
       "maximum":100
     }
  }
}

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy