Numeric parameter has no format defined

Average severity: Medium

Description

Some numeric parameters in your API do not have the accepted format specified.

Example

The following is an example of how this type of risk could look in your API definition. The parameter type is set to integer but the format is not specified:

{
  "parameters": {
     "type": "integer",
     "name": "total",
     "in": "query",
     "description": "Number of the objects in the array."
   }
}

Possible Exploit Scenario

If you do not specify the format of numeric parameters in your API, attackers can try to send unexpected input to your backend server. This may cause the backend server to fail in an unexpected way and open the door to further attacks.

For example, the backend server could throw an exception and return a stack trace on the error. The trace could contain information on the software stack used in the implementation. This enables the attacker to launch an attack on specific vulnerabilities known in that stack.

Remediation

Define the format parameter for the numeric items. This ensures that only parameters of the expected format get passed to the backend.

Numeric parameters type integer can have the format int32 or int64. Numeric parameters type number can have the format float or double.

{
  "parameters": {
     "type": "integer",
     "name": "total",
     "in": "query",
     "format": "int32",
     "description": "Number of the objects in the array."
   }
}

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy