Schema is empty

Average severity: Medium

Description

The schema is empty. This means that your API accepts any JSON values.

Example

The following is an example of how this type of risk could look in your API definition. The method POST accepts a JSON payload in the body but does not specify the schema of the payload:

"post": {
  "description": "Creates a new pet in the store",
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "pet to add to the system",
      "required": true,
      "schema": {    }
    }
  ]
}

Possible exploit scenario

If you leave the schema of a JSON payload empty, any JSON payloads are accepted as input. This means that you are opening your backend to various attacks, such as SQL injection.

This also lets attackers to try various unexpected inputs. Unexpected inputs may cause the backend server to crash or behave in an unexpected way. This in turn may cause the server to potentially leak stack trace that can be used for further attacks, or even data.

Remediation

Make sure you define schemas for all JSON payloads. Here, a specific JSON object NewPet is defined in the definitions section and referenced as the schema for the API method:

"post": {
  "description": "Creates a new pet in the store",
  "operationId": "addPet",
  "parameters": [
    {
      "name": "pet",
      "in": "body",
      "description": "pet to add to the system",
      "required": true,
      "schema": {
        "$ref": "#/definitions/NewPet"
      }
    }
  ]
}
...
"definitions": {
  "NewPet": {
    "type": "object",
    "required": [
      "name"
    ],
    "properties": {
      "name": {
        "type": "string"
      },
      "tag": {
        "type": "string"
      }
    }
  }
}

 

 


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy