FireTail’s Findings

FireTail’s Findings feature enables the detection of OWASP's top 10 API security issues and general API security best practices. The OWASP API Security Top 10 is a comprehensive document detailing the ten most critical security risks facing APIs. 

Findings can be generated in the following ways:

  1. When a specification is uploaded to the FireTail platform. 
  2. A GitHub repository is scanned. 
  3. Through detections from logs.
  4. Through observations from active scanning.

The file or repository is scanned to uncover any vulnerabilities and subsequently, a finding is generated. 

Below is a list of all findings that can be generated. Click on each finding to view remediation information and examples.

Info

Circular references

Circular references occur when two or more schema definitions reference each other in a way that creates a loop.
Info

Index creation failed

The findings engine could not build a document index for this specification file.
Not Applicable

Vulnerabilities detected

A vulnerability has been detected in the underlying software and or packages of this API.
Not Applicable

Undocumented HTTP status code

Response has a status code that is not defined in the schema.
Not Applicable

Undocumented content-type

Response has Content-Type that is not documented in the schema.
Not Applicable

SSL vulnerabilities detected

SSL vulnerabilities have been detected.
Not Applicable

Server error

The server has encountered an error.
Not Applicable

Response time limit exceeded

Response took longer than expected.
Not Applicable

Response timeout

Request took longer than timeout.
Critical

Plaintext unknown authentication

An endpoint is using an authentication mechanism that is not in the IANA Authentication Scheme Registry over HTTP.
Critical

Plaintext negotiated authentication

An endpoint is negotiating authentication over HTTP.
Critical

Plaintext digest authentication

An endpoint is using the Digest Authentication security mechanism over HTTP.
Critical

Plaintext bearer token

An endpoint is using the Bearer Token security mechanism over HTTP.
Critical

Plaintext basic authentication

An endpoint is using the Basic Authentication security mechanism over HTTP.
Critical

Plaintext API key

An endpoint is using an API key based security mechanism over HTTP.
Critical

Plaintext alternative authentication

An endpoint is using an alternative authentication method from the IANA Authentication Scheme Registry over HTTP.
Not Applicable

Missing required headers

Some required headers are missing.
Not Applicable

Missing content-type header

Content type header is missing.
Not Applicable

Malformed media type

Media type name is malformed.
Info

Majority response status codes 5XX

Over half of an API's response status codes over a given time period were in the 5XX range.

This site uses cookies

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Got it!