FireTail’s Findings

FireTail’s Findings feature enables the detection of OWASP's 2019 top 10 API security issues. The OWASP API Security Top 10 is a comprehensive document detailing the ten most critical security risks facing APIs. 

A finding is generated when an issue aligning with the OWASP top 10 is detected. 

Findings can be generated in two ways:

  1. When a collection is uploaded to the FireTail platform. 
  2. A GitHub repository is scanned. 

The file or repository is scanned to uncover any vulnerabilities and subsequently, a finding is generated. 

Below is a list of all findings that can be generated. Click on each finding to view remediation information and view examples.

Insecure host (OAS2)

owasp:api7:2019-security-hosts-https-oas2
Ensure APIs use HTTPS

Insecure host (OAS3)

owasp:api7:2019-security-hosts-https-oas3
Ensure APIs use HTTPS

Unrestricted string

owasp:api4:2019-string-restricted
Ensure APIs that process strings have a format, RegEx pattern, enum, or `const defined in their scheme.

Undefined string limit

owasp:api4:2019-string-limit
Ensure Query String properties or parameters have an explicitly defined maximum length. This can be done using maxLength, enum or const.

Missing rate limit headers

owasp:api4:2019-rate-limit
Endpoints should use proper rate limiting to ensure service availability to all users.

Missing 429 response

owasp:api4:2019-rate-limit-response-429
Ensure API specifications include definitions for 429 responses.

Missing retry header

owasp:api4:2019-rate-limit-retry-after
Ensure that APIs returning 429 responses contain a Retry-After header.

Legacy integer limit

owasp:api4:2019-integer-limit-legacy
Ensure that endpoints using integers specify limits for them. Use 'minimum' and 'maximum' to set the allowed range.

Undefined integer limit

owasp:api4:2019-integer-limit
Ensure that endpoints using integers specify limits for them. Use 'minimum' and 'maximum' or 'exclusiveMinimum' and 'exclusiveMaximum' to set the allowed range.

Credentials in URL

owasp:api2:2019-no-credentials-in-url
Ensure that security credentials are excluded from paths and query parameters.

Missing authentication

owasp:api2:2019-protection-global-unsafe-strict
Ensure that all API operations using HTTP methods such as POST, PUT, PATCH, and DELETE are safeguarded with at least one security rule.

Non-standard JSON Web Token

owasp:api2:2019-jwt-best-practices
Ensure endpoints using JWT explicitly declare support for RFC8725 in the description

Missing 4xx response

owasp:api2:2019-define-error-validation
Ensure API specifications include definitions for 400, 422, and 4XX responses.

Missing 500 response

owasp:api2:2019-define-error-responses-500
Ensure API specifications include definitions for 500 responses.

Missing array limit

owasp:api4:2019-array-limit
Endpoints ingesting arrays should specify a limit to the number of objects in the array to ensure availability of the service to all users.

Undefined integer format

owasp:api4:2019-integer-format
APIs should specify an integer format type to ensure availability of the service to all users.

Basic HTTP auth

owasp:api2:2019-no-http-basic
Ensure endpoints do not use http basic authentication scheme

Missing global security

owasp:api2:2019-protection-global-safe
Ensure that all API operations using HTTP methods such as POST, PUT, PATCH, and DELETE are safeguarded with at least one security rule.

Missing additional properties

owasp:api6:2019-no-additionalProperties
Ensure request bodies sent to endpoints do not allow objects containing unexpected additional properties. This will ensure no read-only object property can be altered by non-privileged users.

Insecure auth scheme

owasp:api2:2019-auth-insecure-schemes
Ensure endpoints specify a strong authentication scheme.

This site uses cookies

By using this website, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Got it!