Missing 401 response

owasp:api2:2019-define-error-responses-401

Rule Severity:

High

Ensure API specifications include definitions for 401 responses.
This rule applies at the API Specification level (OAS/Swagger).
APIs endpoints that do not return HTTP status codes descriptions are more difficult to use for developers. Adding standard responses to API specifications ensures use of those APIs is predictable and safe.
Consistent and well-documented HTTP status codes in API specifications play a vital role in the usability and understanding of an API. When developers consume an API, clear status code definitions save them time and reduce the risk of misinterpreting a response. HTTP 401, in particular, signifies that the requester has not provided the credentials necessary to view the resource. This is a common response in APIs, especially those that require authentication.

Example Attack Scenario

Security Misconfiguration Exploitation: The absence of a 401 response may indicate a broader security misconfiguration in the API or its authentication mechanisms, which attackers can exploit to gain unauthorized access or compromise the system.

1. How to Identify with Example Scenario

responses:  
 '200':     
  # missing '401' response definition    
  description: OK    
  content:      
   text/plain:        
    schema:          
     type: string

1. How to Resolve with Example Scenario

responses:  
 '401':    
  description: Unauthorized     
  # a description is required    
  content:      
   text/plain:        
    schema:          
     type: string

2. How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

2. How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings