Missing 4xx response

owasp:api2:2019-define-error-validation

Rule Severity:

High

Ensure API specifications include definitions for 400, 422, and 4XX responses.
This rule applies at the API Specification level (OAS/Swagger).
APIs endpoints that do not return HTTP status codes descriptions are more difficult to use for developers. Adding standard responses to API specifications ensures use of those APIs is predictable and safe.
When an API consumer sends an invalid request, a 400 Bad Request response indicates that the server couldn't understand the request due to invalid syntax. A 422 Unprocessable Entity response signifies that the server understands the request, but it can't process it due to semantic errors. By specifying these responses, developers offer guidance to API consumers on the nature of their mistakes, allowing them to diagnose and rectify issues more efficiently. By defining a range of 4XX responses, developers can cater to various error scenarios, ensuring that the API provides meaningful feedback for a wide array of potential client-side issues. This not only enhances the user experience but also reduces the support burden on the API provider, as consumers are better equipped to troubleshoot problems on their own.

Example Attack Scenario

Input Validation Bypass: Without receiving a proper 400 response for invalid input, attackers can potentially submit malformed or unexpected data to the API endpoint. This could lead to the API processing the input incorrectly, possibly resulting in unexpected behavior or security vulnerabilities.

1. How to Identify with Example Scenario

responses:  
 '200':
  # missing '400' response definition    
  description: OK    
  content:      
   text/plain:        
    schema:          
    type: string

1. How to Resolve with Example Scenario

responses:  
 '400':    
  description: Unauthorized     
  # a description is required    
  content:      
   text/plain:        
    schema:          
     type: string

2. How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications
responses:  
 '200':
  # missing '422' response definition    
  description: OK    
  content:
   text/plain:
    schema:
     type: string

2. How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
responses:  
 '422':    
  description: Unauthorized     
  # a description is required    
  content:      
   text/plain:        
    schema:          
     type: string
References:

More findings

All Findings