API key in URL

owasp-no-api-keys-in-url

Type:

Finding

Rule Severity:

High

An endpoint is using URL parameters to pass in API keys.

An API key is a unique series of characters included in a request to verify that the requesting system is allowed to communicate with the receiving system. If an API requires a key, the API provider assigns the key to an authorized API user, who includes it in every request. The API key identifies the application making the call and ensures that it has the correct access to call the API. If the API key is not valid, the API sends back an error response.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

Ensure that endpoints requiring API keys accept them in a request header, not in the path (URL) or in query string parameters. API keys should be passed in a request header to limit their exposure to man-in-the-middle attacks.

Example Attack Scenario

Data Exposure: Attackers who obtain an API key exposed in a URL may use it to access sensitive data or resources exposed by the API. This could include personal information, financial data, or other confidential information that could be leveraged for malicious purposes, such as identity theft or fraud.

How to Identify with Example Scenario

securitySchemes:
  apiKey:            # arbitrary name for the security scheme
    type: apiKey
    in: query
    name: X-API-KEY  # name of the query parameter

How to Resolve with Example Scenario

securitySchemes:
  apiKey:            # arbitrary name for the security scheme
    type: apiKey
    in: header
    name: X-API-KEY  # name of the header, query parameter or cookie
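The identification step above can be automated. The following is an added example, not part of the original page or any scanner it describes: it walks a parsed OpenAPI document (a constructed sample is embedded inline), flags every apiKey security scheme declared with in: query, and reports which operations actually rely on it, honouring operation-level security overrides. It also accepts the older Swagger 2.0 securityDefinitions location.

```python
import json

# Constructed sample OpenAPI 3 document (not from the original page): one apiKey
# scheme in the query string, one in a header, and operations using each.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "components": {
    "securitySchemes": {
      "queryKey":  {"type": "apiKey", "in": "query",  "name": "api_key"},
      "headerKey": {"type": "apiKey", "in": "header", "name": "X-API-KEY"}
    }
  },
  "security": [{"queryKey": []}],
  "paths": {
    "/users":  {"get": {"security": [{"headerKey": []}]}},
    "/orders": {"get": {}}
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def find_api_keys_in_url(spec):
    """Return {scheme_name: [operations using it]} for every apiKey scheme
    whose key is carried in the query string (i.e. in the URL)."""
    # OpenAPI 3 keeps schemes under components; Swagger 2.0 used securityDefinitions.
    schemes = spec.get("components", {}).get("securitySchemes") or spec.get("securityDefinitions", {})
    offenders = {
        name: []
        for name, s in schemes.items()
        if s.get("type") == "apiKey" and s.get("in") == "query"
    }
    if not offenders:
        return {}
    global_sec = spec.get("security", [])
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # An operation-level 'security' list overrides the document-level one.
            requirements = op.get("security", global_sec)
            for req in requirements:
                for scheme in req:
                    if scheme in offenders:
                        offenders[scheme].append(f"{method.upper()} {path}")
    return offenders
```

On the sample, GET /users is clean because its own security list names the header scheme, while GET /orders inherits the document-level queryKey requirement and is reported.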

How to Identify with Example Scenario

Look for an apiKey security scheme declared with "in: query" in the API specification, as shown in the identification example above.

How to Resolve with Example Scenario

Change that scheme to "in: header", as shown in the resolution example above, so the key is sent in a request header rather than in the URL.

References:
https://swagger.io/docs/specification/authentication/
