Undefined integer format

owasp-integer-format

Type:

Finding

Rule Severity:

Low

An endpoint is missing format information for an integer parameter.

The difference between 16-bit, 32-bit, and 64-bit integers lies in the amount of memory they occupy and the range of values they can represent. As the bit-width increases, the integer can hold a wider range of values, so larger numbers can be stored. Some APIs might default to a 16-bit integer, while others might use a 32-bit or 64-bit integer. By specifying int32 or int64, developers can ensure that the data is handled the same way regardless of the underlying system. By adhering to these formats, developers can avoid potential overflow or underflow issues that might arise when dealing with large or negative numbers.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

APIs should specify an integer format type (int32 or int64) so that every consumer and server handles the value with the same width, keeping the service available to all users. URL parameters should not include sensitive information such as API keys, passwords, or secrets. Hardcoding secrets or passwords in the API spec can lead to their exposure. Passwords, keys, tokens, or any other secret should be stored securely. Appropriate handling of secrets requires, among other best practices, encryption of secrets at rest and in transit, regular secret expiry and rotation, and short availability in application memory.

Example Attack Scenario

Integer Overflow/Underflow: If the API does not specify the size or range of integers it expects, attackers could send extremely large or small integers that overflow or underflow, leading to unexpected behavior such as data corruption, crashes, or potentially even arbitrary code execution.

How to Identify with Example Scenario

type: object
properties:
  myObj:
    # arbitrary name for the object
    type: integer
    # missing "format:"

How to Resolve with Example Scenario

type: object
properties:
  myObj:
    # arbitrary name for the object
    type: integer
    format: int32
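The check described above can be automated. The following added example (not part of the original finding page, and not the scanner's own code) walks an OpenAPI document, reports every integer schema that omits format, and shows why format matters by range-checking a value against the declared width. The spec is a constructed sample: its "myObj" property mirrors the snippet above, and all names in it are assumptions.

```python
"""Lint an OpenAPI document for integer schemas that omit `format`."""
from typing import Any, Iterator

# Value ranges implied by the two OpenAPI integer formats.
INT_RANGES = {"int32": (-2**31, 2**31 - 1), "int64": (-2**63, 2**63 - 1)}


def walk_schemas(node: Any, path: str = "#") -> Iterator[tuple[str, dict]]:
    """Yield (json_pointer, schema) for every integer schema reachable from node.

    OpenAPI nests schemas under properties, items, allOf/oneOf/anyOf, parameters
    and content; descending into every dict and list covers all of those.
    """
    if isinstance(node, dict):
        if node.get("type") == "integer":
            yield path, node
        for key, child in node.items():
            yield from walk_schemas(child, f"{path}/{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk_schemas(child, f"{path}/{i}")


def find_unformatted_integers(spec: dict) -> list[str]:
    """Return the pointer of every integer schema lacking `format` (the finding)."""
    return [p for p, s in walk_schemas(spec) if "format" not in s]


def value_fits(schema: dict, value: int) -> bool:
    """True if `value` lies inside the range the schema's format declares.
    A schema with no format cannot be range-checked at all, which is the root issue."""
    lo, hi = INT_RANGES[schema["format"]]
    return lo <= value <= hi


# Constructed sample spec (hypothetical paths and names): one parameter declares
# int64, one object property and one array item type omit the format.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "paths": {"/items/{id}": {"get": {
        "parameters": [{"name": "id", "in": "path", "required": True,
                        "schema": {"type": "integer", "format": "int64"}}],
        "responses": {"200": {"description": "ok"}}}}},
    "components": {"schemas": {"Item": {"type": "object", "properties": {
        "myObj": {"type": "integer"},                               # finding
        "qty": {"type": "integer", "format": "int32"},
        "tags": {"type": "array", "items": {"type": "integer"}},    # finding
    }}}},
}

if __name__ == "__main__":
    for pointer in find_unformatted_integers(SAMPLE_SPEC):
        print("owasp-integer-format:", pointer)
```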

References:
https://swagger.io/docs/specification/data-models/data-types/