Undefined integer limit

owasp:api4:2019-integer-limit

Rule Severity:

High

Ensure that endpoints using integers specify limits for them. Use 'minimum' and 'maximum' or 'exclusiveMinimum' and 'exclusiveMaximum' to set the allowed range.
This rule applies at the API Specification level (OAS/Swagger).
Declaring the accepted range for every integer in the API spec helps mitigate resource exhaustion attacks (a sub-type of denial of service). APIs can suffer performance and availability problems when they receive integer values outside the range they were designed to process, for example a page size of 10,000,000 on an endpoint that was only ever tested with values up to 100.

Declared limits also reduce the attack surface for memory-safety bugs such as buffer overflows. An attacker may submit very large or very small values in an attempt to crash the server or trigger a vulnerability in code behind the API; a range check enforced at the API boundary stops those values before they reach that code. Where the API's logic or storage expects values within a particular range, anything outside it can cause unintended behaviour or data corruption, so predefined limits ensure that only valid values are processed or stored.

Finally, explicit integer limits document the contract: they make the API's behaviour clearer and more predictable for integrating developers and systems, and they let the implementation be optimised for the range it actually has to handle.

Example Attack Scenario

Data Corruption: If integer values are used to represent data sizes, offsets, or pointers within the API, an undefined limit could potentially lead to data corruption or buffer overflow vulnerabilities. Attackers could provide maliciously crafted integer values to manipulate data structures or overwrite memory regions beyond the intended boundaries.

1. How to Identify with Example Scenario

type: object
properties:
  myObj:
    # arbitrary name for the object
    type: integer
    # missing "minimum" & "maximum"

1. How to Resolve with Example Scenario

type: object
properties:
  myObj:
    # arbitrary name for the object
    type: integer
    maximum: 99
    minimum: 1
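To check an existing API description for this finding without a full linter, the following added example (written for this page, not part of the OWASP ruleset or the Spectral implementation of owasp:api4:2019-integer-limit) walks an in-memory OpenAPI document and reports every integer schema that lacks a lower or upper bound. It accepts both the OpenAPI 3.0 spelling (numeric minimum/maximum, boolean exclusiveMinimum/exclusiveMaximum) and the OpenAPI 3.1 spelling (numeric exclusiveMinimum/exclusiveMaximum), and it also catches integers nested inside parameters, array items and object properties. The sample document, the path /items and the schema names in it are constructed for the example.

```python
"""Report integer schemas in an OpenAPI 3.x document that declare no range.

Added example, not the OWASP ruleset's or Spectral's own code: a minimal
stand-in for owasp:api4:2019-integer-limit operating on an in-memory document.
"""
from typing import Any

# Keys whose values are data, not schemas, and must not be mistaken for one.
SKIP_KEYS = {"example", "examples", "enum", "default", "const"}


def _is_number(value: Any) -> bool:
    # bool is a subclass of int in Python; a boolean is not a numeric bound.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def has_lower_bound(schema: dict) -> bool:
    """True if the schema bounds the integer from below.

    OAS 3.0 (JSON Schema draft 4): `minimum` carries the bound and
    `exclusiveMinimum` is a boolean modifier.  OAS 3.1 (JSON Schema 2020-12):
    `exclusiveMinimum` is itself a number.  Both spellings count here; a bare
    `exclusiveMinimum: true` with no `minimum` bounds nothing and does not.
    """
    return _is_number(schema.get("minimum")) or _is_number(schema.get("exclusiveMinimum"))


def has_upper_bound(schema: dict) -> bool:
    """Same rule as has_lower_bound, for `maximum` / `exclusiveMaximum`."""
    return _is_number(schema.get("maximum")) or _is_number(schema.get("exclusiveMaximum"))


def _escape(key: str) -> str:
    # JSON Pointer escaping (RFC 6901): "~" -> "~0", "/" -> "~1".
    return key.replace("~", "~0").replace("/", "~1")


def find_unbounded_integers(node: Any, path: str = "#") -> list[str]:
    """Return JSON-pointer paths of every integer schema missing a bound.

    Any mapping with `type: integer` (or a 3.1 type list containing it) is
    treated as a schema, wherever it appears: parameters, request bodies,
    responses, components, array items, nested properties.
    """
    findings: list[str] = []
    if isinstance(node, dict):
        declared = node.get("type")
        types = declared if isinstance(declared, list) else [declared]
        if "integer" in types and not (has_lower_bound(node) and has_upper_bound(node)):
            findings.append(path)
        for key, value in node.items():
            if key in SKIP_KEYS:
                continue
            findings.extend(find_unbounded_integers(value, f"{path}/{_escape(key)}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            findings.extend(find_unbounded_integers(value, f"{path}/{index}"))
    return findings


# Constructed sample document (hypothetical API) exercising the cases above.
SAMPLE_DOC = {
    "openapi": "3.0.3",
    "info": {"title": "Constructed sample", "version": "1.0"},
    "paths": {
        "/items": {
            "get": {
                "parameters": [
                    # no range at all -> reported
                    {"name": "limit", "in": "query", "schema": {"type": "integer"}},
                    # fully bounded -> fine
                    {"name": "page", "in": "query",
                     "schema": {"type": "integer", "minimum": 1, "maximum": 99}},
                ],
                "responses": {"200": {"description": "ok"}},
            }
        }
    },
    "components": {"schemas": {"Page": {
        "type": "object",
        "properties": {
            # OAS 3.0 spelling: boolean exclusiveMaximum qualifies maximum -> fine
            "offset": {"type": "integer", "minimum": 0, "maximum": 1000, "exclusiveMaximum": True},
            # OAS 3.1 spelling: numeric exclusive bounds -> fine
            "count": {"type": "integer", "exclusiveMinimum": 0, "exclusiveMaximum": 100},
            # boolean modifier with no `minimum`: lower bound missing -> reported
            "retries": {"type": "integer", "exclusiveMinimum": True, "maximum": 5},
            # integers nested in array items without bounds -> reported
            "ids": {"type": "array", "items": {"type": "integer"}},
        },
    }}},
}


if __name__ == "__main__":
    for pointer in find_unbounded_integers(SAMPLE_DOC):
        print(f"integer-limit: no range declared at {pointer}")
```

Running the script prints three findings: the `limit` query parameter, the `retries` property (whose boolean `exclusiveMinimum` bounds nothing without a `minimum`) and the `items` schema of `ids`. The `offset` and `count` properties pass, showing that the 3.0 and 3.1 spellings of exclusive bounds are both honoured. Real specs also use `$ref`; resolving references before the walk is left out here to keep the example self-contained.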

2. How to Identify with Example Scenario

Look for integer schemas that declare neither 'minimum'/'exclusiveMinimum' nor 'maximum'/'exclusiveMaximum', as in the first example above.

2. How to Resolve with Example Scenario

Add range constraints to the integer schema. This variant uses exclusive bounds, so the accepted values are 2 through 98:

type: object
properties:
  myObj:
    # arbitrary name for the object
    type: integer
    exclusiveMaximum: 99
    exclusiveMinimum: 1

Note that numeric 'exclusiveMinimum' and 'exclusiveMaximum' are OpenAPI 3.1 (JSON Schema 2020-12) syntax. In OpenAPI 3.0 and Swagger 2.0 these keywords are booleans that qualify 'minimum' and 'maximum' (for example, 'maximum: 99' together with 'exclusiveMaximum: true'); a boolean 'exclusiveMaximum' without a 'maximum' declares no bound at all.
