Undefined string limit

owasp-string-limit

Type: Finding

Rule Severity: Low

An endpoint is missing limit information for a string parameter.

A string limit is the maximum length of a string that can be sent as a parameter or received in a response when calling the API. The API provider sets it so that data exchanged through the API stays within a known size. Very long strings increase the time needed to process a request or response and can cause performance problems; bounding string length also closes off a class of attacks that rely on an API not handling large input safely.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

Determine the possible range of lengths for the parameter and specify the appropriate limits. String size should be limited to mitigate resource exhaustion attacks. This can be done using `maxLength`, `enum` or `const`: `maxLength` caps the length directly, while `enum` and `const` bound it implicitly by restricting the value to a fixed set of known strings.

Example Attack Scenario

Buffer Overflow: if the API does not enforce a limit on the length of the strings it accepts as input, it may be susceptible to buffer overflow attacks. An attacker can supply an excessively long string, causing the API to write past the bounds of an allocated buffer, which may lead to memory corruption or arbitrary code execution. This outcome requires a backend component written in a memory-unsafe language; on memory-safe runtimes the same unbounded input still drives the resource-exhaustion risk described under Remediation.

How to Identify with Example Scenario

```yaml
schemas:
  Myobj:
    type: string
```

How to Resolve with Example Scenario

```yaml
schemas:
  Myobj:
    type: string
    maxLength: 99
```
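The following script is an added example, not tooling from the page or from the project that publishes this rule. It implements the check the Remediation section describes: walk an OpenAPI 3 document and report every string schema that declares none of `maxLength`, `enum` or `const`, so that the `Myobj` case above is flagged and the fixed version is not. The sample specification and its schema names (`Myobj`, `FixedObj`, `Status`, `User`, `/search`) are constructed here for illustration; the walker also descends into object properties, array items, `allOf`/`anyOf`/`oneOf` branches, operation parameters and request bodies, which goes beyond the single-schema case shown on the page. `$ref` links are not resolved: a referenced component is reported once, at its definition under `components/schemas`.

```python
"""Report OpenAPI 3 string schemas with no length bound (owasp-string-limit).

Added example; the spec below is constructed, not taken from any real API.
"""
from typing import Any, Iterator, List

# Keywords that bound a string's length, per the rule's remediation text.
LENGTH_BOUNDING_KEYS = ("maxLength", "enum", "const")


def _ptr_escape(segment: str) -> str:
    """Escape one JSON Pointer segment (RFC 6901): '~' -> '~0', '/' -> '~1'."""
    return segment.replace("~", "~0").replace("/", "~1")


def _walk_schema(schema: Any, path: str) -> Iterator[str]:
    """Yield JSON Pointer paths of every unbounded string schema under `schema`."""
    if not isinstance(schema, dict):
        return
    if schema.get("type") == "string" and not any(k in schema for k in LENGTH_BOUNDING_KEYS):
        yield path
    # Recurse into object properties, array items and composition keywords.
    for name, sub in schema.get("properties", {}).items():
        yield from _walk_schema(sub, f"{path}/properties/{_ptr_escape(name)}")
    if "items" in schema:
        yield from _walk_schema(schema["items"], f"{path}/items")
    for comb in ("allOf", "anyOf", "oneOf"):
        for i, sub in enumerate(schema.get(comb, [])):
            yield from _walk_schema(sub, f"{path}/{comb}/{i}")
    if isinstance(schema.get("additionalProperties"), dict):
        yield from _walk_schema(schema["additionalProperties"], f"{path}/additionalProperties")


def find_unbounded_strings(spec: dict) -> List[str]:
    """Return pointers to all string schemas in `spec` lacking a length bound."""
    findings: List[str] = []
    for name, schema in spec.get("components", {}).get("schemas", {}).items():
        findings.extend(_walk_schema(schema, f"#/components/schemas/{_ptr_escape(name)}"))
    for route, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if not isinstance(op, dict):
                continue
            base = f"#/paths/{_ptr_escape(route)}/{method}"
            for i, param in enumerate(op.get("parameters", [])):
                findings.extend(_walk_schema(param.get("schema"), f"{base}/parameters/{i}/schema"))
            for media, body in op.get("requestBody", {}).get("content", {}).items():
                findings.extend(
                    _walk_schema(body.get("schema"), f"{base}/requestBody/content/{_ptr_escape(media)}/schema")
                )
    return findings


# Constructed sample: one unbounded top-level schema (the page's Myobj case),
# its fixed form, an enum-bounded string, a nested object and a query parameter.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "schemas": {
            "Myobj": {"type": "string"},                                   # finding
            "FixedObj": {"type": "string", "maxLength": 99},               # bounded
            "Status": {"type": "string", "enum": ["active", "disabled"]},  # bounded
            "User": {
                "type": "object",
                "properties": {
                    "name": {"type": "string", "maxLength": 64},           # bounded
                    "bio": {"type": "string"},                             # finding
                    "tags": {"type": "array", "items": {"type": "string"}},  # finding (items)
                },
            },
        }
    },
    "paths": {
        "/search": {
            "get": {
                "parameters": [{"name": "q", "in": "query", "schema": {"type": "string"}}]  # finding
            }
        }
    },
}

if __name__ == "__main__":
    for pointer in find_unbounded_strings(SAMPLE_SPEC):
        print(f"owasp-string-limit: unbounded string at {pointer}")
```

Each reported pointer is the place where adding `maxLength` (or `enum`/`const`) resolves the finding. To run it against a real document, load the YAML or JSON file into a dict with your preferred parser and pass it to `find_unbounded_strings`.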
