Undefined string limit

owasp:api4:2019-string-limit

Rule Severity: High

Ensure that query-string properties and parameters have an explicitly defined maximum length. In an OpenAPI document this is done with maxLength, or by restricting the value set with enum or const.

This rule applies at the API specification level (OAS/Swagger).

Endpoints that accept query-string properties or parameters of unlimited length are at risk of service interruption.

A string limit is the maximum allowed length of a string that can be sent as a parameter or received in a response when making API requests. The API provider sets the limit so that data exchanged through the API does not exceed a certain size. Very long strings increase the time needed to process a request or response and can cause performance problems. Limiting string length also helps prevent certain attacks that become possible when an API does not properly handle large input data.

Example Attack Scenario

Buffer Overflow: If the API does not enforce a limit on the length of strings accepted as input, it may be susceptible to buffer overflow attacks. Attackers can provide excessively long strings, causing the API to write data beyond the bounds of allocated buffers, potentially leading to memory corruption or arbitrary code execution.

1. How to Identify with Example Scenario

schemas:
  Myobj:
    type: string        # no maxLength, enum or const: length is unbounded

1. How to Resolve with Example Scenario

schemas:
  Myobj:
    type: string
    maxLength: 99       # explicit upper bound on the string length
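The following checker, added here as an illustration and not the rule's own implementation, applies the identify step above to a whole OpenAPI 3 document: it walks every operation's query parameters, follows local $ref pointers such as the Myobj component schema, and reports string schemas that carry none of maxLength, enum or const. The sample specification embedded in the script is constructed for the example.

```python
"""Report query-string parameters whose string schema has no length limit.

Added example, not the rule's own implementation. Only local "#/..." $ref
pointers are resolved; remote references are treated as unknown and skipped.
"""
import copy
from typing import Any

# Constructed sample OpenAPI 3 document (not from the page). "q" and "sort"
# are bounded (maxLength / enum), "tag" points at the unbounded Myobj schema,
# and "page" is a path parameter, which is outside this rule's scope.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "paths": {
        "/search": {
            "get": {
                "parameters": [
                    {"name": "q", "in": "query",
                     "schema": {"type": "string", "maxLength": 99}},
                    {"name": "tag", "in": "query",
                     "schema": {"$ref": "#/components/schemas/Myobj"}},
                    {"name": "sort", "in": "query",
                     "schema": {"type": "string", "enum": ["asc", "desc"]}},
                    {"name": "page", "in": "path", "required": True,
                     "schema": {"type": "string"}},
                ]
            }
        }
    },
    "components": {"schemas": {"Myobj": {"type": "string"}}},
}

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
LIMITERS = ("maxLength", "enum", "const")   # any one of these bounds the value


def resolve(spec: dict, node: Any) -> dict:
    """Follow local '#/...' $ref pointers until a concrete object is reached.

    Returns {} for remote or cyclic references so callers treat them as unknown.
    """
    seen: set[str] = set()
    while isinstance(node, dict) and "$ref" in node:
        ref = node["$ref"]
        if not ref.startswith("#/") or ref in seen:
            return {}
        seen.add(ref)
        node = spec
        for part in ref[2:].split("/"):
            # JSON Pointer escaping: ~1 -> "/", ~0 -> "~"
            key = part.replace("~1", "/").replace("~0", "~")
            node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}


def is_unbounded_string(spec: dict, schema: Any) -> bool:
    """True when the (resolved) schema is a string with no length restriction."""
    schema = resolve(spec, schema)
    return schema.get("type") == "string" and not any(k in schema for k in LIMITERS)


def find_unbounded_query_strings(spec: dict) -> list[tuple[str, str, str]]:
    """Return (path, method, parameter name) for every unbounded query string."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        shared = item.get("parameters", [])          # path-level parameters
        for method in HTTP_METHODS:
            op = item.get(method)
            if not isinstance(op, dict):
                continue
            for param in shared + op.get("parameters", []):
                param = resolve(spec, param)          # parameters may be $ref'd too
                if param.get("in") != "query":
                    continue
                if is_unbounded_string(spec, param.get("schema", {})):
                    findings.append((path, method, param.get("name", "?")))
    return findings


def fixed_copy(spec: dict, schema_name: str, max_length: int) -> dict:
    """Return a copy of spec with maxLength added to one component schema."""
    fixed = copy.deepcopy(spec)
    fixed["components"]["schemas"][schema_name]["maxLength"] = max_length
    return fixed


if __name__ == "__main__":
    for path, method, name in find_unbounded_query_strings(SAMPLE_SPEC):
        print(f"{method.upper()} {path}: query parameter '{name}' has no string limit")
    print("after fix:", find_unbounded_query_strings(fixed_copy(SAMPLE_SPEC, "Myobj", 99)))
```

Resolving $ref matters in practice: a rule that only looks at the inline schema of each parameter misses the common case where the query parameter points at a shared component, which is exactly where the Myobj example above lives.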
