Insecure host (OAS3)

owasp-security-hosts-https-oas3

Type:

Finding

Rule Severity:

Medium

Ensure APIs use HTTPS

HTTPS is the secure version of HTTP, which stands for "HyperText Transfer Protocol." HTTP is the foundation for any data exchange on the web, and HTTPS adds a layer of security to this exchange. The security in HTTPS is achieved through SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security). These are cryptographic protocols designed to provide communications security over a computer network. They encrypt the data that is transferred between a device and the server, making it difficult for eavesdroppers to understand the information even if they can intercept it. When connecting to an API endpoint via HTTPS, the connection is encrypted from the client side (like a browser or application) to the server. This ensures that malicious actors cannot easily read or tamper with the data being transferred.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

All server interactions should use the HTTPS protocol, the OpenAPI scheme being used should be `https`. Endpoints with weak security mechanisms are at risk of being breached.

Example Attack Scenario

Man-in-the-Middle (MitM) Attacks: This kind of attack is where attackers intercept communication between the client and the server. Hosting an API on an insecure host can allow an attacker to eavesdrop or impersonate one of the parties, this can result in the attacker gaining access to sensitive data, manipulating requests or responses, and potentially stealing credentials or other confidential information.

How to Identify with Example Scenario

paths: "/"
servers: 
 - url: http://firetail.io

How to Resolve with Example Scenario

paths: "/"
servers: 
 - url: https://firetail.io

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings