The table below details the finding codes.
Finding name | Finding code | Description |
---|---|---|
Unauthenticated endpoints | firetail:authenticated-endpoint-removed | An endpoint that previously required authentication has been changed to no longer require authentication. |
Numeric IDs | owasp-no-numeric-ids | An endpoint is using a numeric parameter for identifying resources. |
Insecure auth scheme | owasp-auth-insecure-schemes | An endpoint has an insecure authentication scheme set. |
Non-standard JSON Web Token | owasp-jwt-best-practices | An endpoint is using JSON Web Tokens (JWT) that do not adhere to the best current practices detailed in RFC 8725. |
API key in URL | owasp-no-api-keys-in-url | An endpoint is using URL parameters to pass in API keys. |
Credentials in URL | owasp-no-credentials-in-url | An endpoint is using URL parameters to pass in credentials. |
Basic HTTP auth | owasp-no-http-basic | An endpoint is using Basic HTTP authentication. |
Missing global security | owasp-protection-global-safe | An endpoint was found that is not protected by any security scheme. |
Missing authentication | owasp-protection-global-unsafe-strict | An operation is missing authentication. |
Missing global security | owasp-protection-global-unsafe | An endpoint was found that is not protected by any security scheme. |
Missing 401 response | owasp-define-error-responses-401 | An endpoint is missing the definition for a 401 response. |
Missing 500 response | owasp-define-error-responses-500 | An endpoint is missing the definition for a 500 response. |
Missing 4xx response | owasp-define-error-validation | An endpoint is missing the definition for a 4xx response. |
Missing array limit | owasp-array-limit | An endpoint is returning an array of items without having a specified limit on the maximum number of items that can be returned. |
Undefined integer format | owasp-integer-format | An endpoint is missing format information for an integer parameter. |
Legacy integer limit | owasp-integer-limit-legacy | An endpoint is using legacy limits for an integer parameter. |
Undefined integer limit | owasp-integer-limit | An endpoint is missing limit information for an integer parameter. |
Missing 429 response | owasp-define-error-responses-429 | An endpoint is missing a rate limit response. |
Missing retry header | owasp-rate-limit-retry-after | An endpoint is missing the Retry-After header for 429 responses. |
Missing rate limit headers | owasp-rate-limit | An endpoint is missing rate limit headers in 2xx and 4xx responses. |
Undefined string limit | owasp-string-limit | An endpoint is missing limit information for a string parameter. |
Unrestricted string | owasp-string-restricted | An endpoint is missing restrictions for a string parameter. |
Unconstrained additional properties | owasp-constrained-additionalProperties | An endpoint allows for unconstrained additional properties. |
Missing additional properties | owasp-no-additionalProperties | An endpoint is missing the setting for additional properties. |
Insecure host (OAS2) | owasp-security-hosts-https-oas2 | The host is specified with an insecure protocol (HTTP). |
Insecure host (OAS3) | owasp-security-hosts-https-oas3 | The host is specified with an insecure protocol (HTTP). |
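As an added example (not FireTail's own code or ruleset), the following Python checker applies a simplified reading of a few of the codes above (owasp-no-api-keys-in-url, owasp-no-http-basic, owasp-security-hosts-https-oas3, owasp-protection-global-unsafe, owasp-define-error-responses-401/429/500 and owasp-array-limit) to a constructed OpenAPI 3 document; the rule logic is an assumption derived from the table's descriptions, not the product's implementation.

```python
# Added example (not FireTail's own code): a minimal checker that flags a
# handful of the finding codes from the table above on an OpenAPI 3 document.
# Each rule is a simplified reading of the table's description.
UNSAFE = {"post", "put", "patch", "delete"}
METHODS = UNSAFE | {"get", "head", "options", "trace"}

def check_spec(spec):
    """Return a sorted list of (finding_code, location) pairs."""
    found = []
    for name, s in spec.get("components", {}).get("securitySchemes", {}).items():
        loc = f"components.securitySchemes.{name}"
        if s.get("type") == "apiKey" and s.get("in") == "query":
            found.append(("owasp-no-api-keys-in-url", loc))   # key in URL
        if s.get("type") == "http" and s.get("scheme", "").lower() == "basic":
            found.append(("owasp-no-http-basic", loc))        # Basic auth
    for i, srv in enumerate(spec.get("servers", [])):
        if srv.get("url", "").lower().startswith("http://"):
            found.append(("owasp-security-hosts-https-oas3", f"servers[{i}]"))
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in METHODS:
                continue
            loc = f"paths.{path}.{method}"
            # state-changing operation with neither global nor local security
            if method in UNSAFE and not (op.get("security") or spec.get("security")):
                found.append(("owasp-protection-global-unsafe", loc))
            responses = op.get("responses", {})
            for code in ("401", "429", "500"):          # required error responses
                if code not in responses:
                    found.append((f"owasp-define-error-responses-{code}", loc))
            for code, resp in responses.items():        # unbounded array responses
                for media in resp.get("content", {}).values():
                    schema = media.get("schema", {})
                    if schema.get("type") == "array" and "maxItems" not in schema:
                        found.append(("owasp-array-limit", f"{loc}.responses.{code}"))
    return sorted(found)

# Constructed sample spec exhibiting several weaknesses (not a real API).
WEAK_SPEC = {
    "openapi": "3.0.3",
    "servers": [{"url": "http://api.example.test"}],
    "components": {"securitySchemes": {
        "key": {"type": "apiKey", "in": "query", "name": "api_key"},
        "basic": {"type": "http", "scheme": "basic"}}},
    "paths": {"/items": {
        "get": {"responses": {"200": {"content": {"application/json": {
            "schema": {"type": "array", "items": {"type": "string"}}}}}}},
        "delete": {"responses": {"204": {"description": "deleted"}}}}},
}
```

Running `check_spec(WEAK_SPEC)` reports eleven findings; moving the API key to a header, serving over HTTPS, adding `maxItems`, declaring the 401/429/500 responses and attaching a security requirement to `delete` clears them.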
To learn how to view findings and understand the information they contain, go to Findings overview.