Missing 401 response

owasp-define-error-responses-401

Type:

Finding

Rule Severity:

Low

An endpoint is missing the definition for a 401 response.

Consistent and well-documented HTTP status codes in API specifications play a vital role in the usability and understanding of an API. When developers consume an API, clear status code definitions save them time and reduce the risk of misinterpreting a response. HTTP 401, in particular, signifies that the requester has not provided the credentials necessary to view the resource. This is a common response in APIs, especially those that require authentication.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

Ensure API specifications include definitions for 401 responses. API endpoints that do not return HTTP status code descriptions are more difficult to use for developers. Adding standard responses to API specifications ensures use of those APIs is predictable and safe.

Example Attack Scenario

Security Misconfiguration Exploitation: The absence of a 401 response may indicate a broader security misconfiguration in the API or its authentication mechanisms, which attackers can exploit to gain unauthorized access or compromise the system.

How to Identify with Example Scenario

responses:  
 '200':     
  # missing '401' response definition    
  description: OK    
  content:      
   text/plain:        
    schema:          
     type: string

How to Resolve with Example Scenario

responses:  
 '401':    
  description: Unauthorized     
  # a description is required    
  content:      
   text/plain:        
    schema:          
     type: string

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings
Malicious activity found in logs
AWS ALB listeners should be configured with a strong security policy
AWS Load Balancer missing deletion protection
Plaintext unknown authentication
Basic HTTP auth
SQL Injection found in logs