Unrestricted string

owasp-string-restricted

Type:

Finding

Rule Severity:

Low

Ensure APIs that process strings have a format, RegEx pattern, enum, or `const defined in their scheme.

A string is a data type. Format relates to the structure and rules of the string. A regex pattern is a sequence of characters that define a search pattern.
An Enum is a data type that consists of a fixed set of named values.
Const is used to define values that should remain fixed.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

Determine the possible values/patterns for the parameter and specify an appropriate format or RegEx pattern. To avoid unexpected values being sent or leaked, ensure that strings have either a `format`, RegEx `pattern`, `enum`, or `const`. Expecting a specific structure for incoming or outgoing strings is a form of input and output validation. The more stringent the validation, the less likely unintended values can be injected or leaked.

Example Attack Scenario

Injection Attacks: Attackers can potentially exploit unrestricted string inputs to perform various injection attacks, such as SQL injection, NoSQL injection, or command injection. As a result of inserting malicious code or commands into the string input, attackers can manipulate the behavior of the system and even potentially gain unauthorized access, extract sensitive data, or run commands on the underlying system.

How to Identify with Example Scenario

schemas:
 Myobj:
  type: string

How to Resolve with Example Scenario

schemas:
 Myobj:
  type: string
  format: email

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:

More findings

All Findings
Insecure host (OAS2)
AWS ALB listeners should be configured with a strong security policy
Average response payload size elevated
Basic Authentication found in logs
Mailgun secrets found in logs
Data exposure detected