Missing additional properties

owasp-no-additionalProperties

Type:

Finding

Rule Severity:

Low

An endpoint is missing the setting for additional properties.

The additionalProperties keyword specifies the behavior of properties in an object that are not explicitly defined in the schema. It's often used for defining request or response payloads. By default, the JSON Schema allows additional properties. Setting additionalProperties to true or false indicates if the schema can contain properties other than those defined by the properties map. Setting additionalProperties to true allows any additional properties in the JSON object, even those not defined in the schema. Any additional properties are not validated against the schema. Setting additionalProperties to false prevents any additional properties in the JSON object that are not explicitly defined in the schema. Any additional properties will lead to a validation error.

This rule applies at the API Specification level (OAS/Swagger).

Remediation

Ensure request bodies sent to endpoints do not allow objects containing unexpected additional properties. This will ensure no read-only object property can be altered by non-privileged users. .The additionalProperties option should be used in the OpenAPI spec. This option prevents Broken Object Property Level Authorization exploits. Endpoints receiving objects with the additionalProperties option set to true can receive unexpected parameters. This can allow for unintended application behavior or privilege escalation.

Example Attack Scenario

Privilege Escalation: If the API relies on the absence of additional properties for authorization or privilege checks, attackers might exploit this vulnerability to escalate their privileges and gain unauthorized access to restricted resources or perform actions they shouldn't be allowed to.

How to Identify with Example Scenario

schemas:
 Object:
  # arbitrary name for the object
  type: object
  title: Object
  # arbitrary name for the object
  additionalProperties: true

How to Resolve with Example Scenario

schemas:
 Object:
  # arbitrary name for the object
  type: object
  title: Object
  # arbitrary name for the object
  additionalProperties: false

How to Identify with Example Scenario

Find the text in bold to identify issues such as these in API specifications

How to Resolve with Example Scenario

Modify the text in bold to resolve issues such as these in API specifications
References:
https://swagger.io/docs/specification/data-models/data-types/#additionalProperties

More findings

All Findings
AppSync GraphQL API missing WAF
Mailgun secrets found in logs
Insecure host (OAS2)
Basic Authentication found in logs
Missing retry header
Average request header size reduced