Skip to main content

Swagger rules

Description

Swagger rules are a set of rules that are used to validate the schema of a REST OpenAPI. They can be at the root of security issues due to their unstructured nature.

Remediation

Comply with the Swagger rules.

REST Specific

Asp_net

Ensure that all user inputs are validated using strong type checking and regular expressions, and encode outputs to prevent XSS attacks. Implement proper exception handling to avoid revealing sensitive information in error messages. Regularly update the ASP.NET framework to patch known vulnerabilities.

Ruby_on_rails

Ensure that you use strong parameters in Ruby on Rails to prevent mass assignment vulnerabilities. Always whitelist controller parameters to control which attributes should be allowed for mass updating.

Next_js

Ensure server-side rendering processes user input securely to prevent XSS attacks, and validate all API requests to avoid injection vulnerabilities. Keep Next.js and its dependencies up to date to mitigate known vulnerabilities.

Laravel

Ensure that all user inputs are properly sanitized and validated before processing. Utilize Laravel's built-in security features such as prepared statements, CSRF protection, and input validation rules to mitigate the risk of injection attacks and other vulnerabilities.

Express_js

Ensure that all routes in the Express.js application are validated against a strict schema to prevent unstructured input, and implement middleware such as 'express-validator' for input validation to mitigate potential security vulnerabilities.

Django

Ensure that Django's built-in protections against XSS, CSRF, and SQL injection are enabled and properly configured. Use Django's template system to automatically escape variables, and never mark safe any user-provided strings unless absolutely necessary. Regularly update the Django framework to incorporate security patches.

Symfony

Ensure that all user inputs are properly sanitized and validated within your Symfony application. Use Symfony's built-in functions like 'filter_var' for input validation and 'htmlspecialchars' for output escaping to prevent XSS attacks. Additionally, leverage the 'ParamConverter' for automatic parameter conversion and validation, and consistently apply 'Security' annotations to enforce access controls on your controllers.

Spring_boot

Ensure that your Spring Boot application is using the latest version of the Spring Framework, which includes security enhancements and bug fixes. Regularly update dependencies to mitigate known vulnerabilities. Additionally, implement proper input validation and output encoding to protect against injection attacks. Use Spring Security for comprehensive security configuration and enable CSRF protection. Always run your application as a user with the least necessary privileges.

Flask

Ensure that all Flask routes and view functions properly validate and sanitize user input to prevent common vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). Utilize Flask extensions like Flask-WTF for form validation and Flask-Talisman for setting security-related HTTP headers.

Nuxt

Ensure that all dynamic data is properly sanitized and validated on both the client and server sides to prevent XSS attacks. Use Nuxt.js's built-in escaping mechanisms to handle user-generated content safely, and regularly update dependencies to mitigate known vulnerabilities.

Fastapi

Ensure that FastAPI endpoints validate and sanitize all input data rigorously to prevent injection attacks. Use Pydantic models to define strict schemas and leverage automatic request validation. Regularly update FastAPI and its dependencies to incorporate security patches.

Configuration

Identifier: schema/swagger_rules

Examples

Ignore this check

checks:
  schema/swagger_rules:
    skip: true

Score

  • Escape Severity: INFO

Compliance

  • OWASP: API9:2023

  • pci: 6.5.1

  • gdpr: Article-32

  • soc2: CC1

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: SA-11

Classification

  • CWE: 758

Score

  • CVSS_VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N