Review of checks for the OWASP API Security Top 10 2023 for CAMARA

[rartych]

Problem description
Spectral ruleset rules from the Stoplight API Stylebook implements checks for the OWASP API Security Top 10 2023. These rules can be used with Spectral to automatically lint OpenAPI documents for security issues.

Source: https://github.com/stoplightio/spectral-owasp-ruleset
Documentation: https://apistylebook.stoplight.io/docs/owasp-top-10-2023

Possible evolution
Review the rules and what needs to be changed in CAMARA API guide documents to make API definitions pass the checks.

Alternative solution
Use the ruleset but deactivate rules raising errors for CAMARA APIs supporting current guidelines.

Additional context

Coverage by OWASP Category

• API1:2023 - Broken Object Level Authorization: 1 rule
• API2:2023 - Broken Authentication: 7 rules
• API3:2023 - Broken Object Property Level Authorization: 4 rules
• API4:2023 - Unrestricted Resource Consumption: 8 rules
• API5:2023 - Broken Function Level Authorization: 1 rule
• API6:2023 - Unrestricted Access to Sensitive Business Flows: No automated rules (requires business logic analysis)
• API7:2023 - Server Side Request Forgery: 1 rule
• API8:2023 - Security Misconfiguration: 7 rules
• API9:2023 - Improper Inventory Management: 2 rules
• API10:2023 - Unsafe Consumption of APIs: No automated rules (requires runtime analysis)

Notes

• Not all OWASP recommendations can be checked through static analysis of OpenAPI documents
• Some categories (API6, API10) require runtime behavior analysis and cannot be fully automated
• The ruleset focuses on what can be detected from the API surface definition in OpenAPI

[rartych]

Please find the initial review - the last column CAMARA APIs includes questions/issues for specific rules in relation to CAMARA API guidelines - we can discuss them in dedicated sub-issues.

Rules Review

Rule Name	Severity	Description	Comment	CAMARA APIs
owasp:api1:2023-no-numeric-ids	❗ error	Use random IDs that cannot be guessed. UUIDs are preferred but any other random string will do.	Prevents broken object level authorization by ensuring ID parameters are not numeric/enumerable integers. Numeric IDs make it easy for attackers to iterate through resources.	no impact ✅ enable rule
owasp:api2:2023-auth-insecure-schemes	❗ error	Authentication scheme is considered outdated or insecure.	Some HTTP authorization schemes are now considered insecure, such as NTLM or OAuth v1. Use modern alternatives.	no impact - OpenID used ❔ enable rule?
owasp:api2:2023-jwt-best-practices	❗ error	Security schemes using JWTs must explicitly declare support for RFC8725 in the description.	RFC8725 describes common JWT pitfalls like ignoring algorithms or using insecure algorithms. Implementation should conform to these best practices.	no impact - OpenID used ❔ enable rule?
owasp:api2:2023-no-api-keys-in-url	❗ error	API Key passed in URL.	API Keys passed in headers, cookies or query parameters can be eavesdropped, especially in URLs as logging/history tools will track them.	no impact - OpenID used ❔ enable rule?
owasp:api2:2023-no-credentials-in-url	❗ error	Security credentials detected in path parameter.	URL parameters MUST NOT contain credentials such as API key, password, or secret as they appear in logs and browser history.	no impact - OpenID used ❔ enable rule?
owasp:api2:2023-no-http-basic	❗ error	Security scheme uses HTTP Basic. Use a more secure authentication method, like OAuth 2, or OpenID.	Basic authentication credentials transported over network are more susceptible to interception. Passwords and tokens are not encrypted.	no impact - OpenID used ❔ enable rule?
owasp:api2:2023-short-lived-access-tokens	❗ error	Authentication scheme does not appear to support refresh tokens, meaning access tokens likely do not expire.	Using short-lived access tokens with refresh tokens is a good practice. Reduces the window for malicious use of compromised tokens.	no impact - OpenID used ❔ enable rule?
owasp:api2:2023-write-restricted	❗ error	This write operation is not protected by any security scheme.	All write operations (POST, PUT, PATCH, DELETE) must be secured by at least one security scheme to prevent unauthorized modifications.	no impact - OpenID used ❔ enable rule?
owasp:api4:2023-array-limit	❗ error	Schema of type array must specify maxItems.	Array size should be limited to mitigate resource exhaustion attacks. Prevents unbounded arrays from consuming excessive resources.	❗ new requirement needed ❓ enable rule?
owasp:api4:2023-integer-limit	❗ error	Schema of type integer must specify minimum and maximum.	Integers should be limited to avoid negative numbers when positive expected, or reduce unreasonable iterations (e.g., 1000 times vs 10).	for OAS 3.1 (no impact now) ❔ enable rule?
owasp:api4:2023-integer-limit-legacy	❗ error	Schema of type integer must specify minimum and maximum.	Same as integer-limit but for OAS 2.0 and OAS 3.0.x which handle number constraints differently than OAS 3.1.x.	❗ new requirement needed ❓ enable rule?
owasp:api4:2023-integer-format	❗ error	Schema of type integer must specify format (int32 or int64).	Specifying integer format helps prevent resource exhaustion by making size constraints explicit.	❗ new requirement needed ❓ enable rule?
owasp:api4:2023-rate-limit	❗ error	All 2XX and 4XX responses should define rate limiting headers.	Proper rate limiting prevents attackers from overloading the API. Use IETF RateLimit headers or custom headers like X-RateLimit-Limit.	no RFC yet - implementation specific? ❓ disable rule?
owasp:api4:2023-rate-limit-retry-after	❗ error	A 429 response should define a Retry-After header.	Setting Retry-After helps well-meaning consumers back off gracefully without exacerbating problems.	implementation specific? ❓ disable rule?
owasp:api4:2023-string-limit	❗ error	Schema of type string must specify maxLength, enum, or const.	String size should be limited to mitigate resource exhaustion attacks. Use maxLength, enum, or const to constrain values.	❗ new requirement needed ❓ enable rule?
owasp:api5:2023-admin-security-unique	❗ error	Admin endpoint has the same security requirement as a non-admin endpoint.	Administrative functions should use different security schemes than regular functions to prevent privilege escalation attacks.	no impact ❔ enable rule?
owasp:api8:2023-define-cors-origin	❗ error	CORS header should be defined on all responses.	Setting up CORS headers controls which websites can make browser-based HTTP requests to your API. Use wildcard, null, or specific origins.	implementation specific? ❓ disable rule?
owasp:api8:2023-no-scheme-http	❗ error	Server schemes must not use http. Use https or wss instead.	HTTP is inherently insecure and can lead to PII leakage through traffic sniffing or man-in-the-middle attacks. Use HTTPS/WSS.	no impact ✅ enable rule
owasp:api8:2023-no-server-http	❗ error	Server URLs must not use http://. Use https:// or wss:// instead.	Server URLs must use secure protocols. HTTP can expose sensitive information through unencrypted traffic.	no impact ✅ enable rule
owasp:api9:2023-inventory-access	❗ error	Declare intended audience of every server by defining servers[0].x-internal as true/false.	Use x-internal vendor extension (true/false) to explicitly declare if a server is internal or public-facing for documentation.	implementation specific ❓ disable rule?
owasp:api9:2023-inventory-environment	❗ error	Declare intended environment in server descriptions using terms like local, staging, production.	Make it clear which servers run in which environment to avoid exposing test data publicly or bypassing security measures.	implementation specific ❓ disable rule?
owasp:api2:2023-read-restricted	⚠️ warn	This read operation is not protected by any security scheme.	Read operations (GET, HEAD) should be secured by at least one security scheme to prevent unauthorized data access.	no impact - OpenID used ❔ enable rule?
owasp:api3:2023-constrained-additionalProperties	⚠️ warn	Objects should not allow unconstrained additionalProperties.	When additionalProperties are not disabled, constrain them with maxProperties to prevent mass assignment vulnerabilities.	HTTPSettings in subscription template ❓ enable rule and change template?
owasp:api3:2023-constrained-unevaluatedProperties	⚠️ warn	Objects should not allow unconstrained unevaluatedProperties.	When unevaluatedProperties are not disabled, constrain them with maxProperties to prevent mass assignment.	for OAS 3.1 (no impact now) ❔ enable rule?
owasp:api3:2023-no-additionalProperties	⚠️ warn	If the additionalProperties keyword is used it must be set to false.	By default JSON Schema allows additional properties, potentially leading to mass assignment issues. Disable with additionalProperties: false or add maxProperties.	HTTPSettings in subscription template ❓ enable rule and change template?
owasp:api3:2023-no-unevaluatedProperties	⚠️ warn	If the unevaluatedProperties keyword is used it must be set to false.	Similar to additionalProperties but for JSON Schema 2020-12 (OAS 3.1). Prevents unvalidated fields from being accepted.	for OAS 3.1 (no impact now) ❔ enable rule?
owasp:api4:2023-rate-limit-responses-429	⚠️ warn	Operation is missing rate limiting response (code 429)}.	Defining a 429 response ensures rate limiting is properly implemented and documented, preventing resource exhaustion attacks.	⚠️ Error 429 is not mandatory - new requirement needed? ❓ enable rule?
owasp:api4:2023-string-restricted	⚠️ warn	Schema of type string should specify a format, pattern, enum, or const.	To avoid unexpected values being sent or leaked, strings should have a format, RegEx pattern, enum, or const defined.	⚠️ format/pattern recommended new requirement needed? ❓ enable rule?
owasp:api8:2023-define-error-validation	⚠️ warn	Missing error response of either 400, 422 or 4XX.	Carefully define schemas for all API responses, including error responses for invalid requests to avoid leaking implementation details.	401/403 mandatory 400/422 optional ❓ enable rule?
owasp:api8:2023-define-error-responses-401	⚠️ warn	Operation is missing 401 response.	Define 401 response schemas to ensure proper handling of unauthorized requests without leaking implementation details in backtraces.	401 mandatory ❓ enable rule?
owasp:api8:2023-define-error-responses-500	⚠️ warn	Operation is missing 500 response.	Define 500 response schemas to ensure internal server errors return proper JSON structure instead of exposing backtraces.	500 not recommended ❓ disable rule?
owasp:api7:2023-concerning-url-parameter	ℹ️ info	Make sure to review the way this URL is handled to protect against Server Side Request Forgery.	Parameters containing URLs (callback, redirect, *_url) can lead to SSRF if not properly validated. Review handling carefully.	no impact ✅ enable rule

Rule Severity Levels

• ❗Error: Critical security issues that should be fixed immediately
• ⚠️Warning: Important security concerns that should be addressed
• ℹ️Information: Informational messages about potential security considerations

[rartych]

Sub-issues created for api2, api3, api4 and api8 rule groups, other rules:

• owasp:api1:2023-no-numeric-ids - keep ✅
• owasp:api5:2023-admin-security-unique - keep ✅
• owasp:api9:2023-inventory-access - disable ❌
• owasp:api9:2023-inventory-environment - disable ❌
• ℹ️ owasp:api7:2023-concerning-url-parameter ✅