API Security 2023 #51
Conversation
philsturgeon
force-pushed
the
feat/2023
branch
from
9b1a0cb
to
f5eed66
Compare
|
@frankkilcommins fixed all feedback, and upgraded npm dependencies too whilst I'm here. |
|
@philsturgeon We should probably get these rules as part of this done too: What do you think? |
|
For API7:2023 Server Side Request Forgery I was thinking we could enforce that a parameter is named as something like URL i.e e.g., callbackUrl, redirectUri we should |
|
For API9:2023 Improper Inventory Management |
| description: | ||
| "OWASP API Security recommends defining schemas for all responses, even errors. The 401 describes what happens when a request is unauthorized, so its important to define this not just for documentation, but to empower contract testing to make sure the proper JSON structure is being returned instead of leaking implementation details in backtraces.", | ||
| severity: DiagnosticSeverity.Warning, | ||
| given: "$.paths..responses", |
There was a problem hiding this comment.
I think we can make these JSON paths a bit more specific i.e. target various places that have responses property rather than doing ..responses. This can lead to erroneous messages and be relatively slow.
Don't need to do this in this PR but probably good to create an issue for this 🤔
There was a problem hiding this comment.
We need to be a little bit specific because there have been several issues popping up where JSON in examples, where the example JSON might be { responses: { ... } } so I've always tried to point it somewhat in the right direction. I would love somebody better versed with nimma performance to help me understand the right balance of specific and fast but I don't know it insde and out.
I don't believe anything in OWASP API Security Top 10 has any opinion on this. IT definitely doens't care about contact info or description, and the OpenAPI version number might be a bit of a stretch because that doesn't necessarily mean it's the API version number, and even if it does the problem its describing is having too many API versions hosted seperately and this one API document doesn't have any way to know what other APIs are hosted. I would be happier leaving those sort of "make good docs" rules to the Documentation ruleset, so we can let people mix and match things in a modular way, and it means people wont be annoyed by the ruleset telling them irrelevant stuff. |
Good reminder. I've made this #55 with a bit more context, as I really wanted to add this but have been a bit stuck with the direction, and if it's useful to even attempt. |
Happy to give #5 a quick go because you're absolutely right, that needs doing. #12 do we think people are going to have actual back traces in their examples? Perhaps this would happen in some sort of automated OpenAPI learning scenario? I cannot imagine this happening any other way, so I do not know if this is helpful. #3 This one would be lovely to do, and it's something I got working with LintGPT as it's using AI to figure out if any of the field names seem like PII, but I am pretty concerned about adding checks for every single schema to see if it has any fields from a massive list that might be PII. If I have to check every response for id, email, password, address, credit card, gender, etc then that'll be slow. Secondly, is that leaking PII, or is that PII right where its meant to be? If I have a user directory and its VPNed off from the rest of the world, that is not leaking PII it's just a system that has PII. What am I actually looking for here, and how can I implement that in a way which isn't horrendously slow. |
I think it would indeed be strange to intentionally put such traces etc. into an example. What's the thinking around trying to give some use feedback on an API design description? Perhaps:
|
|
@mnaumanali94 I've added #5 and #55. I do not believe #3 can be done in a way that is both useful and vaguely performant. As @frankkilcommins suggests I don't think #12 can be done in a way which is meaningful and sticks to the instructions in the OWASP edition. Yes, we could say "you have to use error format X or Y" and then hopefully they have contract testing, but thats no different to This is more likely to be a check for Prism, where it's noticing a mismatch between OpenAPI and the response from the API implementation, but seeing as Spectral can only look at the design (and people arent going to design unexpected broken backtrace errors into their specs) then I just really don't think there's anything to do here. |
There was a problem hiding this comment.
Changes now look good to me. @mnaumanali94 will need to do the formal approval
|
@philsturgeon When you get a chance can you please resolve the conflicts and then I think we can go ahead and merge. |
philsturgeon
force-pushed
the
feat/2023
branch
from
637ce18
to
f567f33
Compare
philsturgeon
force-pushed
the
feat/2023
branch
from
f567f33
to
ce37483
Compare
|
🎉 This PR is included in version 2.0.0 🎉 The release is available on: Your semantic-release bot 📦🚀 |
Updating the Spectral OWASP ruleset to contain as much of the OWASP API Security Top 10 (2023) as possible with a tool that focuses on scanning the interface.
Motivation and Context
Times change, the world gets more complicated, and OWASP like to move things around. 😋
Description
Updating the Spectral ruleset to match the changes, add new rules where possible, and delete things which no longer seem as relevant.
https://owasp.org/API-Security/editions/2023/en/0x00-header/
How Has This Been Tested?
Testing has been done through unit tests for all new rules.