diff --git a/scala/play/security/webservice-ssrf.yaml b/scala/play/security/webservice-ssrf.yaml
index 1d9c19aa9a..93423165d7 100644
--- a/scala/play/security/webservice-ssrf.yaml
+++ b/scala/play/security/webservice-ssrf.yaml
@@ -27,7 +27,7 @@ rules:
 A parameter being passed directly into `WSClient` most likely lead to SSRF. This could allow an attacker to send data to their own server, potentially exposing sensitive data sent with this request.
- They could also probe internal servers or other resources that the server runnig this code can access.
+ They could also probe internal servers or other resources that the server running this code can access.
 Do not allow arbitrary hosts. Instead, create an allowlist for approved hosts hardcode the correct host. metadata:
diff --git a/yaml/openapi/security/api-key-in-query-parameter.test.yaml b/yaml/openapi/security/api-key-in-query-parameter.test.yaml
new file mode 100644
index 0000000000..22c2df921e
--- /dev/null
+++ b/yaml/openapi/security/api-key-in-query-parameter.test.yaml
@@ -0,0 +1,37 @@
+openapi: 3.1.0
+info:
+ title: Example API
+ description: Example API
+ version: 1.0.0
+
+servers:
+ - url: https://api.example.com/
+
+paths:
+ /test/{param}:
+ get:
+ operationId: test
+ parameters:
+ - name: param
+ in: path
+ required: true
+ description: test
+ schema:
+ type: string
+
+security:
+ - apiKeyAuthQuery: []
+ - apiKeyAuthHeader: []
+
+components:
+ securitySchemes:
+ # ruleid: api-key-in-query-parameter
+ apiKeyAuthQuery:
+ type: apiKey
+ in: query
+ name: api_key
+ # ok: api-key-in-query-parameter
+ apiKeyAuthHeader:
+ type: apiKey
+ in: header
+ name: X-API-Key
diff --git a/yaml/openapi/security/api-key-in-query-parameter.yaml b/yaml/openapi/security/api-key-in-query-parameter.yaml
new file mode 100644
index 0000000000..673c01b8bb
--- /dev/null
+++ b/yaml/openapi/security/api-key-in-query-parameter.yaml
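Review bot: The sentence following the corrected line still reads `Instead, create an allowlist for approved hosts hardcode the correct host.`, which is missing its conjunction; while this message is being edited it should become `Instead, create an allowlist for approved hosts or hardcode the correct host.` The opening sentence has the same kind of slip, `most likely lead to SSRF` for `most likely leads to SSRF`. Both are context lines of this hunk, so each is a one-word change in the same `message` block.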
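Review bot: The only negative case in the new test file is the `in: header` scheme, so nothing shows that an `apiKey` scheme using `in: cookie`, the third value OpenAPI allows for this field, is left alone by the rule. A cookie-based scheme added as a second `# ok:` case under `securitySchemes`, after `apiKeyAuthHeader`, pins that boundary; the top-level `security:` list does not need to reference it for the Semgrep test to run. The constructed scheme below reuses the `api_key` name from the flagged case so the only difference between the two is the `in` value.
```yaml
    # ok: api-key-in-query-parameter
    apiKeyAuthCookie:
      type: apiKey
      in: cookie
      name: api_key
```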
@@ -0,0 +1,45 @@
+rules:
+ - id: api-key-in-query-parameter
+ languages: [yaml]
+ message: >-
+ The $SECURITY_SCHEME security scheme passes an API key in a query parameter.
+ API keys should not be passed as query parameters in security schemes.
+ Pass the API key in the header or body.
+ If using a query parameter is necessary, ensure that the API key is tightly scoped and short lived.
+ severity: ERROR
+ patterns:
+ - pattern-inside: |
+ openapi: $VERSION
+ ...
+ components:
+ ...
+ securitySchemes:
+ ...
+ - metavariable-regex:
+ metavariable: $VERSION
+ regex: 3.*
+ - pattern: |
+ $SECURITY_SCHEME:
+ ...
+ type: apiKey
+ ...
+ in: query
+ metadata:
+ category: security
+ subcategory:
+ - vuln
+ technology:
+ - openapi
+ likelihood: MEDIUM
+ impact: HIGH
+ confidence: HIGH
+ cwe: 'CWE-598: Use of GET Request Method With Sensitive Query Strings'
+ owasp:
+ - 'A04:2021 Insecure Design'
+ - 'A07:2021 Identification and Authentication Failures'
+ references:
+ - https://datatracker.ietf.org/doc/html/rfc6749
+ - https://cwe.mitre.org/data/definitions/598.html
+ - https://owasp.org/Top10/A04_2021-Insecure_Design/
+ - https://owasp.org/Top10/A07_2021-Identification_and_Authentication_Failures/
diff --git a/yaml/openapi/security/use-of-basic-authentication.yaml b/yaml/openapi/security/use-of-basic-authentication.yaml
index befbd9eb23..eb95190a77 100644
--- a/yaml/openapi/security/use-of-basic-authentication.yaml
+++ b/yaml/openapi/security/use-of-basic-authentication.yaml
@@ -24,7 +24,8 @@ rules:
 scheme: basic
 metadata:
 category: security
- subcategory: vuln
+ subcategory:
+ - vuln
 technology:
 - openapi
 likelihood: MEDIUM
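Review bot: The message line `Pass the API key in the header or body.` recommends an option the flagged construct does not have: an OpenAPI `apiKey` security scheme's `in` field takes `query`, `header` or `cookie`, so "body" cannot be expressed in `securitySchemes` and a reader following the advice has nowhere to put it. Suggest `Pass the API key in a header or cookie instead.` Separately, `regex: 3.*` has an unescaped `.` and no anchor; if metavariable-regex is evaluated unanchored in the Semgrep version this repository targets (not verified here), a `$VERSION` such as the constructed value `2.3.0` would also satisfy it, so `^3\.` states the intended "OpenAPI 3.x only" scope more precisely.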