Findings
Accepted negative data
Updated: June 19, 2025
Description
The API accepted data that does not conform to the specification.
This may include incorrect data types, missing required fields, or values outside of the expected range. Accepting such invalid data can lead to unexpected behavior, security vulnerabilities, or data corruption. It also makes the API more prone to attacks, as malicious users may try to exploit the endpoint by sending unexpected or malformed data.
Example Attack
An attacker might attempt to send a specially crafted payload to the API that contains malformed or invalid data, hoping that the system will process it without validation. For example, an attacker could submit an out-of-bounds value for a numerical field, causing the system to crash or behave unexpectedly. If the API accepts this negative or invalid data, it could result in service downtime, unexpected behavior, or even the exploitation of system vulnerabilities, such as buffer overflows or injection attacks. Ensuring the API only accepts valid data prevents such malicious attempts.
Remediation
Ensure that the endpoint in question only processes data that conforms to the specification: check data types, required fields, and value ranges, and reject anything else before it reaches application logic.
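As an added illustration of the remediation (example code written for this page, not taken from it or from any particular product), the following Python module validates a request body against a small schema before any business logic runs, rejecting exactly the cases the finding describes: a negative or out-of-range number, a wrong data type, a missing required field, and an unexpected extra field. The endpoint (POST /orders), its fields (sku, quantity, note), and the ORDER_SCHEMA limits are all assumptions made up for the example; the validator itself is a deliberately minimal subset of JSON Schema so that it runs with the standard library only.

```python
"""Minimal request validation for a JSON API endpoint.

Added example, not code from the original page. It assumes a hypothetical
``POST /orders`` endpoint whose specification says the body must contain a
string ``sku`` and an integer ``quantity`` in the range 1..1000; everything
about the endpoint is invented for this illustration.
"""
import json
from typing import Any

# Hypothetical specification for the request body, expressed in a
# JSON-Schema-like subset (type, required, minimum, maximum, minLength,
# maxLength, additionalProperties).
ORDER_SCHEMA: dict[str, Any] = {
    "type": "object",
    "required": ["sku", "quantity"],
    "additionalProperties": False,
    "properties": {
        "sku": {"type": "string", "minLength": 1, "maxLength": 32},
        "quantity": {"type": "integer", "minimum": 1, "maximum": 1000},
        "note": {"type": "string", "maxLength": 200},
    },
}

# JSON type name -> accepted Python types.
_TYPE_MAP = {
    "string": (str,),
    "integer": (int,),
    "number": (int, float),
    "boolean": (bool,),
    "object": (dict,),
    "array": (list,),
}


def _type_ok(value: Any, expected: str) -> bool:
    # bool is a subclass of int in Python, so `true` would otherwise pass
    # as an integer; JSON treats them as distinct types.
    if expected in ("integer", "number") and isinstance(value, bool):
        return False
    return isinstance(value, _TYPE_MAP[expected])


def validate(value: Any, schema: dict[str, Any], path: str = "$") -> list[str]:
    """Return a list of human-readable violations; an empty list means valid."""
    errors: list[str] = []
    expected = schema.get("type")
    if expected and not _type_ok(value, expected):
        errors.append(f"{path}: expected {expected}, got {type(value).__name__}")
        return errors  # remaining checks assume the declared type

    if expected in ("integer", "number"):
        if "minimum" in schema and value < schema["minimum"]:
            errors.append(f"{path}: {value} is below minimum {schema['minimum']}")
        if "maximum" in schema and value > schema["maximum"]:
            errors.append(f"{path}: {value} exceeds maximum {schema['maximum']}")
    elif expected == "string":
        if "minLength" in schema and len(value) < schema["minLength"]:
            errors.append(f"{path}: shorter than minLength {schema['minLength']}")
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than maxLength {schema['maxLength']}")
    elif expected == "object":
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errors.append(f"{path}.{name}: required field missing")
        for name, sub in value.items():
            if name in props:
                errors.extend(validate(sub, props[name], f"{path}.{name}"))
            elif not schema.get("additionalProperties", True):
                errors.append(f"{path}.{name}: unexpected field")
    return errors


def handle_create_order(raw_body: bytes) -> tuple[int, dict[str, Any]]:
    """Hypothetical handler returning (HTTP status, response body).

    Validation runs before any business logic touches the data, so a
    malformed or out-of-range payload is answered with 400 instead of
    being processed.
    """
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    violations = validate(body, ORDER_SCHEMA)
    if violations:
        return 400, {"error": "invalid request", "details": violations}
    # Business logic would go here; the data is now known to match the spec.
    return 201, {"sku": body["sku"], "quantity": body["quantity"]}


if __name__ == "__main__":
    # Constructed sample payloads: one valid, three of the kind the finding describes.
    samples = [
        b'{"sku": "ABC-1", "quantity": 3}',
        b'{"sku": "ABC-1", "quantity": -5}',   # negative value
        b'{"sku": "ABC-1", "quantity": "3"}',  # wrong type
        b'{"quantity": 3}',                     # missing required field
    ]
    for s in samples:
        print(s.decode(), "->", handle_create_order(s))
```

The handler returns every violation at once rather than stopping at the first, which gives a client a useful error while still leaving the application logic unreachable for any non-conforming body. In production the same effect is usually obtained with a maintained validator (a JSON Schema or OpenAPI library) driven directly from the published specification, so that the validation rules cannot drift from the contract the API documents.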
Security Frameworks
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.