Findings
Missing array limit
Updated: June 19, 2025
Description
An endpoint is returning an array of items without having a specified limit on the maximum number of items that can be returned.
Array size should be limited to mitigate resource exhaustion attacks. Resource limiting is a standard practice for keeping a service available and making it less susceptible to attack or overuse. One common attack vector is sending extremely large payloads to an API endpoint, which can cause outages, slow down processing, or even crash systems. The OpenAPI Specification provides the maxItems keyword to bound the size of the arrays an endpoint accepts. Enforcing limits this way prevents an API consumer from sending more items than the service allows, and the limit acts as a barrier when someone tries to flood the service with unusually large payloads. Schema limits are useful for API documentation and client-side validation, but they should not be the only line of defense: always ensure that the backend implementation enforces the same limits.
This rule applies at the API Specification level (OAS/Swagger).
Example Attack
Authentication Bypass: If the API relies on arrays for authentication or authorization checks, attackers might exploit a missing array limit to bypass these controls, gaining unauthorized access to restricted resources or performing actions they shouldn't be allowed to.
Remediation
Endpoints ingesting arrays should specify a limit on the number of objects in the array to ensure the availability of the service to all users. Using the OpenAPI Specification to limit the number of items an endpoint can receive in an array is a form of rate limiting. Using the 'maxItems' keyword in array schemas will help prevent denial of service (DoS) attacks.
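The two halves of the remediation above, as an added example that is not part of this finding page: a walker that flags every array schema in an OpenAPI document that lacks maxItems (what this rule checks), and a backend handler that enforces the same limit on the request body. The OpenAPI fragment, the /orders path and the 20-item limit are constructed for illustration.

```python
import json

# Constructed OpenAPI fragment: "lines" omits maxItems, "tags" declares it.
SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/orders": {
            "post": {
                "requestBody": {"content": {"application/json": {"schema": {
                    "type": "object",
                    "properties": {
                        "lines": {"type": "array", "items": {"type": "string"}},
                        "tags": {"type": "array", "items": {"type": "string"},
                                 "maxItems": 20},
                    },
                }}}}
            }
        }
    },
}


def find_unbounded_arrays(node, path="#"):
    """Walk a schema tree and return a slash-joined path (not an escaped
    JSON Pointer) for every array schema that lacks maxItems."""
    found = []
    if isinstance(node, dict):
        if node.get("type") == "array" and "maxItems" not in node:
            found.append(path)
        for key, child in node.items():
            found.extend(find_unbounded_arrays(child, f"{path}/{key}"))
    elif isinstance(node, list):
        for i, child in enumerate(node):
            found.extend(find_unbounded_arrays(child, f"{path}/{i}"))
    return found


def handle_array_body(body: bytes, max_items: int, max_bytes: int = 64 * 1024):
    """Backend enforcement of the same limit. Returns (http_status, result):
    413 for an oversized body, 400 for malformed input, 200 with the list."""
    if len(body) > max_bytes:            # cheap size check before any parsing
        return 413, f"body of {len(body)} bytes exceeds {max_bytes}"
    try:
        data = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    if not isinstance(data, list):
        return 400, "expected a JSON array"
    if len(data) > max_items:            # the maxItems rule, enforced server-side
        return 413, f"{len(data)} items exceeds maxItems={max_items}"
    return 200, data
```

The byte cap rejects a flood of oversized bodies before json.loads allocates memory for them, so the item count check is not the only thing standing between the client and the parser.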
Security Frameworks
Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails, SMS, phone calls, or biometric validation are made available by service providers via API integrations and paid for per request. Successful attacks can lead to Denial of Service or an increase in operational costs.
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client or user. Not only can this impact API server performance, leading to Denial of Service (DoS), but it also leaves the door open to authentication flaws such as brute force.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.