Undefined integer limit
Updated: June 19, 2025
Description
An endpoint is missing limit information for an integer parameter.
Specifying limits helps prevent potential attacks such as buffer overflows: an attacker might submit very large or very small values in an attempt to crash a server or exploit a vulnerability, and clearly defined boundaries let developers safeguard their infrastructure against these threats. Where an API's logic or data storage expects values within a particular range, any value outside that range can cause unintended behavior or data corruption; predefined limits ensure that only valid, acceptable values are processed or stored, reducing the chance of unexpected errors. Specific integer limits also make an API's behavior clearer and more predictable, which reduces misunderstandings and streamlines integration for other developers or systems interacting with the endpoint. Finally, bounded integer inputs can improve overall system performance: when a system is designed to handle only values within a defined range, optimization strategies can be applied more effectively, ensuring smooth and efficient operation.
This rule applies at the API Specification level (OAS/Swagger).
Example Attack
Data Corruption: If integer values are used to represent data sizes, offsets, or pointers within the API, an undefined limit could potentially lead to data corruption or buffer overflow vulnerabilities. Attackers could provide maliciously crafted integer values to manipulate data structures or overwrite memory regions beyond the intended boundaries.
Remediation
Ensure that endpoints using integer parameters specify limits for them: use 'minimum' and 'maximum', or 'exclusiveMinimum' and 'exclusiveMaximum', to set the allowed range. Explicitly restricting integers to a specified range in the API spec helps mitigate resource exhaustion attacks (a sub-type of denial of service), since APIs may suffer performance and availability issues when faced with integer values they were not designed to process.
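As an added example (not code from the finding page or its vendor), the following Python checks a raw query-string value against the limit keywords the remediation names, and shows why the OAS version matters: in OAS 3.0 'exclusiveMinimum' is a boolean that modifies 'minimum', while in OAS 3.1 it is itself the numeric bound. The schemas are constructed for the example, with the unbounded form this finding flags beside the corrected forms.

```python
import math
import re

# Constructed schemas: the unbounded form the finding flags, then corrected forms.
WEAK_SCHEMA = {"type": "integer"}                                # no limits
FIXED_SCHEMA = {"type": "integer", "minimum": 1, "maximum": 100}  # inclusive
# OAS 3.0: exclusiveMinimum is a boolean that modifies `minimum`.
FIXED_OAS30 = {"type": "integer", "minimum": 0, "exclusiveMinimum": True, "maximum": 100}
# OAS 3.1 (JSON Schema 2019-09+): exclusiveMinimum is itself the bound.
FIXED_OAS31 = {"type": "integer", "exclusiveMinimum": 0, "maximum": 100}

_INT_RE = re.compile(r"^-?(0|[1-9][0-9]*)$")  # strict: rejects "+5", " 5", "1_000", "1e3"


def _is_number(value):
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def integer_bounds(schema):
    """Return (low, high) as inclusive integer bounds; None on a side with no limit."""
    low, high = schema.get("minimum"), schema.get("maximum")
    ex_min, ex_max = schema.get("exclusiveMinimum"), schema.get("exclusiveMaximum")
    if ex_min is True and low is not None:          # OAS 3.0 boolean form
        low = math.floor(low) + 1
    elif _is_number(ex_min):                        # OAS 3.1 numeric form
        cand = math.floor(ex_min) + 1
        low = cand if low is None else max(low, cand)
    if ex_max is True and high is not None:
        high = math.ceil(high) - 1
    elif _is_number(ex_max):
        cand = math.ceil(ex_max) - 1
        high = cand if high is None else min(high, cand)
    return low, high


def is_bounded(schema):
    """True only when the schema limits the integer on both sides."""
    low, high = integer_bounds(schema)
    return low is not None and high is not None


def validate_param(raw, schema):
    """Check a raw query-string value against the schema; returns (ok, reason)."""
    if not _INT_RE.match(raw):
        return False, "not an integer literal"
    value = int(raw)
    low, high = integer_bounds(schema)
    if low is not None and value < low:
        return False, f"{value} below minimum {low}"
    if high is not None and value > high:
        return False, f"{value} above maximum {high}"
    return True, "ok"
```

Against WEAK_SCHEMA a 20-digit value passes, which is exactly the gap the finding describes; against any of the bounded schemas it is rejected before reaching application logic.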
Security Frameworks
Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs.
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.