Findings
Legacy integer limit
Updated: June 19, 2025
Description
An endpoint is using legacy limits for an integer parameter.
Setting limits helps protect a system against abuse and unforeseen edge cases, such as very large numbers causing excessive resource consumption or integer overflows. Defining a clear range for integer values makes the system more predictable, reducing the likelihood of unexpected errors or behaviour when out-of-range values are supplied. When the allowed range is stated explicitly, the documentation is also clearer, so anyone consuming the API knows exactly which inputs are expected. Finally, constraining the range of allowable values improves data integrity and consistency by preventing irrelevant or erroneous values from being stored.
This rule applies at the API Specification level (OAS/Swagger).
Example Attack
Denial of Service (DoS): Attackers can craft requests that exploit the missing or legacy integer limit to consume excessive resources or trigger errors, leading to a denial of service condition. For example, a request carrying a number far larger than the integer the endpoint was designed to handle might cause the system to crash or become unresponsive.
Remediation
Ensure that every endpoint using integer parameters specifies limits for them. Use 'minimum' and 'maximum' in the schema to set the allowed range. Explicitly declaring, in the API spec, that an integer must fall within a given range helps mitigate resource exhaustion attacks (a sub-type of denial of service): APIs may suffer performance and availability issues when faced with an integer format they were not designed to process.
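As an added example (not part of the original finding page), the following Python script shows both sides of this remediation: a small linter that walks an OpenAPI 3.x document and reports integer parameters whose schema lacks 'minimum' and/or 'maximum', and the request-time check that such a schema implies. SAMPLE_SPEC is a constructed document, not a real API; the function names are this example's own.

```python
# Added example: lint an OpenAPI 3.x document for integer parameters without
# range limits, and validate a raw request value against a bounded schema.
SAMPLE_SPEC = {  # constructed sample spec, not a real API
    "openapi": "3.0.3",
    "paths": {
        "/items": {
            "parameters": [  # path-level parameter, inherited by every operation
                {"name": "tenant", "in": "header",
                 "schema": {"type": "integer", "minimum": 1, "maximum": 9999}},
            ],
            "get": {"parameters": [
                {"name": "limit", "in": "query", "schema": {"type": "integer"}},
                {"name": "offset", "in": "query",
                 "schema": {"type": "integer", "minimum": 0}},
            ]},
        },
    },
}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def find_unbounded_integers(spec):
    """Return [(location, missing_keywords)] for every integer parameter whose
    schema does not bound both ends of its range, the condition this finding flags."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # applies to all operations under the path
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            for param in shared + op.get("parameters", []):
                schema = param.get("schema", {})
                if schema.get("type") != "integer":
                    continue
                missing = [k for k in ("minimum", "maximum") if k not in schema]
                if missing:
                    findings.append((f"{method.upper()} {path} {param['in']}:{param['name']}", missing))
    return findings


def check_in_range(schema, raw):
    """Validate one raw request value against an integer schema with limits.
    Returns (True, int) or (False, reason) so the caller can answer 400 before
    the value reaches business logic."""
    try:
        value = int(raw, 10)  # a 500-digit string still parses, so the bounds below matter
    except (TypeError, ValueError):
        return False, "not an integer"
    lo, hi = schema.get("minimum", value), schema.get("maximum", value)
    if value < lo or value > hi:
        return False, f"out of range [{schema.get('minimum')}, {schema.get('maximum')}]"
    return True, value
```

Run the linter in CI against the spec before it is published, and apply the same 'minimum'/'maximum' bounds at the gateway or handler so the documented range is actually enforced.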
Security Frameworks
Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources, such as emails, SMS messages, phone calls, or biometric validation, are made available by service providers via API integrations and are paid for per request. Successful attacks can lead to Denial of Service or an increase in operational costs.
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client or user. Not only can this degrade API server performance, leading to Denial of Service (DoS), but it also leaves the door open to authentication flaws such as brute force.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.