Findings

Missing additional properties

Updated: June 19, 2025

Description

Severity: Low

An endpoint is missing the setting for additional properties.

The additionalProperties keyword controls how an object schema treats properties that are not listed in its properties map. It is most often relevant on request and response body schemas. JSON Schema, and therefore OpenAPI, allows additional properties by default, so omitting the keyword behaves the same as additionalProperties: true: any property not declared in the schema is accepted and is not validated at all. Setting additionalProperties to false rejects any property that is not explicitly declared, and a payload carrying one fails validation. The keyword can also be set to a sub-schema, in which case every undeclared property must satisfy that sub-schema. Note that the setting applies only to the object it is placed on; nested object schemas need their own additionalProperties setting.

This rule applies at the API Specification level (OAS/Swagger).

Example Attack

Privilege Escalation: If the API binds the request body straight onto its data model and relies on the schema to keep undeclared fields out, an attacker can add properties the endpoint never intended clients to set, such as a role or ownership field, alongside an otherwise legitimate update. Because additional properties are neither rejected nor validated, the extra field reaches the model and the attacker can escalate privileges or gain access to restricted resources or actions.

Remediation

Ensure request bodies sent to endpoints do not allow objects containing unexpected additional properties. This keeps non-privileged users from altering read-only or server-managed object properties. Set additionalProperties to false on the request body object schemas in the OpenAPI spec, including nested object schemas, and make sure the server or gateway actually validates incoming requests against the spec; an unenforced spec does not block anything. Combined with allowlist-based binding in the application code, this helps prevent Broken Object Property Level Authorization (mass assignment) exploits. Endpoints whose schemas leave additionalProperties unset or set to true can receive unexpected parameters, which can lead to unintended application behavior or privilege escalation.
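The following added example (not code from this page or from any scanner) shows the three states of additionalProperties described above and the allowlist binding recommended in the remediation. It uses a small hand-rolled validator that understands only type, properties, required and additionalProperties, so it runs without the jsonschema package; the user schema, the hypothetical PUT /users/{id} endpoint and the attack payload are all constructed for the example.

```python
"""Check a JSON request body against an OpenAPI/JSON Schema object schema and
show how additionalProperties decides whether a mass-assignment payload gets
through. Hand-rolled validator (type, properties, required and
additionalProperties only); schemas and payloads are constructed examples."""

# Constructed request-body schema for a hypothetical PUT /users/{id}, written
# without additionalProperties. JSON Schema then defaults it to true.
USER_SCHEMA_OPEN = {
    "type": "object",
    "required": ["username", "email"],
    "properties": {
        "username": {"type": "string"},
        "email": {"type": "string"},
        "profile": {"type": "object",
                    "properties": {"display_name": {"type": "string"}}},
    },
}

# Same schema hardened. The keyword does not inherit downward, so the nested
# profile object gets its own additionalProperties: false.
USER_SCHEMA_STRICT = {
    "type": "object",
    "required": ["username", "email"],
    "additionalProperties": False,
    "properties": {
        "username": {"type": "string"},
        "email": {"type": "string"},
        "profile": {"type": "object", "additionalProperties": False,
                    "properties": {"display_name": {"type": "string"}}},
    },
}

JSON_TYPES = {"string": str, "integer": int, "number": (int, float),
              "boolean": bool, "object": dict, "array": list}


def validate(instance, schema, path="$"):
    """Return a list of violations; an empty list means the instance is valid."""
    errors = []
    expected = schema.get("type")
    if expected == "object":
        if not isinstance(instance, dict):
            return [f"{path}: expected object, got {type(instance).__name__}"]
        declared = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in instance:
                errors.append(f"{path}.{name}: required property missing")
        # Absent (defaults to true), true, false, or a sub-schema that every
        # undeclared property must satisfy.
        extra = schema.get("additionalProperties", True)
        for name, value in instance.items():
            child = f"{path}.{name}"
            if name in declared:
                errors.extend(validate(value, declared[name], child))
            elif extra is False:
                errors.append(f"{child}: additional property not allowed")
            elif isinstance(extra, dict):
                errors.extend(validate(value, extra, child))
            # extra is True: accepted as-is and never validated
    elif expected in JSON_TYPES:
        ok = isinstance(instance, JSON_TYPES[expected])
        if expected in ("integer", "number") and isinstance(instance, bool):
            ok = False  # bool is a subclass of int in Python; JSON keeps them apart
        if not ok:
            errors.append(f"{path}: expected {expected}, got {type(instance).__name__}")
    return errors


def bind_declared_only(payload, schema):
    """Allowlist binding: copy only the properties the schema declares,
    recursing into nested object schemas. Undeclared keys such as 'role' are
    dropped before the data reaches the model, whatever the schema allows."""
    declared = schema.get("properties", {})
    bound = {}
    for name, value in payload.items():
        if name in declared:
            sub = declared[name]
            if sub.get("type") == "object" and isinstance(value, dict):
                bound[name] = bind_declared_only(value, sub)
            else:
                bound[name] = value
    return bound


# Constructed mass-assignment payload: a normal profile update with two
# undeclared properties smuggled in, one top-level and one nested.
ATTACK_PAYLOAD = {
    "username": "mallory",
    "email": "mallory@example.com",
    "role": "admin",
    "profile": {"display_name": "Mallory", "is_verified": True},
}

if __name__ == "__main__":
    print("open schema   :", validate(ATTACK_PAYLOAD, USER_SCHEMA_OPEN) or "accepted")
    print("strict schema :", validate(ATTACK_PAYLOAD, USER_SCHEMA_STRICT))
    print("allowlist bind:", bind_declared_only(ATTACK_PAYLOAD, USER_SCHEMA_OPEN))
```

Against USER_SCHEMA_OPEN the payload passes with role and profile.is_verified untouched, which is exactly the situation this finding flags; against USER_SCHEMA_STRICT both undeclared properties produce a validation error. bind_declared_only is the code-side counterpart: even when a schema is lax, binding through an allowlist keeps the smuggled fields off the model, which is why the two controls are best used together.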

Security Frameworks

API3:2023 Broken Object Property Level Authorization combines API3:2019 Excessive Data Exposure and API6:2019 Mass Assignment, focusing on the root cause: the lack of, or improper, authorization validation at the object property level. This leads to information exposure or manipulation by unauthorized parties.

APIs vulnerable to this risk expose a business flow - such as buying a ticket, or posting a comment - without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn't necessarily come from implementation bugs.

Binding client-provided data (e.g., JSON) to data models without proper property filtering based on an allowlist usually leads to Mass Assignment. Guessing object properties, exploring other API endpoints, reading the documentation, or simply providing additional object properties in request payloads allows attackers to modify object properties they are not supposed to.

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
