Findings
Insecure host (OAS2)
Updated: June 19, 2025
Description
Ensure APIs use HTTPS
HTTPS is the secure version of HTTP, which stands for "HyperText Transfer Protocol." HTTP is the foundation for any data exchange on the web, and HTTPS adds a layer of security to this exchange. The security in HTTPS is achieved through SSL (Secure Sockets Layer) or its successor TLS (Transport Layer Security). These are cryptographic protocols designed to provide communications security over a computer network. They encrypt the data that is transferred between a device and the server, making it difficult for eavesdroppers to understand the information even if they can intercept it. When connecting to an API endpoint via HTTPS, the connection is encrypted from the client side (like a browser or application) to the server. This ensures that malicious actors can't easily read or tamper with the data being transferred.
This rule applies at the API Specification level (OAS/Swagger).
Example Attack
Man-in-the-Middle (MitM) Attacks: In this kind of attack, attackers intercept communication between the client and the server. Hosting an API on an insecure host can allow an attacker to eavesdrop or impersonate one of the parties. This can result in the attacker gaining access to sensitive data, manipulating requests or responses, and potentially stealing credentials or other confidential information.
Remediation
All server interactions should use the HTTPS protocol, meaning server URLs should begin with `https://`. Endpoints with weak security mechanisms are at risk of being breached.
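The following is an added example, not part of this finding's documentation or of any scanner's own code. In Swagger 2.0 (OAS2) the transport is declared by the root-level `schemes` array, which an operation may override with its own `schemes`; when the array is absent, the scheme used to fetch the definition itself applies, so HTTPS is not actually enforced. The check below reports any of these three situations and produces a remediated copy in which every scheme is `https` (or `wss`). The spec document, host name and paths are constructed for the example.

```python
"""Flag OAS2 (Swagger 2.0) definitions that allow plain-HTTP access (added example)."""
import json

# Constructed sample: http is listed next to https at the root, and one
# operation overrides the root list with http only. Names are made up.
INSECURE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "Example API", "version": "1.0"},
  "host": "api.example.test",
  "schemes": ["http", "https"],
  "paths": {
    "/login": {
      "post": {"schemes": ["http"], "responses": {"200": {"description": "ok"}}}
    },
    "/items": {
      "get": {"responses": {"200": {"description": "ok"}}}
    }
  }
}
""")

SECURE_SCHEMES = {"https", "wss"}
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}
UPGRADE = {"http": "https", "ws": "wss"}  # insecure scheme -> its TLS counterpart


def _insecure(schemes):
    """Return the sorted list of schemes that are not TLS-protected."""
    return sorted(set(schemes) - SECURE_SCHEMES)


def check_schemes(spec):
    """Return (location, message) findings for insecure transport schemes.

    The root-level `schemes` applies to every operation unless the operation
    declares its own `schemes`, which replaces the root list for that
    operation. A missing root `schemes` means HTTPS is not enforced at all.
    """
    findings = []
    root = spec.get("schemes")
    if root is None:
        findings.append(("schemes", "no schemes declared; HTTPS is not enforced"))
    elif _insecure(root):
        findings.append(("schemes", "insecure scheme(s) allowed: " + ", ".join(_insecure(root))))

    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue
            op_schemes = op.get("schemes")
            if op_schemes is None:
                continue  # inherits the root list, which was checked above
            if _insecure(op_schemes):
                findings.append((f"paths.{path}.{method}.schemes",
                                 "insecure scheme(s) allowed: " + ", ".join(_insecure(op_schemes))))
    return findings


def _secure_list(schemes):
    """Map each scheme to its TLS counterpart, keeping order and dropping duplicates."""
    out = []
    for scheme in schemes:
        upgraded = UPGRADE.get(scheme, scheme)
        if upgraded not in out:
            out.append(upgraded)
    return out


def remediate(spec):
    """Return a deep copy of the spec in which every schemes list is TLS-only."""
    fixed = json.loads(json.dumps(spec))
    fixed["schemes"] = _secure_list(fixed.get("schemes") or ["https"])
    for item in fixed.get("paths", {}).values():
        for method, op in item.items():
            if method in HTTP_METHODS and isinstance(op, dict) and "schemes" in op:
                op["schemes"] = _secure_list(op["schemes"])
    return fixed


if __name__ == "__main__":
    for location, message in check_schemes(INSECURE_SPEC):
        print(f"{location}: {message}")
    print("after remediation:", check_schemes(remediate(INSECURE_SPEC)))
```

Run against the sample it reports the root-level `http` and the `/login` override; the remediated copy yields no findings. An operation-level override is reported separately because it silently replaces the root list, so a root `["https"]` alone does not prove every operation is protected.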
Security Frameworks
Security misconfiguration is commonly a result of unsecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin resource sharing (CORS), and verbose error messages containing sensitive information.
CIS-ASG-2.1.6: CIS 2.1.6: Implement Cryptographic Techniques to Secure User Credentials and Authentication Tokens
Specify protocols to secure user data transmission and storage with cryptographic protocols.
Rationale
Implementing cryptographic techniques to secure user credentials and authentication tokens helps mitigate risks and prevent unauthorized access. Encrypting passwords and tokens helps keep sensitive data secure and complies with regulations such as GDPR. This renders data unreadable to unauthorized parties, protecting user credentials and authentication tokens from potential breaches and ensuring compliance with data protection laws and industry standards.
Remediation
- Select password hashing methods.
- Choose encrypted token storage and a secure method of generation.
- Use TLS/SSL.
- Enhance key management practices and policies.
- Apply monitoring practices.
- Document all changes made.
Audit
- Review existing relevant policies.
- Assess if existing procedures are compliant with regulations.
- Assess password hashing methods.
- Assess token storage and method of generation.
- Assess TLS/SSL versions.
- Assess key management practices and policies.
- Assess monitoring practices.
CIS-ASG-2.2.2: CIS 2.2.2: Enforce TLS/SSL protocols
Enforce TLS and SSL protocols.
Rationale
Enforcing TLS/SSL protocols ensures data transfer encryption, safeguarding against interception and eavesdropping by malicious actors. By preventing Man-in-the-Middle (MITM) attacks, TLS/SSL maintains data confidentiality and integrity during transmission. It also protects the authentication procedure from unauthorized access, meeting compliance requirements and ensuring secure communication channels between clients and servers.
Remediation
- Update the configuration settings.
- Renew all certificates.
- Implement HTTPS redirection from port 80 (HTTP) to port 443 (HTTPS) and implement HSTS to enforce HTTPS.
- Address any vulnerabilities introduced by old and current HTTPS versions.
- Enforce monitoring and alerting.
- Update the documentation.
Audit
- Review the current configuration settings.
- Review certificates to ensure they are current, properly configured, and secure, preventing potential vulnerabilities.
- Review HTTPS implementation and versions.
- Review any non-compliant connections.
- Review policies and compliance requirements.
CIS-ASG-3.1.3: CIS 3.1.3: Ensure the use of SSL/TLS
Verify the use of SSL/TLS for all API endpoints and versions.
Rationale
Ensuring the use of SSL/TLS is important because it keeps data transfer and communication encrypted, protecting sensitive information from being intercepted. It also mitigates Man-in-the-Middle (MiTM) vulnerabilities, enhancing security. Additionally, using SSL/TLS helps comply with regulations that mandate secure data transmission.
Remediation
- Enforce SSL/TLS encryption for all API communications.
- Regularly review configurations and certificates for expiration dates and assess if they are compromised.
- Update versions when necessary.
- Monitor configurations.
Audit
- Review SSL/TLS enforcement for all endpoints.
- Evaluate SSL/TLS versions.
- Review certificate expiration dates and assess whether they are compromised.