Findings
Undefined string limit
Updated: June 19, 2025
Description
An endpoint is missing limit information for a string parameter.
A string limit is the maximum allowed length of a string that can be sent as a parameter or received as a response when making API requests. The string limit is set by the API provider to ensure that data exchanged through the API does not exceed a certain size. Very long strings can increase the time it takes to process requests or responses and cause performance issues. Limiting string length can also help prevent certain types of attacks that can occur if an API does not properly handle large input data.
This rule applies at the API Specification level (OAS/Swagger).
Example Attack
Buffer Overflow: If the API does not enforce a limit on the length of strings accepted as input, it may be susceptible to buffer overflow attacks. Attackers can provide excessively long strings, causing the API to write data beyond the bounds of allocated buffers, potentially leading to memory corruption or arbitrary code execution.
Remediation
Determine the possible range of lengths for the parameter and declare the appropriate limit in the specification. Bounding string size mitigates resource exhaustion attacks; in OAS this is done with `maxLength`, `enum`, or `const`.
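As an added example (not part of this finding page or any scanner's own code), a small Python check that walks an OpenAPI document and reports every `type: string` schema that carries none of `maxLength`, `enum` or `const`. The spec embedded in it is constructed for illustration: one query parameter is left unbounded, and one property of a referenced component schema is unbounded while its siblings show the two remediation forms.

```python
"""Report string schemas in an OpenAPI document that have no length bound.

A string schema counts as bounded when it carries maxLength, enum or const,
the three keywords the remediation recommends. Everything else is reported
with a JSON-pointer style location so the spec author can fix it in place.
"""

BOUNDING_KEYWORDS = ("maxLength", "enum", "const")


def _pointer(path, key):
    # JSON Pointer escaping: "~" becomes "~0" and "/" becomes "~1",
    # so a path key such as "/users" stays unambiguous in the location.
    return f"{path}/{str(key).replace('~', '~0').replace('/', '~1')}"


def find_unbounded_strings(node, path="#"):
    """Return the locations of every string schema lacking a bound."""
    findings = []
    if isinstance(node, dict):
        declared = node.get("type")
        # OAS 3.1 allows a type list such as ["string", "null"]; normalise it.
        types = [declared] if isinstance(declared, str) else (
            declared if isinstance(declared, list) else [])
        if "string" in types and not any(k in node for k in BOUNDING_KEYWORDS):
            findings.append(path)
        for key, child in node.items():
            findings.extend(find_unbounded_strings(child, _pointer(path, key)))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            findings.extend(find_unbounded_strings(child, _pointer(path, index)))
    return findings


# Constructed sample spec (not a real API): "q" and "bio" are unbounded,
# "name" is fixed with maxLength and "role" with enum.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "paths": {"/users": {
        "get": {"parameters": [
            {"name": "q", "in": "query", "schema": {"type": "string"}}]},
        "post": {"requestBody": {"content": {"application/json": {
            "schema": {"$ref": "#/components/schemas/NewUser"}}}}}}},
    "components": {"schemas": {"NewUser": {"type": "object", "properties": {
        "name": {"type": "string", "maxLength": 64},
        "role": {"type": "string", "enum": ["user", "admin"]},
        "bio": {"type": "string"}}}}},
}

if __name__ == "__main__":
    for location in find_unbounded_strings(SAMPLE_SPEC):
        print("undefined string limit at", location)
```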
Security Frameworks
Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs.
Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN.
Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.