Findings

Unrestricted string

Updated: June 19, 2025

Description

Severity: Low

Ensure that every string an API accepts or returns has a `format`, a RegEx `pattern`, an `enum`, or a `const` defined in its schema.

In an OpenAPI schema, `type: string` on its own accepts any sequence of characters; the four keywords below restrict which strings are acceptable. `format` names a well-known structure such as `uuid`, `date-time` or `email`. `pattern` is a regular expression (ECMA-262 dialect) that the value must match. `enum` lists the fixed set of named values a field may take. `const` pins a field to a single fixed value (available in OpenAPI 3.1, which uses JSON Schema 2020-12; OpenAPI 3.0 has no `const`, so a single-value `enum` is used instead).

This rule applies at the API Specification level (OAS/Swagger).

Example Attack

Injection attacks: an unrestricted string is passed through to whatever consumes it, so an attacker who controls the value can attempt SQL injection, NoSQL injection, command injection or a similar attack, depending on the sink. By embedding query fragments, operators or shell metacharacters in the string, the attacker can alter the behavior of the system and potentially gain unauthorized access, extract sensitive data, or run commands on the underlying host. A tight schema constraint removes most of the characters such payloads need, but it is a defense-in-depth measure: the code that consumes the string must still use parameterized queries and safe APIs.

Remediation

Determine the set of values, or the structure, the parameter can legitimately take and encode it in the schema: a `format` for well-known shapes (`uuid`, `date-time`, `email`), an anchored RegEx `pattern` (`^...$`) for everything else, an `enum` when the value set is finite, or a `const` when only one value is acceptable. Apply this to both request and response strings: expecting a specific structure for incoming or outgoing data is a form of input and output validation, and the more stringent the constraint, the less room an attacker has to inject unintended values or to leak data through a response field. Three points the specification alone does not guarantee: a `pattern` is not implicitly anchored, so `pattern: "[a-z]+"` also accepts `abc' OR 1=1`; some validators treat `format` as an annotation rather than an assertion, so pair it with a `pattern` when the format must be enforced; and constraints only protect the service if a gateway, framework middleware or contract test actually validates traffic against the schema.
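As an added example (not the finding page's own code, nor the scanner's), the following standard-library Python does the two things the description and remediation above call for: it audits a schema object for `type: string` members that carry none of `format`, `pattern`, `enum` or `const`, and it applies those four constraints to a value the way a JSON Schema validator would. The two schemas, the field names and the injection-style payload are constructed for the example and are not taken from any real API.

```python
import re
import uuid
from datetime import datetime

# Keywords that satisfy the rule: a string schema must carry at least one of them.
RESTRICTING_KEYWORDS = ("format", "pattern", "enum", "const")


def find_unrestricted_strings(schema, path="$"):
    """Walk an OpenAPI 3.1 / JSON Schema object and return the JSON paths of every
    `type: string` that has none of format, pattern, enum or const.
    Recurses through properties, array items and allOf/anyOf/oneOf."""
    hits = []
    if not isinstance(schema, dict):
        return hits
    if schema.get("type") == "string" and not any(k in schema for k in RESTRICTING_KEYWORDS):
        hits.append(path)
    for name, sub in schema.get("properties", {}).items():
        hits += find_unrestricted_strings(sub, f"{path}.{name}")
    if "items" in schema:
        hits += find_unrestricted_strings(schema["items"], f"{path}[*]")
    for comb in ("allOf", "anyOf", "oneOf"):
        for i, sub in enumerate(schema.get(comb, [])):
            hits += find_unrestricted_strings(sub, f"{path}.{comb}[{i}]")
    return hits


def _format_ok(value, fmt):
    """Assert the two formats this example knows. Unknown formats return True,
    because JSON Schema treats `format` as an annotation unless the validator
    opts in to assertion; never assume an exotic format is being enforced."""
    if fmt == "uuid":
        try:
            uuid.UUID(value)
            return True
        except ValueError:
            return False
    if fmt == "date-time":
        try:
            datetime.fromisoformat(value.replace("Z", "+00:00"))
            return True
        except ValueError:
            return False
    return True


def validate_string(value, schema):
    """Return None when `value` satisfies the string constraints in `schema`,
    otherwise a short reason. `pattern` is checked with re.search on purpose:
    JSON Schema patterns are NOT implicitly anchored, so a pattern without ^...$
    only has to match somewhere inside the value. (Python's `$` also accepts a
    trailing newline, which an ECMA-262 engine's does not.)"""
    if not isinstance(value, str):
        return "not a string"
    if "const" in schema and value != schema["const"]:
        return "const mismatch"
    if "enum" in schema and value not in schema["enum"]:
        return "not in enum"
    if "pattern" in schema and re.search(schema["pattern"], value) is None:
        return "pattern mismatch"
    if "format" in schema and not _format_ok(value, schema["format"]):
        return f"bad {schema['format']}"
    return None


# Constructed request schema for a hypothetical user-search endpoint, as the
# scanner would see it: two unrestricted strings and one that looks restricted.
LOOSE_SCHEMA = {
    "type": "object",
    "properties": {
        "id": {"type": "string"},                               # the finding
        "sort": {"type": "string", "pattern": "asc|desc"},      # unanchored pattern
        "tags": {"type": "array", "items": {"type": "string"}},  # also unrestricted
    },
}

# The same schema after remediation: format, anchored pattern, enum and const.
STRICT_SCHEMA = {
    "type": "object",
    "properties": {
        "id": {"type": "string", "format": "uuid"},
        "sort": {"type": "string", "enum": ["asc", "desc"]},
        "tags": {"type": "array", "items": {"type": "string", "pattern": "^[a-z0-9-]{1,32}$"}},
        "api": {"type": "string", "const": "v1"},
    },
}

INJECTION = "asc' OR '1'='1"  # constructed injection-style payload

if __name__ == "__main__":
    print("unrestricted strings, loose schema:", find_unrestricted_strings(LOOSE_SCHEMA))
    print("unrestricted strings, strict schema:", find_unrestricted_strings(STRICT_SCHEMA))
    for label, schema in (("loose", LOOSE_SCHEMA), ("strict", STRICT_SCHEMA)):
        verdict = validate_string(INJECTION, schema["properties"]["sort"])
        print(f"{label} sort accepts {INJECTION!r}: {verdict is None}")
```

Running the audit over `LOOSE_SCHEMA` reports `$.id` and `$.tags[*]`; `sort` is not reported because it has a `pattern`, yet the unanchored `asc|desc` still lets the injection payload through, which is why the remediation asks for anchored patterns or an `enum`.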

Security Frameworks

OWASP API Security Top 10 2023, API4 (Unrestricted Resource Consumption): Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs.

OWASP API Security Top 10 2023, API7 (Server Side Request Forgery): Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN.

OWASP API Security Top 10 2019, API4 (Lack of Resources & Rate Limiting): Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.

CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
