Numeric parameter has no maximum defined

Issue ID: parameter-numerical-max

Average severity: Medium

Description

Some numeric parameters in your API do not have the maximum value specified.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The parameter type is set to integer but the maximum value is not specified:

{
    "parameters": {
        "type": "integer",
        "name": "total",
        "in": "query",
        "format": "int32",
        "minimum": 0,
        "description": "Number of the objects in the array."
    }
}

Possible exploit scenario

If you do not limit the range of accepted values for numeric parameters, attackers can try to send unexpected input to your backend server. This may cause the backend server to fail in an unexpected way and open the door to further attacks.

For example, the backend server could throw an exception and return a stack trace on the error. The trace could contain information on the exact software stack used in the implementation. This enables the attacker to launch an attack on specific vulnerabilities known in that stack.

Remediation

Set both the minimum and maximum values for numeric parameters to limit the accepted values to the range that works for your application:

{
    "parameters": {
        "type": "integer",
        "name": "total",
        "in": "query",
        "format": "int32",
        "minimum": 0,
        "maximum": 100,
        "description": "Number of the objects in the array."
    }
}