Array header has no maximum number of items defined
Issue ID: response-header-array-maxitems
Average severity: High
Description
An array header does not specify the maximum number of items it can contain.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition:
{
"name": "someArray",
"in": "header",
"type": "array",
"items": {
"type": "string",
"pattern": "^((4\\d{3})|(5[1-5]\\d{2})|(6011))-?\\d{4}-?\\d{4}-?\\d{4}|3[4,7]\\d{13}$"
}
}
Possible exploit scenario
APIs are typically designed to return a limited amount of data. For example, you may have an API that returns a particular user profile information, a specific record, or a page of items to display in a web or mobile application.
Attackers may try to exploit your backend implementation to instead force it to return a larger set of data, like records of all users.
If you have not enforced limits on the amount of data your API can return, this exploit can succeed and lead to a massive data breach.
Remediation
Set the maxItems
property for returned arrays as a safety check against data breaches:
{
"name": "someArray",
"in": "header",
"type": "array",
"maxItems": 3,
"items": {
"type": "string",
"pattern": "^((4\\d{3})|(5[1-5]\\d{2})|(6011))-?\\d{4}-?\\d{4}-?\\d{4}|3[4,7]\\d{13}$"
}
}