Token URL of the OAuth2 security scheme is not a proper URL

Issue ID: global-securityscheme-oauth2-tokenurl

Average severity: Medium

Description

The URL you have entered in the tokenUrl field of the OAuth2 security scheme is not a proper URL. The OpenAPI Specification (OAS) requires that all URLs in the API contract must be proper URLs in a valid format.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "securityDefinitions": {
        "OAuth2": {
            // ...
            "tokenUrl": "http://bad_example.com#@evil.com/oauth/token"
            // ...
        }
    }
}

Possible exploit scenario

Depending on the URL-parsing library it uses, an API consumer that parses a non-standard URL might be redirected to a malicious site.

In addition, TLS certificate validation uses the URL's host name to check that the presented certificate matches the host that was contacted. An invalid host name could undermine this validation, and a badly encoded URL could be used as an attack vector when the resource path is decoded.

Remediation

Make sure that all URLs in your API are proper URLs and have a valid format.

{
    "securityDefinitions": {
        "OAuth2": {
            // ...
            "tokenUrl": "https://example.com/oauth/token"
            // ...
        }
    }
}
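As an added example (not from this page or from any audit tool), the Python below applies the rules behind this finding to every OAuth2 tokenUrl in a Swagger 2.0 securityDefinitions block: absolute http(s) URL, DNS-valid host labels, and no '#' fragment or '@' userinfo of the kind that lets two URL parsers disagree about which host is contacted. The function names, the sample spec and the extra https-only rule are my assumptions.

```python
import re
from urllib.parse import urlsplit

# RFC 1123 host label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen, no '_'.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def token_url_problems(url: str) -> list[str]:
    """Return why a tokenUrl is not a proper URL (empty list = passed). Requiring
    https is stricter than the finding itself (my assumption)."""
    problems = []
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return [f"URL does not parse: {exc}"]
    if parts.scheme not in ("http", "https"):
        problems.append(f"scheme must be http or https, not {parts.scheme!r}")
    elif parts.scheme == "http":
        problems.append("scheme is http; the token endpoint should use https")
    if parts.username is not None:
        problems.append("userinfo ('user@') is not allowed in a token endpoint URL")
    if parts.fragment:
        problems.append("fragment ('#...') is not allowed in a token endpoint URL")
    host = parts.hostname
    if not host:
        problems.append("URL has no host")
    else:
        # Check each DNS label; IP-literal hosts are not handled by this check.
        for label in host.split("."):
            if not _LABEL.match(label):
                problems.append(f"host label {label!r} is not a valid DNS label")
    return problems

def audit_security_definitions(spec: dict) -> dict[str, list[str]]:
    """Map each OAuth2 entry of a Swagger 2.0 securityDefinitions block to its tokenUrl problems."""
    findings = {}
    for name, scheme in spec.get("securityDefinitions", {}).items():
        if scheme.get("type") == "oauth2" and "tokenUrl" in scheme:
            problems = token_url_problems(scheme["tokenUrl"])
            if problems:
                findings[name] = problems
    return findings

# Constructed sample spec: the page's bad tokenUrl next to its remediated form.
SAMPLE_SPEC = {
    "securityDefinitions": {
        "OAuth2": {"type": "oauth2", "tokenUrl": "http://bad_example.com#@evil.com/oauth/token"},
        "OAuth2Fixed": {"type": "oauth2", "tokenUrl": "https://example.com/oauth/token"},
    },
}
```

Running audit_security_definitions(SAMPLE_SPEC) reports only the "OAuth2" entry, with the underscore in the host, the '#' fragment and the plain-http scheme each listed as a separate reason.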