API uses both mTLS and clear communication
Issue ID: global-mtls-over-http
Average severity: Critical
Description
The API definition uses the extension x-42c-mtls to indicate that the API is protected by mutual TLS (mTLS), but it also defines that HTTP communications in the clear are accepted. These two are not compatible.
For more details, see x-42c-mtls and the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition:
{
  "swagger": "2.0",
  "info": {
    "version": "1.0.0",
    "title": "Swagger Petstore"
    //...
  },
  "x-42c-mtls": true,
  //...
  "host": "petstore.swagger.io",
  "basePath": "/api",
  "schemes": [
    "http"
  ]
}
Having both HTTP and HTTPS enabled does not help: you are still accepting unencrypted connections.
{
  "swagger": "2.0",
  "info": {
    "version": "1.0.0",
    "title": "Swagger Petstore"
    //...
  },
  "x-42c-mtls": true,
  //...
  "host": "petstore.swagger.io",
  "basePath": "/api",
  "schemes": [
    "http",
    "https"
  ]
}
Possible exploit scenario
Mutual TLS (mTLS) is based on both communicating parties authenticating and verifying each other's identity and establishing a secure, encrypted HTTPS connection. This conflicts with the API accepting HTTP connections.
If your API allows unencrypted HTTP connections, the client authentication that mTLS provides is simply bypassed on those connections, and unauthenticated API consumers can access your API.
Remediation
Remove http from the schemes list, and only include https:
{
  "swagger": "2.0",
  "info": {
    "version": "1.0.0",
    "title": "Swagger Petstore"
    //...
  },
  "x-42c-mtls": true,
  //...
  "host": "petstore.swagger.io",
  "basePath": "/api",
  "schemes": [
    "https"
  ]
}
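The following is an added example, not part of the 42Crunch documentation: a small Python check that reproduces this rule over a parsed definition, reporting every cleartext transport that is still accepted while x-42c-mtls is set. It goes slightly beyond the Swagger 2.0 examples above by also inspecting OpenAPI 3 "servers" URLs; that the same extension is used in OpenAPI 3 definitions is my assumption, as are the constructed sample definitions.

```python
import json
from urllib.parse import urlsplit

CLEARTEXT = ("http", "ws")  # transports with no TLS, so no client certificate


def cleartext_transports(definition: dict) -> list[str]:
    """List every cleartext transport the definition accepts.
    Swagger 2.0 declares transports in the top-level "schemes" array;
    OpenAPI 3.x gives full URLs under "servers" (assumed to carry the same
    extension). Templated server URLs such as "{scheme}://host" are not
    resolved and only count when their literal scheme is cleartext.
    """
    found = []
    for scheme in definition.get("schemes", []):
        if scheme.lower() in CLEARTEXT:
            found.append(f"schemes: {scheme}")
    for server in definition.get("servers", []):
        url = server.get("url", "")
        if urlsplit(url).scheme.lower() in CLEARTEXT:
            found.append(f"servers: {url}")
    return found


def check_mtls_over_http(definition: dict) -> list[str]:
    """Findings for global-mtls-over-http: x-42c-mtls is true while at
    least one cleartext transport is still accepted; empty means clean."""
    if definition.get("x-42c-mtls") is not True:
        return []
    return cleartext_transports(definition)


# Constructed sample: the "both http and https" case from the page.
MIXED = json.loads("""{
  "swagger": "2.0",
  "info": {"version": "1.0.0", "title": "Swagger Petstore"},
  "x-42c-mtls": true,
  "host": "petstore.swagger.io",
  "basePath": "/api",
  "schemes": ["http", "https"]
}""")

# Constructed sample: the remediated definition, https only.
FIXED = dict(MIXED, schemes=["https"])

if __name__ == "__main__":
    for name, spec in (("mixed", MIXED), ("fixed", FIXED)):
        findings = check_mtls_over_http(spec)
        print(name, "->", findings or "no cleartext transport")
```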