Operation uses both mTLS and clear communication

Issue ID: operation-mtls-over-http

Average severity: Critical

Description

The API definition uses the extension x-42c-mtls to indicate that the API operation is protected by mutual TLS (mTLS), but it also defines that HTTP communications in the clear are accepted. These two are not compatible.

For more details, see x-42c-mtls and the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "schemes": [
        "http"
    ],
    //...
    "paths": {
        "/pets": {
            "post": {
                "description": "Creates a new pet in the store",
                "operationId": "addPet",
                "x-42c-mtls": true
                //...
            }
        }
    }
}

Having both HTTP and HTTPS enabled does not help either, because the API still accepts unencrypted connections:

{
    "schemes": [
        "http",
        "https"
    ],
    //...
    "paths": {
        "/pets": {
            "post": {
                "description": "Creates a new pet in the store",
                "operationId": "addPet",
                "x-42c-mtls": true
                //...
            }
        }
    }
}

Possible exploit scenario

Mutual TLS (mTLS) is based on both communicating parties authenticating and verifying each other's identity and establishing a secure, encrypted HTTPS connection. This conflicts with the API accepting HTTP connections.

If your API accepts unencrypted HTTP connections, the client authentication that mTLS provides is bypassed on those connections, and unauthenticated API consumers can access your API.

Remediation

Remove http from the schemes list, and only include https:

{
    "schemes": [
        "https"
    ],
    //...
    "paths": {
        "/pets": {
            "post": {
                "description": "Creates a new pet in the store",
                "operationId": "addPet",
                "x-42c-mtls": true
                //...
            }
        }
    }
}
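As an added example (not part of the 42Crunch documentation or its audit engine), the following Python script detects this issue in a Swagger 2.0 style definition and applies the remediation above. It assumes the OpenAPI 2.0 rule that an operation-level "schemes" list overrides the global one, and it treats an emptied list as https-only.

```python
import copy
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch"}


def _operations(spec):
    """Yield (path, method, operation) for every operation in a Swagger 2.0 'paths' map."""
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS and isinstance(op, dict):
                yield path, method.lower(), op


def find_mtls_over_http(spec):
    """Return [(path, method, schemes)] for operations that set x-42c-mtls: true
    while their effective 'schemes' (operation-level overrides global) include http."""
    global_schemes = spec.get("schemes", [])
    findings = []
    for path, method, op in _operations(spec):
        if op.get("x-42c-mtls") is not True:
            continue
        effective = [s.lower() for s in op.get("schemes", global_schemes)]
        if "http" in effective:
            findings.append((path, method, effective))
    return findings


def remediate(spec):
    """Return a copy of the spec with http dropped from every schemes list,
    leaving only https, which is the fix described above. The input is not modified."""
    fixed = copy.deepcopy(spec)

    def https_only(schemes):
        kept = [s for s in schemes if s.lower() != "http"]
        return kept or ["https"]  # assumption: an emptied list becomes https-only

    if "schemes" in fixed:
        fixed["schemes"] = https_only(fixed["schemes"])
    for _, _, op in _operations(fixed):
        if "schemes" in op:
            op["schemes"] = https_only(op["schemes"])
    return fixed


# Constructed sample mirroring the page's second example (http and https both enabled).
SAMPLE_SPEC = json.loads("""{
  "swagger": "2.0",
  "schemes": ["http", "https"],
  "paths": {"/pets": {"post": {"operationId": "addPet", "x-42c-mtls": true}}}
}""")

if __name__ == "__main__":
    print(find_mtls_over_http(SAMPLE_SPEC))  # [('/pets', 'post', ['http', 'https'])]
    print(find_mtls_over_http(remediate(SAMPLE_SPEC)))  # []
```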