'Security' field contains an empty security requirement

Issue ID: v3-global-securityrequirement-emptyscheme

Average severity: High

Description

One or more of the objects defined in the global security field contain an empty security requirement. The security field specifies what kind of authentication your API requires. An empty requirement in the security field disables the authentication completely.

For more details, see the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition. The security field contains an empty object:

{
    "security": [
        {}
    ],
    // ...
    "servers": [
        {
            "url": "http://my.api.server.com/",
            "description": "API server"
        }
    ],
    // ...  
    "components": {
        "securitySchemes": {
            "regularSecurity": {
                "type": "http",
                "scheme": "basic"
            }
        }
    }
}

Possible exploit scenario

An empty requirement in the security field disables the authentication completely. Attackers could call any API operation without authenticating or identifying themselves, retrieve data they should not see, or push malformed input, for example SQL injection or JSON hijacking attempts. Without this first level of access control, you also have no way to revoke their access if you spot suspicious behavior.

Remediation

Make sure the security field specifies at least one security requirement that references a declared security scheme, so that authentication applies to your API operations. In the example below, the requirement references the regularSecurity scheme declared in securitySchemes:

{
    "security": [
        {
            "regularSecurity": []
        }
    ],
    // ...
    "servers": [
        {
            "url": "http://my.api.server.com/",
            "description": "API server"
        }
    ],
    // ...  
    "components": {
        "securitySchemes": {
            "regularSecurity": {
                "type": "http",
                "scheme": "basic"
            }
        }
    }
}
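The following added example is not 42Crunch's own checker; it is a small linter that shows how the vulnerable definition from the Example section and the corrected one from the Remediation section differ when an OpenAPI 3 document is inspected programmatically. It goes slightly beyond the page by also checking operation-level security overrides (where a single {} alternative grants anonymous access even if other alternatives are listed) and by reporting requirement names that do not match any declared security scheme. The two specs embedded below are constructed from the page's examples; the /items and /admin paths are assumptions added for illustration.

```python
"""Lint an OpenAPI 3 document for empty security requirement objects.

Added example, not 42Crunch's own tooling. In OpenAPI 3 the 'security'
array is a list of alternatives: a request is authorized if it satisfies
ANY element, so one '{}' element means no credentials are needed at all.
"""
import json

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def check_requirements(requirements, location, schemes):
    """Return (location, message) findings for one security requirement array."""
    if not isinstance(requirements, list):
        return [(location, "security must be an array of requirement objects")]
    findings = []
    for index, requirement in enumerate(requirements):
        where = "%s[%d]" % (location, index)
        if requirement == {}:
            # An empty requirement object is the finding this page describes.
            findings.append((where, "empty security requirement: anonymous access is allowed"))
            continue
        for name in requirement:
            # Requirement names must match a key under components.securitySchemes.
            if name not in schemes:
                findings.append((where, "unknown security scheme '%s'" % name))
    return findings


def lint_security(spec):
    """Check the global security field and every operation-level override."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings = []
    if "security" in spec:
        findings.extend(check_requirements(spec["security"], "security", schemes))
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method, operation in item.items():
            if method in HTTP_METHODS and isinstance(operation, dict) and "security" in operation:
                location = "paths.%s.%s.security" % (path, method)
                findings.extend(check_requirements(operation["security"], location, schemes))
    return findings


# Constructed sample: the page's vulnerable definition, plus an assumed /admin
# operation whose override lists a valid requirement AND an empty one.
VULNERABLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "security": [ {} ],
  "servers": [ { "url": "http://my.api.server.com/", "description": "API server" } ],
  "paths": {
    "/items": { "get": { "responses": { "200": { "description": "ok" } } } },
    "/admin": { "get": { "security": [ { "regularSecurity": [] }, {} ],
                         "responses": { "200": { "description": "ok" } } } }
  },
  "components": { "securitySchemes": {
    "regularSecurity": { "type": "http", "scheme": "basic" } } }
}
""")

# Constructed sample: the page's remediated definition.
REMEDIATED_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "security": [ { "regularSecurity": [] } ],
  "servers": [ { "url": "http://my.api.server.com/", "description": "API server" } ],
  "paths": {
    "/items": { "get": { "responses": { "200": { "description": "ok" } } } }
  },
  "components": { "securitySchemes": {
    "regularSecurity": { "type": "http", "scheme": "basic" } } }
}
""")


if __name__ == "__main__":
    for label, spec in (("vulnerable", VULNERABLE_SPEC), ("remediated", REMEDIATED_SPEC)):
        print(label + ":")
        for location, message in lint_security(spec) or [("-", "no findings")]:
            print("  %s: %s" % (location, message))
```

Running the script reports security[0] and paths./admin.get.security[1] for the vulnerable document and nothing for the remediated one. The checker works on the parsed JSON, so a YAML definition can be fed through any YAML loader first.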