'Security' field of the operation contains an empty security requirement
Issue ID: v3-operation-securityrequirement-emptyscheme
Average severity: High
Description
One or more of the objects defined in the security field of the operation contain an empty security requirement. The security field specifies what kind of authentication your API operation requires. An empty security requirement ({}) in the security field disables authentication for that operation completely.
For more details, see the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition. The security field of the operation contains an empty object:
{
  "components": {
    "securitySchemes": {
      "OAuth2": {
        "type": "oauth2",
        "flows": {
          "authorizationCode": {
            "scopes": {
              "write": "modify objects in your account",
              "read": "read objects in your account"
            },
            "authorizationUrl": "https://example.com/oauth/authorize",
            "tokenUrl": "https://example.com/oauth/token"
          }
        }
      }
    }
  },
  // ...
  "paths": {
    "/pets": {
      "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "security": [
          {
          }
        ]
        // ...
      }
    }
  }
}
Possible exploit scenario
An empty requirement in the security field disables authentication completely. Attackers could call the API operation without authenticating or identifying themselves, and attempt to retrieve data or push malformed data, for example through SQL injection or JSON hijacking. Without this first level of access control, you have no way to revoke their access if you spot suspicious behavior.
Remediation
Make sure the security field of each operation specifies at least one non-empty security requirement that references a scheme defined in components.securitySchemes, so that authentication is applied to the operation.
{
  "components": {
    "securitySchemes": {
      "OAuth2": {
        "type": "oauth2",
        "flows": {
          "authorizationCode": {
            "scopes": {
              "write": "modify objects in your account",
              "read": "read objects in your account"
            },
            "authorizationUrl": "https://example.com/oauth/authorize",
            "tokenUrl": "https://example.com/oauth/token"
          }
        }
      }
    }
  },
  // ...
  "paths": {
    "/pets": {
      "post": {
        "description": "Creates a new pet in the store",
        "operationId": "addPet",
        "security": [
          {
            "OAuth2": [
              "write"
            ]
          }
        ]
        // ...
      }
    }
  }
}
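The following is an added example, not code from the original issue page or from any API security product: a small Python checker that walks an OpenAPI 3 document and reports every operation whose security field contains an empty requirement ({}), including the case where the operation omits security and inherits an empty requirement from the top-level security list. The make_doc helper, the sample documents and the finding messages are constructed for this example and are assumptions, not part of the specification or the page.

```python
"""Added example: detect empty security requirements in an OpenAPI 3 document.

The helper make_doc() and the sample documents below are constructed for this
example; they mirror the /pets POST operation shown on the page.
"""
import json
from typing import Dict, List, Tuple

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")

EMPTY_REQUIREMENT = "empty security requirement disables authentication"
INHERITED_EMPTY = "inherits empty requirement from top-level security"


def empty_security_requirements(doc: Dict) -> List[Tuple[str, str]]:
    """Return (location, message) findings for empty security requirements.

    Checked cases:
      * the top-level security list contains {};
      * an operation's own security list contains {};
      * an operation has no security field and therefore inherits a
        top-level security list that contains {}.
    A security value that is not a list is reported as well, because the
    OpenAPI schema requires an array of requirement objects there.
    """
    findings: List[Tuple[str, str]] = []
    global_security = doc.get("security")

    def check(reqs, location: str) -> None:
        if not isinstance(reqs, list):
            findings.append((location, "security must be an array of requirement objects"))
            return
        for idx, req in enumerate(reqs):
            if not isinstance(req, dict):
                findings.append((f"{location}[{idx}]", "requirement is not an object"))
            elif not req:
                findings.append((f"{location}[{idx}]", EMPTY_REQUIREMENT))

    global_has_empty = isinstance(global_security, list) and any(
        isinstance(r, dict) and not r for r in global_security
    )
    if global_security is not None:
        check(global_security, "security")

    for path, item in doc.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method in HTTP_METHODS:
            op = item.get(method)
            if not isinstance(op, dict):
                continue
            location = f"paths.{path}.{method}.security"
            if "security" in op:
                # Operation-level security overrides the top-level default.
                check(op["security"], location)
            elif global_has_empty:
                findings.append((location, INHERITED_EMPTY))
    return findings


def check_json_text(text: str) -> List[Tuple[str, str]]:
    """Convenience wrapper for checking a JSON OpenAPI document read from a file."""
    return empty_security_requirements(json.loads(text))


def make_doc(operation_security=None, global_security=None) -> Dict:
    """Build a constructed OpenAPI 3 document with the page's OAuth2 scheme."""
    doc = {
        "openapi": "3.0.3",
        "info": {"title": "Pet store (constructed sample)", "version": "1.0.0"},
        "components": {
            "securitySchemes": {
                "OAuth2": {
                    "type": "oauth2",
                    "flows": {
                        "authorizationCode": {
                            "scopes": {"write": "modify objects", "read": "read objects"},
                            "authorizationUrl": "https://example.com/oauth/authorize",
                            "tokenUrl": "https://example.com/oauth/token",
                        }
                    },
                }
            }
        },
        "paths": {"/pets": {"post": {"operationId": "addPet",
                                     "responses": {"201": {"description": "created"}}}}},
    }
    if operation_security is not None:
        doc["paths"]["/pets"]["post"]["security"] = operation_security
    if global_security is not None:
        doc["security"] = global_security
    return doc


VULNERABLE_DOC = make_doc(operation_security=[{}])                  # page's "Example"
FIXED_DOC = make_doc(operation_security=[{"OAuth2": ["write"]}])     # page's "Remediation"
INHERITED_EMPTY_DOC = make_doc(global_security=[{}])                 # operation inherits {}

if __name__ == "__main__":
    for name, doc in (("vulnerable", VULNERABLE_DOC), ("fixed", FIXED_DOC),
                      ("inherited", INHERITED_EMPTY_DOC)):
        print(name, empty_security_requirements(doc))
```

Run the script directly to see the findings for the three constructed documents; in a CI job, feed the API definition's JSON text to check_json_text and fail the build when the returned list is non-empty.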