Authorization URL of the OAuth2 security scheme is not a proper URL

Issue ID: v3-global-securityscheme-oauth2-authorizationurl

Average severity: Medium

Description

An OAuth2 security scheme in the API contract defines a flow (implicit or authorizationCode) whose authorizationUrl is not a proper URL. The OpenAPI Specification (OAS) requires that all URLs in the API contract, including the authorization and token endpoints of OAuth2 flows, are in the form of a valid, absolute URL.

For more details, see the OpenAPI Specification.

Possible exploit scenario

URL parsers differ in how they handle malformed input, for example a missing scheme, user-info in front of the host, an invalid port or bad percent-encoding. Depending on the library your API consumer uses to build the authorization request, a non-standard authorizationUrl might resolve to a host other than the one you intended, so users (and their credentials) could be redirected to a site controlled by an attacker.

In addition, TLS clients validate the presented certificate against the host name taken from the URL. An invalid or ambiguous host name can break this validation, or cause it to be performed against the wrong name. A badly encoded URL could also be used as an attack vector when the resource path is decoded.

Remediation

Make sure that the authorizationUrl of every OAuth2 flow, and every other URL in your API contract, is a proper absolute URL in a valid format: an https scheme (RFC 6749 section 3.1 requires TLS for the authorization endpoint), a well-formed host name, a numeric port if one is given, correct percent-encoding, and no fragment component.
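The following script is an added example, not part of the original issue page or of any vendor's checker. It walks the securitySchemes of an OpenAPI 3 document, applies the validity rules above to the authorizationUrl of every implicit and authorizationCode flow, and reports each offending scheme. The sample document, the scheme names and the helper function names are constructed for illustration; the checks themselves follow OAS 3 (authorizationUrl must be a URL) and RFC 6749 section 3.1 (TLS required, no fragment).

```python
import ipaddress
import re
from urllib.parse import urlsplit

# OAS 3 requires authorizationUrl only for these two OAuth2 flows;
# password and clientCredentials flows carry a tokenUrl instead.
FLOWS_WITH_AUTHORIZATION_URL = ("implicit", "authorizationCode")

# One DNS-style label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*\.?$")
# A percent sign not followed by two hex digits is a malformed escape.
_BAD_ESCAPE_RE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_authorization_url(value):
    """Return None if value is an acceptable OAuth2 authorization endpoint URL,
    otherwise a short reason. Stricter than 'parses at all': it also applies the
    RFC 6749 section 3.1 rules (TLS required, no fragment)."""
    if not isinstance(value, str) or not value:
        return "missing or not a string"
    if any(ch.isspace() or ord(ch) < 0x20 for ch in value):
        return "contains whitespace or control characters"
    if _BAD_ESCAPE_RE.search(value):
        return "malformed percent-encoding"
    try:
        parts = urlsplit(value)
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        return f"unparseable: {exc}"
    if not parts.scheme:
        return "no URL scheme (relative reference)"
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} is not https"
    if "@" in parts.netloc:
        return "userinfo in authority (host is ambiguous across parsers)"
    host = parts.hostname or ""
    if not host:
        return "missing host"
    if not (_HOSTNAME_RE.match(host) or _is_ip_literal(host)):
        return f"host {host!r} is not a valid hostname or IP literal"
    if parts.fragment:
        return "fragment component not allowed on an authorization endpoint"
    return None


def find_bad_authorization_urls(doc):
    """Walk components.securitySchemes and report every OAuth2 flow whose
    authorizationUrl fails check_authorization_url()."""
    findings = []
    schemes = doc.get("components", {}).get("securitySchemes", {})
    for name, scheme in schemes.items():
        if scheme.get("type") != "oauth2":
            continue
        for flow_name, flow in scheme.get("flows", {}).items():
            if flow_name not in FLOWS_WITH_AUTHORIZATION_URL:
                continue
            url = flow.get("authorizationUrl")
            reason = check_authorization_url(url)
            if reason:
                findings.append((name, flow_name, url, reason))
    return findings


def _oauth2(flow_name, **flow):
    # Helper to build a compact oauth2 security scheme for the sample document.
    flow.setdefault("scopes", {})
    return {"type": "oauth2", "flows": {flow_name: flow}}


# Constructed sample contract (hypothetical hosts), not a real API definition.
SAMPLE_DOC = {
    "openapi": "3.0.3",
    "components": {"securitySchemes": {
        "oauthOk": _oauth2("authorizationCode",
                           authorizationUrl="https://auth.example.com/oauth2/authorize",
                           tokenUrl="https://auth.example.com/oauth2/token"),
        "oauthNoScheme": _oauth2("implicit", authorizationUrl="auth.example.com/oauth2/authorize"),
        "oauthBadPort": _oauth2("implicit", authorizationUrl="https://auth.example.com:44x3/authorize"),
        "oauthFragment": _oauth2("implicit", authorizationUrl="https://auth.example.com/authorize#login"),
        "oauthUserinfo": _oauth2("implicit", authorizationUrl="https://auth.example.com@evil.example.net/authorize"),
        "oauthMissing": _oauth2("implicit"),
        "clientCreds": _oauth2("clientCredentials", tokenUrl="https://auth.example.com/token"),
        "basicAuth": {"type": "http", "scheme": "basic"},
    }},
}

if __name__ == "__main__":
    for name, flow, url, reason in find_bad_authorization_urls(SAMPLE_DOC):
        print(f"{name}.{flow}.authorizationUrl = {url!r}: {reason}")
```

Run it against your own contract by loading the JSON (or YAML, with a parser of your choice) into a dict and passing it to find_bad_authorization_urls. The userinfo check is the one most worth keeping even if you relax the others: "https://auth.example.com@evil.example.net/authorize" reads as the trusted host to a human and to some parsers, but the authority actually sends the user to evil.example.net.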