API uses both mTLS and clear communication

Issue ID: v3-global-mtls-over-http

Average severity: Critical

Description

The API definition uses the extension x-42c-mtls to declare that the API is protected by mutual TLS (mTLS), but its servers list also accepts HTTP communications in the clear. The two are not compatible: mTLS only exists inside a TLS connection, so an endpoint that is reachable over plain HTTP is not protected by it at all.

For more details, see x-42c-mtls and the OpenAPI Specification.

Example

The following is an example of how this type of risk could look in your API definition:

{
    "openapi": "3.0.0",
    "info": {
        "version": "1.0.0",
        "title": "Swagger Petstore"
        //...
    },
    "x-42c-mtls": true,
    //...
    "servers": [
        {
            "url": "http://my.api.server.com/",
            "description": "API server"
        }
    ]
}

Listing an HTTPS server alongside the HTTP one does not help. As long as the HTTP server remains, you are still accepting unencrypted connections:

{
    "openapi": "3.0.0",
    "info": {
        "version": "1.0.0",
        "title": "Swagger Petstore"
        //...
    },
    "x-42c-mtls": true,
    //...
    "servers": [
        {
            "url": "http://my.api.server.com/",
            "description": "API server"
        },
        {
            "url": "https://my.api.server.com/",
            "description": "API server"
        }
    ]
}

Possible exploit scenario

Mutual TLS (mTLS) relies on both communicating parties authenticating and verifying each other's identity during the TLS handshake, and on the encrypted HTTPS connection that results from it. An API that also accepts plain HTTP connections undermines both.

If your API allows unencrypted HTTP connections, no TLS handshake takes place on those connections, so the client certificate that mTLS depends on is never requested or verified. The client authentication provided by mTLS disappears, unauthenticated API consumers can access your API, and anyone on the network path can read or modify the traffic in transit.

Remediation

Use only HTTPS URLs for the servers and remove the HTTP entry:

{
    "openapi": "3.0.0",
    "info": {
        "version": "1.0.0",
        "title": "Swagger Petstore"
        //...
    },
    "x-42c-mtls": true,
    //...
    "servers": [
        {
            "url": "https://my.api.server.com/",
            "description": "API server"
        }
    ]
}
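The following is an added example, not part of this page or of the 42Crunch product, showing how the check behind this issue can be applied to an OpenAPI 3 definition offline. It goes beyond the single case above: it also expands server URL variables (a `{scheme}` variable whose enum includes `http`) and walks the path-item and operation-level `servers` overrides that OpenAPI 3 allows, since a clean root `servers` list is not enough if an operation reintroduces an HTTP server. The sample definitions at the bottom are constructed to mirror the three definitions on this page plus one variable-driven case; the function and variable names are the example's own.

```python
"""Audit an OpenAPI 3 definition for the x-42c-mtls / plain-HTTP conflict.

Added example, not 42Crunch code. Walks every place an OpenAPI 3 document
can declare servers (root, path item, operation), expands server URL
variables, and reports any server that is not https when x-42c-mtls is true.
"""
import json
import sys
from itertools import product
from urllib.parse import urlparse

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")


def expand_server_urls(server):
    """Return every concrete URL a server object can resolve to.

    Server URL variables ({name}) are replaced by each of their `enum` values,
    or by `default` when no enum is given, so "{scheme}://api.example.com"
    with enum ["https", "http"] yields both URLs.
    """
    url = server.get("url", "")
    variables = server.get("variables") or {}
    names = list(variables)
    if not names:
        return [url]
    choices = []
    for name in names:
        spec = variables[name]
        values = spec.get("enum") or [spec.get("default", "")]
        choices.append([str(v) for v in values])
    urls = []
    for combo in product(*choices):
        expanded = url
        for name, value in zip(names, combo):
            expanded = expanded.replace("{" + name + "}", value)
        urls.append(expanded)
    return urls


def insecure_servers(doc):
    """Return (location, url) pairs for every declared server that is not https.

    Relative URLs (no scheme) are reported too: they inherit the scheme of
    wherever the document is served from, so the definition alone does not
    guarantee TLS for them.
    """
    findings = []

    def check(location, servers):
        for server in servers or []:
            for url in expand_server_urls(server):
                if urlparse(url).scheme.lower() != "https":
                    findings.append((location, url))

    check("servers", doc.get("servers"))
    for path, item in (doc.get("paths") or {}).items():
        if not isinstance(item, dict):
            continue
        check(f"paths.{path}.servers", item.get("servers"))
        for method in HTTP_METHODS:
            op = item.get(method)
            if isinstance(op, dict):
                check(f"paths.{path}.{method}.servers", op.get("servers"))
    return findings


def audit_mtls_over_http(doc):
    """Findings for 'mTLS declared but plain HTTP accepted'; [] means clean."""
    if doc.get("x-42c-mtls") is not True:
        return []
    return insecure_servers(doc)


# Constructed sample definitions mirroring the examples on this page.
_INFO = {"version": "1.0.0", "title": "Swagger Petstore"}
HTTP_SERVER = {"url": "http://my.api.server.com/", "description": "API server"}
HTTPS_SERVER = {"url": "https://my.api.server.com/", "description": "API server"}
MTLS_HTTP_ONLY = {"openapi": "3.0.0", "info": _INFO, "x-42c-mtls": True,
                  "servers": [HTTP_SERVER]}
MTLS_MIXED = {"openapi": "3.0.0", "info": _INFO, "x-42c-mtls": True,
              "servers": [HTTP_SERVER, HTTPS_SERVER]}
MTLS_FIXED = {"openapi": "3.0.0", "info": _INFO, "x-42c-mtls": True,
              "servers": [HTTPS_SERVER]}
# Beyond the page: a scheme variable that allows http, and an operation-level
# servers override that reintroduces a plain-HTTP host under a clean root.
MTLS_VARIABLE = {"openapi": "3.0.0", "info": _INFO, "x-42c-mtls": True,
                 "servers": [{"url": "{scheme}://my.api.server.com/",
                              "variables": {"scheme": {"enum": ["https", "http"],
                                                       "default": "https"}}}],
                 "paths": {"/pets": {"get": {"servers": [
                     {"url": "http://legacy.my.api.server.com/"}]}}}}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a JSON OpenAPI file given on the command line
        with open(sys.argv[1]) as fh:
            print(audit_mtls_over_http(json.load(fh)))
    else:
        for name, doc in [("http only", MTLS_HTTP_ONLY), ("mixed", MTLS_MIXED),
                          ("fixed", MTLS_FIXED), ("variable", MTLS_VARIABLE)]:
            print(f"{name}: {audit_mtls_over_http(doc)}")
```

Run without arguments to see the first two definitions flagged, the remediated one pass, and the variable-driven definition produce two findings (the `http` enum value at the root and the operation-level override). Any non-empty result means the mTLS declaration is not actually enforced for every reachable server.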