Operation uses both mTLS and clear communication
Issue ID: v3-operation-mtls-over-http
Average severity: Critical
Description
The API definition uses the extension x-42c-mtls to indicate that the API operation is protected by mutual TLS (mTLS), but it also defines that HTTP communications in the clear are accepted. These two are not compatible.
For more details, see x-42c-mtls and the OpenAPI Specification.
Example
The following is an example of how this type of risk could look in your API definition:
{
"paths": {
"/pets": {
"post": {
"description": "Creates a new pet in the store",
"operationId": "addPet",
"x-42c-mtls": true,
"servers": [
{
"url": "http://my.api.server.com/",
"description": "API server"
}
]
//...
}
}
}
}Having both HTTP and HTTPS enabled does not help, you are still accepting unencrypted connections:
{
"paths": {
"/pets": {
"post": {
"description": "Creates a new pet in the store",
"operationId": "addPet",
"x-42c-mtls": true,
"servers": [
{
"url": "http://my.api.server.com/",
"description": "API server"
},
{
"url": "https://my.api.server.com/",
"description": "API server"
}
]
//...
}
}
}
}Possible exploit scenario
Mutual TLS (mTLS) is based on both communicating parties authenticating and verifying each other's identity and establishing a secure, encrypted HTTPS connection. This conflicts with the API accepting HTTP connections.
If your API allows unencrypted HTTP connections, client authentication provided by mTLS disappears and unauthenticated API consumers can now access your API.
Remediation
Use only secure connections for the servers:
{
"paths": {
"/pets": {
"post": {
"description": "Creates a new pet in the store",
"operationId": "addPet",
"x-42c-mtls": true,
"servers": [
{
"url": "https://my.api.server.com/",
"description": "API server"
}
]
//...
}
}
}
}