Invalid Request Spec¶
Overview¶
The server accepted a payload which wasn't valid according to the provided spec.
This is commonly caused by drift between the API implementation and a manually maintained specification. Most often, such drift is harmless.
It can be an indicator (although not a proof) of much more serious validation problems, such as accidental "mass assignment" vulnerabilities, which allow an attacker to write data into fields they shouldn't be able to.
For what it's worth, Mayhem for API itself doesn't require a perfect, comprehensive spec to test a given API. We're able to do spec validation as a side-effect of our primary testing, so we produce these warnings in case you find them useful. You don't need to fix them just to keep using the tool!
Recommendation¶
Make extra sure that unexpectedly successful payloads don't represent more serious defects, security or otherwise. Once you're satisfied, adjust the affected endoint's "requestBody" field to be in sync with what the code actually allows.
Examples¶
The classic example of a mass assignment vulnerability is the ruby on rails code:
@user = User.new(params[:user])
The above would raise "Invalid Request Spec" warnings if the spec enumerated the expected fields, but the code failed to check them:
openapi: "3.0.0"
info:
title: "user"
version: "0"
paths:
/user:
post:
requestBody:
content:
application/json:
schema:
type: object
additionalProperties: false
properties:
name:
type: string
email:
type: string