Schema: Permissive JSON Input

Identifier: permissive_json_input

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

The issue arises when a system accepts JSON input without strictly defining the expected type, letting users submit any kind of data (even entire JSON objects) where a simple value was expected. This weak type control can lead to unintentional data exposure, because the system may process and return more information than intended. Developers often assume that inputs will match the shape implied by the schema design, but if validation is too lax, an attacker can inject complex data that leaks sensitive information or disrupts normal application behavior. Enforce strong typing and strict validation in your input handling to avoid such risks.
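As an added illustration (not part of the scanner or its documentation), the Python below contrasts a handler that accepts any JSON value for a field with a strict validator that enforces each field's declared scalar type; the schema, handlers and sample payloads are all constructed for this example.

```python
import json

# Constructed schema: each field maps to the single Python type it accepts.
PROFILE_SCHEMA = {"username": str, "age": int, "newsletter": bool}


def permissive_handler(raw: str) -> dict:
    """'Before' behaviour: trusts whatever JSON arrives and echoes it back.
    A nested object sent as 'username' is stored and returned verbatim."""
    data = json.loads(raw)
    return {"stored": data}


def validate_strict(data, schema) -> list:
    """Return a list of problems; an empty list means the payload is acceptable."""
    errors = []
    if not isinstance(data, dict):
        return ["top-level value must be a JSON object"]
    for key, expected in schema.items():
        if key not in data:
            errors.append(f"missing field: {key}")
            continue
        value = data[key]
        # JSON true/false parse to Python bool, which is a subclass of int,
        # so reject bool explicitly wherever an int (or str) is declared.
        if isinstance(value, bool) and expected is not bool:
            errors.append(f"{key}: expected {expected.__name__}, got bool")
        # Objects and arrays never satisfy a scalar type, so they fail here.
        elif not isinstance(value, expected):
            errors.append(
                f"{key}: expected {expected.__name__}, got {type(value).__name__}"
            )
    for key in data:
        if key not in schema:
            errors.append(f"unexpected field: {key}")
    return errors


def strict_handler(raw: str) -> dict:
    """'After' behaviour: refuse the request unless every field has the declared type."""
    data = json.loads(raw)
    problems = validate_strict(data, PROFILE_SCHEMA)
    if problems:
        return {"error": "invalid input", "details": problems}
    return {"stored": data}


# Constructed sample payloads: one well-typed, one with an object where a string belongs.
SAMPLE_GOOD = '{"username": "alice", "age": 30, "newsletter": true}'
SAMPLE_BAD = '{"username": {"name": "alice", "id": 7}, "age": 30, "newsletter": true}'
```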

Configuration

Example

Example configuration:

---
security_tests:
  permissive_json_input:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.