Security Test: Permissive JSON Input
Description
Default Severity:
The issue arises when an API accepts JSON input without strictly enforcing the type of each field, so a client can supply any JSON value, including whole objects or arrays, where a scalar such as a string or an integer was expected. This weak type control can lead to unintended data exposure: application logic written on the assumption that a field holds a plain value may process the richer structure and return more information than intended. Developers often treat the schema as documentation rather than as an enforced contract; if the validation behind it is lax, an attacker can inject complex values that leak sensitive information or disrupt normal application behavior. The remedy is to enforce strong typing and strict validation (expected type, allowed keys, value constraints) at the input boundary and reject anything that does not match.
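The contrast described above, as an added example in Python that is not part of this page or of the scanner's own code: a lookup endpoint that trusts whatever `json.loads` returns is set beside one that validates the body against a small, hypothetical schema before any value reaches application logic. The user store, the schema for `POST /lookup` and the request bodies are constructed for the example; the `validate` helper is a minimal type-and-shape checker written here, not a real JSON Schema library.

```python
"""Permissive versus strict handling of a JSON request body (added example)."""
import json
from typing import Any

# Constructed sample data: what a profile-lookup endpoint might hold.
USERS = {
    "alice@example.com": {"name": "Alice", "role": "admin"},
    "bob@example.com": {"name": "Bob", "role": "user"},
}

# Hypothetical contract for POST /lookup: exactly one string field, nothing else.
LOOKUP_SCHEMA = {
    "type": "object",
    "properties": {"email": {"type": "string"}},
    "required": ["email"],
    "additionalProperties": False,
}

_TYPES = {
    "string": str, "integer": int, "number": (int, float),
    "boolean": bool, "object": dict, "array": list,
}


def validate(value: Any, schema: dict, path: str = "$") -> list[str]:
    """Return a list of violations; an empty list means the value matches the schema."""
    errors: list[str] = []
    # bool is a subclass of int in Python, so true/false would otherwise pass as integers.
    if isinstance(value, bool) and schema["type"] in ("integer", "number"):
        return [f"{path}: expected {schema['type']}, got boolean"]
    if not isinstance(value, _TYPES[schema["type"]]):
        return [f"{path}: expected {schema['type']}, got {type(value).__name__}"]
    if schema["type"] == "object":
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: required")
        for key, sub in value.items():
            if key in props:
                errors.extend(validate(sub, props[key], f"{path}.{key}"))
            elif not schema.get("additionalProperties", True):
                errors.append(f"{path}.{key}: unexpected property")
    elif schema["type"] == "array" and "items" in schema:
        for i, item in enumerate(value):
            errors.extend(validate(item, schema["items"], f"{path}[{i}]"))
    return errors


def handle_permissive(raw_body: str) -> tuple[int, dict]:
    """Weak version: whatever arrives under "email" is passed straight to the lookup."""
    try:
        body = json.loads(raw_body)
        user = USERS.get(body.get("email"))  # a nested object or array here raises TypeError
    except Exception as exc:  # framework-style catch-all turned into a 500
        # Echoing the exception and the input back is exactly the kind of over-sharing
        # that permissive typing invites.
        return 500, {"error": str(exc), "received": raw_body}
    if user is None:
        return 404, {"error": "no such user"}
    return 200, {"name": user["name"]}


def handle_strict(raw_body: str) -> tuple[int, dict]:
    """Hardened version: shape and types are enforced before any value is used."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, {"error": "malformed JSON"}
    problems = validate(body, LOOKUP_SCHEMA)
    if problems:
        return 400, {"error": "invalid request", "details": problems}
    user = USERS.get(body["email"])
    if user is None:
        return 404, {"error": "no such user"}
    return 200, {"name": user["name"]}


if __name__ == "__main__":
    for payload in ('{"email": "alice@example.com"}',
                    '{"email": {"contains": "@"}}',
                    '{"email": "bob@example.com", "role": "admin"}'):
        print(payload, "->", handle_permissive(payload), "|", handle_strict(payload))
```

The strict handler rejects a nested object where a string is expected, an unexpected extra key, and `true` where an integer is expected, all with a 400 and a path to the offending field, whereas the permissive handler either crashes into a 500 that leaks internal detail or silently accepts keys it never asked for.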
Configuration
Identifier:
schema/permissive_json_input
Examples
All configuration available:
Compliance and Standards
Standard | Value |
---|---|
OWASP API Top 10 | API10:2023 |
OWASP LLM Top 10 | LLM06:2023 |
PCI DSS | 6.5.9 |
GDPR | Article-32 |
SOC2 | CC1 |
PSD2 | Article-95 |
ISO 27001 | A.18.1 |
NIST | SP800-53 |
FedRAMP | SI-10 |
CWE | 20 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N/E:H/RL:O/RC:C |