Schema: Swagger rules

Identifier: swagger_rules

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

Swagger rules are used to validate the schema of a REST API, but because they aren't strictly structured, they can introduce security weaknesses. The main issue is that their flexibility sometimes allows unexpected or malicious data to pass validation, which attackers can then use to bypass security controls or trigger unintended behaviour. Developers using these rules might assume they are automatically enforcing strict validation, while the less rigorous checks leave room for risks such as data breaches or unauthorized access. Essentially, the danger lies in relying too heavily on these rules without adding robust, manual security checks.
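The gap described above, as an added example that is not part of the scanner's documentation: a constructed "flexible" request-body schema fragment beside a tightened one, checked with a small validator that covers only the JSON Schema keywords used here (type, required, additionalProperties, enum, maxLength). Both schemas, the validator and the payload are assumptions for illustration, not anything the page or the scanner ships.

```python
# Added example: why a permissive Swagger/OpenAPI schema lets unexpected data
# through validation, and how a tightened schema rejects it. The validator below
# is a deliberately minimal stand-in for a full JSON Schema implementation and
# supports only the keywords used by the two constructed schemas.

# Constructed: a typical "flexible" request-body schema, as found in many Swagger docs.
LOOSE_SCHEMA = {
    "type": "object",
    "properties": {
        "username": {"type": "string"},
        "role": {"type": "string"},
    },
}

# Constructed: the same schema tightened so that validation actually constrains input.
STRICT_SCHEMA = {
    "type": "object",
    "required": ["username"],
    "additionalProperties": False,
    "properties": {
        "username": {"type": "string", "maxLength": 32},
        "role": {"type": "string", "enum": ["user"]},
    },
}

TYPES = {"string": str, "integer": int, "boolean": bool, "object": dict, "array": list}


def violations(schema, value, path="$"):
    """Return a list of human-readable ways in which `value` violates `schema`."""
    errs = []
    t = schema.get("type")
    # bool is a subclass of int in Python, so "integer" must exclude it explicitly
    if t and (not isinstance(value, TYPES[t]) or (t == "integer" and isinstance(value, bool))):
        return [f"{path}: expected {t}"]
    if "enum" in schema and value not in schema["enum"]:
        errs.append(f"{path}: not in enum {schema['enum']}")
    if "maxLength" in schema and isinstance(value, str) and len(value) > schema["maxLength"]:
        errs.append(f"{path}: longer than {schema['maxLength']}")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for name in schema.get("required", []):
            if name not in value:
                errs.append(f"{path}.{name}: required property missing")
        for name, sub in value.items():
            if name in props:
                errs += violations(props[name], sub, f"{path}.{name}")
            elif schema.get("additionalProperties", True) is False:
                errs.append(f"{path}.{name}: unexpected property")
    return errs
```

With the constructed payload `{"username": "alice", "role": "admin", "is_admin": True}` the loose schema reports nothing, while the strict one flags the out-of-range role and the extra property; the scanner's check exists to surface schemas of the first kind.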

Configuration

Example

Example configuration:

---
security_tests:
  swagger_rules:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.