Open API Spec Evaluation

API spec assessment for risks and compliance

{{ created_time }}

Prepared for: Name of the company

Prepared by: Imperva API Security Team

Uploaded file name: {{ file_name }}

Creation Time: Jan 22, 2022, 14:56

Table of Contents

Input File Details
Overall Design Issues
Issue Categories Details
Violation Details

Input File Details

Information about data found inside the zip file

What did we find inside the uploaded zip file?

Files

{{ num_of_files }}

APIs

{{ num_of_apis }}

Parameters

{{ num_of_params }}

Data Types

{{ num_of_data_types }}

How is content distributed inside your files?

By API Method

By Parameter Type

By API Response Code

Overall Design Issues

Information about design issues found in the uploaded file

What did we find inside the uploaded zip file?

Total checkups performed

{{ num_of_evaluations }}

Issues found

{% set siv = violations.get('risk_siv_counts', {}) %}
{% set critical_issue_count = siv.get('critical', 0) + siv.get('high', 0) %}
{% set major_issue_count = siv.get('medium', 0) %}
{% set minor_issue_count = siv.get('low', 0) %}
{% set total_issue_count = critical_issue_count + major_issue_count + minor_issue_count %}

{# Guard the percentage: a report with zero checkups must not divide by zero #}
{{ total_issue_count }} ({% if num_of_evaluations %}{{ '%0.2f' % (total_issue_count / num_of_evaluations * 100) }}{% else %}0.00{% endif %}%)

Issues distribution by severity

Critical

{{ critical_issue_count }}

Major

{{ major_issue_count }}

Minor

{{ minor_issue_count }}

Most frequently occurring violation

{{violations.get('description')}}

{{violations.get('most_occ_cat_count', 0)}} Violations

20%

What are the issue categories?

API Design Scorecard

{% set sev_mapping = {"Critical": "critical", "High": "critical", "Medium": "major", "Low": "minor"} %}
{# One label per category: a single shared `pri` variable is overwritten by the last category and would be shown on every row #}
{% set pri_transport = sev_mapping.get(violations.get('API Transport', {}).get('highest_sev', ''), '') %}
{% set pri_auth = sev_mapping.get(violations.get('AuthN/AuthZ', {}).get('highest_sev', ''), '') %}
{% set pri_data = sev_mapping.get(violations.get('Data Type Definitions', {}).get('highest_sev', ''), '') %}
{% set pri_lifecycle = sev_mapping.get(violations.get('API Lifecycle & Management', {}).get('highest_sev', ''), '') %}
{% set pri_specfile = sev_mapping.get(violations.get('API Spec-file Management', {}).get('highest_sev', ''), '') %}
Issue Category  APIs Impacted  Highest Severity

API Transport  {{ issue_insights.get('API Transport', {}).get('api_list', '') | length }}
{% if 'highest_sev_api_count' in violations.get('API Transport', {}) %}
{{ violations.get('API Transport', {}).get('highest_sev_api_count', '-') }} {{ pri_transport }}
{% endif %}

Authentication/Authorization  {{ issue_insights.get('AuthN/AuthZ', {}).get('api_list', '') | length }}
{% if 'highest_sev_api_count' in violations.get('AuthN/AuthZ', {}) %}
{{ violations.get('AuthN/AuthZ', {}).get('highest_sev_api_count', '-') }} {{ pri_auth }}
{% endif %}

Data Type Definition  {{ issue_insights.get('Data Type Definitions', {}).get('param_list', '') | length }}
{% if 'highest_sev_param_count' in violations.get('Data Type Definitions', {}) %}
{{ violations.get('Data Type Definitions', {}).get('highest_sev_param_count', 0) }} {{ pri_data }}
{% endif %}

API Life-cycle Management  {{ issue_insights.get('API Lifecycle & Management', {}).get('api_list', '') | length }}
{% if 'highest_sev_api_count' in violations.get('API Lifecycle & Management', {}) %}
{{ violations.get('API Lifecycle & Management', {}).get('highest_sev_api_count', '-') }} {{ pri_lifecycle }}
{% endif %}

API Spec-file Management  {{ issue_insights.get('API Spec-file Management', {}).get('file_list', '') | length }}
{% if 'file_list' in issue_insights.get('API Spec-file Management', {}) %}
{{ issue_insights.get('API Spec-file Management', {}).get('file_list', '') | length }} {{ pri_specfile }}
{% endif %}

Critical

Major

Minor

Issue Categories Details

Information about issue categories found inside the zip file

What are the issue categories?

API Transport Design Issues

{# Each issue keeps its own data object: shared critical/medium/low/files/tags variables are overwritten by the last issue and would be repeated on every row #}
{% set tran_not_defined_info = issue_insights.get('API Transport', {}).get('Undefined Transport Mechanism', {}) %}
{% set insecure_info = issue_insights.get('API Transport', {}).get('Insecure Transport Mechanism', {}) %}
{% set tran_not_defined = tran_not_defined_info.get('apis', {}) | length %}
{% set insecure_not_defined = insecure_info.get('apis', {}) | length %}
Issue Category  APIs with Issue  Severity Distribution  Files  Data Tags

Transport Method Not Defined

The APIs that do not define a transport method at either the local or the global level

{{ tran_not_defined }}

{% if tran_not_defined == 0 %}
No Issues found! Kudos to you and your team!
{% else %}
{{ tran_not_defined_info.get('critical_apis', '') | length + tran_not_defined_info.get('high_apis', '') | length }} Critical
{{ tran_not_defined_info.get('medium_apis', '') | length }} Major
{{ tran_not_defined_info.get('low_apis', '') | length }} Minor
{% for file in tran_not_defined_info.get('files', {}) %}
{{ file }}
{% endfor %}
{% for tag in tran_not_defined_info.get('tags', {}) %}
{{ tag }}
{% endfor %}
{% endif %}

Clear Text HTTP

The APIs that are defined to use clear-text HTTP

{{ insecure_not_defined }}

{% if insecure_not_defined == 0 %}
No Issues found! Kudos to you and your team!
{% else %}
{{ insecure_info.get('critical_apis', '') | length + insecure_info.get('high_apis', '') | length }} Critical
{{ insecure_info.get('medium_apis', '') | length }} Major
{{ insecure_info.get('low_apis', '') | length }} Minor
{% for file in insecure_info.get('files', {}) %}
{{ file }}
{% endfor %}
{% for tag in insecure_info.get('tags', {}) %}
{{ tag }}
{% endfor %}
{% endif %}

Data Type Issues

{# Each issue keeps its own data object so that severity counts, files and tags are not overwritten by the next issue #}
{% set undefined_bounds_info = issue_insights.get('Data Type Definitions', {}).get('Undefined Bounds', {}) %}
{% set unrestricted_bounds_info = issue_insights.get('Data Type Definitions', {}).get('Unrestricted Bounds', {}) %}
{% set type_mismatch_info = issue_insights.get('Data Type Definitions', {}).get('Type and Attribute mismatch', {}) %}
{% set undefined_bounds = undefined_bounds_info.get('apis', {}) | length %}
{% set unrestricted_bounds = unrestricted_bounds_info.get('apis', {}) | length %}
{% set type_mismatch = type_mismatch_info.get('apis', {}) | length %}
Issue Category  APIs with Issue  Severity Distribution  Files  Data Tags

Data Bounds Not Defined

The bounds of the data are not defined for various entities, e.g. the maximum string length or the maximum number of elements in an array is not set

{{ undefined_bounds }}

{% if undefined_bounds == 0 %}
No Issues found! Kudos to you and your team!
{% else %}
{{ undefined_bounds_info.get('critical_params', '') | length + undefined_bounds_info.get('high_params', '') | length }} Critical
{{ undefined_bounds_info.get('medium_params', '') | length }} Major
{{ undefined_bounds_info.get('low_params', '') | length }} Minor
{% for file in undefined_bounds_info.get('files', {}) %}
{{ file }}
{% endfor %}
{% for tag in undefined_bounds_info.get('tags', {}) %}
{{ tag }}
{% endfor %}
{% endif %}

Non-restrictive Data Bounds

The bounds of the data are not restrictive for various entities, e.g. a string is defined with a catch-all pattern (*) rather than being restricted to alphanumeric characters

{{ unrestricted_bounds }}

{% if unrestricted_bounds == 0 %}
No Issues found! Kudos to you and your team!
{% else %}
{{ unrestricted_bounds_info.get('critical_params', '') | length + unrestricted_bounds_info.get('high_params', '') | length }} Critical
{{ unrestricted_bounds_info.get('medium_params', '') | length }} Major
{{ unrestricted_bounds_info.get('low_params', '') | length }} Minor
{% for file in unrestricted_bounds_info.get('files', {}) %}
{{ file }}
{% endfor %}
{% for tag in unrestricted_bounds_info.get('tags', {}) %}
{{ tag }}
{% endfor %}
{% endif %}

Type & Attribute Mismatch

Certain entities are of a particular type but mandatory attributes are missing, e.g. an entity of type array does not have items defined

{{ type_mismatch }}

{% if type_mismatch == 0 %}
No Issues found! Kudos to you and your team!
{% else %}
{{ type_mismatch_info.get('critical_params', '') | length + type_mismatch_info.get('high_params', '') | length }} Critical
{{ type_mismatch_info.get('medium_params', '') | length }} Major
{{ type_mismatch_info.get('low_params', '') | length }} Minor
{% for file in type_mismatch_info.get('files', {}) %}
{{ file }}
{% endfor %}
{% for tag in type_mismatch_info.get('tags', {}) %}
{{ tag }}
{% endfor %}
{% endif %}

API Authentication & Authorization Issues

{# Each issue keeps its own data object so that severity counts, files and tags are not overwritten by the next issue #}
{% set undefined_auth_info = issue_insights.get('AuthN/AuthZ', {}).get('Undefined Auth Information', {}) %}
{% set invalid_url_info = issue_insights.get('AuthN/AuthZ', {}).get('Invalid or Insecure URL', {}) %}
{% set undefined_auth = undefined_auth_info.get('apis', {}) | length %}
{% set invalid_url = invalid_url_info.get('apis', {}) | length %}
Issue Category  APIs with Issue  Severity Distribution  Files  Data Tags

No Auth Information Defined

The APIs that do not define any auth (authentication/authorization) information

{{ undefined_auth }}

{% if undefined_auth == 0 %}
No Issues found! Kudos to you and your team!
{% else %}
{{ undefined_auth_info.get('critical_apis', '') | length + undefined_auth_info.get('high_apis', '') | length }} Critical
{{ undefined_auth_info.get('medium_apis', '') | length }} Major
{{ undefined_auth_info.get('low_apis', '') | length }} Minor
{% for file in undefined_auth_info.get('files', {}) %}
{{ file }}
{% endfor %}
{% for tag in undefined_auth_info.get('tags', {}) %}
{{ tag }}
{% endfor %}
{% endif %}

Invalid or Insecure Auth URL

The APIs that are defined to use an invalid or insecure auth URL

{{ invalid_url }}

{% if invalid_url == 0 %}
No Issues found! Kudos to you and your team!
{% else %}
{{ invalid_url_info.get('critical_apis', '') | length + invalid_url_info.get('high_apis', '') | length }} Critical
{{ invalid_url_info.get('medium_apis', '') | length }} Major
{{ invalid_url_info.get('low_apis', '') | length }} Minor
{% for file in invalid_url_info.get('files', {}) %}
{{ file }}
{% endfor %}
{% for tag in invalid_url_info.get('tags', {}) %}
{{ tag }}
{% endfor %}
{% endif %}

API Lifecycle and Management Issues

{# Each issue keeps its own data object so that severity counts, files and tags are not overwritten by the next issue #}
{% set no_version_info = issue_insights.get('API Lifecycle & Management', {}).get('No API Versioning', {}) %}
{% set response_errors_info = issue_insights.get('API Lifecycle & Management', {}).get('Response-specific Errors', {}) %}
{% set no_version = no_version_info.get('apis', {}) | length %}
{% set response_errors = response_errors_info.get('apis', {}) | length %}
Issue Category  APIs with Issue  Severity Distribution  Files  Data Tags

No API Versioning

The APIs defined do not accommodate versioning. E.g. an API defined as /api/v1/employeeInfo allows for versioning; the absence of such a version segment is not ideal for API lifecycle management

{{ no_version }}

{% if no_version == 0 %}
No Issues found! Kudos to you and your team!
{% else %}
{{ no_version_info.get('critical_apis', '') | length + no_version_info.get('high_apis', '') | length }} Critical
{{ no_version_info.get('medium_apis', '') | length }} Major
{{ no_version_info.get('low_apis', '') | length }} Minor
{% for file in no_version_info.get('files', {}) %}
{{ file }}
{% endfor %}
{% for tag in no_version_info.get('tags', {}) %}
{{ tag }}
{% endfor %}
{% endif %}

API Error Responses Not Defined

The APIs that do not define response-specific error responses

{{ response_errors }}

{% if response_errors == 0 %}
No Issues found! Kudos to you and your team!
{% else %}
{{ response_errors_info.get('critical_apis', '') | length + response_errors_info.get('high_apis', '') | length }} Critical
{{ response_errors_info.get('medium_apis', '') | length }} Major
{{ response_errors_info.get('low_apis', '') | length }} Minor
{% for file in response_errors_info.get('files', {}) %}
{{ file }}
{% endfor %}
{% for tag in response_errors_info.get('tags', {}) %}
{{ tag }}
{% endfor %}
{% endif %}

API Spec-file Management Issues

{% set missing_info_data = issue_insights.get('API Spec-file Management', {}).get('Missing information', {}) %}
{% set missing_info = missing_info_data.get('files', {}) | length %}
Issue Category  APIs with Issue  Severity Distribution  Files  Data Tags

Contact Information Missing

The contact information is missing from the API specification files

{{ missing_info }}

{% if missing_info == 0 %}
No Issues found! Kudos to you and your team!
{% else %}
{{ missing_info_data.get('critical_files', '') | length + missing_info_data.get('high_files', '') | length }} Critical
{{ missing_info_data.get('medium_files', '') | length }} Major
{{ missing_info_data.get('low_files', '') | length }} Minor
{% for file in missing_info_data.get('files', {}) %}
{{ file }}
{% endfor %}
{% for tag in missing_info_data.get('tags', {}) %}
{{ tag }}
{% endfor %}
{% endif %}
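The five issue categories above describe checks on an OpenAPI document without showing how they are computed. The following is an added example, not code from this report template or from Imperva's tooling: a small Python checker that walks a parsed OpenAPI 3.x document and produces, per issue key used in the template (`Undefined Transport Mechanism`, `Undefined Bounds`, `Undefined Auth Information`, `No API Versioning`, `Missing information`, and so on), the list of affected operations, schema locations or files. The spec it runs on is constructed inline; the `evaluate` function, the `ptr`/`operations`/`schemas` helpers and the flat `{issue: [locations]}` output shape are assumptions of this example and do not reproduce the template's `issue_insights` structure.

```python
# Added example, not part of the Imperva report template: a dependency-free
# checker over a parsed OpenAPI 3.x document for the issue categories the report
# describes. Issue names mirror the report's keys; the sample spec, `evaluate`
# and its output layout are constructed here, not taken from Imperva's tooling.
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

METHODS = ("get", "put", "post", "delete", "options", "head", "patch", "trace")
VERSION_RE = re.compile(r"/v\d+(?:/|$)")        # e.g. /api/v1/employeeInfo
CATCH_ALL = {"*", ".*", "^.*$", ".+", "^.+$"}    # patterns that restrict nothing

def ptr(where, key):  # JSON-Pointer style location, RFC 6901 escaping
    return f"{where}/{str(key).replace('~', '~0').replace('/', '~1')}"

def operations(spec):  # yields ('GET', '/path', operation) for every operation
    for path, item in spec.get("paths", {}).items():
        for m in METHODS:
            if isinstance(item, dict) and m in item:
                yield m.upper(), path, item[m]

def schemas(node, where=""):  # every dict with a string 'type', nested ones included
    if isinstance(node, dict):
        if isinstance(node.get("type"), str):
            yield where, node
        for k, v in node.items():
            yield from schemas(v, ptr(where, k))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from schemas(v, ptr(where, i))

def check_transport(spec):  # an operation's own `servers` override the global list
    for method, path, op in operations(spec):
        servers = op.get("servers", spec.get("servers", []))
        if not servers:
            yield "Undefined Transport Mechanism", f"{method} {path}"
        elif any(urlparse(s.get("url", "")).scheme == "http" for s in servers):
            yield "Insecure Transport Mechanism", f"{method} {path}"

def check_data_types(spec):  # bounds, catch-all patterns, arrays without items
    for where, s in schemas(spec):  # non-schema dicts (e.g. securitySchemes) match no branch
        t = s["type"]
        if t == "array" and "items" not in s:
            yield "Type and Attribute mismatch", where
        elif (t == "string" and not ("maxLength" in s or "enum" in s)
              or t == "array" and "maxItems" not in s
              or t in ("integer", "number") and not ("minimum" in s or "maximum" in s)):
            yield "Undefined Bounds", where
        if t == "string" and s.get("pattern") in CATCH_ALL:
            yield "Unrestricted Bounds", where

def check_auth(spec):  # no security requirement (own or global); non-HTTPS OAuth URLs
    for method, path, op in operations(spec):
        if "security" not in op and not spec.get("security"):  # explicit [] counts as defined
            yield "Undefined Auth Information", f"{method} {path}"
    for name, scheme in spec.get("components", {}).get("securitySchemes", {}).items():
        for flow_name, flow in scheme.get("flows", {}).items():
            for key in ("authorizationUrl", "tokenUrl"):
                if key in flow and urlparse(flow[key]).scheme != "https":
                    yield "Invalid or Insecure URL", f"/components/securitySchemes/{name}/flows/{flow_name}/{key}"

def check_lifecycle(spec):  # version segment in path or server URL; a 4xx/5xx/default response
    versioned_server = any(VERSION_RE.search(s.get("url", "")) for s in spec.get("servers", []))
    for method, path, op in operations(spec):
        if not versioned_server and not VERSION_RE.search(path):
            yield "No API Versioning", f"{method} {path}"
        codes = [str(c) for c in op.get("responses", {})]
        if not any(c == "default" or c[:1] in ("4", "5") for c in codes):
            yield "Response-specific Errors", f"{method} {path}"

def evaluate(spec, file_name):
    """Run every check; return {issue key: sorted list of affected locations}."""
    report = defaultdict(set)
    for check in (check_transport, check_data_types, check_auth, check_lifecycle):
        for issue, location in check(spec):
            report[issue].add(location)
    if not spec.get("info", {}).get("contact"):  # the report's 'Contact Information Missing'
        report["Missing information"].add(file_name)
    return {k: sorted(v) for k, v in sorted(report.items())}

# Constructed sample: clear-text servers, an unbounded catch-all query parameter, an array
# without items, one unversioned operation with no auth and no error responses, an OAuth
# flow over http, and no contact block.
SAMPLE_SPEC = json.loads("""{
  "openapi": "3.0.3", "info": {"title": "Constructed sample", "version": "1.0.0"},
  "servers": [{"url": "http://api.example.test"}],
  "components": {"securitySchemes": {"oauth": {"type": "oauth2", "flows": {"implicit":
    {"authorizationUrl": "http://auth.example.test/authorize", "scopes": {}}}}}},
  "paths": {
    "/employees": {"get": {
      "parameters": [{"name": "name", "in": "query", "schema": {"type": "string", "pattern": ".*"}}],
      "responses": {"200": {"description": "ok"}}}},
    "/v1/employees": {"post": {
      "security": [{"oauth": []}],
      "requestBody": {"content": {"application/json": {"schema": {"type": "object",
        "properties": {"tags": {"type": "array"},
                       "age": {"type": "integer", "minimum": 0, "maximum": 150}}}}}},
      "responses": {"201": {"description": "created"}, "400": {"description": "bad request"}}}}}}""")

if __name__ == "__main__":
    print(json.dumps(evaluate(SAMPLE_SPEC, "sample.json"), indent=2))
```

Each check follows the heuristic the category description states: transport comes from the operation's `servers` list or the global one, a string is unbounded without `maxLength` or `enum`, an array without `items` is the type/attribute mismatch the template reports, an operation with neither its own nor a global `security` requirement has no auth information, and a path or server URL without a `/vN` segment has no versioning. An explicit `security: []` is treated as a deliberately public endpoint rather than as missing information; a stricter policy may want to flag that case as well.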

Violation Details

Information about violations and locations in the spec.

{% for sev, sev_val in violation_details.items() %}

{{ sev }} Issues

{% for key, val in sev_val.items() %}

Type

{{ key }}

{# The affected locations live under the one key that is not 'Impact'; a namespace carries that key out of the inner loop #}
{% set req_key = namespace(value='') %}
{% for k in val %}
{% if k != 'Impact' %}{% set req_key.value = k %}{% endif %}
{% endfor %}

Issues

{{ val.get(req_key.value, []) | length }}

Impact

{{ val.get('Impact', '') }}

{% for api in val.get(req_key.value, []) %}
{% set split_list = api.split('\n\n') %}
{{ loop.index }}. {{ split_list[0] }}
{% if split_list | length > 1 %}{{ split_list[1] }}{% endif %}
{% endfor %}
{% endfor %}
{% endfor %}