Findings

Undefined integer format

Updated: July 4, 2025

Description

Severity: Low

An endpoint is missing format information for an integer parameter.

16-bit, 32-bit, and 64-bit integers differ in the memory they occupy and, with it, the range of values they can represent: a signed 32-bit integer holds -2,147,483,648 to 2,147,483,647, a signed 64-bit integer roughly plus or minus 9.2 x 10^18. The OpenAPI integer type carries no width on its own; the format keyword (int32 or int64) is what tells code generators, validators and API gateways how wide the field is. Without it, every consumer of the specification picks its own default, so a value that one component accepts may be truncated, wrapped or rejected by another. Declaring int32 or int64 makes the width explicit end to end and lets validation reject values outside that range before they reach code where an overflow or underflow could occur.

This rule applies at the API Specification level (OAS/Swagger).

Example Attack

Integer Overflow/Underflow: If the API specification does not state the size of the integers an operation expects, nothing stops an attacker from sending values far above or below what the implementation can hold. Depending on the language and runtime, such values wrap around, are silently truncated, or raise an unhandled exception, leading to data corruption, crashes, or, where the wrapped value feeds a length, allocation or index in native code, potentially memory corruption and arbitrary code execution.

Remediation

APIs should declare a format (int32 or int64) for every integer parameter and property in the specification, so that every consumer of the contract agrees on the width of the field and out-of-range values can be rejected at the gateway or validator before they reach the implementation, protecting the availability of the service for all users. Where the business logic only needs a narrower range, pair the format with explicit minimum and maximum values so that the bounds are enforced from the contract rather than left to each implementation.
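As an added example, not code from the original page or from the scanner this finding belongs to: the check below walks an OpenAPI document and reports every integer schema that lacks a format, then shows how a spec-driven validator uses the declared format to reject an out-of-range value that an unformatted schema would have let through, and what that same value becomes after 32-bit truncation. The sample specification, its paths and the Order schema are constructed for the illustration; the function names are assumptions of this example.

```python
import copy

# Constructed example: a minimal OpenAPI 3 document with two integers that
# carry no format, built inline as a Python dict so the check runs offline.
WEAK_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders", "version": "1.0"},
    "paths": {
        "/orders/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path", "required": True,
                     "schema": {"type": "integer"}},  # no format: finding
                ],
                "responses": {"200": {"description": "ok"}},
            }
        },
        "/orders": {
            "post": {
                "requestBody": {"content": {"application/json": {
                    "schema": {"$ref": "#/components/schemas/Order"}}}},
                "responses": {"201": {"description": "created"}},
            }
        },
    },
    "components": {"schemas": {
        "Order": {"type": "object", "properties": {
            "quantity": {"type": "integer"},  # no format: finding
            "unit_price_cents": {"type": "integer", "format": "int64"},
            "tags": {"type": "array", "items": {"type": "string"}},
        }},
    }},
}

# Remediated copy: every integer now declares its width, and the ones whose
# business range is known also carry explicit bounds.
FIXED_SPEC = copy.deepcopy(WEAK_SPEC)
FIXED_SPEC["paths"]["/orders/{id}"]["get"]["parameters"][0]["schema"].update(
    {"format": "int64", "minimum": 1})
FIXED_SPEC["components"]["schemas"]["Order"]["properties"]["quantity"].update(
    {"format": "int32", "minimum": 1, "maximum": 1000})


def _escape(token) -> str:
    """Escape one JSON Pointer token (RFC 6901): '~' -> '~0', '/' -> '~1'."""
    return str(token).replace("~", "~0").replace("/", "~1")


def find_unformatted_integers(node, pointer="") -> list:
    """Return JSON Pointers to every schema of type integer with no format.
    The walk is generic over the whole document, so parameters, bodies and
    components are all covered without special-casing each location."""
    findings = []
    if isinstance(node, dict):
        if node.get("type") == "integer" and "format" not in node:
            findings.append(pointer or "/")
        for key, child in node.items():
            findings.extend(find_unformatted_integers(child, f"{pointer}/{_escape(key)}"))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            findings.extend(find_unformatted_integers(child, f"{pointer}/{index}"))
    return findings


# Value ranges implied by the two formats OpenAPI defines for type integer.
FORMAT_RANGES = {"int32": (-2**31, 2**31 - 1), "int64": (-2**63, 2**63 - 1)}


def value_allowed(schema: dict, value: int) -> bool:
    """Validate an incoming integer the way a spec-driven gateway would: first
    against the declared format's range, then against explicit minimum/maximum.
    With neither present there is nothing to enforce, which is this finding."""
    low, high = FORMAT_RANGES.get(schema.get("format"), (None, None))
    if low is not None and not low <= value <= high:
        return False
    if "minimum" in schema and value < schema["minimum"]:
        return False
    if "maximum" in schema and value > schema["maximum"]:
        return False
    return True


def wrap_int32(value: int) -> int:
    """Emulate what an unchecked value becomes once a backend stores it in a
    signed 32-bit field (two's-complement truncation): the overflow described
    under Example Attack."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value >= 0x8000_0000 else value


if __name__ == "__main__":
    for pointer in find_unformatted_integers(WEAK_SPEC):
        print("undefined integer format at", pointer)
    quantity = FIXED_SPEC["components"]["schemas"]["Order"]["properties"]["quantity"]
    hostile = 4_294_967_297  # 2**32 + 1: passes an unformatted schema, wraps to 1 in int32
    print("unformatted schema accepts it:", value_allowed({"type": "integer"}, hostile))
    print("remediated schema accepts it:", value_allowed(quantity, hostile))
    print("stored in a 32-bit field it becomes:", wrap_int32(hostile))
```

Run against the weak document the walker reports the path parameter id and the Order.quantity property; against the remediated copy it reports nothing. The hostile value 4,294,967,297 is accepted by the unformatted schema, rejected by the int32 schema, and would silently become 1 in any backend that stores it in a 32-bit field, which is the kind of truncation a declared format lets the validator stop at the edge.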

Security Frameworks

OWASP API Security Top 10 2023, API4: Unrestricted Resource Consumption. Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs.

OWASP API Security Top 10 2019, API4: Lack of Resources & Rate Limiting. Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.

CWE-20: Improper Input Validation. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
