Findings

Unconstrained additional properties

Updated: June 19, 2025

Description

An endpoint allows unconstrained additional properties. By default, JSON Schema accepts properties that the schema does not declare, which can lead to mass assignment: fields the schema never specified are passed through to the API without validation.

Remediation

Set `additionalProperties` to `false` in the endpoint's schema definition, or add `maxProperties`.
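The check this finding performs and the effect of each remediation, as an added example that is not FireTail's own code: it walks a constructed OpenAPI fragment (a hypothetical `/users` request body) to flag object schemas that set neither `additionalProperties: false` nor `maxProperties`, then shows which undeclared fields a minimal validator lets through under each setting.

```python
"""Audit a JSON Schema/OpenAPI document for object schemas whose additional properties are
unconstrained, and show what each setting lets into a request body (stdlib only)."""

# Constructed sample: request-body schemas for a hypothetical /users endpoint.
USER_PROPS = {"username": {"type": "string"}, "email": {"type": "string"}}
SPEC = {"components": {"schemas": {
    # Default: additionalProperties is implicitly true, so any extra key is accepted.
    "UserWeak": {"type": "object", "properties": USER_PROPS},
    # Remediation 1: undeclared keys are rejected outright.
    "UserStrict": {"type": "object", "properties": USER_PROPS, "additionalProperties": False},
    # Remediation 2: only the number of keys is capped; undeclared names can still pass.
    "UserCapped": {"type": "object", "properties": USER_PROPS, "maxProperties": 2},
}}}

def find_unconstrained(node, path="#"):
    """Return JSON-pointer paths of object schemas that set neither
    additionalProperties: false nor maxProperties (the condition behind this finding)."""
    hits = []
    if isinstance(node, dict):
        is_object = node.get("type") == "object" or "properties" in node
        if is_object and node.get("additionalProperties", True) is not False \
                and "maxProperties" not in node:
            hits.append(path)
        for key, child in node.items():
            if key == "properties":  # its keys are property names, not schema keywords
                for name, sub in child.items():
                    hits += find_unconstrained(sub, f"{path}/properties/{name}")
            else:
                hits += find_unconstrained(child, f"{path}/{key}")
    elif isinstance(node, list):  # allOf / oneOf / anyOf branches
        for i, child in enumerate(node):
            hits += find_unconstrained(child, f"{path}/{i}")
    return hits

def check_body(schema, body):
    """Minimal validator for just the keywords this finding concerns. Returns (accepted, extra);
    extra lists undeclared keys, and when accepted is True they reach the handler unvalidated."""
    extra = sorted(set(body) - set(schema.get("properties", {})))
    if extra and schema.get("additionalProperties", True) is False:
        return False, extra
    if len(body) > schema.get("maxProperties", len(body)):
        return False, extra
    return True, extra

if __name__ == "__main__":
    print(find_unconstrained(SPEC))  # -> ['#/components/schemas/UserWeak']
    body = {"username": "alice", "role": "admin"}  # constructed: client sets a field it should not control
    for name, schema in SPEC["components"]["schemas"].items():
        print(name, check_body(schema, body))
```

Note that `maxProperties` only bounds how many keys a body may carry: a two-key payload with an undeclared `role` still passes `UserCapped`, so `additionalProperties: false` is the setting that actually blocks unknown field names.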

Security Frameworks

APIs vulnerable to this risk expose a business flow - such as buying a ticket, or posting a comment - without compensating for how the functionality could harm the business if used excessively in an automated manner. This doesn't necessarily come from implementation bugs.

Binding client-provided data (e.g., JSON) to data models without proper property filtering based on a whitelist usually leads to Mass Assignment. Either guessing object properties, exploring other API endpoints, reading the documentation, or providing additional object properties in request payloads allows attackers to modify object properties they are not supposed to.

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
