Findings

Undefined string limit

Updated: June 19, 2025

findings design based findings api finding

Description

An endpoint is missing limit information for a string parameter.

Remediation

Determine the possible range of lengths for the parameter and specify the appropriate limits. String size should be limited to mitigate resource exhaustion attacks. This can be done using `maxLength`, `enum` or `const`.

Security Frameworks

OWASP API 2023

API4:2023 Unrestricted Resource Consumption

Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations, and paid for per request. Successful attacks can lead to Denial of Service or an increase of operational costs.

API7:2023 Server Side Request Forgery

Server-Side Request Forgery (SSRF) flaws can occur when an API is fetching a remote resource without validating the user-supplied URI. This enables an attacker to coerce the application to send a crafted request to an unexpected destination, even when protected by a firewall or a VPN.

OWASP API 2019

API4:2019 Lack of Resources and Rate Limiting

Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.

MITRE CWE Top 25

CWE-20: Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Need help?

Contact FireTail support

Previous (Findings - Design based findings)
Undefined integer limit
Next (Findings - Design based findings)
Unresolvable references