Skip to content

Invalid Input Type Analyzer

Configuration Name: InvalidInputType

Description

The InvalidInputType analyzer tests whether an application properly validates input values based on the field types specified in the API definition.

This analyzer modifies request input fields to use invalid data types, such as: - String instead of Boolean - Number instead of String - Object instead of Array

It runs only for requests that were previously successful to avoid false positives and generates one request per input field in an operation. It applies to: - Fields in a JSON request body - Query parameters with a type other than String - Path parameters with a type other than String

Faults Reported

The InvalidInputType analyzer reports findings when an application does not correctly handle invalid input types.

Fault Identifier Title Summary Solution Severity
SCF-401 Successful request with invalid type of value A request succeeded (2xx) despite containing an input field with a type that does not match the API definition. Modify the service implementation to properly validate input values, or update the API definition to correctly specify the request schema. Medium
SCF-402 Server error for request with invalid type of value A request with an invalid input type resulted in a server error (5xx) instead of a proper validation failure response. Modify the service implementation to properly validate input values, or update the API definition to correctly specify the request schema. Medium
SCF-403 Invalid boolean value accepted A field expecting a Boolean was successfully processed with a non-Boolean value. Enforce strict input validation to reject incorrect data types. Medium
SCF-404 Invalid numeric value accepted A field expecting a number was successfully processed with a non-numeric value. Enforce strict input validation to reject incorrect data types. Medium
SCF-405 Invalid string value accepted A field expecting a string was successfully processed with a non-string value. Enforce strict input validation to reject incorrect data types. Medium
SCF-406 Invalid array or object value accepted A field expecting an array or object was successfully processed with an incompatible type. Enforce strict input validation to reject incorrect data types. Medium

Rule Evaluation

Based on the API definition, the InvalidInputType analyzer modifies input values to use an incorrect type. A finding is reported when:

  • The request succeeds with a 2xx response, indicating that the application incorrectly accepts invalid input types.
  • The request fails with a 5xx response, indicating improper input handling that leads to a service exception.

The analyzer runs only for requests that previously succeeded, ensuring findings are not caused by unrelated issues.

Example Scenario

Example API Definition (Expected Input Types)

{
  "type": "object",
  "properties": {
    "isActive": { "type": "boolean" },
    "age": { "type": "integer" },
    "tags": { "type": "array", "items": { "type": "string" } }
  }
}

Example Invalid Requets Generated

Invalid Boolean Input

{
  “isActive”: “yes”
}

{
  “age”: “twenty-five”
}

{
  “tags”: “tag1, tag2, tag3”
}

If the application accepts any of these requests or fails with a server error, it indicates a vulnerability.

Remediation Steps

To ensure proper input validation and prevent vulnerabilities related to incorrect data types, follow these remediation steps:

  1. Implement Strict Input Validation

    • Validate all input values against the API schema before processing.
    • Reject requests with incorrect data types using 400 Bad Request responses.
    • Use strong data validation libraries to enforce type correctness.

  2. Update API Definitions

    • Ensure API specifications correctly define expected input types.
    • If the service allows flexible input types, update the API schema to reflect this behavior explicitly.
    • Clearly document any type conversions or expected variations.

  3. Enhance Error Handling

    • Handle invalid input types gracefully with structured error messages instead of service exceptions.
    • Avoid 5xx errors by validating and rejecting malformed requests before processing.
    • Provide meaningful error messages that help developers correct input formatting.

  4. Test for Type Mismatches

    • Regularly test API endpoints with invalid data types to ensure proper validation.
    • Use automated security testing tools to identify incorrect type handling.
    • Implement fuzz testing to simulate unexpected inputs.

  5. Monitor and Log Invalid Requests

    • Log all rejected requests with type mismatches for security analysis.
    • Implement alerts for unexpected 2xx responses to invalid input types.
    • Continuously review logs to detect patterns of improper input handling.