vacuum OWASP

OWASP API security ruleset for vacuum, implementing Open Worldwide Application Security Project (OWASP) API security rules to identify and prevent common API security vulnerabilities in OpenAPI specifications.


Badges & Achievements

  • 🚀 OAS v3.2 Early Adopter: One of the first tools to support OpenAPI 3.2
  • 🌈 Full Spectrum Support: Supports all OpenAPI versions (v2.0, v3.0, v3.1, v3.2)

Categories

  • OpenAPI versions supported: v2.0, v3.0, v3.1, v3.2


The vacuum OWASP ruleset brings enterprise-grade API security validation to OpenAPI descriptions by implementing OWASP API Security rules. These comprehensive security rules were originally crafted by Phil Sturgeon and written by Ricardo Graça, and are now built directly into vacuum for out-of-the-box API security validation.

Key Security Rules

The OWASP ruleset includes critical security validations across multiple areas:

Authentication & Authorization Security

  • Secure authentication schemes: Only allow secure authorization methods
  • No HTTP Basic auth: Enforce modern authentication methods
  • JWT best practices: Ensure RFC 8725 compliance for JWT implementations
  • Global security enforcement: Verify security is applied globally or at operation level
  • No credentials in URLs: Prevent API keys and credentials in URL parameters

Data Protection & Validation

  • Constrained properties: Objects should not allow unconstrained additionalProperties
  • Integer format enforcement: Integer types must specify int32 or int64 format
  • Integer limits: All integers must define minimum and maximum values
  • String restrictions: String types must specify format, pattern, enum, or const
  • String limits: String fields must define maxLength
  • Array limits: Array types must specify maxItems

Transport Security

  • HTTPS enforcement: All servers must use HTTPS protocol only
  • Secure hosts: No insecure protocols permitted in server definitions

Rate Limiting & Error Handling

  • Rate limit headers: Ensure rate limiting headers are properly configured
  • Retry-After headers: 429 responses must include Retry-After header
  • Comprehensive error responses: Verify 401, 429, 4XX, and 500 error responses are defined
  • Error validation: Ensure proper 4XX validation error responses

Resource Security

  • No numeric IDs: Use random IDs that cannot be guessed to prevent enumeration attacks
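To make concrete what the Transport Security, authentication and Data Protection & Validation rules above flag, here is an added example: a small Python checker that re-implements a subset of those rules and runs them over a constructed, deliberately non-compliant OpenAPI document. It is not vacuum's own code or rule engine; the `lint` and `check_schema` functions, the finding messages and `WEAK_SPEC` are all assumptions of this example.

```python
# Added example (not vacuum's own engine): a minimal checker for a subset of the
# OWASP rules above. WEAK_SPEC is constructed and deliberately non-compliant.
WEAK_SPEC = {
    "servers": [{"url": "http://api.example.com"}],  # plain HTTP
    "components": {
        "securitySchemes": {"basic": {"type": "http", "scheme": "basic"}},
        "schemas": {"User": {
            "type": "object",  # additionalProperties left unconstrained
            "properties": {
                "id": {"type": "integer"},  # no format, no minimum/maximum
                "name": {"type": "string"},  # no restriction, no maxLength
                "tags": {"type": "array",  # no maxItems; the items are compliant
                         "items": {"type": "string", "pattern": "^[a-z]+$", "maxLength": 20}},
            },
        }},
    },
}
def check_schema(path, schema, findings):
    # Recursively apply the Data Protection & Validation rules to one schema node.
    t = schema.get("type")
    if t == "object":  # an absent additionalProperties means "allow anything"
        if schema.get("additionalProperties", True) is True:
            findings.append(f"{path}: object allows unconstrained additionalProperties")
        for name, sub in schema.get("properties", {}).items():
            check_schema(f"{path}.{name}", sub, findings)
    elif t == "integer":
        if schema.get("format") not in ("int32", "int64"):
            findings.append(f"{path}: integer must specify format int32 or int64")
        if "minimum" not in schema or "maximum" not in schema:
            findings.append(f"{path}: integer must define minimum and maximum")
    elif t == "string":
        if not any(k in schema for k in ("format", "pattern", "enum", "const")):
            findings.append(f"{path}: string must specify format, pattern, enum or const")
        if "maxLength" not in schema:
            findings.append(f"{path}: string must define maxLength")
    elif t == "array":
        if "maxItems" not in schema:
            findings.append(f"{path}: array must specify maxItems")
        check_schema(f"{path}[]", schema.get("items", {}), findings)
def lint(spec):
    # Return one finding per violated rule, in document order.
    findings = []
    for i, server in enumerate(spec.get("servers", [])):  # Transport Security
        if not server.get("url", "").startswith("https://"):
            findings.append(f"servers[{i}]: server URL must use HTTPS")
    comps = spec.get("components", {})
    for name, scheme in comps.get("securitySchemes", {}).items():  # no HTTP Basic auth
        if scheme.get("type") == "http" and scheme.get("scheme", "").lower() == "basic":
            findings.append(f"securitySchemes.{name}: HTTP Basic auth is not allowed")
    for name, schema in comps.get("schemas", {}).items():  # Data Protection rules
        check_schema(f"schemas.{name}", schema, findings)
    return findings
```

Running `lint(WEAK_SPEC)` yields eight findings, one per violated rule, while the nested `tags` items pass because they carry both a `pattern` and a `maxLength`.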

Using the OWASP Ruleset

To apply OWASP rules to your OpenAPI specification, create a ruleset file (e.g., owasp-rules.yaml) that extends the vacuum OWASP ruleset:

extends: [[vacuum:oas, recommended], [vacuum:owasp, all]]

Then run vacuum with your ruleset:

vacuum lint -r owasp-rules.yaml my-openapi-spec.yaml
