Values within a Swagger document are loaded unescaped into browser-based documentation generated by Swagger-UI. Because the Swagger document is served alongside the documentation, a payload placed in it yields a persistent (stored) XSS whenever the documentation is hosted on a public site. This issue was resolved in Swagger-UI 2.2.1.

Summary

One of the components used to build the interactive documentation portion of the Swagger ecosystem is Swagger-UI. This interface generates dynamic documentation from a referenced Swagger document and lets the reader interact with the referenced API. If the Swagger document itself contains XSS payloads, the Swagger-UI component can be tricked into injecting unescaped content into the DOM.

Product Description

From the README at https://github.com/swagger-api/swagger-ui

"Swagger UI is part of the Swagger project. The Swagger project allows you to produce, visualize and consume your own RESTful services. No proxy or 3rd party services required. Do it your own way.

Swagger UI is a dependency-free collection of HTML, Javascript, and CSS assets that dynamically generate beautiful documentation and sandbox from a Swagger-compliant API. Because Swagger UI has no dependencies, you can host it in any server environment, or on your local machine."

Swagger UI parses a chosen Swagger file and generates dynamic, colorful documentation that lets users interact with a RESTful API.

Credit

Scott Lee Davis, scott_davis@rapid7.com, Application Security Researcher, Rapid7

Exploitation

If a Swagger file contains, in its definitions section, a default value carrying an XSS payload, that value is loaded unescaped into the DOM when Swagger-UI renders the definition. The payload below is the one used during discovery; it logs a marker string to the browser console, which is enough to prove script execution.

Definitions
    Type: string
    Description: prints xss
    Default: <script>console.log('000000000000000000dad0000000000000000000');</script>

Mitigations

Sanitization of HTML content should be done by an engine built for the job rather than by ad hoc string handling. The swagger-ui team chose to solve this issue with the npm module sanitize-html, an allowlist-based sanitizer, since Swagger descriptions may legitimately carry markup that plain escaping would destroy.

Disclosure Timeline

This vulnerability advisory was prepared in accordance with Rapid7's disclosure policy.

  • Thu, Jun 09, 2016: Discovery by Scott Lee Davis of Rapid7, Inc.
  • Fri, Jun 17, 2016: Attempted to contact the vendor
  • Mon, Jul 11, 2016: Disclosed details to the vendor at security@swagger.io
  • Wed, Jul 27, 2016: Disclosed details to CERT as VR-316
  • Tue, Aug 09, 2016: CVE-2016-5682 assigned by CERT
  • Tue, Aug 23, 2016: Fixed in Swagger-UI 2.2.1
  • Fri, Sep 02, 2016: Public disclosure