A serious cross-site scripting (XSS) vulnerability in the Swagger UI library could have allowed account takeovers. The flaw potentially put numerous popular services, including PayPal, Yahoo, and Shopify, at risk. Since disclosure, the vendors have fixed it.
XSS Vulnerability Caught In Swagger UI Library
According to researcher Dawid Moczadło, a serious DOM-based cross-site scripting (XSS) vulnerability affected the Swagger UI library. He reports finding over 60 vulnerable instances across various popular services.
Swagger UI is an open-source tool that lets users interact with API resources through an HTML-based user interface. It is used by numerous important services, including PayPal, Shopify, Microsoft, Yahoo, GitHub, Atlassian, and more.
Describing the vulnerability, the researcher stated:
An outdated library DOMPurify (it’s used for input sanitization) combined with features of the library allowed me to get DOM XSS that was controlled from query parameters.
He explained that exploiting the vulnerability was not entirely straightforward, though neither was it especially difficult or improbable.
The exploitation was not that straightforward, and some restrictions forced me to find a custom variation of the bypasses for versions of DOMPurify used by the Swagger UI.
He nonetheless created a custom DOMPurify bypass that let him exploit the bug across the instances he examined. This shows that an adversary could do the same, targeting many services with a single exploit simply by searching for vulnerable instances.
The researcher has shared the technical details of the vulnerability in his post.
According to the researcher, the vulnerability affected Swagger UI versions 3.14.1 through 3.38.0. He found it in Swagger UI version 3.37.2, which used DOMPurify version 2.2.2, but the bypass also worked against DOMPurify version 2.2.3.
The researcher therefore advises organizations running vulnerable instances to upgrade to Swagger UI version 4.13.0. Where upgrading the whole Swagger UI package is not possible, the DOMPurify package can instead be upgraded to the version used by Swagger UI 4.13.0.
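The version ranges above are the kind of thing a defender wants to check mechanically across a code base rather than by hand. The following is an added example, not code from the article or from the Swagger UI project: a small Node.js script that audits an npm package-lock.json for the Swagger UI and DOMPurify versions the article names. It assumes the npm package names "swagger-ui", "swagger-ui-dist" and "dompurify", and a lockfile (v2/v3) whose "packages" map is keyed by install path; the sample lockfile fragment at the bottom is constructed for the demonstration.

```javascript
// Added example (not from the article or the Swagger UI project): audit an
// npm package-lock.json for the Swagger UI and DOMPurify versions the article
// names, so vulnerable instances are found in the repository before they are
// found from the outside.
// Assumptions: npm package names "swagger-ui", "swagger-ui-dist" and
// "dompurify", and a lockfile (v2/v3) whose "packages" map is keyed by
// install path, e.g. "node_modules/swagger-ui/node_modules/dompurify".

// Ranges as stated in the article.
const SWAGGER_UI_AFFECTED = { lo: '3.14.1', hi: '3.38.0' };
const SWAGGER_UI_FIXED = '4.13.0';
const DOMPURIFY_BYPASSED = ['2.2.2', '2.2.3'];

// Parse "MAJOR.MINOR.PATCH" into numbers; tolerates a leading "v" and
// ignores any pre-release or build suffix.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric (not lexicographic) comparison of two version strings: -1, 0 or 1.
function cmpSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive range check.
function inRange(v, lo, hi) {
  return cmpSemver(v, lo) >= 0 && cmpSemver(v, hi) <= 0;
}

// The text after the last "node_modules/" is the package name
// (scoped packages keep their "@scope/name" form).
function packageName(installPath) {
  const i = installPath.lastIndexOf('node_modules/');
  return i === -1 ? installPath : installPath.slice(i + 'node_modules/'.length);
}

// Walk every installed package, including nested copies, and report the ones
// matching the article's ranges.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry || !entry.version) continue;
    const name = packageName(path);
    const version = entry.version;
    if (name === 'swagger-ui' || name === 'swagger-ui-dist') {
      if (inRange(version, SWAGGER_UI_AFFECTED.lo, SWAGGER_UI_AFFECTED.hi)) {
        findings.push({ path, name, version, status: 'affected',
          advice: `upgrade to Swagger UI ${SWAGGER_UI_FIXED}` });
      } else if (cmpSemver(version, SWAGGER_UI_FIXED) < 0) {
        // Outside the range the article names but older than the advised
        // release: flag for manual review rather than give a verdict.
        findings.push({ path, name, version, status: 'review',
          advice: `older than advised ${SWAGGER_UI_FIXED}; verify manually` });
      }
    } else if (name === 'dompurify' && DOMPURIFY_BYPASSED.includes(version)) {
      // Nested copies matter: npm resolves the nearest copy in the tree, so a
      // patched top-level dompurify is not necessarily the one Swagger UI loads.
      findings.push({ path, name, version, status: 'bypassed',
        advice: `upgrade to the DOMPurify version used by Swagger UI ${SWAGGER_UI_FIXED}` });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/express': { version: '4.18.2' },
    'node_modules/dompurify': { version: '2.2.3' },
    'node_modules/swagger-ui': { version: '3.37.2' },
    'node_modules/swagger-ui/node_modules/dompurify': { version: '2.2.2' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real repository, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested-copy handling is the important design choice: the article's fallback advice is to update DOMPurify to the version Swagger UI uses, and that only helps if the copy that Swagger UI actually resolves is the one updated.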