
Hi, I'm Rivek Raj Tamang (RivuDon), a Security Researcher, Bug Hunter, and Ethical Hacker with a Master's in Cybersecurity and a Certified Ethical Hacker, from Sikkim, India. I have secured numerous companies and received bounties, swag, Hall of Fame mentions, Letters of Appreciation / Recognition, CVEs and more.

Feel free to connect with me! You can find out more about me on my LinkedIn, I am active there.

Hi readers, this write-up is a guide on how to find bugs in Swagger UI on your target, with tricks and tips for finding bugs like Information Disclosure, Broken Access Control / IDOR, Resource Injection and XSS, and earning rewards!

So, without further ado, let's get started!

⚠️ Disclaimer: This content is for educational purposes only. Always get proper permission before testing systems and hack responsibly!

Swagger UI

[Image: Swagger UI webpage]

Swagger UI is a web-based interface used to document, visualize, and interact with APIs defined using the OpenAPI Specification (OAS).

It is basically an open book that reveals the backend logic and API functionality through detailed documentation.

So, during your hunt, what should you actually focus on? Many people only check for XSS in Swagger UI and move on, but there are several important things that can easily be missed.

Some of the most useful features you should focus on are:

  • View all available API endpoints
  • See request and response format
  • Test APIs directly from the web application via the browser
  • A visual roadmap of the application's backend
  • API Flow and Documentation
  • Check for existing vulnerabilities

How to identify Swagger UI

So, let's first find and identify Swagger UI on a target.

Some of the common endpoints that expose Swagger UI are:

/swagger/index.html
/swagger-ui.html
/api/docs
/swagger-resources
/swagger/v1/swagger.json
/openapi.json
/api/swagger.json
/v2/api-docs
/v3/api-docs

You can discover Swagger UI during your hunt by running wordlists specific to Swagger UI endpoints or by using search engine dorks.
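As an added example (not code from the original write-up), here is a small Python inventory checker that walks the paths listed above on a host you administer and classifies what each path returns: a Swagger UI page, an OpenAPI/Swagger spec, or a spec index such as the /swagger-resources listing. The base URL example.internal and the canned responses are constructed placeholders, and the fetcher is injectable so the classification logic runs offline.

```python
"""Inventory check for exposed Swagger UI and OpenAPI documents.

Added example; this is not code from the original write-up. It probes
the common documentation paths on a base URL for a host you administer
and labels each hit. The HTTP fetcher is injected so the logic can be
exercised offline against constructed responses.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Common documentation paths from the write-up.
DOC_PATHS = [
    "/swagger/index.html",
    "/swagger-ui.html",
    "/api/docs",
    "/swagger-resources",
    "/swagger/v1/swagger.json",
    "/openapi.json",
    "/api/swagger.json",
    "/v2/api-docs",
    "/v3/api-docs",
]

# A fetcher returns (status, body) for a URL, or None if the host is unreachable.
Fetcher = Callable[[str], Optional[Tuple[int, str]]]


def urllib_fetch(url: str, timeout: float = 5.0) -> Optional[Tuple[int, str]]:
    """Standard-library fetcher; non-2xx responses are reported, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(256_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None


def classify_body(status: int, body: str) -> str:
    """Return 'swagger-ui', 'openapi-spec', 'spec-index' or 'none'."""
    if status != 200 or not body.strip():
        return "none"
    stripped = body.lstrip()
    if stripped[0] in "{[":
        try:
            doc = json.loads(stripped)
        except ValueError:
            return "none"
        # A spec document is a JSON object with a top-level version key.
        if isinstance(doc, dict) and ("openapi" in doc or "swagger" in doc):
            return "openapi-spec"
        # /swagger-resources returns a list of entries pointing at spec URLs.
        if isinstance(doc, list) and doc and all(
            isinstance(e, dict) and ("url" in e or "location" in e) for e in doc
        ):
            return "spec-index"
        return "none"
    lowered = body.lower()
    # The UI page ships a swagger-ui container div / bundle script and a title.
    if "swagger-ui" in lowered or "<title>swagger ui" in lowered:
        return "swagger-ui"
    return "none"


def audit_host(base_url: str, fetch: Fetcher = urllib_fetch) -> Dict[str, str]:
    """Map each exposed documentation path to its classification."""
    base = base_url.rstrip("/")
    found: Dict[str, str] = {}
    for path in DOC_PATHS:
        result = fetch(base + path)
        if result is None:
            continue  # unreachable host: nothing to record
        label = classify_body(*result)
        if label != "none":
            found[path] = label
    return found


# Constructed responses standing in for a server (example.internal is a placeholder).
FAKE_BASE = "https://example.internal"
FAKE_RESPONSES = {
    "/swagger-ui.html": (200, '<!doctype html><html><head><title>Swagger UI</title>'
                              '</head><body><div id="swagger-ui"></div></body></html>'),
    "/v3/api-docs": (200, json.dumps({"openapi": "3.0.1", "paths": {}})),
    "/api/docs": (200, "<html><body>Developer portal coming soon</body></html>"),
    "/openapi.json": (404, ""),
}


def fake_fetch(url: str) -> Optional[Tuple[int, str]]:
    """Offline fetcher answering from FAKE_RESPONSES (None for unknown paths)."""
    if not url.startswith(FAKE_BASE):
        return None
    return FAKE_RESPONSES.get(url[len(FAKE_BASE):])


if __name__ == "__main__":
    for path, label in audit_host(FAKE_BASE, fake_fetch).items():
        print(f"{path:28} {label}")
```

Swap `fake_fetch` for the default `urllib_fetch` to run it against a real base URL; a plain 200 page with no Swagger markers (like the constructed /api/docs above) is deliberately reported as nothing, so only actual documentation surfaces in the inventory.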

Google Dork

intitle:"Swagger UI"

Shodan Dork

http.title:"Swagger UI"

FOFA Dork

title="Swagger UI"

[Image: Example of target Swagger UI]

Now that you have identified a Swagger UI on your target, let's move on to the core part of our hack!

Bugs

1. Information Disclosure

Since Swagger UI focuses heavily on documentation, a public or misconfigured Swagger UI can reveal internal APIs, credentials, sensitive backend functionality and other sensitive data.

Since every target has different API workflows, requests and responses, you need to manually click on every tab/slider, view its responses and examples, and try to execute the request. That is where the secret lies.

Example PoC of a non-sensitive exposure:

[Image: Non-sensitive exposure]

Example PoC of a sensitive exposure:

[Images: Sensitive exposure examples]
[Image: Database, hardcoded credentials and internal services]

Look out for password hashes (weak passwords, MD5 hashes), hardcoded secrets in responses, secrets visible in example values, API keys, tokens, database credentials, internal IPs/hostnames, and hidden or sensitive endpoints.

Keywords to note

admin, internal, users, roles, config, debug, log, secret, api-keys, etc.

2. Broken Access Control / IDOR

In the API documentation, check if sensitive endpoints are accessible without authentication and authorization.

The "Try it out" feature can also be used to test for object-level authorization issues in some cases.

[Image: "Try it out" feature example]
[Image: Executing the "Try it out" feature]

Check whether responses leak more data than necessary, or try changing user ID values (e.g., from user_id1 to user_id2).

Tip: To maximize findings, manually review each API response, analyze the data it exposes, and use that information effectively.
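The checks from the last two sections can be automated against an exported spec. The following Python script is an added example, not part of the write-up: it flags operations whose path, operationId, summary or tags contain one of the keywords listed earlier and that declare no security requirement (OpenAPI's operation-level `security: []` overrides the global requirement and means "open to everyone"), and it scans every string in the document for hashes, tokens, connection strings, private IPs and credential fields carrying concrete example values. The embedded spec and every value in it are constructed for the demo.

```python
"""Audit an OpenAPI 3 document for sensitive operations without a security
requirement and for secrets or internal addresses leaking through examples.

Added example; not code from the original write-up. Runs on the constructed
SAMPLE_SPEC below; load your own exported spec with json.load to audit it.
"""
import ipaddress
import json
import re
from typing import Any, Dict, Iterator, List, Tuple

# Keywords from the write-up that mark an operation as sensitive. Plain
# substring matching, so "log" also catches "login" and "catalog"; tune as needed.
SENSITIVE_WORDS = ("admin", "internal", "users", "roles", "config",
                   "debug", "log", "secret", "api-key", "api_key")
HTTP_METHODS = ("get", "put", "post", "delete", "patch", "options", "head")

# Key names that should never carry a concrete example value.
SECRET_KEYS = ("password", "passwd", "secret", "token", "api_key", "apikey", "private_key")
# Value shapes that should never appear in documentation.
SECRET_PATTERNS = {
    "md5-like hash": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "api token": re.compile(r"\b(?:sk|pk|tok|key)_[A-Za-z0-9]{16,}\b"),
    "jwt": re.compile(r"\beyJ[\w-]+\.eyJ[\w-]+\.[\w-]+"),
    "db connection string": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb|redis)://\S+"),
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def walk_strings(node: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string leaf in a nested document."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk_strings(val, f"{path}/{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from walk_strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def find_unauthenticated_sensitive(spec: Dict) -> List[str]:
    """Operations matching a sensitive keyword whose effective security is empty."""
    global_security = spec.get("security", [])
    findings = []
    for route, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS or not isinstance(op, dict):
                continue
            text = " ".join([route, op.get("operationId", ""), op.get("summary", ""),
                             *op.get("tags", [])]).lower()
            if not any(word in text for word in SENSITIVE_WORDS):
                continue
            # Operation-level security overrides the global one; an explicit
            # empty list (security: []) means the operation needs no auth at all.
            if not op.get("security", global_security):
                findings.append(f"{method.upper()} {route}")
    return findings


def find_leaked_values(spec: Dict) -> List[Tuple[str, str]]:
    """(json_path, label) for secrets, hashes, credentials and private IPs."""
    findings = []
    for path, value in walk_strings(spec):
        path_l = path.lower()
        in_example = "example" in path_l or "default" in path_l
        if in_example and any(k in path_l for k in SECRET_KEYS):
            findings.append((path, "credential field carries a concrete example value"))
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(value):
                findings.append((path, label))
        for ip in IPV4.findall(value):
            try:
                if ipaddress.ip_address(ip).is_private:
                    findings.append((path, f"private IP {ip}"))
            except ValueError:
                pass  # e.g. "999.1.1.1" is not a real address
    return findings


def audit(spec: Dict) -> Dict[str, Any]:
    """Combine both checks into one report."""
    return {"open_sensitive_operations": find_unauthenticated_sensitive(spec),
            "leaked_values": find_leaked_values(spec)}


# Constructed spec: every route, credential and address below is made up.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Constructed demo API", "version": "1.0"},
    "security": [{"bearerAuth": []}],
    "paths": {
        "/users/{id}": {"get": {"operationId": "getUser",
                                "responses": {"200": {"description": "ok"}}}},
        "/admin/config": {"get": {"operationId": "getConfig", "security": [],
                                  "responses": {"200": {"description": "ok", "content": {
                                      "application/json": {"example": {
                                          "db_url": "postgres://app:s3cr3t@10.0.12.5:5432/prod",
                                          "api_key": "key_A1b2C3d4E5f6G7h8I9j0"}}}}}}},
        "/debug/logs": {"get": {"summary": "Dump debug logs", "security": [],
                                "responses": {"200": {"description": "ok"}}}},
        "/public/health": {"get": {"security": [],
                                   "responses": {"200": {"description": "ok"}}}},
    },
    "components": {"schemas": {"User": {"type": "object", "properties": {
        "password_hash": {"type": "string",
                          "example": "5f4dcc3b5aa765d61d8327deb882cf99"}}}}},
}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SPEC), indent=2))
```

On the constructed spec the report lists GET /admin/config and GET /debug/logs as open sensitive operations (GET /users/{id} inherits the global bearer requirement and /public/health matches no keyword), and six leaked values: the connection string and the private IP in the config example, the api_key example value twice (credential field plus token shape), and the password_hash example twice (credential field plus MD5 shape).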


3. Resource Injection / DOM XSS / HTML / iFrame Injection

Many Swagger UI deployments are also vulnerable to Resource Injection, which leads to DOM XSS, HTML injection, iframe injection and other attack vectors.

I have already written a detailed, in-depth writeup on this topic, which you can check out below.

Happy Hacking✨

The End

If you find this article helpful, please do follow, clap and leave a comment to read more from me and encourage me to write more. ♥️

🎯Read my other Bug Bounty Writeups here ⬇️

Feel Free to connect with me on LinkedIn: (P.S. Do drop a message when sending a connection request.) https://www.linkedin.com/in/rivektamang/

🧑🏻‍💻 Interested in starting Bug Bounty / Ethical Hacking and Cybersecurity?

Book a 1:1 mentor session with me: ➡️ RivuDon — Rivek Raj Tamang