Get in touch

Swagger Editor v2.9.9 "description" Key DOM-based Cross-Site Scripting

May 3, 2016 · By Julien Ahrens

ADVISORY INFORMATION

  • Product: Swagger Editor
  • Vendor URL: https://github.com/swagger-api/swagger-editor
  • CWE: Cross-Site Scripting [CWE-79]
  • Date found: 2015-04-07
  • Date published: 2016-05-03
  • CVSS Score: 6.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
  • CVE: -

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

Swagger Editor v2.9.9 (latest) older versions may be affected too.

INTRODUCTION

Swagger Editor lets you edit Swagger API specifications in YAML inside your browser and to preview documentations in real time. Valid Swagger JSON descriptions can then be generated and used with the full Swagger tooling (code generation, documentation, etc).

(from the vendor’s homepage)

VULNERABILITY DETAILS

The application “Swagger Editor” offers the functionality to import Swagger API specifications via a remote YAML/JSON file, but does not properly validate the “description” key within the imported specification file, which could lead to an unauthenticated DOM-based Cross-Site Scripting vulnerability.

The following Proof-of-Concept YAML file triggers this vulnerability:

swagger: '2.0'
info:
  version: 1.0.0
  title: Echo
  description: '<script>alert(document.domain)</script>'
paths:
  /:
    get:
      responses:
        '200':
          description: Echo GET

RISK

To successfully exploit this vulnerability, the user must be tricked into importing an arbitrary JSON or YAML file either via the file system or via a remote URL.

The vulnerability can be used to temporarily embed arbitrary script code into the context of the Swagger Editor interface, which offers a wide range of possible attacks such as client-side context manipulation or attacking the browser and its components.

SOLUTION

None.

REPORT TIMELINE

  • 2015-04-07: Discovery of the vulnerability
  • 2015-04-07: Notified vendor via contact addresses on GitHub
  • 2015-04-14: Notified vendor via contact addresses on GitHub
  • 2015-04-23: Notified vendor via contact addresses on GitHub
  • 2015-05-02: Notified vendor via contact addresses on GitHub
  • 2015-05-02: Vendor states that creating a public GitHub issue is the proper way according to their policy
  • 2016-05-03: Created https://github.com/swagger-api/swagger-editor/issues/908
  • 2016-05-03: Advisory released

REFERENCES