Parameters within a Swagger document are loaded insecurely into browser-based documentation. This becomes persistent XSS when that documentation is then hosted on a public site. The issue was resolved in Swagger-UI 2.2.1.
One of the components used to build the interactive documentation portion of the Swagger ecosystem is Swagger-UI. This interface generates dynamic documentation from a referenced Swagger document and can interact with the API that document describes. If the Swagger document itself contains XSS payloads, the Swagger-UI component can be tricked into injecting unescaped content into the DOM.
From the README at https://github.com/swagger-api/swagger-ui
"Swagger UI is part of the Swagger project. The Swagger project allows you to produce, visualize and consume your own RESTful services. No proxy or 3rd party services required. Do it your own way.
The swagger UI will parse a chosen swagger file, and generate dynamic colorful documentation that enables users to interact with a RESTful API."
Scott Lee Davis, email@example.com, Application Security Researcher, Rapid7
If a Swagger file contains, in its definitions section, a default value carrying an XSS payload, that value can be loaded unescaped into the DOM. A minimal definition that triggers the issue:
Definitions
  Type: string
  Description: prints xss
  Default: <script>console.log('000000000000000000dad0000000000000000000');</script>
This vulnerability advisory was prepared in accordance with Rapid7's disclosure policy.
- Thu, Jun 09, 2016: Discovery by Scott Lee Davis of Rapid7, Inc.
- Fri, Jun 17, 2016: Attempted to contact the vendor
- Mon, Jul 11, 2016: Disclosed details to the vendor at firstname.lastname@example.org
- Wed, Jul 27, 2016: Disclosed details to CERT as VR-316
- Tue, Aug 09, 2016: CVE-2016-5682 assigned by CERT
- Tue, Aug 23, 2016: Fixed in Swagger-UI 2.2.1
- Fri, Sep 02, 2016: Public disclosure