More than 60 instances of a web security flaw in the Swagger-UI library that potentially leads to account takeover have been reported to impacted organizations.
Bug bounty programs operated by PayPal, Shopify, Atlassian, Microsoft, GitLab, and Yahoo were notified, among others.
SmartBear Software’s Swagger-UI is an open source suite of API and development tools for visualizing and interacting with APIs and their resources. The UI is dependency-free, works in all major browsers, and is generated automatically with support for Swagger 2.0 and OAS 3.0.
Dawid Moczadło, co-founder of Vidoc Security Lab, published a security advisory on May 16 documenting a DOM cross-site scripting (XSS) vulnerability in the library, which the researcher says has led to a “lot of vulnerable instances”.
Root cause
The root cause of the flaw is Swagger-UI’s use of an outdated version of DomPurify, an XML sanitizer library for HTML, MathML, and SVG.
Swagger-UI allows users to provide a URL for an API specification, such as a YAML or JSON file. To view and render them, you add a query parameter. It would be possible to trigger an XSS attack by loading a malicious specification file and accessing the React function at this point, but an attacker would have to bypass the sanitizer.
The researcher was able to visit DOMPurify release pages and search for a suitable bypass. However, the payload he found required <style> tags – and Swagger UI’s functionality expressly forbids their deployment.
“We need a payload that will bypass DomPurify sanitization but can’t contain <style> tag,” Moczadło commented. “The easiest way to do that is to find another HTML tag that will act the same as <style> in the bypass.”
Moczadło was able to do this rapidly and create a working exploit.
The researcher told The Daily Swig that the vulnerability allows the execution of JS code in the context of the victim’s browser, and in many cases the team was able to escalate the flaw to account takeover.
Moczadło tested Swagger UI version 3.37.2, using DomPurify version 2.2.2. Versions from 3.14.1 up until 3.38 are impacted by the XSS.
If a vulnerable Swagger UI version is used, the researcher recommends that users update their builds. Version 4.11.1 is the latest release. If the whole package cannot be updated, then updating the DomPurify package alone will suffice.
The security researcher says the vulnerability was fixed at the start of 2021 but it is still widely exploitable.
Tricky triage
It is more common for vulnerabilities to be reported quietly before public disclosure, but Moczadło says there are still “another 200 bugs in the backlog to report”.
As a result, the team says it has not generally escalated the vulnerability further, as “we have too many bugs to report and too little time to do it”.
Moczadło added: “Companies responded well, all of them accepted the issue and fixed it sooner or later. The bug was so popular across companies, that we weren’t able to report all of the cases we found […] We only reported the most severe cases where the bug was found on the main domains or subdomains used for authentication.”
GitLab told The Daily Swig that the vulnerability was fixed in GitLab 13.9.2 and the organization recommends that all users upgrade to the latest version as soon as possible.
A Microsoft spokesperson said: “We are aware of this report and are investigating.”
The Daily Swig has also reached out to the researcher and other organizations mentioned in the report. We will update this story if and when we hear back.