
Widespread Swagger-UI library vulnerability leads to DOM XSS attacks

More than 60 instances of a web security flaw in the Swagger-UI library that potentially leads to account takeover have been reported to impacted organizations.

Bug bounty programs operated by PayPal, Shopify, Atlassian, Microsoft, GitLab, and Yahoo were notified, among others.

SmartBear Software’s Swagger-UI is an open source suite of API and development tools for visualizing and interacting with APIs and their resources. The UI is dependency-free, works in all major browsers, and is generated automatically with support for Swagger 2.0 and OAS 3.0.

Dawid Moczadło, co-founder of Vidoc Security Lab, published a security advisory on May 16 documenting a DOM cross-site scripting (XSS) vulnerability in the library, which the researcher says has led to a “lot of vulnerable instances”.

Root cause

The root cause of the flaw is Swagger-UI’s use of an outdated version of DOMPurify, an XSS sanitizer library for HTML, MathML, and SVG.

Swagger-UI allows users to provide a URL for an API specification, such as a YAML or JSON file; the URL is passed in a query parameter and the specification is fetched and rendered. Loading a malicious specification file and reaching the React rendering function at this point could trigger an XSS attack, but an attacker would first have to bypass the sanitizer.

The researcher searched the DOMPurify release pages for a suitable bypass. However, the payload he found required <style> tags, and Swagger UI expressly forbids their use.

“We need a payload that will bypass DomPurify sanitization but can’t contain <style> tag,” Moczadło commented. “The easiest way to do that is to find another HTML tag that will act the same as <style> in the bypass.”

Moczadło was able to do this rapidly and create a working exploit.

The researcher told The Daily Swig that the vulnerability allows the execution of JS code in the context of the victim’s browser, and in many cases the team was able to escalate the flaw to account takeover.

Moczadło tested Swagger UI version 3.37.2, which uses DOMPurify version 2.2.2. Versions from 3.14.1 up until 3.38 are impacted by the XSS.

If a vulnerable Swagger UI version is in use, the researcher recommends that users update their builds; version 4.11.1 is the latest release. If the whole package cannot be updated, updating the DOMPurify package alone will suffice.
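A lockfile check a defender could run to find bundled Swagger-UI copies inside the affected range, added here as an example that is not from the article or the Swagger-UI project. It assumes the article’s “up until 3.38” means versions below 3.38.0, and the npm package names `swagger-ui` and `swagger-ui-dist` are assumptions; the lockfile content is constructed.

```python
import json
import re
from typing import Optional, Tuple

# Affected range reported in the article: Swagger-UI 3.14.1 up to 3.38,
# read here (assumption) as excluding 3.38.0, the release that shipped a newer DOMPurify.
AFFECTED_MIN = (3, 14, 1)
FIXED_AT = (3, 38, 0)

# npm package names Swagger-UI ships under (assumed; only "swagger-ui" is named in the article).
SWAGGER_PACKAGES = ("swagger-ui", "swagger-ui-dist")

_VERSION_RE = re.compile(r"^\D*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn '3.37.2', 'v3.38' or '^3.20.0' into a comparable tuple; None if unparsable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(version: str) -> bool:
    """True when a Swagger-UI version string falls inside the DOM XSS range."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v < FIXED_AT


def scan_package_lock(lock_json: str) -> dict:
    """Return {package path: version} for affected Swagger-UI entries in an npm lockfile (v2/v3 'packages' map)."""
    lock = json.loads(lock_json)
    hits = {}
    for path, entry in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]  # nested paths end in the package name
        if name in SWAGGER_PACKAGES and is_affected(entry.get("version", "")):
            hits[path] = entry["version"]
    return hits


# Constructed sample lockfile: one affected Swagger-UI copy and one patched swagger-ui-dist copy.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 2,
    "packages": {
        "node_modules/swagger-ui": {"version": "3.37.2"},
        "node_modules/docs/node_modules/swagger-ui-dist": {"version": "4.11.1"},
        "node_modules/dompurify": {"version": "2.2.2"},
    },
})

if __name__ == "__main__":
    for path, version in scan_package_lock(SAMPLE_LOCK).items():
        print(f"{path}: {version} is in the affected range; upgrade Swagger-UI or its DOMPurify dependency")
```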

The security researcher says the vulnerability was fixed at the start of 2021, but it is still widely exploitable.

Tricky triage

It is more common for vulnerabilities to be reported quietly before public disclosure, but Moczadło says there are still “another 200 bugs in the backlog to report”.

As a result, the team says it has not generally escalated the vulnerability further, as “we have too many bugs to report and too little time to do it”.


Moczadło added: “Companies responded well, all of them accepted the issue and fixed it sooner or later. The bug was so popular across companies, that we weren’t able to report all of the cases we found […] We only reported the most severe cases where the bug was found on the main domains or subdomains used for authentication.”

GitLab told The Daily Swig that the vulnerability was fixed in GitLab 13.9.2 and the organization recommends that all users upgrade to the latest version as soon as possible.

A Microsoft spokesperson said: “We are aware of this report and are investigating.”

The Daily Swig has also reached out to the researcher and other organizations mentioned in the report. We will update this story if and when we hear back.

Source: https://portswigger.net/daily-swig/widespread-swagger-ui-library-vulnerability-leads-to-dom-xss-attacks
