More than 60 instances of a web security flaw in the Swagger-UI library that potentially leads to account takeover have been reported to impacted organizations.
Bug bounty programs operated by PayPal, Shopify, Atlassian, Microsoft, GitLab, and Yahoo were notified, among others.
SmartBear Software’s Swagger-UI is an open source suite of API and development tools for visualizing and interacting with APIs and their resources. The UI is dependency-free, works in all major browsers, and is generated automatically with support for Swagger 2.0 and OAS 3.0.
Dawid Moczadło, co-founder of Vidoc Security Lab, published a security advisory on May 16 documenting a DOM cross-site scripting (XSS) vulnerability in the library, which the researcher says has led to a “lot of vulnerable instances”.
Root cause
The root cause of the flaw is Swagger-UI’s use of an outdated version of DOMPurify, an XSS sanitizer library for HTML, MathML, and SVG.
Swagger-UI allows users to provide a URL for an API specification, such as a YAML or JSON file. To view and render such a file, the URL is supplied as a query parameter. It would be possible to trigger an XSS attack by loading a malicious specification file that reaches the React rendering function at this point, but an attacker would first have to bypass the sanitizer.
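The exposure described above comes from letting the page load whichever specification URL the query string names. As an added example (not code from the article or from the Swagger-UI project), the snippet below gates that override behind an origin allowlist before it ever reaches the renderer, and disables Swagger-UI's own query-string configuration; it assumes the parameter is named `url` (Swagger-UI's name for it), and the allowlisted origins and sample query strings are constructed.

```javascript
// Added example: allowlist gate for the spec URL read from the query string.
// Assumes Swagger-UI's `url` parameter; origins below are constructed.

const ALLOWED_SPEC_ORIGINS = new Set([
  "https://api.example.com", // constructed: where our own OpenAPI specs live
]);

// Returns the spec URL to load, or null when the override must be refused.
// `pageOrigin` is the origin of the page that hosts Swagger-UI.
function resolveSpecUrl(queryString, pageOrigin) {
  const params = new URLSearchParams(queryString);
  const candidate = params.get("url");
  if (candidate === null) return null; // no override requested

  let parsed;
  try {
    parsed = new URL(candidate, pageOrigin); // relative paths resolve to our origin
  } catch (e) {
    return null; // unparseable value: refuse rather than guess
  }
  // Only http(s): rejects javascript:, data: and any other scheme outright.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") return null;
  // Same-origin specs, or origins we explicitly trust, and nothing else.
  if (parsed.origin !== pageOrigin && !ALLOWED_SPEC_ORIGINS.has(parsed.origin)) {
    return null;
  }
  return parsed.href;
}

// Hardened initialisation: the override is decided here, with a safe default,
// and Swagger-UI itself is told not to read configuration from the query string
// (queryConfigEnabled is a real Swagger-UI option; false is its current default).
function buildSwaggerConfig(queryString, pageOrigin, defaultSpec) {
  return {
    url: resolveSpecUrl(queryString, pageOrigin) || defaultSpec,
    queryConfigEnabled: false,
    dom_id: "#swagger-ui",
  };
}
```

Pass the object returned by `buildSwaggerConfig` to `SwaggerUIBundle(...)` in place of a config that reads `url` straight from `location.search`.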
The researcher was able to visit DOMPurify release pages and search for a suitable bypass. However, the payload he found required