Information Leakage / Publicly Available Swagger API Documentation

Web and API

Description

Publicly available Swagger API documentation is a vulnerability that occurs when the Swagger (OpenAPI) documentation for an API is served on a publicly reachable web page, so that anyone can browse the documented endpoints and access the data they expose. This type of vulnerability is classified as an Information Leakage weakness in the Common Weakness Enumeration (CWE) and is also addressed in the OWASP Testing Guide. Information Leakage vulnerabilities occur when an application unintentionally discloses sensitive data or assets, such as authentication tokens, passwords, or encryption keys.

Risk

The risk of this vulnerability is that an attacker can reach the documented API and its data without authentication, allowing them to view, extract and manipulate that data and potentially cause serious damage to the application and its users. A risk assessment should be conducted to determine the level of risk this vulnerability poses, and appropriate measures should be taken to reduce it.

Solution

The best way to address this vulnerability is to ensure that the Swagger API documentation is not publicly available. This can be done by restricting access to the documentation page, for example by disabling it in production deployments or by placing it behind authentication and authorization mechanisms so that only authorized users can reach it.
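One way to implement this restriction at the application layer, as an added example that is not code from the original page: a small WSGI middleware that hides the common Swagger/OpenAPI documentation paths unless the deployment explicitly exposes them or the caller presents a valid bearer token. The path list, the token check and the `demo_app` downstream application are assumptions for the example; adjust the paths to whatever your framework actually serves.

```python
"""Gate Swagger / OpenAPI documentation endpoints (added example, stdlib only).

Assumptions: a WSGI application, a single shared documentation token passed in
at startup (hypothetical), and the documentation path prefixes listed below.
"""
import hmac

# Paths where frameworks commonly expose Swagger UI or the OpenAPI spec
# (assumption: verify against the paths your own framework serves).
DOC_PATH_PREFIXES = (
    "/swagger", "/swagger-ui", "/api-docs", "/v2/api-docs", "/v3/api-docs",
    "/openapi.json", "/docs", "/redoc",
)


def is_docs_path(path):
    """True if `path` is a documentation endpoint or lives beneath one."""
    path = path.rstrip("/") or "/"
    return any(
        path == prefix or path.startswith(prefix + "/") or path.startswith(prefix + ".")
        for prefix in DOC_PATH_PREFIXES
    )


class DocsGate:
    """WSGI middleware: hide docs unless explicitly exposed or a valid token is given."""

    def __init__(self, app, docs_token=None, expose_docs=False):
        self.app = app
        self.docs_token = docs_token      # None means docs are never served
        self.expose_docs = expose_docs    # True only in non-production deployments

    def _authorized(self, environ):
        if self.docs_token is None:
            return False
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        # Constant-time comparison so the token cannot be guessed byte by byte.
        return scheme.lower() == "bearer" and hmac.compare_digest(token, self.docs_token)

    def __call__(self, environ, start_response):
        if is_docs_path(environ.get("PATH_INFO", "/")) and not self.expose_docs:
            if not self._authorized(environ):
                # Answer 404 rather than 401 so the existence of the docs is not confirmed.
                start_response("404 Not Found", [("Content-Type", "text/plain")])
                return [b"not found"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in downstream application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def build_app(docs_token="constructed-demo-token", expose_docs=False):
    """Wrap the demo application; production callers pass expose_docs=False."""
    return DocsGate(demo_app, docs_token=docs_token, expose_docs=expose_docs)


def request_status(app, path, authorization=None):
    """Drive a WSGI app with a constructed request and return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    gated = build_app()
    for path, auth in (("/swagger-ui/index.html", None),
                       ("/swagger-ui/index.html", "Bearer constructed-demo-token"),
                       ("/api/users", None)):
        print(path, auth, "->", request_status(gated, path, auth)[0])
```

In a real deployment the token would come from a secret store rather than a constant, and `expose_docs` would be derived from the deployment environment so that documentation is never served publicly in production by default.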
