Information Leakage / Publicly Available Swagger API Documentation

Web and API

Description

Publicly available Swagger API documentation is a weakness that occurs when a Swagger/OpenAPI specification (for example swagger.json or /v2/api-docs), or the Swagger UI that renders it, is reachable by unauthenticated users on a production host. The document is a machine-readable map of the API: every path, method, parameter, request and response schema, and the authentication scheme each operation expects. It does not grant access to data by itself, but it removes the guesswork from reconnaissance, and generated specifications frequently list internal, administrative, deprecated or test endpoints that were never meant to be discovered. The Common Weakness Enumeration (CWE) classifies this as an information exposure weakness (CWE-200, Exposure of Sensitive Information to an Unauthorized Actor), and the OWASP Web Security Testing Guide covers it among its information gathering tests. The leakage is direct, not just indirect, when the specification itself carries sensitive values: example authentication tokens, default passwords, API keys, or internal hostnames embedded in descriptions and examples.

Risk

The risk of this vulnerability is that an attacker obtains, without authentication, a complete inventory of the attack surface: endpoints that no client ever links to, parameter names and types to fuzz, object schemas showing which fields exist (and which may be mass-assignable), and the security requirement of each operation, which points directly at operations declared without one. When Swagger UI is served alongside the document, requests can be built and sent from the browser with no tooling at all. Where an exposed endpoint also lacks proper authorization, the outcome is viewing, extracting or manipulating data that should have been protected; where the document embeds credentials, the outcome is immediate account or service compromise. A risk assessment should weigh what the document reveals (internal paths, schemas, embedded secrets) and whether each documented endpoint enforces authorization independently of the documentation being hidden, then take appropriate measures to reduce the risk.
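The following script is an added example for this page, not code from the original page. It does what an attacker (or a pre-release reviewer) does with a retrieved specification: lists the common paths where generated specs are served, enumerates every operation, flags the ones the document itself declares as requiring no credentials, and walks the whole document for credential-like values. The embedded specification is constructed for the example: it extends the page's "Example API" with a hypothetical admin endpoint that carries an empty security requirement and a parameter example containing a bearer token; all paths, operation ids and token values are made up.

```python
"""Audit an exposed Swagger 2.0 / OpenAPI 3 document for what it hands an attacker.

Added example for this page; not code from the original page. The spec below is
constructed for the example and every path, operation id and token value in it
is hypothetical.
"""
import json
import re

# Locations where generated specs and their UIs are commonly served; probe these
# unauthenticated during reconnaissance or as part of a pre-release check.
COMMON_SPEC_PATHS = [
    "/swagger.json", "/api/swagger.json", "/swagger/v1/swagger.json",
    "/v2/api-docs", "/v3/api-docs", "/openapi.json", "/api-docs",
    "/swagger-ui.html", "/swagger-ui/index.html", "/docs", "/redoc",
]

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Key names that usually hold credentials, and string values that are already a
# usable Authorization header.
SENSITIVE_KEY = re.compile(r"token|secret|passw|api[_-]?key", re.I)
SENSITIVE_VALUE = re.compile(r"^(Bearer|Basic)\s+\S+", re.I)

# Constructed sample document (hypothetical content, see lead-in).
CONSTRUCTED_SPEC = json.loads("""
{
  "swagger": "2.0",
  "info": {"title": "Example API", "version": "1.0.0",
           "x-internal-token": "hypothetical-example-token"},
  "security": [{"api_key": []}],
  "securityDefinitions": {
    "api_key": {"type": "apiKey", "name": "X-API-Key", "in": "header"}
  },
  "paths": {
    "/api/users": {"get": {"summary": "Get all users", "operationId": "getUsers"}},
    "/api/users/{id}": {
      "delete": {"summary": "Delete a user", "operationId": "deleteUser",
                 "parameters": [{"name": "id", "in": "path", "required": true,
                                 "type": "integer"}]}
    },
    "/internal/admin/export": {
      "get": {"summary": "Dump all users as CSV", "operationId": "exportUsers",
              "security": [],
              "parameters": [{"name": "Authorization", "in": "header",
                              "type": "string",
                              "x-example": "Bearer hypothetical-admin-token"}]}
    }
  }
}
""")


def enumerate_operations(spec):
    """Return sorted (METHOD, path, secured) for every operation.

    An operation is secured when it, or the document-level default, declares a
    non-empty 'security' list. An explicit empty list on an operation overrides
    the default and means "no authentication", which is exactly the case worth
    flagging. Swagger 2.0 and OpenAPI 3 share this layout.
    """
    default = spec.get("security", [])
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # path-level 'parameters', 'summary', etc.
            ops.append((method.upper(), path, bool(op.get("security", default))))
    return sorted(ops)


def unauthenticated_operations(spec):
    """Operations the document itself says require no credentials."""
    return [(m, p) for m, p, secured in enumerate_operations(spec) if not secured]


def find_sensitive_values(spec):
    """Walk the whole document and report (dotted.path, value) for strings that
    sit under a credential-like key or look like a ready-made Authorization
    header. Descriptions, examples and vendor extensions are where these hide.
    """
    hits = []

    def walk(node, trail):
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, str) and value and (
                    SENSITIVE_KEY.search(key) or SENSITIVE_VALUE.match(value)
                ):
                    hits.append((".".join(trail + [key]), value))
                walk(value, trail + [key])
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, trail + [str(index)])

    walk(spec, [])
    return hits


if __name__ == "__main__":
    print("open operations:", unauthenticated_operations(CONSTRUCTED_SPEC))
    print("leaked values:", find_sensitive_values(CONSTRUCTED_SPEC))
```

Run against a real document, the interesting output is the list of operations whose security requirement is empty while the document-level default is not: those are the endpoints the developers consciously opened, and they tend to be internal tooling. The value scan is deliberately broad; false positives are cheap to triage, a missed live token is not.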

Solution

The best way to address this vulnerability is to not publish the Swagger/OpenAPI document or the Swagger UI on production hosts unless the API is meant to be public, in which case the document's contents should be reviewed before release. Most frameworks have a switch for this: springdoc-openapi honours springdoc.api-docs.enabled=false and springdoc.swagger-ui.enabled=false, FastAPI accepts docs_url=None, redoc_url=None and openapi_url=None, and in ASP.NET Core the UseSwagger() and UseSwaggerUI() calls are normally placed inside an IsDevelopment() check. Where developers need the documentation on a shared environment, put it behind the same authentication and authorization as the application (or behind the reverse proxy), restrict it to internal networks, and send Cache-Control: no-store so proxies and CDNs do not retain a copy. Review the generated document for embedded secrets, internal hostnames and example credentials, and exclude endpoints that should not be advertised. Finally, treat hiding the documentation as defence in depth only: every documented endpoint must enforce authentication and authorization itself, because its path can still be guessed or recovered from client code.
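The handler below is an added example of the gating described above, not code from the original page or from any framework. It is a plain WSGI-style handler using only the standard library: the documentation route answers 404 in production (so the response does not confirm the path exists), requires a bearer token outside production, and then requires a role that is allowed to read the documentation. The environment name, token table, role names and the header name are hypothetical and constructed for the example; a real deployment would resolve the token through its identity provider or session store.

```python
"""Serve the API specification only to authenticated, authorized developers,
and never in production.

Added example for this page; not code from the original page or any framework.
The configuration values and the token table are constructed for the example.
"""
import hmac
import os

# Hypothetical configuration. Defaults to the safe case: production, where the
# documentation route does not exist at all.
ENVIRONMENT = os.environ.get("APP_ENV", "production")
DOCS_PATH = "/api/swagger.json"

# Constructed for the example: bearer token -> role. Never store real tokens
# like this; look them up in the identity provider / session store instead.
TOKENS = {
    "hypothetical-dev-token": "developer",
    "hypothetical-user-token": "customer",
}
DOCS_ROLES = {"developer"}

SPEC_BODY = (b'{"swagger": "2.0", "info": {"title": "Example API", '
             b'"version": "1.0.0"}, "paths": {}}')


def lookup_token(header):
    """Map an 'Authorization: Bearer <token>' header to a role, or None.

    The comparison is constant-time per candidate so the lookup does not leak
    how many leading bytes of a guessed token were correct.
    """
    if not header or not header.startswith("Bearer "):
        return None
    presented = header[len("Bearer "):].encode()
    for token, role in TOKENS.items():
        if hmac.compare_digest(presented, token.encode()):
            return role
    return None


def docs_response(path, authorization, environment=None):
    """Return (status, body) for a request to the documentation path.

    Order of checks matters: existence (404, indistinguishable from any other
    unknown path), then authentication (401), then authorization (403).
    """
    environment = environment or ENVIRONMENT
    if path != DOCS_PATH or environment == "production":
        return "404 Not Found", b""
    role = lookup_token(authorization)
    if role is None:
        return "401 Unauthorized", b""
    if role not in DOCS_ROLES:
        return "403 Forbidden", b""
    return "200 OK", SPEC_BODY


def app(environ, start_response):
    """Minimal WSGI entry point so the handler can be mounted under wsgiref
    or any WSGI server. Cache-Control: no-store keeps proxies and CDNs from
    retaining a copy of the specification."""
    status, body = docs_response(environ.get("PATH_INFO", ""),
                                 environ.get("HTTP_AUTHORIZATION"))
    start_response(status, [("Content-Type", "application/json"),
                            ("Cache-Control", "no-store")])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    with make_server("127.0.0.1", 8080, app) as server:
        server.serve_forever()
```

The same ordering applies whether the gate lives in the application or in the reverse proxy in front of it. The endpoints the specification describes (here /api/users) are not protected by this handler and must carry their own authorization checks; the gate only stops the map from being handed out.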

Example

The following exchange shows what the weakness looks like in practice. A request to one of the paths where generated specifications are commonly served, carrying no Authorization header, returns the complete document. From it the attacker learns that GET /api/users returns an array of User objects, before ever having sent a request to the API itself.

GET /api/swagger.json HTTP/1.1
Host: example.com

HTTP/1.1 200 OK
Content-Type: application/json

{
  "swagger": "2.0",
  "info": {
    "title": "Example API",
    "version": "1.0.0"
  },
  "paths": {
    "/api/users": {
      "get": {
        "tags": ["users"],
        "summary": "Get all users",
        "operationId": "getUsers",
        "consumes": [
          "application/json"
        ],
        "produces": [
          "application/json"
        ],
        "responses": {
          "200": {
            "description": "successful operation",
            "schema": {
              "type": "array",
              "items": {
                "$ref": "#/definitions/User"
              }
            }
          }
        }
      }
    }
  }
}

Related incidents

Exposed API documentation recurs in published breach write-ups, usually in the same shape: a researcher or attacker finds the specification or Swagger UI on a production host, reads off endpoints that the client application never calls, and discovers that some of them return personal data without an ownership check or without any authentication. Because the specification is generated from the code, it is an accurate inventory rather than a guess, which is what makes such findings quick to reproduce. When recording an incident of this type, note which document path was exposed, which endpoints it listed, and whether the data exposure came from the endpoints' own missing authorization rather than from the documentation alone, since that determines the fix.
