Category: Vulnerability Intelligence
Vulnerability Class: Improper Authorization
CWE ID: CWE-285
Executive Summary

THREAT
- Exposed Swagger endpoints allow unauthorized access to business and marketing operations.
- Threat actors leverage misconfigured endpoints to target customers by impersonating the company.

IMPACT
- Threat actors use exposed APIs to access and manipulate the victim company’s data.
- Unauthorized access to payments, refunds, and subscriptions.
- API keys allow threat actors to impersonate the company.

MITIGATION
- Continuous monitoring of APIs.
- Data managed by APIs, especially PII, must be encrypted.
- Enable authorization checks to prevent misuse of API endpoints.
CloudSEK’s contextual AI digital risk platform XVigil has identified an increase in instances of organizations exposing Swagger user interfaces. Many of these instances carry a high risk of exploitation.
Technical Analysis
- The Swagger specification (also known as OpenAPI) is an API description format for REST APIs. A Swagger file describes the API, including:
  - Available endpoints
  - Operations on each endpoint
  - Input parameters for each operation
  - Output for each operation
- Hence, unauthorized access to a company’s Swagger UI can enable threat actors to impersonate the company, manipulate its data, and target its customers.
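Because a Swagger/OpenAPI file lists every operation together with its security requirements, the same file can be audited before it is ever published. The script below is an added example (not CloudSEK’s tooling) that walks a constructed OpenAPI 3 document and reports operations callable without any authentication, applying the OpenAPI rule that an operation-level `security` list overrides the document-level one and that an empty list, or an empty `{}` requirement, disables authentication. It also reports security schemes that are referenced but never declared, since such a reference enforces nothing. The sample document, its `ApiKeyAuth` scheme and the `/api/health` and `/api/refunds` paths are assumptions made for the example; the two `/api/MobileOptIn` and `/api/OptOutGupshup` names come from the endpoints discussed above.

```python
"""Audit an OpenAPI 3 document for operations reachable without authentication.

Added example; the spec below is constructed for illustration and is not a
real company's API description.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample document. Only the two /api/*OptIn*/*OptOut* operation names
# are taken from the advisory text; the scheme, other paths and summaries are invented.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.3",
  "info": {"title": "Messaging API (constructed sample)", "version": "1.0"},
  "security": [{"ApiKeyAuth": []}],
  "components": {
    "securitySchemes": {
      "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}
    }
  },
  "paths": {
    "/api/MobileOptIn":   {"post": {"summary": "Send opt-in message", "security": []}},
    "/api/OptOutGupshup": {"post": {"summary": "Send opt-out message via Gupshup"}},
    "/api/health":        {"get":  {"summary": "Liveness probe", "security": [{}]}},
    "/api/refunds":       {"post": {"summary": "Issue refund",
                                    "security": [{"OAuth": ["refunds:write"]}]}}
  }
}
""")


def effective_security(spec, operation):
    """Security requirement list that applies to one operation.

    OpenAPI rule: a `security` key on the operation overrides the top-level
    list; an explicit empty list means the operation needs no authentication.
    """
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def find_unauthenticated_operations(spec):
    """Return [(METHOD, path), ...] for operations that anonymous callers can use."""
    findings = []
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary", vendor extensions, ...
            requirements = effective_security(spec, op)
            # An empty list, or an empty requirement object {} anywhere in the
            # list, makes authentication optional, i.e. the operation is open.
            if not requirements or any(req == {} for req in requirements):
                findings.append((method.upper(), path))
    return findings


def undefined_security_schemes(spec):
    """Scheme names referenced by a requirement but absent from components.securitySchemes."""
    declared = set(spec.get("components", {}).get("securitySchemes", {}))
    referenced = set()
    for req in spec.get("security", []):
        referenced.update(req)
    for item in spec.get("paths", {}).values():
        if not isinstance(item, dict):
            continue
        for method, op in item.items():
            if method.lower() in HTTP_METHODS:
                for req in op.get("security", []):
                    referenced.update(req)
    return referenced - declared


if __name__ == "__main__":
    for method, path in find_unauthenticated_operations(SAMPLE_SPEC):
        print(f"OPEN      {method} {path}")
    for name in sorted(undefined_security_schemes(SAMPLE_SPEC)):
        print(f"UNDEFINED security scheme referenced: {name}")
```

Run against a real document (`json.load` a `swagger.json`, or a YAML spec after conversion), the report is a quick check that the mitigations listed later, authorization on every critical endpoint, are actually reflected in what the Swagger UI advertises.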
Example of Exposed Swagger User Interfaces with High Exploitability Risk
[Figure: Exposed SwaggerUI]
Above is the exposed Swagger UI of a company, which has 2 exploitable endpoints:
- /api/MobileOptIn
This endpoint allows threat actors to send WhatsApp messages to a mobile number via the company’s verified business WhatsApp account.
[Figure: MobileOptIn endpoint]
Clicking the “Try it out” option displays the following response body.
[Figure: Response body of the MobileOptIn endpoint]
- /api/OptOutGupshup
This endpoint allows threat actors to send WhatsApp messages to a mobile number via the company’s verified business WhatsApp account, using Gupshup. Gupshup is a chatbot-building and messaging platform that facilitates WhatsApp customer support and marketing.
[Figure: OptOutGupshup endpoint]
Information from Open Source
- Swagger is used by more than 6 million users across 22,000 companies in 194 countries.
- SwaggerUI has over 6,000 mentions on Shodan, which indicates a high risk to organizations with exposed, openly accessible SwaggerUI endpoints.
[Figure: Shodan Report]
Information from Cybercrime forums
Posts across cybercrime forums show that threat actors are leveraging exposed Swagger UI endpoints to find critical vulnerabilities such as cross-site scripting (XSS), and exploiting them further to target widely used services such as PayPal, Microsoft, GitHub, Yahoo, etc.
[Figure: Post on SwaggerUI posted on an underground forum]
[Figure: List of XSS in Swagger UI instances]
The post below shows a threat actor sharing an exploit kit for Swagger UI.
[Figure: Post sharing exploit kit on an underground forum]
Impact & Mitigation

Impact
- Exposed APIs provide unauthorized access to business and marketing operations that can be misused to target a company’s customers.
- A threat actor can access and manipulate the victim’s data using these operations.
- An attacker with direct access to customers’ data compromises data privacy, confidentiality, and integrity.
- With access to the API key, a threat actor can perform operations such as sending media and SMS messages in the name of the legitimate business.

Mitigation
- Continuously monitor the APIs in your attack surface.
- Data managed by an API, especially personally identifiable information (PII) or other sensitive data protected by compliance standards and regulations, must be encrypted.
- Enable strict authorization mechanisms for critical endpoints to prevent their misuse.
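The last mitigation is easiest to get right when the check sits in front of both the documentation UI and the API it describes, so that neither the “Try it out” button nor a direct request reaches a messaging operation anonymously. The following is an added example (not CloudSEK’s or any vendor’s code) of a dependency-free WSGI middleware that refuses requests to the Swagger UI paths and to `/api/*` unless a valid API key is presented; the header name `X-API-Key`, the protected prefixes, the placeholder key value and the stand-in backend are all assumptions chosen for the example. The key is compared with `hmac.compare_digest` so the comparison time does not leak how much of the key matched.

```python
"""WSGI middleware that gates the Swagger UI and the API behind an API key.

Added example. Header name, protected prefixes and key value are assumptions;
a real deployment would load the key from a secret store and ideally use
per-client credentials rather than one shared key.
"""
import hmac
from wsgiref.simple_server import make_server

PROTECTED_PREFIXES = ("/swagger", "/api-docs", "/api/")
VALID_API_KEY = "constructed-example-key"  # placeholder, not a real credential


def backend_app(environ, start_response):
    """Stand-in for the real application; always answers 200."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


def require_api_key(app, valid_key=VALID_API_KEY, prefixes=PROTECTED_PREFIXES):
    """Wrap `app` so protected paths need a matching X-API-Key header."""
    expected = valid_key.encode()

    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "")
        if path.startswith(prefixes):
            # WSGI exposes request headers as HTTP_<NAME> with dashes as underscores.
            presented = environ.get("HTTP_X_API_KEY", "").encode()
            # Constant-time comparison; also False when lengths differ.
            if not hmac.compare_digest(presented, expected):
                start_response("401 Unauthorized", [("Content-Type", "text/plain")])
                return [b"authorization required"]
        return app(environ, start_response)

    return middleware


def call(app, path, headers=None):
    """Invoke a WSGI app in-process and return (status, body) for a GET."""
    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


app = require_api_key(backend_app)

if __name__ == "__main__":
    # Serve locally; /swagger/* and /api/* now answer 401 without the key.
    make_server("127.0.0.1", 8000, app).serve_forever()
```

The `call` helper lets the behaviour be exercised without opening a socket: an anonymous request to `/swagger/index.html` or `/api/MobileOptIn` is rejected with 401, the same request carrying the key is passed through, and paths outside the protected prefixes are untouched.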