- Exposed Swagger endpoints allow unauthorized access to business and marketing operations.
- Threat actors leverage misconfigured endpoints to target customers by impersonating the company.
- Threat actors use exposed APIs to access and manipulate the victim company’s data.
- Unauthorized access to payments, refunds, and subscriptions.
- API keys allow threat actors to impersonate the company.
- Continuous monitoring of APIs.
- Data managed by APIs, especially PII, must be encrypted.
- Enable authorization checks to prevent misuse of API endpoints.
The contextual AI digital risk platform XVigil has identified an increase in instances of organizations exposing Swagger user interfaces. Many of these instances have high exploitability risks.
- The Swagger specification (also known as OpenAPI) is an API description format for REST APIs. A Swagger file describes the API, including:
  - Available endpoints
  - Operations on each endpoint
  - Input parameters for each operation
  - Output for each operation
- Hence, unauthorized access to a company’s Swagger UI can enable threat actors to impersonate the company, manipulate its data, and target its customers.
Example of Exposed Swagger User Interfaces with High Exploitability Risk
The exposed Swagger UI of the company in question has two exploitable endpoints:
The first endpoint allows threat actors to send WhatsApp messages to a mobile number via the company’s verified WhatsApp Business account.
Clicking the “Try it out” option executes the request directly from the UI and displays the response body.
The second endpoint allows threat actors to send WhatsApp messages to a mobile number via the company’s verified WhatsApp Business account, using Gupshup. Gupshup is a chatbot-building and messaging platform that facilitates WhatsApp customer support and marketing.
Information from Open Source
- Swagger is used by more than 6 million users across 22,000 companies in 194 countries.
- SwaggerUI has over 6,000 mentions on Shodan. This indicates that there is a high risk to organizations with exposed open SwaggerUI endpoints.
Information from Cybercrime forums
Posts across cybercrime forums show that threat actors leverage exposed Swagger UI endpoints to find critical vulnerabilities such as cross-site scripting (XSS), and further exploit them to target widely used services such as PayPal, Microsoft, GitHub, Yahoo, etc.
Figure: Post on SwaggerUI posted on an underground forum
Figure: List of XSS in Swagger UI instances
The post below shows a threat actor sharing an exploit kit for Swagger UI.
Figure: Post sharing exploit kit on an underground forum
Impact & Mitigation
- Exposed APIs provide unauthorized access to business and marketing operations that can be misused to target a company’s customers.
- A threat actor can access and manipulate the victim’s data using these operations.
- An attacker with direct access to customers’ data compromises data privacy, confidentiality, and integrity.
- With access to the API key, they can perform operations such as sending media and SMS in the name of the legitimate business.
- Continuously monitor APIs in your attack surface.
- Data managed by an API, especially personally identifiable information (PII) or other sensitive data protected by compliance standards and regulations, must be encrypted.
- Enable strict authorization mechanisms for critical endpoints to prevent their misuse.
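Because a Swagger file enumerates every operation, the same file can be audited for the authorization gap the mitigation points above call out. The following is an added example, not tooling from the post or from XVigil: it walks a constructed OpenAPI 3 document (the paths, scheme name and header are hypothetical, modelled on the messaging endpoints described above) and reports every operation that can be called without satisfying any security requirement.

```python
import json

# Constructed sample OpenAPI 3 document, not a real company's spec. The paths
# and the "apiKey" scheme are hypothetical, modelled on the exposed UI above.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "components": {"securitySchemes": {
    "apiKey": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
  "paths": {
    "/whatsapp/send":   {"post": {"summary": "Send a WhatsApp message"}},
    "/marketing/sms":   {"post": {"security": [{"apiKey": []}, {}]}},
    "/payments/refund": {"post": {"security": [{"apiKey": []}]}},
    "/health":          {"get":  {"security": []}}
  }
}
""")

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}


def unprotected_operations(spec):
    """List (METHOD, path, reason) for operations callable without any auth.

    OpenAPI rules applied here: an operation's own `security` replaces the
    document-level `security`; an explicit empty list disables auth for that
    operation; an empty object `{}` inside the list makes auth optional. Any of
    these on a critical endpoint is what lets an exposed Swagger UI be abused.
    """
    global_sec = spec.get("security")
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip "parameters", "summary" and other non-operation keys
            sec = op["security"] if "security" in op else global_sec
            if sec is None:
                reason = "no security requirement at operation or document level"
            elif len(sec) == 0:
                reason = "security explicitly disabled with an empty list"
            elif any(req == {} for req in sec):
                reason = "anonymous access allowed via an empty {} requirement"
            else:
                continue  # at least one non-empty requirement must be satisfied
            findings.append((method.upper(), path, reason))
    return sorted(findings)


if __name__ == "__main__":
    for method, path, reason in unprotected_operations(SAMPLE_SPEC):
        print(f"{method:6} {path:18} {reason}")
```

Run it against the spec that Swagger UI serves (typically the `/swagger.json` or `/v3/api-docs` document behind the UI) to get a list of operations to review before the UI itself is taken off the public internet.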