|Category: Vulnerability Intelligence||Vulnerability Class: Improper Authorization||CWE ID: CWE-285|
- Swagger specification (also known as OpenAPI) is an API description format for REST APIs. A Swagger file describes the API, including:
  - Available endpoints
  - Operations on each endpoint
  - Input parameters for each operation
  - Output for each operation
- Hence, unauthorized access to a company’s Swagger UI can enable threat actors to impersonate the company, manipulate its data, and target its customers.
- Swagger is used by more than 6 million users across 22,000 companies in 194 countries.
- Swagger UI has over 6,000 mentions on Shodan. This indicates a high risk to organizations with publicly exposed Swagger UI endpoints.
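As an added defender-side illustration (not part of this intelligence entry), the script below parses a constructed OpenAPI 3.0 document, enumerates exactly what the entry says a Swagger file exposes (endpoints, operations, parameters, responses), and flags state-changing operations that no security scheme protects, which is the CWE-285 condition a review of a leaked spec looks for. The document, the scheme name `bearerAuth` and the paths are all constructed for this example.

```python
import json

# Constructed sample OpenAPI 3.0 document for illustration; not a real service.
SAMPLE_SPEC = json.loads("""
{
  "openapi": "3.0.0",
  "components": {"securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}},
  "paths": {
    "/health": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}},
    "/users/{id}": {
      "get": {"security": [{"bearerAuth": []}],
              "parameters": [{"name": "id", "in": "path", "required": true}],
              "responses": {"200": {"description": "user record"}}},
      "delete": {"parameters": [{"name": "id", "in": "path", "required": true}],
                 "responses": {"204": {"description": "deleted"}}}
    }
  }
}
""")

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
MUTATING = {"put", "post", "delete", "patch"}


def enumerate_operations(spec):
    """Return one record per operation: method, path, parameter names,
    documented response codes, and the effective security schemes.
    An operation-level 'security' overrides the document-level one; an
    empty result means the operation is reachable anonymously."""
    global_security = spec.get("security", [])
    records = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as 'parameters' or 'summary'
            security = op.get("security", global_security)
            records.append({
                "method": method.upper(),
                "path": path,
                "params": [p["name"] for p in op.get("parameters", [])],
                "responses": sorted(op.get("responses", {}).keys()),
                "schemes": sorted({name for req in security for name in req}),
            })
    return records


def unauthenticated_mutations(spec):
    """'METHOD path' for state-changing operations with no security scheme."""
    return [f"{r['method']} {r['path']}" for r in enumerate_operations(spec)
            if r["method"].lower() in MUTATING and not r["schemes"]]


if __name__ == "__main__":
    for record in enumerate_operations(SAMPLE_SPEC):
        print(record)
    print("Unauthenticated mutations:", unauthenticated_mutations(SAMPLE_SPEC))
```

Run against a real exported spec, the same walk tells a defender which operations a leaked Swagger document advertises to anyone who can reach it.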