Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/vavkamil/XSSwagger

A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacks
https://github.com/vavkamil/XSSwagger

Last synced: about 1 month ago
JSON representation

A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacks

Awesome Lists containing this project

README

        

# XSSwagger
Swagger-ui XSS scanner

A simple scanner that can find old versions of Swagger-ui vulnerable to various XSS attacks

#### XSS Vulnerabilities
https://snyk.io/vuln/npm:swagger-ui

#### Detecting Swagger UI version
https://github.com/swagger-api/swagger-ui/blob/master/docs/usage/version-detection.md

## Usage

```
vavkamil@localhost:~/Documents/Python/XSSwagger$ python3 xsswagger.py
) ( (
( /( )\ ))\ )
)\()|()/(()/(( ( ) ( ( ( ( ( (
((_)\ /(_))(_))\))( ( /( )\))()\))( ))\ )(
__((_|_))(_))((_)()\ )(_)|(_))((_))\ /((_|()\
\ \/ / __/ __|(()((_|(_)_ (()(_|()(_|_)) ((_)
> <\__ \__ \ V V / _` / _` / _` |/ -_)| '_|
/_/\_\___/___/\_/\_/\__,_\__, \__, |\___||_|
|___/|___/

usage: xsswagger.py [-h] (-d DOMAIN | -D DOMAINS) [-w WORDLIST] [-t THREADS]
xsswagger.py: error: one of the arguments -d -D is required
```

## Example

```
vavkamil@localhost:~/Documents/Python/XSSwagger$ python3 xsswagger.py -D test.txt
) ( (
( /( )\ ))\ )
)\()|()/(()/(( ( ) ( ( ( ( ( (
((_)\ /(_))(_))\))( ( /( )\))()\))( ))\ )(
__((_|_))(_))((_)()\ )(_)|(_))((_))\ /((_|()\
\ \/ / __/ __|(()((_|(_)_ (()(_|()(_|_)) ((_)
> <\__ \__ \ V V / _` / _` / _` |/ -_)| '_|
/_/\_\___/___/\_/\_/\__,_\__, \__, |\___||_|
|___/|___/

[i] Scanning multiple domains: test.txt
[i] Domains in a list: 5

****************************************************************************************************
****************************************************************************************************

[ Redirect ] https://dev.fitbit.com/build/reference/web-api/explore -> https://dev.fitbit.com/build/reference/web-api/explore/
[ 200 ] [ Swagger UI ] https://dev.fitbit.com/build/reference/web-api/explore/
[ Version ] 3.19.2 detected!

[ Vulnerable ] version 3.19.2 detected!
----------------------------------------------------------------------------------------------------
[ Severity ] Medium
[ Vulnerable ] <3.20.9
[ Published ] 14 Jun, 2019
[ Vulnerability ] Cross-site Scripting (XSS)
[ Detail ] https://snyk.io/vuln/SNYK-JS-SWAGGERUI-449921

****************************************************************************************************
****************************************************************************************************

[ 200 ] [ API Documentation ] https://promo-services-staging.brave.com/documentation
[ Version ] 2.1.4 detected!

[ Vulnerable ] version 2.1.4 detected!
----------------------------------------------------------------------------------------------------
[ Severity ] High
[ Vulnerable ] <2.2.1
[ Published ] 25 Jul, 2016
[ Vulnerability ] Cross-site Scripting (XSS)
[ Detail ] https://snyk.io/vuln/npm:swagger-ui:20160725
----------------------------------------------------------------------------------------------------
[ Severity ] Medium
[ Vulnerable ] <2.2.3
[ Published ] 13 Mar, 2017
[ Vulnerability ] Cross-site Scripting (XSS)
[ Detail ] https://snyk.io/vuln/npm:swagger-ui:20160901
----------------------------------------------------------------------------------------------------
[ Severity ] Medium
[ Vulnerable ] >=3.0.0 <3.0.13
[ Published ] 16 Jun, 2019
[ Vulnerability ] Cross-site Scripting (XSS)
[ Detail ] https://snyk.io/vuln/SNYK-JS-SWAGGERUI-449941
----------------------------------------------------------------------------------------------------
[ Severity ] Medium
[ Vulnerable ] <3.4.2
[ Published ] 25 Dec, 2017
[ Vulnerability ] Cross-site Scripting (XSS)
[ Detail ] https://snyk.io/vuln/npm:swagger-ui:20171031
----------------------------------------------------------------------------------------------------
[ Severity ] Medium
[ Vulnerable ] <3.18.0
[ Published ] 13 Jun, 2019
[ Vulnerability ] Reverse Tabnabbing
[ Detail ] https://snyk.io/vuln/SNYK-JS-SWAGGERUI-449808
----------------------------------------------------------------------------------------------------
[ Severity ] Medium
[ Vulnerable ] <3.20.9
[ Published ] 14 Jun, 2019
[ Vulnerability ] Cross-site Scripting (XSS)
[ Detail ] https://snyk.io/vuln/SNYK-JS-SWAGGERUI-449921

****************************************************************************************************
****************************************************************************************************

[ 200 ] [ Swagger UI ] https://api.hitbtc.com/api/2/explore/
[ Version ] 3.19.5 detected!

[ Vulnerable ] version 3.19.5 detected!
----------------------------------------------------------------------------------------------------
[ Severity ] Medium
[ Vulnerable ] <3.20.9
[ Published ] 14 Jun, 2019
[ Vulnerability ] Cross-site Scripting (XSS)
[ Detail ] https://snyk.io/vuln/SNYK-JS-SWAGGERUI-449921

****************************************************************************************************
****************************************************************************************************

[ 200 ] [ Swagger UI ] https://console.cloud.vmware.com/csp/gateway/slc/api/swagger-ui.html
[ Version ] Idk, please check manually!

[ Done ] Don't be evil!

```