Threat Actors Use Exposed Swagger UI to Misuse a Company’s Endpoints and Target Customers

Originally published at: https://cloudsek.com/threatintelligence/threat-actors-use-exposed-swagger-ui-to-misuse-a-companys-endpoints-and-target-customers/

Category: Vulnerability Intelligence

Vulnerability Class: Improper Authorization

CWE ID: CWE-285

Executive Summary

Threat
  • Exposed Swagger endpoints allow unauthorized access to business and marketing operations.
  • Threat actors leverage misconfigured endpoints to target customers by impersonating the company.

Impact
  • Threat actors use exposed APIs to access and manipulate the victim company’s data.
  • Unauthorized access to payments, refunds, and subscriptions.
  • API keys allow threat actors to impersonate the company.

Mitigation
  • Continuous monitoring of APIs.
  • Data managed by APIs, especially PII, must be encrypted.
  • Enable authorization checks to prevent misuse of API endpoints.

CloudSEK’s contextual AI digital risk platform XVigil has identified an increase in instances of organizations exposing Swagger user interfaces. Many of these instances have high exploitability risks.

Technical Analysis

  • Swagger specification (also known as OpenAPI) is an API description format for REST APIs. A Swagger file describes the API, including:
    • Available endpoints
    • Operations on each endpoint
    • Input parameters for each operation
    • Output returned by each operation
  • Hence, unauthorized access to a company’s Swagger UI can enable threat actors to impersonate the company, manipulate their data, and target their customers.

Example of Exposed Swagger User Interfaces with High Exploitability Risk

Figure: Exposed Swagger UI

Above is the exposed Swagger UI of a company, which exposes two exploitable endpoints:

  1. /api/MobileOptIn

This endpoint allows threat actors to send WhatsApp messages to any mobile number via the company’s verified WhatsApp Business account.

Figure: MobileOptIn endpoint

Upon clicking the “Try it out” option, the following response body is displayed.

Figure: MobileOptIn endpoint response

  2. /api/OptOutGupshup

This endpoint allows threat actors to send WhatsApp messages to a mobile number via the company’s verified WhatsApp Business account, using Gupshup. Gupshup is a chatbot-building and messaging platform that facilitates WhatsApp customer support and marketing.

Figure: OptOutGupshup endpoint

Information from Open Source

  • Swagger is used by more than 6 million users across 22,000 companies in 194 countries.
  • SwaggerUI has over 6,000 mentions on Shodan. This indicates that there is a high risk to organizations with exposed open SwaggerUI endpoints.

Figure: Shodan report

Information from Cybercrime forums

Posts across cybercrime forums show that threat actors are leveraging exposed Swagger UI endpoints to find critical vulnerabilities such as cross-site scripting (XSS), and further exploit them to target widely used services such as PayPal, Microsoft, GitHub, Yahoo, etc.

Figure: Post on SwaggerUI on an underground forum

Figure: List of XSS in Swagger UI instances

The post below shows a threat actor sharing an exploit kit for Swagger UI.

Figure: Post sharing an exploit kit on an underground forum

Impact & Mitigation

Impact
  • Exposed APIs provide unauthorized access to business and marketing operations that can be misused to target a company’s customers.
  • A threat actor can access and manipulate the victim’s data using these operations.
  • An attacker with direct access to customers’ data compromises data privacy, confidentiality, and integrity.
  • With access to the API key, threat actors can perform operations such as sending media and SMS messages in the name of the legitimate business.

Mitigation
  • Continuously monitor APIs in your attack surface.
  • Data managed by an API, especially personally identifiable information (PII) or other sensitive data protected by compliance standards and regulations, must be encrypted.
  • Enable strict authorization mechanisms for critical endpoints to prevent their misuse.
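One defender-side check that follows from the Swagger description in the Technical Analysis and from the authorization mitigation above, written here as an added example (not CloudSEK’s or the Swagger project’s code): it parses a Swagger/OpenAPI JSON document and reports every operation that declares no security requirement, which is the CWE-285 condition this post describes. The spec it runs on is constructed for illustration; only the two path names are borrowed from the post.

```python
"""Report Swagger/OpenAPI operations that carry no authorization requirement.

Added example, not CloudSEK's tooling. The sample spec below is constructed;
its two opt-in/opt-out paths mirror the endpoints named in the post.
"""
import json

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample spec: two messaging operations with no `security` entry
# and one operation protected by an API key scheme.
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
    "paths": {
        "/api/MobileOptIn": {"post": {"summary": "Send opt-in message"}},
        "/api/OptOutGupshup": {"post": {"summary": "Send opt-out message"}},
        "/api/Campaigns": {"get": {"security": [{"ApiKeyAuth": []}]}},
    },
})


def unprotected_operations(spec_text):
    """Return sorted 'METHOD /path' strings for operations with no auth requirement.

    An operation counts as protected if it has a non-empty `security` list of
    its own, or inherits a non-empty document-level `security` list. Per the
    OpenAPI spec an explicit empty list (`"security": []`) at operation level
    disables the global requirement, so such operations are reported too.
    """
    spec = json.loads(spec_text)
    global_security = spec.get("security") or []
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            # Skip path-level keys such as "parameters" or "summary".
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            effective = op["security"] if "security" in op else global_security
            if not effective:
                findings.append(f"{method.upper()} {path}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in unprotected_operations(SAMPLE_SPEC):
        print("no authorization requirement:", finding)
```

Run it against a live instance’s `swagger.json` (OpenAPI 3 or Swagger 2, both use the same `security` semantics) to get the list of operations that need an authorization scheme attached before exposure.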

References