Handling Swagger API Disclosure issue in FLW App


    • Type: Task
    • Resolution: Done
    • Priority: Medium
    • 3.1.0
    • Affects Version/s: None
    • AMRIT Sprint 28, AMRIT Sprint 29, AMRIT Sprint 30, AMRIT Sprint 35, AMRIT Sprint 39
    • FLW Mobile App
    • Prod

      Vulnerability Name: Swagger API Disclosure

      1. Vulnerable Point:
        a. https://amritdemo.piramalswasthya.org/flw-0.0.1/swagger-ui.html
        b. https://amritdemo.piramalswasthya.org/tmapi-v1.0/swagger-ui.html
      2. Observation / Description: It was observed that the Swagger UI, and the API documentation it serves, is reachable without authentication at the endpoints above.
      3. Impact: A publicly reachable Swagger UI gives an attacker a complete, machine-readable inventory of the API: every endpoint, HTTP method, parameter, request/response schema and authentication scheme. This removes the reconnaissance effort from any later attack on the API, may reveal internal or undocumented endpoints, and the UI's "Try it out" feature allows requests to be issued directly from the browser.
      4. Recommendation: Do not expose the Swagger UI or API specification publicly.
      5. Recommended Solution (one of the following):
        a. Since the code base is open source, the API specification is not secret, so the public Swagger disclosure can be accepted as a known finding. Note that this only holds while the published code and the deployed API match exactly; a live Swagger endpoint still confirms which version and which endpoints are actually deployed;
        b. or turn off (remove/disable) the Swagger API in the Production environment, UAT and the app build.
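The following is an added example of how option (b) can be implemented in a Spring Boot application that uses springfox (the framework that serves `swagger-ui.html`); it is not code from the AMRIT/FLW repository. It assumes springfox 2.x, Spring Boot 2.x with Spring Security 5.x (`WebSecurityConfigurerAdapter`), the profile names `local`, `dev` and `prod`, and the package name `org.example.flw`; all of these are assumptions. Swagger is only wired up for the development profiles, and in `prod` the documentation paths are additionally denied in the security filter chain, because the static `swagger-ui.html` page shipped in the `springfox-swagger-ui` jar is still served by Spring Boot's resource handler even when no `Docket` bean exists.

```java
// Added example, not the project's own code. Assumed: springfox 2.x,
// Spring Boot 2.x / Spring Security 5.x, profiles "local"/"dev"/"prod",
// package "org.example.flw" (all hypothetical).
package org.example.flw.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

@Configuration
public class ApiDocsConfig {

    /**
     * Swagger is registered only when the "local" or "dev" profile is active.
     * With any other active profile this nested configuration is skipped, so
     * no Docket bean and no springfox endpoints (/v2/api-docs,
     * /swagger-resources/**) are created.
     */
    @Configuration
    @EnableSwagger2
    @Profile({"local", "dev"})
    static class SwaggerEnabled {

        @Bean
        Docket flwApiDocket() {
            return new Docket(DocumentationType.SWAGGER_2)
                    .select()
                    .apis(RequestHandlerSelectors.basePackage("org.example.flw"))
                    .paths(PathSelectors.any())
                    .build();
        }
    }

    /**
     * Defence in depth for "prod": the static swagger-ui.html page from the
     * springfox-swagger-ui webjar is still served by the resource handler even
     * without a Docket, so every documentation path is denied outright.
     * @Order(1) puts this chain ahead of the application's main security
     * configuration (default order 100); requestMatchers() limits the chain to
     * the documentation paths, so all other requests fall through unchanged.
     */
    @Configuration
    @Profile("prod")
    @Order(1)
    static class SwaggerLockdown extends WebSecurityConfigurerAdapter {

        // springfox 2.x (/v2, swagger-resources, webjars) and springfox 3.x
        // (/swagger-ui/**, /v3) locations.
        static final String[] DOC_PATHS = {
                "/swagger-ui.html",
                "/swagger-ui/**",
                "/swagger-resources/**",
                "/v2/api-docs",
                "/v3/api-docs/**",
                "/webjars/**"
        };

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.requestMatchers()
                    .antMatchers(DOC_PATHS)
                    .and()
                    .authorizeRequests()
                    .anyRequest().denyAll();
        }
    }
}
```

After deploying with `SPRING_PROFILES_ACTIVE=prod`, the check is a plain HTTP request to each path listed in the finding (for example `curl -I` against `/flw-0.0.1/swagger-ui.html`): any status other than 200 confirms the UI is no longer served, and the springfox `/v2/api-docs` and `/swagger-resources` paths should be probed as well, since scanners flag the JSON specification even when the HTML page is gone. The cleanest long-term fix is to additionally exclude the `springfox-swagger-ui` dependency from the production build so the static page never ships.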

              Assignee:
              Ravi Shanigarapu
              Reporter:
              Madhava Ramu N
              Votes: 0
              Watchers: 4

                Created:
                Updated:
                Resolved:

                  Estimated: Original Estimate - 0 minutes (0m)
                  Remaining: Remaining Estimate - 0 minutes (0m)
                  Logged: Time Spent - 1 day (1d)