Handling Swagger API Disclosure issue in FLW App


    • Type: Task
    • Resolution: Done
    • Priority: Medium
    • 3.1.0
    • Affects Version/s: None
    • AMRIT Sprint 28, AMRIT Sprint 29, AMRIT Sprint 30, AMRIT Sprint 35, AMRIT Sprint 39
    • FLW Mobile App
    • Prod

      Vulnerability Name: Swagger API Disclosure

      1. Vulnerable Point:
        a. https://amritdemo.piramalswasthya.org/flw-0.0.1/swagger-ui.html
        b. https://amritdemo.piramalswasthya.org/tmapi-v1.0/swagger-ui.html
      2. Observation / Description: It was observed that the Swagger API documentation was publicly disclosed.
      3. Impact: An attacker can access the Swagger API documentation if it is publicly reachable, which can lead to a security breach.
      4. Recommendation: Never expose the Swagger API documentation publicly.
      5. Recommended Solution:
        a. Since the code is open source, the Swagger documentation may be disclosed publicly;
        b. or turn off (remove / disable) the Swagger API in the Production Environment / UAT / App Build.
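One way to implement recommendation 5.b, added here as an example and not taken from the FLW / AMRIT code base: register the Swagger documentation only when a development profile is active, so that builds started with a production or UAT profile never serve `/v2/api-docs` or `swagger-ui.html`. The example assumes a Spring Boot service using springfox 2.x (the `swagger-ui.html` path in the finding is typical of that library); the package name, the profile names `dev`/`local`, and the class name are assumptions.

```java
// Added example (not the FLW / AMRIT project's own code): gate Swagger on the
// active Spring profile so it exists only in development.
// Assumes Spring Boot + springfox 2.x. Package, class and profile names are
// hypothetical and should be aligned with the real project.
package org.example.flw.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Profile;
import springfox.documentation.builders.PathSelectors;
import springfox.documentation.builders.RequestHandlerSelectors;
import springfox.documentation.spi.DocumentationType;
import springfox.documentation.spring.web.plugins.Docket;
import springfox.documentation.swagger2.annotations.EnableSwagger2;

/**
 * Loaded only when the "dev" or "local" profile is active.
 * With spring.profiles.active=prod or uat this class is skipped entirely,
 * so the Docket bean is never created and /v2/api-docs is not registered.
 *
 * If the service were on springdoc-openapi instead of springfox, the same
 * effect is reached without code, in application-prod.properties:
 *   springdoc.api-docs.enabled=false
 *   springdoc.swagger-ui.enabled=false
 */
@Configuration
@EnableSwagger2
@Profile({"dev", "local"})
public class SwaggerConfig {

    @Bean
    public Docket api() {
        return new Docket(DocumentationType.SWAGGER_2)
                .select()
                // Only document the application's own controllers.
                .apis(RequestHandlerSelectors.basePackage("org.example.flw"))
                .paths(PathSelectors.any())
                .build();
    }
}
```

Two caveats when applying this. First, the `springfox-swagger-ui` artifact ships `swagger-ui.html` as static webjar content, so the HTML shell can still be served even when no Docket exists; the stronger fix for production builds is to keep that dependency out of the production artifact (or deny the `/swagger-ui.html`, `/v2/api-docs` and `/webjars/**` paths in the security configuration). Second, verify the fix the same way the finding was made: request `swagger-ui.html` and `/v2/api-docs` on the UAT and production hosts after deployment and confirm both return 404 rather than the documentation page.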

        Attachments:
        1. image-2025-01-17-14-37-35-073.png (78 kB, Ravi Shanigarapu)
        2. image-2025-01-17-14-38-51-721.png (78 kB, Ravi Shanigarapu)
        3. image-2025-01-17-14-39-40-977.png (58 kB, Ravi Shanigarapu)

            Assignee: Ravi Shanigarapu
            Reporter: Madhava Ramu N
            Votes: 0
            Watchers: 4


                Estimated: 0 minutes
                Remaining: 0 minutes
                Logged: 1 day