Swagger API Documentation Exposes Sensitive Endpoints and Data Structures

    • Type: Bug
    • Resolution: Unresolved
    • Priority: High
    • 3.6.1
    • Affects Version/s: 3.4.0

      A Swagger API Disclosure vulnerability has been identified in the application. The publicly accessible Swagger (OpenAPI) documentation exposes sensitive API endpoints and internal implementation details without requiring authentication. This information could be leveraged by attackers to discover hidden endpoints, understand request/response formats, and potentially exploit other vulnerabilities.

      Vulnerability Name: Swagger API Disclosure
      Vulnerable Point, Port or Parameter: https://uatamrit.piramalswasthya.org/tm-api/swagger-ui/index.html
      CVE/CWE: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
      CVSS Score: 6.2
      Overall Risk (Severity): Medium
      Mapping with OWASP Testing Checklist: OWASP Configuration and Deploy Management Testing
      Observation / Description: The Swagger (OpenAPI) documentation is reachable without authentication. Exposed API documentation lets attackers understand and target the backend APIs, which can lead to unauthorized access, data leaks, and further attacks on the application.
      Impact:
        • Attackers can discover internal API endpoints, business logic, request and response formats, and sensitive operational details without authentication.
        • The ready availability of endpoint documentation increases the risk of automated attacks such as brute-force, injection, or enumeration.
        • Unauthenticated access may enable exploitation of unprotected functions, leading to data leakage, privilege escalation, or manipulation of application features.
      Recommendation:
        • Restrict access to Swagger, and to any other API documentation, to authenticated and authorized users only.
        • Remove or disable the Swagger endpoints in production environments if they are not needed there.
        • Implement strong authentication and authorization on the sensitive API endpoints themselves; hiding the documentation does not protect an endpoint that accepts unauthenticated requests.
      Reference: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/12-API_Testing/01-API_Reconnaissance
      Steps to reproduce:
        Step 1: During the security assessment, the Swagger API documentation was found to be publicly accessible without authentication. Using directory enumeration, two Swagger API endpoints were discovered and their contents retrieved, exposing detailed API documentation and potentially sensitive API functions to unauthorized users.
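      The following is an added example of the first two recommendations, not code from this ticket or from the tm-api project. It assumes the service is a Spring Boot 3 / Spring Security 6 application that publishes its documentation through springdoc-openapi, whose default paths are /swagger-ui/** for the UI and /v3/api-docs/** for the generated spec, relative to the application's context path (/tm-api in the URL above); that assumption is based only on the swagger-ui/index.html path in the finding. The package name and the ADMIN role are hypothetical.

```java
// Added example, not code from this ticket or the tm-api project.
// Assumes Spring Boot 3 / Spring Security 6 with springdoc-openapi, which
// serves the UI at /swagger-ui/** and the spec at /v3/api-docs/** under the
// application's context path (/tm-api in the ticket's URL).
// The package name and the ADMIN role are hypothetical.
package org.example.tmapi.security;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class ApiDocsSecurityConfig {

    // Ordered ahead of the application's main filter chain so that the
    // documentation paths are matched here first and cannot be picked up by
    // a broader permitAll() rule defined elsewhere in the application.
    @Bean
    @Order(1)
    public SecurityFilterChain apiDocsFilterChain(HttpSecurity http) throws Exception {
        http
            // Only these paths are handled by this chain.
            .securityMatcher("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html")
            // Every request to them must carry an authenticated ADMIN principal:
            // anonymous callers get 401, authenticated non-admins get 403.
            .authorizeHttpRequests(auth -> auth.anyRequest().hasRole("ADMIN"))
            // HTTP Basic is used here for brevity; in a real deployment wire in
            // the application's existing session or token authentication.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

      For production, where the documentation is not needed at all, the cleaner fix is to turn the endpoints off entirely with the springdoc properties `springdoc.api-docs.enabled=false` and `springdoc.swagger-ui.enabled=false` in the production profile (for example `application-prod.properties`), which removes the spec and the UI rather than merely gating them. Two checks after deployment: if `/tm-api` is a reverse-proxy prefix rather than the servlet context path, the matchers above must include it or they will not fire; and an unauthenticated request to `/tm-api/v3/api-docs` and to `/tm-api/swagger-ui/index.html` should now return 401, 403 or 404, never 200 with a JSON spec or the UI.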

            Assignee:
            Deep Shikha
            Reporter:
            Shashank Kharkwal
            Votes:
            0
            Watchers:
            2
