Researchers have discovered a vulnerability within the Swagger specification which may place tools based on NodeJS, PHP, Ruby, and Java at risk of exploit.
According to Rapid7, the vulnerability has been found in injectable code payloads through the Swagger Code Generator for NodeJS, PHP, Ruby, and Java. If exploited, attackers can remotely execute code in a client or server to interact with definition of service systems, a concept the team says could be an “interesting space for future research.”
Other similar programming languages in the tool are possibly affected.
The Swagger Specification, donated and now acting as the foundation of the Open API Initiative (OAI), is used as the basis for describing REST APIs. The framework is used for a variety of purposes including scalable API deployment, testing, documentation and definition systems.
However, if crafted maliciously, Swagger documents can be used to create HTTP API clients & servers with embedded arbitrary code execution, often made possible through poor sanitization.
In this case, the security firm says that a vulnerability exists in trusting a malicious swagger document to create any generated code base locally, most often in the form of a dynamically generated API on the client side.
In addition, server-side, a vulnerability also exists in a service that consumes swagger to dynamically generate and serve API clients, server mocks and testing specs.
If exploited, depending on the target language, the vulnerability allows for remote code execution, code injections into browsers and the termination of block comments, among other issues.
Rapid7 first attempted to contact the vendor and API team at Swagger.io in April, and a proposed patch was provided to CERT on 16 June. On the date of public disclosure, 23 June, a Metasploit module has also been released, and the company recommends that santization tools such as the OWASP ESAPI are used to mitigate the threat in the meantime.
In addition, the cybersecurity firm says:
“Using double brackets for handlebars templates will usually prevent many types of injection attacks that involve single or double quote termination, however this will not stop a determined attacker who can inject variables without sanitization logic into multiline comments, inline code or variables.”
A fix has also been offered to swaggercodegen, but the problem is yet to be fully resolved.