CVE-2018-25031 PoC — Swagger UI 输入验证错误漏洞

Source

https://github.com/rafaelcintralopes/SwaggerUI-CVE-2018-25031

Associated Vulnerability

Title:Swagger UI 输入验证错误漏洞 (CVE-2018-25031)
Description:Swagger UI是一款支持可视化API资源并能够与之进行交互的开源工具。 Swagger-api Swagger UI 4.1.3之前版本中存在安全漏洞，该漏洞源于软件缺少对于用户提交的URL数据过滤和转义。攻击者可以通过特制的URL数据利用该漏洞进行欺骗攻击并显示远程OpenAPI定义。

Description

Exploit Swagger UI - User Interface (UI) Misrepresentation of Critical Information (CVE-2018-25031)

Readme

# Exploit Swagger UI - CVE-2018-25031
Exploit Swagger UI - User Interface (UI) Misrepresentation of Critical Information (CVE-2018-25031).

This exploit checks whether the Swagger UI used is susceptible to exploitation of the User Interface (UI) Misrepresentation of Critical Information vulnerability.

## Requirements
- Python 3
- Selenium
- Chrome Webdriver

## First use
Install Selenium
```
pip install selenium 
```
Clone the repository
```
git clone https://github.com/rafaelcintralopes/SwaggerUI-CVE-2018-25031.git
```
Change web browser driver path
```
drive_service = Service("C:/chromedriver.exe")
```

## Usage
```
python swagger-exploit.py https://[swagger-page].com
```

## References
- [Snyk](https://security.snyk.io/vuln/SNYK-JS-SWAGGERUI-2314885)
- [CVE-2018-25031](https://www.cve.org/CVERecord?id=CVE-2018-25031)

File Snapshot


 [4.0K]  /data/pocs/93eaed7f4b42a848f2f2563cad74a2f3e65dfd44
├── [ 833]  README.md
└── [2.2K]  swagger-exploit.py

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!