I've been on vacation trying to burn up my PTO and studying. No blogging, just diving deep into Hack-the-Box and security-related topics. I was a bit burned out from Hack Week in July and then a bunch of work stuff before DefCon. On the side, I've been running passive recon scans and found Swagger exposed on an API. At first, I thought it could be that I was on a corporate machine, but I tried on my phone which confirmed it.
An exposed Swagger allows a bad actor to map out your APIs and models even if the accessing of that API requires authentication and authorization.
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1694911092369/245d2b31-80e5-40a5-b185-f0079e8d0d14.png" alt class="image--center mx-auto" />
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1694910627396/7bf2668f-533f-4fc7-86f6-c323c313992c.png" alt class="image--center mx-auto" />
<img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1694910892918/abdaeb5d-0cd5-466a-83f4-28e56d85a9b0.png" alt class="image--center mx-auto" />
I think this is the third security issue I've reported at the company. The others were related to vendor software with improper authorization and another that was vulnerable to Log4J. It is indeed sad, that I am not ineligible for our Bug Bounty program. Both the non-prod and production Swagger are now disabled.
I learned something at DEF CON.
<h3 id="heading-links">Links</h3>
<a target="_blank" href="https://secapps.com/vulndb/swagger-exposure">https://secapps.com/vulndb/swagger-exposure</a>

I've been on vacation trying to burn up my PTO and studying. No blogging, just diving deep into Hack-the-Box and security-related topics. I was a bit burned out from Hack Week in July and then a bunch of work stuff before DefCon. On the side, I've been running passive recon scans and found Swagger exposed on an API. At first, I thought it could be that I was on a corporate machine, but I tried on my phone which confirmed it.

An exposed Swagger allows a bad actor to map out your APIs and models even if the accessing of that API requires authentication and authorization.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694911092369/245d2b31-80e5-40a5-b185-f0079e8d0d14.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694910627396/7bf2668f-533f-4fc7-86f6-c323c313992c.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1694910892918/abdaeb5d-0cd5-466a-83f4-28e56d85a9b0.png align="center")

I think this is the third security issue I've reported at the company. The others were related to vendor software with improper authorization and another that was vulnerable to Log4J. It is indeed sad, that I am not ineligible for our Bug Bounty program. Both the non-prod and production Swagger are now disabled.

I learned something at DEF CON.

### Links

[https://secapps.com/vulndb/swagger-exposure](https://secapps.com/vulndb/swagger-exposure)

Swagger Exposure

API Reconnaissance by attackers

I am a developer in Seattle with interests in Security (cyber and IRL), machine learning, and distributed systems.  The best practice is doing.  Teaching is learning.


Code Chronicles

Code Chronicles

Swagger Exposure

API Reconnaissance by attackers

Links