Attackers could exploit the vulnerability to achieve remote code execution, according to Rapid7 researchers, who have proposed changes to the specification to fix it.
The researchers have also supplied a proposed patch to the CERT Coordination Center (CERT/CC) at the Software Engineering Institute (SEI) in the US, and have published a module for the Metasploit penetration testing framework.
In January 2016, the Swagger Specification was donated to the Open API Initiative (OAI) and became the foundation of the OpenAPI Specification, which is still commonly known as Swagger.
The vulnerability disclosure is in accordance with Rapid7’s disclosure policy of publishing an advisory detailing a vulnerability 60 days after initial attempts to contact those responsible for the code.
For companies trying to keep up with the growing need for scalable application programming interface (API) deployment and testing, a specification that eases and speeds up the development, testing and deployment of a service is highly valuable.
However, the Rapid7 researchers said that anyone adopting such an API documentation/definition system should consider how the trust placed in the tools and specification that generate those services can be abused.
The attack works because some parsers and generators trust insufficiently sanitised parameters within a Swagger document when they generate a code base from it, they said.
On the client side, the vulnerability lies in trusting a malicious Swagger document to generate a code base locally, most often in the form of a dynamically generated API client.
On the server side, the vulnerability lies in a service that consumes Swagger documents to dynamically generate and serve API clients, server mock-ups and test specifications.
Mitigations for all the issues, the Rapid7 researchers said, include properly escaping parameters before injecting them into generated code, taking into account the context in which each variable is used during inline code creation.
They also include reviewing what sanitisation is in place, so that the trust extended to an API specification cannot be turned into code generation that allows remote code execution in the known, easily avoidable cases.
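To make the injection and the context-aware escaping concrete, here is a toy Swagger-to-Python client generator written for this article. It is an added example, not Rapid7's Metasploit module and not swagger-codegen's own templates; the Swagger document, the `session.request(method, path)` client shape and the marker names `INJECTED_AT_IMPORT`/`INJECTED_AT_CALL` are all constructed for the demonstration. It goes slightly beyond the article's description by showing three different contexts a field can land in (a comment, a string literal, and bare code such as a function name) and why each needs a different treatment.

```python
"""Toy Swagger-to-Python client generator: the naive, injectable form next to a
hardened form that escapes each field for the context it lands in.
Constructed example; not Rapid7's module and not swagger-codegen's templates."""
import ast
import keyword

# Constructed Swagger 2.0 document, trimmed to the fields the toy generator
# reads. Each payload targets a different context in the emitted source:
# `info.title` lands in a '#' comment (escape: newline) and `summary` lands in
# a triple-quoted docstring (escape: closing quotes).
MALICIOUS_SPEC = {
    "swagger": "2.0",
    "info": {"title": "Pet Store\nINJECTED_AT_IMPORT = True"},
    "paths": {"/pets": {"get": {
        "operationId": "list_pets",
        "summary": 'List pets"""\n'
                   '    globals()["INJECTED_AT_CALL"] = True\n'
                   '    _ = """',
    }}},
}

# Same document with the payload in operationId, which lands in bare code
# (a `def` name). No quoting helps there; the value has to be validated.
BAD_OPID_SPEC = {
    "swagger": "2.0",
    "info": {"title": "Pet Store"},
    "paths": {"/pets": {"get": {
        "operationId": "list_pets(s): pass\ndef evil",
        "summary": "List pets",
    }}},
}


def generate_naive(spec):
    """Vulnerable: spec fields are interpolated straight into Python source."""
    out = [f"# Client for {spec['info']['title']}"]
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            out.append(
                f"def {op['operationId']}(session):\n"
                f'    """{op.get("summary", "")}"""\n'
                f'    return session.request("{method.upper()}", "{path}")\n'
            )
    return "\n".join(out)


class UnsafeSpec(ValueError):
    """Raised when a spec field cannot be made safe for its context."""


def safe_identifier(name):
    # Code context: only a whitelist works, escaping cannot help here.
    if not name.isidentifier() or keyword.iskeyword(name):
        raise UnsafeSpec(f"operationId is not a plain identifier: {name!r}")
    return name


def safe_comment(text):
    # Comment context: a '#' comment ends at the line break, so strip those.
    return text.replace("\r", " ").replace("\n", " ")


def generate_hardened(spec):
    """Each field is escaped or validated for the context it is injected into."""
    out = [f"# Client for {safe_comment(spec['info']['title'])}"]
    for path, ops in spec["paths"].items():
        for method, op in ops.items():
            # String-literal context: repr() yields a valid Python literal for
            # any str, whatever quotes, newlines or backslashes it contains.
            out.append(
                f"def {safe_identifier(op['operationId'])}(session):\n"
                f"    {op.get('summary', '')!r}\n"
                f"    return session.request({method.upper()!r}, {path!r})\n"
            )
    return "\n".join(out)


def statement_shape(source):
    """(module-level statement types, statement types per generated function)."""
    tree = ast.parse(source)
    funcs = {n.name: [type(s).__name__ for s in n.body]
             for n in tree.body if isinstance(n, ast.FunctionDef)}
    return [type(n).__name__ for n in tree.body], funcs


class FakeSession:
    def request(self, method, path):
        return (method, path)


def load_and_call(source, operation):
    """Exec the generated client, call one operation, and report the result
    together with any INJECTED_* names the generated code left behind."""
    ns = {}
    exec(compile(source, "<generated-client>", "exec"), ns)
    result = ns[operation](FakeSession())
    return result, {k for k in ns if k.startswith("INJECTED")}


def generation_rejected(spec):
    try:
        generate_hardened(spec)
    except UnsafeSpec:
        return True
    return False


if __name__ == "__main__":
    for label, gen in (("naive", generate_naive), ("hardened", generate_hardened)):
        src = gen(MALICIOUS_SPEC)
        print(f"--- {label} ---\n{src}\nshape: {statement_shape(src)}")
        print("call:", load_and_call(src, "list_pets"))
    print("naive accepts bad operationId:", statement_shape(generate_naive(BAD_OPID_SPEC))[0])
    print("hardened rejects bad operationId:", generation_rejected(BAD_OPID_SPEC))
```

The naive generator turns the comment payload into a module-level statement that runs as soon as the client is imported, and the docstring payload into a statement that runs on every call of `list_pets`. The hardened generator emits the same document as one function with a docstring and a return, because each field was escaped for the place it lands: line breaks removed for the comment, `repr()` for string literals, and an identifier check for the function name, where no escaping can make an arbitrary string safe.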