
Information Leakage - Swagger Documentation

Description

Information leakage through Swagger documentation occurs when sensitive information, such as API endpoints, request/response schemas, or authentication mechanisms, is inadvertently exposed in publicly accessible Swagger documentation. Attackers can use it to learn the application's architecture and to identify security weaknesses or entry points for attacks. To mitigate this vulnerability, developers should review and sanitize Swagger documentation to remove any sensitive details, enforce access controls that restrict access to sensitive endpoints, and regularly update the documentation to reflect changes in the application's configuration or security posture.

Remediation

Limit public access to your Swagger or OpenAPI documentation, placing it behind appropriate authentication if you must share it beyond development teams. Remove or mask any sensitive fields, credentials, or endpoints from the documentation. Regularly review and update your documentation to ensure it only exposes necessary information. Consider splitting documentation between public endpoints and internal, privileged ones. Employ a Web Application Firewall (WAF) or intrusion detection system to monitor and block suspicious traffic that exploits documented endpoints. Additionally, keep your API specifications aligned with your application’s real configuration and security posture, ensuring that newly deprecated or sensitive endpoints are not inadvertently exposed.
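The two remediation steps that lend themselves to code are the audience split (a public view of the spec next to the full internal one) and the authentication gate in front of the full view. The following is an added example, written for this page and not taken from any project or scanner; it assumes a vendor extension named x-internal (an assumption, not an OpenAPI standard field) marks servers, path items or operations as internal-only, and it uses a constructed sample spec and a constructed bearer token.

```python
"""Serve a sanitized OpenAPI document: anonymous callers get a filtered view,
callers presenting the internal bearer token get the full spec.

Assumption for this example: a vendor extension ``x-internal: true`` on a
server, path item or operation marks it as internal-only. This is a local
convention, not part of the OpenAPI specification."""
import copy
import hmac
import json
import os
import re

# Constructed sample spec (not a real API). The admin path, the force-refund
# operation and the private server entry carry the assumed x-internal flag.
FULL_SPEC = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API", "version": "1.0"},
    "servers": [
        {"url": "https://api.example.com"},
        {"url": "http://10.0.0.5:8080", "x-internal": True},
    ],
    "paths": {
        "/orders": {
            "get": {"summary": "List orders", "responses": {"200": {"description": "ok",
                    "content": {"application/json": {"schema": {"$ref": "#/components/schemas/Order"}}}}}},
        },
        "/admin/users": {
            "x-internal": True,
            "get": {"summary": "List all users", "responses": {"200": {"description": "ok"}}},
        },
        "/orders/{id}/refund": {
            "post": {"x-internal": True, "summary": "Force refund", "responses": {"200": {"description": "ok",
                     "content": {"application/json": {"schema": {"$ref": "#/components/schemas/RefundReceipt"}}}}}},
            "get": {"summary": "Refund status", "responses": {"200": {"description": "ok"}}},
        },
    },
    "components": {"schemas": {
        "Order": {"type": "object", "properties": {"id": {"type": "string"},
                  "customer": {"$ref": "#/components/schemas/Customer"}}},
        "Customer": {"type": "object", "properties": {"email": {"type": "string"}}},
        "RefundReceipt": {"type": "object", "properties": {"ledger_account": {"type": "string"}}},
    }},
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
REF_RE = re.compile(r'"\$ref": "#/components/schemas/([^"]+)"')


def public_view(spec):
    """Return a deep copy of spec with x-internal servers, path items and
    operations removed, and with component schemas that nothing public
    references any more pruned, so internal-only models do not leak."""
    out = copy.deepcopy(spec)
    out["servers"] = [s for s in out.get("servers", []) if not s.get("x-internal")]
    kept_paths = {}
    for path, item in out.get("paths", {}).items():
        if item.get("x-internal"):
            continue  # whole path item is internal
        ops = {k: v for k, v in item.items()
               if k not in HTTP_METHODS or not v.get("x-internal")}
        if any(k in HTTP_METHODS for k in ops):  # drop paths with no public operation
            kept_paths[path] = ops
    out["paths"] = kept_paths
    schemas = out.get("components", {}).get("schemas", {})
    # Transitive reachability from the surviving paths: a schema stays only if a
    # public operation, or another kept schema, still points at it.
    reachable = set(REF_RE.findall(json.dumps(kept_paths)))
    frontier = list(reachable)
    while frontier:
        for dep in REF_RE.findall(json.dumps(schemas.get(frontier.pop(), {}))):
            if dep not in reachable:
                reachable.add(dep)
                frontier.append(dep)
    out.setdefault("components", {})["schemas"] = {n: s for n, s in schemas.items() if n in reachable}
    return out


def serve_spec(headers, spec, internal_token):
    """Pick the view for one request: a valid bearer token (constant-time
    comparison) gets the full spec, everything else the public view.
    Returns (http_status, body)."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        presented = auth[len("Bearer "):].strip().encode()
        if hmac.compare_digest(presented, internal_token.encode()):
            return 200, spec
    return 200, public_view(spec)


if __name__ == "__main__":
    # Constructed token for the demo; a real deployment would use an identity provider.
    token = os.environ.get("SPEC_INTERNAL_TOKEN", "example-internal-token")
    _, anon = serve_spec({}, FULL_SPEC, token)
    _, staff = serve_spec({"Authorization": "Bearer " + token}, FULL_SPEC, token)
    print("public paths:  ", sorted(anon["paths"]))
    print("public schemas:", sorted(anon["components"]["schemas"]))
    print("internal paths:", sorted(staff["paths"]))
```

The schema pruning matters because a leaked model name or field (a ledger account, an internal user record) is as revealing as a leaked path; filtering only the paths section leaves it in the components block. The same flag-driven filter can be run at build time to publish a static public spec instead of deciding per request.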

References

https://owasp.org/www-community/attacks/Information_exposure
https://swagger.io/docs/specification/about/

Severity

LOW

OWASP

Code: A02:2021

Category: Cryptographic Failures

Classification

CWE-200
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

3.1

CVSS:4.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

3.1