Documentation
¶
Overview ¶
Package data holds embedded wordlists, content matchers, secret regexes, and the CVE registry that power SwaggerVu.
Index ¶
- Variables
- func CVEsForParam(param string) []string
- func DefaultPayload(param string) string
- func InjectionParams() []string
- func LooksLikeSwagger(body string) bool
- func MatchedMarker(body string) string
- func Paths() []string
- func PathsSorted() []string
- func PriorityPaths() []string
- type CVE
- type SecretPattern
Constants ¶
This section is empty.
Variables ¶
var SwaggerCVEs = []CVE{
{
ID: "CVE-2025-8191",
Title: "Swagger UI DOM XSS via configUrl/url (DOMPurify bypass)",
Affected: "swagger-ui >= 3.14.1 and < 3.38.0 (fixed in 3.38.1)",
Description: "Swagger UI renders the spec's description/markdown via React dangerouslySetInnerHTML after an outdated DOMPurify (<=2.2.2). A nested math/svg/textarea payload bypasses the sanitizer and executes JS. Loaded through the configUrl or url query parameter, so an attacker only needs a victim to open a crafted link.",
Param: "configUrl",
Technique: "dompurify-bypass-xss",
Reference: "https://nvd.nist.gov/vuln/detail/CVE-2025-8191",
},
{
ID: "CVE-2025-8191-url",
Title: "Swagger UI DOM XSS via url param (DOMPurify bypass)",
Affected: "swagger-ui >= 3.14.1 and < 3.38.0 (fixed in 3.38.1)",
Description: "Same DOMPurify-bypass DOM XSS as CVE-2025-8191, delivered through the url query parameter instead of configUrl.",
Param: "url",
Technique: "dompurify-bypass-xss",
Reference: "https://nvd.nist.gov/vuln/detail/CVE-2025-8191",
},
{
ID: "CVE-2018-25031",
Title: "Swagger UI relative/remote spec DOM XSS via configUrl/url",
Affected: "swagger-ui < 3.23.11 (and forks accepting configUrl/url)",
Description: "Swagger UI loads an externally supplied OpenAPI definition through the configUrl or url query parameter; a malicious spec can inject script/HTML into the rendered DOM.",
Param: "configUrl",
Technique: "configUrl-xss",
Reference: "https://nvd.nist.gov/vuln/detail/CVE-2018-25031",
},
{
ID: "CVE-2016-1000229",
Title: "swagger-ui index.html DOM XSS",
Affected: "swagger-ui 2.x",
Description: "Reflected/DOM XSS in older swagger-ui where spec-controlled values are rendered without sanitization.",
Param: "url",
Technique: "url-xss",
Reference: "https://nvd.nist.gov/vuln/detail/CVE-2016-1000229",
},
{
ID: "GENERIC-SPEC-HTML-INJECTION",
Title: "Spec-driven HTML/markup injection in API documentation renderers",
Affected: "Swagger UI / ReDoc / RapiDoc rendering untrusted description/markdown fields",
Description: "Description, title, and markdown fields from a remote spec are rendered into the docs page; unsanitized HTML in those fields leads to HTML injection or stored XSS.",
Param: "configUrl",
Technique: "html-injection",
Reference: "https://owasp.org/www-community/attacks/xss/",
},
}
SwaggerCVEs is the curated registry used by the exploit module, newest first. Every entry is verified against a primary source (NVD or a vendor/GHSA advisory) and has a matching confirmation path in internal/exploit.
var VersionRegex = regexp.MustCompile(`v?[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}`)
VersionRegex extracts a semantic version string from a matched page.
Functions ¶
func CVEsForParam ¶
CVEsForParam returns the IDs of every registry entry that uses the given param.
func DefaultPayload ¶
DefaultPayload returns the per-parameter PoC URL to inject. It prefers an environment override (SWAGGERVU_PAYLOAD_<PARAM>, param upper-cased, e.g. SWAGGERVU_PAYLOAD_CONFIGURL / SWAGGERVU_PAYLOAD_URL); when unset it falls back to the bundled default for that param. An empty result lets the exploit module use its local benign built-in PoC.
func InjectionParams ¶
func InjectionParams() []string
InjectionParams returns the distinct query parameters worth testing, in order.
func LooksLikeSwagger ¶
LooksLikeSwagger reports whether a response body contains a Swagger/OpenAPI marker.
func MatchedMarker ¶
MatchedMarker returns the first marker found, or "".
func Paths ¶
func Paths() []string
Paths returns the full, deduplicated discovery wordlist with priority paths first.
func PathsSorted ¶
func PathsSorted() []string
PathsSorted returns the wordlist sorted alphabetically (for --list-paths).
func PriorityPaths ¶
func PriorityPaths() []string
PriorityPaths returns only the high-signal subset.
Types ¶
type CVE ¶
type CVE struct {
ID string
Title string
Affected string
Description string
// Param is the query parameter abused to load an attacker-controlled spec.
Param string
// Technique: "configUrl-xss" | "url-xss" | "html-injection".
Technique string
Reference string
}
CVE describes a known Swagger/OpenAPI-tooling vulnerability and how SwaggerVu tests for it. PoCs are benign markers only — exploitation is opt-in and gated.
type SecretPattern ¶
SecretPattern is a named, compiled secret-detection regex.
func SecretPatterns ¶
func SecretPatterns() []SecretPattern
SecretPatterns returns the compiled secret-detection corpus.