Uncovering Vulnerabilities Through Swagger UI Directory Enumeration

4 min read4 days ago

About Me

Hi everyone! My name is Satyam Pawale, also known as @hackersatty in the bug bounty world. I started bug hunting in 2024 and have been passionate about finding security vulnerabilities ever since.

This blog is meant to share my experience and help others learn from it. If you like it or have any feedback, feel free to drop a comment below. Let’s get started!

A Goldmine of Bugs Hidden in Plain Sight

If you’ve been in the bug bounty hunting game or working on penetration testing engagements, you know that enumeration is the cornerstone of success. While tools and automation can take us far, one overlooked area where massive vulnerabilities hide is Swagger UI — and its directories.

Swagger UI is widely used to visualize and interact with APIs, but developers often misconfigure it or expose sensitive endpoints unknowingly. By mastering Swagger UI directory enumeration, I’ve uncovered several high-impact bugs that others overlooked. Today, I’m sharing my approach, findings, and some techniques that will help you extract the most value.

What is Swagger UI?

For those unfamiliar, Swagger UI is an open-source API documentation tool that helps developers design, build, and document REST APIs. It typically exposes endpoints for testing and debugging purposes. While convenient for developers, a misconfigured Swagger UI can leak sensitive information, like hidden directories, endpoints, or parameters.

Here’s why you should care:

Many sensitive endpoints are often left exposed.
Swagger UI may leak internal APIs or configurations.
It can help you map the application’s attack surface.
It’s easy to test, but hard to secure when misconfigured.

Swagger UI Enumeration Techniques

Here’s how you can extract and enumerate directories like a pro. These methods are based on my own findings and real-world bugs:

1. Locate Swagger UI Files

Start by identifying where Swagger files are hosted. Some common Swagger UI URLs to check are:

https://example.com/swagger.json
https://example.com/swagger/v1/swagger.json
https://example.com/api/swagger.json
https://example.com/api-docs
https://example.com/swagger-ui.html

Use tools like Gau, Wayback Machine, or Google Dorks:
inurl:swagger.json site:example.com
intitle:"Swagger UI" inurl:/api-docs

2. Analyze Swagger JSON Files

Once you have access to the swagger.json file, download it and search for directories and endpoints. Look for:

Hidden paths (e.g., /admin, /internal, /debug, /v2/api)
Deprecated endpoints
Sensitive parameters (e.g., API keys, tokens)

Example:

"paths": {
    "/admin/debug": {
        "get": {
            "description": "Access debug info"
        }
    },
    "/internal/config": {
        "post": {
            "description": "Post internal configurations"
        }
    }
}

3. Test for Misconfigurations

Once you’ve mapped directories, test for vulnerabilities like:

Broken Authentication: If /admin or /internal paths are accessible without credentials.
Sensitive Data Exposure: Directories exposing internal configurations, debug logs, or credentials.
IDORs: Look for object IDs or user-specific endpoints that might be manipulated.

4. Automate Directory Enumeration

For speed and efficiency, automate your testing:

Use tools like ffuf or custom scripts to brute-force directories extracted from Swagger files.
Example:

cat swagger.json | jq -r ‘.paths | keys[]’ | ffuf -u https://example.com/FUZZ

Combine it with Burp Suite for deeper API analysis.

Real-World Findings

Here are some bugs I’ve discovered through Swagger enumeration:

Unprotected Admin Endpoints: Accessing /admin/debug leaked server logs.
Sensitive Data Exposure: Swagger JSON revealed API keys hardcoded in query parameters.
Hidden APIs: A deprecated /internal/config endpoint led to privilege escalation.

These issues were missed by traditional scanners because they didn’t analyze Swagger files thoroughly.

Tips to Maximize Swagger Enumeration

Always check /swagger.json and /api-docs for endpoints.
Use manual analysis before automating. It helps catch subtle misconfigurations.
Search for outdated or deprecated endpoints. Developers often forget to remove them.
Test all parameters thoroughly for injection, authentication flaws, or IDOR.
Report bugs with clear POCs showing the enumeration steps and impact.

Impact of Misconfigured Swagger UI

Misconfigurations in Swagger UI can lead to severe security risks:

Information Disclosure: Leaking sensitive directories, credentials, and server info.
Unauthorized Access: Accessing internal or admin APIs without authentication.
Privilege Escalation: Hidden endpoints enabling critical actions.
Service Disruption: Debug APIs exposing server vulnerabilities.

Conclusion

Swagger UI is a powerful tool for developers, but it can be a double-edged sword when left misconfigured. By thoroughly enumerating Swagger files, you can uncover hidden directories and endpoints that often lead to high-impact vulnerabilities.

This technique has been a game-changer for me, helping me discover bugs missed by automated scanners and increasing my success rate in bug bounty programs.

If you’re serious about finding bugs, add Swagger UI enumeration to your toolkit and start hunting smarter.

Checkout My Swagger UI List

To make this even easier for you, I’ve compiled a unique Swagger UI directory list that you can use directly in your bug hunting. This list is based on my own findings and experience, and it’s helped me find bugs efficiently.

You can find the list on my GitHub here. Go ahead, clone it, and start hunting smarter!

Stay Updated

I regularly post my findings and detailed reports to help the community. If you found this helpful, check out my previous bug bounty write-ups and findings here. Follow me to stay updated on more advanced techniques!

Happy Hunting!

If you liked this write-up, feel free to share it and drop your thoughts below. Let’s keep learning and hacking together!