The popular open source API framework Swagger lets developers describe, produce, and consume RESTful web services using a human-friendly authoring format. But a vulnerability that could result in code execution because of unexpected user input is a sobering reminder to developers to never, ever, trust user input.
Swagger defines a standard, language-agnostic interface to REST APIs by allowing people and computers to discover and understand what a web service can do without having to dig through the original source code, documentation, or network traffic packets. Swagger’s code generators let developers easily access APIs and produce client-server code, but a problem arises when the generators are fed malicious input. Because Swagger’s generators and parsers don’t verify input when generating code, a maliciously crafted Swagger document can result in remote code execution, Rapid7 said in a blog post disclosing the vulnerability.
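The mitigation the article points at is straightforward: treat a Swagger document from an untrusted party as input, and validate it before it ever reaches a code generator. The following is an added example of such a pre-generation check; it is not code from Swagger, from the generator project, or from Rapid7. It assumes a Swagger 2.0 document already parsed into a Python dict and applies an allowlist to the fields that generators typically emit as identifiers or string literals in generated source (operation IDs, schema and property names, parameter names, route paths) and flags free-text fields (summary, description) that contain line breaks, quotes, or comment delimiters. The two sample documents are constructed for the example.

```python
"""Hypothetical pre-generation validator for a Swagger 2.0 document.

Assumption (not part of Swagger or any generator): any field that a code
generator may copy into generated source must match a strict allowlist,
otherwise the document is refused before generation starts.
"""
import re
from typing import Any, Dict, List, Tuple

# Names that become classes, methods or variables in generated code.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")
# Parameter names may legitimately carry '-' or '.' (e.g. header names).
PARAM_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]{0,63}$")
# Route templates such as /pets/{petId} end up in string literals.
ROUTE_RE = re.compile(r"^/[A-Za-z0-9_{}./-]*$")
# Free text is emitted into comments/docstrings: refuse anything that could
# terminate the comment or literal it is placed in.
TEXT_BREAKOUT_RE = re.compile(r"""[\r\n"'\\]|\*/|/\*""")

Finding = Tuple[str, str]  # (JSON-ish path inside the document, reason)


def _check(pattern: "re.Pattern", path: str, value: Any,
           findings: List[Finding], what: str) -> None:
    """Record a finding when value is missing or fails the allowlist."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        findings.append((path, "%s is not safe for generation: %r" % (what, value)))


def _check_text(path: str, value: Any, findings: List[Finding]) -> None:
    """Record a finding when free text could break out of a comment/literal."""
    if isinstance(value, str) and TEXT_BREAKOUT_RE.search(value):
        findings.append((path, "free text contains line break, quote or comment delimiter"))


def validate_swagger(doc: Dict[str, Any]) -> List[Finding]:
    """Return every field that must not be handed to a code generator."""
    findings: List[Finding] = []
    for def_name, schema in doc.get("definitions", {}).items():
        base = "definitions[%s]" % def_name
        _check(IDENTIFIER_RE, base, def_name, findings, "definition name")
        _check_text(base + "/description", schema.get("description"), findings)
        for prop_name, prop in schema.get("properties", {}).items():
            pbase = base + "/properties[%s]" % prop_name
            _check(IDENTIFIER_RE, pbase, prop_name, findings, "property name")
            _check_text(pbase + "/description", prop.get("description"), findings)
    for route, methods in doc.get("paths", {}).items():
        _check(ROUTE_RE, "paths[%s]" % route, route, findings, "route")
        for method, op in methods.items():
            if not isinstance(op, dict):
                continue
            base = "paths[%s]/%s" % (route, method)
            if "operationId" in op:
                _check(IDENTIFIER_RE, base + "/operationId", op["operationId"],
                       findings, "operationId")
            for key in ("summary", "description"):
                _check_text(base + "/" + key, op.get(key), findings)
            for i, param in enumerate(op.get("parameters", [])):
                pbase = base + "/parameters/%d" % i
                _check(PARAM_NAME_RE, pbase + "/name", param.get("name"),
                       findings, "parameter name")
                _check_text(pbase + "/description", param.get("description"), findings)
    return findings


def is_safe_for_generation(doc: Dict[str, Any]) -> bool:
    """Gate to place in front of the generator."""
    return not validate_swagger(doc)


# Constructed sample: a well-formed document that should pass.
CLEAN_DOC = {
    "swagger": "2.0",
    "info": {"title": "Petstore", "version": "1.0"},
    "paths": {"/pets/{petId}": {"get": {
        "operationId": "getPetById",
        "summary": "Look up one pet",
        "parameters": [{"name": "petId", "in": "path", "type": "string",
                        "description": "Pet identifier"}]}}},
    "definitions": {"Pet": {"description": "A pet", "properties": {
        "name": {"type": "string", "description": "Display name"}}}},
}

# Constructed sample: the same document with two fields carrying characters
# that should never be copied verbatim into generated source.
TAMPERED_DOC = {
    "swagger": "2.0",
    "info": {"title": "Petstore", "version": "1.0"},
    "paths": {"/pets/{petId}": {"get": {
        "operationId": 'get"Pet',
        "summary": "Look up one pet",
        "parameters": [{"name": "petId", "in": "path", "type": "string",
                        "description": "Pet identifier\n*/"}]}}},
    "definitions": {},
}

if __name__ == "__main__":
    for path, reason in validate_swagger(TAMPERED_DOC):
        print(path, "->", reason)
```

The allowlists are deliberately tighter than what the specification permits; a real deployment would tune them to the target generator (for instance, the set of characters a given template engine escapes), but the principle stands: refuse anything you cannot prove the generator will emit safely, rather than trying to enumerate bad inputs.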