VYPR Research
Published Jun 3, 2026 · 1 source

Attackers Actively Scan for 'swagger.json' API Definitions

Threat actors are continuously scanning the internet for 'swagger.json' files, which expose API structures and can reveal vulnerable applications.

Enterprise applications frequently utilize complex standards for web services, with RESTful APIs and their associated definition files like Swagger (now OpenAPI) becoming increasingly prevalent. Swagger, and specifically its 'swagger.json' file, serves as a crucial interface description, akin to WSDL files or C/C++ header files, detailing how to interact with an API. While essential for developers to efficiently connect to and utilize APIs, these definition files inadvertently provide a detailed roadmap for attackers.

The SANS Internet Storm Center has observed a sustained and high volume of requests targeting various 'swagger.json' endpoints across the internet. This persistent scanning indicates that threat actors recognize the significant value these files hold in identifying potential targets. By examining the structure and metadata within a 'swagger.json' file, attackers can gain insights into the API's features and, critically, identify the underlying applications and their versions.

This intelligence allows attackers to pinpoint specific vulnerabilities associated with those applications, streamlining their efforts to find and exploit weaknesses. The data collected by SANS highlights the most frequently targeted 'swagger.json' URLs, with common paths such as '/swagger.json', '/api/v2/swagger.json', and '/swagger/v1/swagger.json' appearing repeatedly. These top targets have been scanned for years, demonstrating a long-standing attacker interest.

Beyond these established targets, the SANS report also notes the emergence of new, albeit less frequent, scanning patterns for 'swagger.json' files. These newer patterns, observed more recently, suggest evolving attacker methodologies or the discovery of new API deployment configurations. Examples include paths like '/%2Fswagger.json' and more complex nested structures within API documentation paths.

The sheer volume and continuous nature of these scans underscore a critical security concern: the potential for inadvertently exposed API definitions to become a primary vector for reconnaissance. While 'swagger.json' files are not inherently insecure, their public accessibility without proper access controls or sanitization can significantly increase an organization's attack surface.

Organizations are advised not to disable the use of 'swagger.json' files, as they are often a necessary component for API development and integration. Instead, the recommendation is to proactively scan internal environments for these files to identify any that may have been inappropriately published or left accessible to the public internet. This proactive approach allows for the remediation of exposed definitions before they can be exploited.
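As an added illustration of the defensive side of both the scanning patterns above and the remediation advice here (example code, not from the SANS report or Vypr): a Python script that runs over web-server access log lines, normalizes the request path so the encoded '/%2Fswagger.json' variant matches as well, counts which sources are probing for 'swagger.json', and lists the paths that actually returned a 2xx response, i.e. definitions that are exposed and should be reviewed. The log lines, IP addresses and paths are constructed for this example.

```python
"""Spot swagger.json scanning in access logs and flag definitions that were served."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample lines in Common Log Format; hosts, IPs and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2026:10:01:02 +0000] "GET /swagger.json HTTP/1.1" 404 153
203.0.113.7 - - [03/Jun/2026:10:01:03 +0000] "GET /api/v2/swagger.json HTTP/1.1" 200 48211
203.0.113.7 - - [03/Jun/2026:10:01:04 +0000] "GET /swagger/v1/swagger.json HTTP/1.1" 404 153
198.51.100.22 - - [03/Jun/2026:10:05:40 +0000] "GET /%2Fswagger.json HTTP/1.1" 404 153
198.51.100.22 - - [03/Jun/2026:10:05:41 +0000] "GET /docs/api/v1/SWAGGER.JSON HTTP/1.1" 200 9021
192.0.2.9 - - [03/Jun/2026:10:07:00 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def normalize_path(path: str) -> str:
    """Drop the query string and URL-decode (twice, to catch double-encoding)
    so '/%2Fswagger.json' compares the same as '/swagger.json'; case-fold too."""
    path = path.split("?", 1)[0]
    return unquote(unquote(path)).lower()

def is_swagger_request(path: str) -> bool:
    """True when the decoded path ends in swagger.json, whatever the prefix."""
    return normalize_path(path).endswith("swagger.json")

def analyze(log_text: str) -> dict:
    """Return per-source probe counts and the raw paths that were served (2xx)."""
    by_ip = Counter()
    served = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_swagger_request(m["path"]):
            continue
        by_ip[m["ip"]] += 1
        if m["status"].startswith("2"):
            served[m["path"]].add(m["ip"])  # a definition is reachable: review it
    return {"scanners": dict(by_ip),
            "exposed": {p: sorted(ips) for p, ips in served.items()}}

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Feed it your own access log instead of `SAMPLE_LOG` to see which 'swagger.json' paths on your hosts are actually answering; a 2xx entry is one to check against the advice above.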

The broader context of RESTful API development, as highlighted by the SANS report, involves significant design decisions left to developers. This freedom, while enabling flexibility, also presents numerous opportunities for misconfigurations and security oversights that attackers can readily exploit. Vigilance in API security, including the proper management of definition files, remains paramount.

The ongoing scanning for 'swagger.json' files serves as a stark reminder that even seemingly innocuous development artifacts can become valuable intelligence for threat actors. A robust security posture requires not only protecting against direct exploits but also diligently managing the information that is exposed about an organization's systems and services.

Synthesized by Vypr AI