Details

Alert ID: 100043-2
Alert Type: Script Active
Status: alpha
Risk: High
CWE: 522
WASC:
Technologies Targeted: All
Tags: CWE-522, OWASP_2017_A06, OWASP_2021_A05, POLICY_API, POLICY_PENTEST
More Info: Scan Rule Help

Summary

The Swagger UI endpoint exposes sensitive secrets such as client secrets, API keys, or OAuth tokens. Such secrets may be readable in the HTML source by anyone who can reach the endpoint; they should not be exposed publicly, as this can lead to compromise.

Solution

Remove hardcoded secrets from the API documentation and ensure the Swagger UI endpoint is protected with authentication.
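As an added illustration of the check this alert performs (example code, not the ZAP rule's own script), the function below scans the HTML served by a Swagger UI endpoint for literal secrets in the places Swagger UI conventionally puts them: `initOAuth` client secrets, `preauthorizeApiKey` values and bearer tokens set in a request interceptor. The sample page, key names and placeholder filter are assumptions constructed for the example.

```javascript
// Added example, not the ZAP SwaggerSecretDetector script itself.
// Assumption: the response is plain HTML/JS text and secrets, if present,
// appear as quoted literals next to the usual Swagger UI configuration keys.

// Configuration keys whose quoted literal value counts as an exposed secret.
const SECRET_KEYS = ["clientSecret", "client_secret", "apiKey", "api_key",
                     "access_token", "accessToken"];

// key: "value" or key = "value" with a literal of at least 8 characters.
const KEY_VALUE_RE = new RegExp(
  "\\b(" + SECRET_KEYS.join("|") + ")\\b\\s*[:=]\\s*['\"]([^'\"]{8,})['\"]", "g");

// ui.preauthorizeApiKey("name", "value") calls, as used in swagger-initializer.js.
const PREAUTH_RE =
  /preauthorizeApiKey\(\s*['"][^'"]+['"]\s*,\s*['"]([^'"]{8,})['"]\s*\)/g;

// A hardcoded bearer token, e.g. set on req.headers in a requestInterceptor.
const BEARER_RE = /Bearer\s+([A-Za-z0-9\-_.~+/]{16,}=*)/g;

// Documentation placeholders that should not be reported as real secrets.
const PLACEHOLDER_RE = /^(your|my|example|changeme|xxx|placeholder|<)/i;

// Returns one finding per exposed literal; the value is kept for the alert
// evidence and a redacted form is provided for logging.
function findSwaggerSecrets(html) {
  const findings = [];
  const add = (kind, value) => {
    if (PLACEHOLDER_RE.test(value)) return;
    findings.push({ kind, value, redacted: value.slice(0, 4) + "..." });
  };
  for (const m of html.matchAll(KEY_VALUE_RE)) add(m[1], m[2]);
  for (const m of html.matchAll(PREAUTH_RE)) add("preauthorizeApiKey", m[1]);
  for (const m of html.matchAll(BEARER_RE)) add("Authorization: Bearer", m[1]);
  return findings;
}

// Constructed sample of a Swagger UI page with hardcoded credentials.
const SAMPLE_HTML = `<script>
window.onload = function() {
  const ui = SwaggerUIBundle({ url: "/v1/openapi.json", dom_id: "#swagger-ui",
    requestInterceptor: (req) => {
      req.headers["Authorization"] = "Bearer eyJhbGciOiJIUzI1NiJ9.c29tZS1wYXlsb2Fk.c2lnbmF0dXJl";
      return req; } });
  ui.initOAuth({ clientId: "docs-portal", clientSecret: "s3cr3t-client-value-0042" });
  ui.preauthorizeApiKey("api_key", "AKIA0000EXAMPLEKEY1234");
  ui.preauthorizeApiKey("other", "your-api-key-here");
};
</script>`;

for (const f of findSwaggerSecrets(SAMPLE_HTML)) console.log(f.kind, f.redacted);
```

The third `preauthorizeApiKey` call in the sample is skipped by the placeholder filter, so only three findings are reported.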

Other Info

References

Code

scripts/scripts/active/SwaggerSecretDetector.js