Clarify disclosure and vulnerability risks for OpenAPI UIs

[davisnw]

Description

The page currently states:

• To limit information disclosure and security vulnerability, only enable Swagger UI in development environments.

However, this recommendation is only highlighted for Swagger UI, even though ReDoc and Scalar are also mentioned.

1. Are there particular reasons you consider "Swagger UI" to be more vulnerable than say Scalar or ReDoc?

2. "information disclosure" and "security vulnerability" are a bit vague. - Simply exposing Swagger UI should in general (barring supply chain attacks) not have any impact one way or another on the actual security of your endpoints.

   • In other words, if someone can inappropriately update or access information vi e.g. Swagger UI, ReDoc or Scalar, then they can already take advantage of those vulnerabilities by calling the same endpoint without Swagger UI, Redoc or Scalar available

3. If you're concerned about listing all endpoints - then you should also be concerned about MapOpenApi() calls

   • From a security standpoint all I can see is that it makes discovery of the endpoints a bit easier.
   • But if a user already has access to your application, then chances are a lot of your endpoints are already easily discoverable (e.g. in Blazor or angular client code, the api endpoints will be embedded, and it is also trivial to simply watch api requests in the browser dev tools network tab)
   • So hiding the OpenApi spec / UI seems to just be "security through obscurity"
     • I'm not saying there's no value in that (e.g. it may reduce attempts by low-skilled hackers), but it shouldn't be something we rely on as the core of our security efforts.

4. I can see a potential case for concerns about supply-chain attacks (e.g. if a malicious update were pushed to Swagger, it could potentially be used to access things such as authorization cookies, and damage would be limited by only enabling in environments without production data), but that is a general concern with all third-party code.

5. There may be some value in allowing certain power users to access the e.g. Swagger UI, so perhaps show an example of authorizing the Swagger UI / Redoc / Scalar / OpenAPI spec for certain users, or state more explicitly why you consider this to be a really bad idea.

So in summary, I'm suggesting:

1. Don't single out "Swagger UI" unless you have specific reasons that you consider it more risky than other Open API UIs

2. More clearly explain what the actual risks are

Page URL

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/openapi/using-openapi-documents?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/fundamentals/openapi/using-openapi-documents.md

Document ID

472b10ab-681b-f631-040d-025ef0a02329

Article author

@captainsafia

Metadata

• ID: 472b10ab-681b-f631-040d-025ef0a02329
• PlatformId: c973de58-a013-4aa0-ccef-0bd78e4749db
• Service: aspnet-core
• Sub-service: fundamentals

Related Issues

---

Associated WorkItem - 400564

[Rick-Anderson]

OpenAPI itself doesn't directly provide a UI, but it defines a standard for documenting APIs that tools like Swagger UI use to create interactive documentation.

The risk of Swagger UI in production apps is well know.
Using Swagger UI in production environments can introduce several security risks:

Increased Attack Surface: Swagger UI becomes an additional entry point that can be targeted by potential Denial-of-Service (DoS) attacks.

Information Exposure: Swagger UI exposes detailed documentation about your API endpoints, request/response structures, and data models, which can aid attackers in identifying vulnerabilities.

Injection Vulnerabilities: The exposed information in Swagger, including data formats and input validation details, can help attackers launch injection attacks like SQL injection or cross-site scripting (XSS).

Unauthorized Access Risks: Improper configuration of Swagger can result in unauthorized access to sensitive API endpoints or functionality.

if (app.Environment.IsDevelopment())
{
    app.MapOpenApi();
    app.MapScalarApiReference();
}

However, this recommendation is only highlighted for Swagger UI, even though ReDoc and Scalar are also mentioned.

Good point, I'll warn on them too.