Open AtifaFahmeen opened 5 years ago
Project : Demo App
Job : Default
Env : Default
Category : InvalidAuthSQL
Tags : [OWASP A1, [PCI DSS 3.0] 6.5.1, OTG-AUTHN-004, FX Top 10 - API Vulnerability, Non-Intrusive, Injection]
Severity : Major
Region : US_WEST_2
Result : fail
Status Code : 200
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 13 Feb 2019 08:08:27 GMT]}
Endpoint : http://54.215.136.217/api/v1/users/team-sign-up
Request : { "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Waelchi-Waelchi", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "marcel.trantow@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Customer Consulting Agent", "location" : "Fynf8dZQ", "modifiedBy" : "", "modifiedDate" : "", "name" : "Fynf8dZQ", "password" : "Fynf8dZQ", "username" : "jordon.sauer", "version" : "" }
Response : { "requestId" : "None", "requestTime" : "2019-02-13T08:08:27.062+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [Waelchi-Waelchi] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }
Logs : 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : URL [http://54.215.136.217/api/v1/users/team-sign-up] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Method [POST] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Waelchi-Waelchi", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "marcel.trantow@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Customer Consulting Agent", "location" : "Fynf8dZQ", "modifiedBy" : "", "modifiedDate" : "", "name" : "Fynf8dZQ", "password" : "Fynf8dZQ", "username" : "jordon.sauer", "version" : "" }] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Response [{ "requestId" : "None", "requestTime" : "2019-02-13T08:08:27.062+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [Waelchi-Waelchi] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 13 Feb 2019 08:08:27 GMT]}] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : StatusCode [200] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Time [1109] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Size [209] 2019-02-13 08:08:27 ERROR [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
--- FX Bot ---
Project : Demo App
Job : Default
Env : Default
Category : InvalidAuthSQL
Tags : [OWASP A1, [PCI DSS 3.0] 6.5.1, OTG-AUTHN-004, FX Top 10 - API Vulnerability, Non-Intrusive, Injection]
Severity : Major
Region : US_WEST_2
Result : fail
Status Code : 200
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 13 Feb 2019 08:08:27 GMT]}
Endpoint : http://54.215.136.217/api/v1/users/team-sign-up
Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Waelchi-Waelchi", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "marcel.trantow@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Customer Consulting Agent", "location" : "Fynf8dZQ", "modifiedBy" : "", "modifiedDate" : "", "name" : "Fynf8dZQ", "password" : "Fynf8dZQ", "username" : "jordon.sauer", "version" : "" }
Response :
{ "requestId" : "None", "requestTime" : "2019-02-13T08:08:27.062+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [Waelchi-Waelchi] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }
Logs :
2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : URL [http://54.215.136.217/api/v1/users/team-sign-up] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Method [POST] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Waelchi-Waelchi", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "marcel.trantow@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Customer Consulting Agent", "location" : "Fynf8dZQ", "modifiedBy" : "", "modifiedDate" : "", "name" : "Fynf8dZQ", "password" : "Fynf8dZQ", "username" : "jordon.sauer", "version" : "" }] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Request-Headers [{Content-Type=[application/json], Accept=[application/json]}] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Response [{ "requestId" : "None", "requestTime" : "2019-02-13T08:08:27.062+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [Waelchi-Waelchi] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 13 Feb 2019 08:08:27 GMT]}] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : StatusCode [200] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Time [1109] 2019-02-13 08:08:27 DEBUG [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Size [209] 2019-02-13 08:08:27 ERROR [ApiV1UsersTeamSignUpPostAuthInvalidSql] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
--- FX Bot ---