asriz7777 / FX-Scripts-Functional


NET BANKING APP : ApiV1SavingsTransactionPostSavingstransactionuserbDisallowAbact7 #145

Open asriz7777 opened 5 years ago

asriz7777 commented 5 years ago

Project : NET BANKING APP

Job : Default

Env : Default

Category : ABAC_Level7

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 200

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWZmMmFlOGEtYzZhNi00MmQwLWE0NzctN2QyNGQ2ZWFkY2E1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:18 GMT]}

Endpoint : http://54.215.136.217/api/v1/savings-transaction

Request :
{ "amount" : "2791", "availableBalance" : "1158260499", "createdBy" : "", "createdDate" : "", "description" : "jG6QqGvH", "id" : "8a80808d68e7215e01690e2f7eea113a", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "jG6QqGvH", "type" : "jG6QqGvH", "users" : "false", "version" : "" }

Response :
{ "requestId" : "None", "requestTime" : "2019-02-21T03:53:19.364+0000", "errors" : false, "messages" : [ ], "data" : { "id" : "8a80808d68e7215e01690e2f7eea113a", "createdBy" : "", "createdDate" : null, "modifiedBy" : "8a8080236827ecb8016827ff44ad0000", "modifiedDate" : "2019-02-21T03:53:19.362+0000", "version" : null, "inactive" : false, "description" : "jG6QqGvH", "type" : "jG6QqGvH", "status" : "jG6QqGvH", "amount" : 2791.0, "availableBalance" : 1158260499, "user" : null }, "totalPages" : 0, "totalElements" : 0 }

Logs :
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7] : URL [http://54.215.136.217/api/v1/users/enterprise-sign-up]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7] : Method [POST]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Connelly, Connelly and Connelly", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "buster.schuppe@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Forward Accounting Analyst", "location" : "2tbVvOWH", "modifiedBy" : "", "modifiedDate" : "", "name" : "2tbVvOWH", "password" : "2tbVvOWH", "privileges" : [ ], "username" : "lilyan.parker", "version" : "" }]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckJAb25saW5lc3VwcG9ydC5pbzphZG1pbjEyMyQ=]}]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7] : Response [{ "requestId" : "None", "requestTime" : "2019-02-21T03:53:06.369+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [Connelly, Connelly and Connelly] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YTEyNWZmOTUtODZhNC00OTg3LTlmYWYtOTRkOGQ3YjJkMzAw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:05 GMT]}]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7] : StatusCode [200]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7] : Time [2972]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7] : Size [225]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YTEyNWZmOTUtODZhNC00OTg3LTlmYWYtOTRkOGQ3YjJkMzAw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:05 GMT]}]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YTEyNWZmOTUtODZhNC00OTg3LTlmYWYtOTRkOGQ3YjJkMzAw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:05 GMT]}]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YTEyNWZmOTUtODZhNC00OTg3LTlmYWYtOTRkOGQ3YjJkMzAw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:05 GMT]}]
2019-02-21 03:53:06 DEBUG [UsersCreateUserBInitAbact7_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YTEyNWZmOTUtODZhNC00OTg3LTlmYWYtOTRkOGQ3YjJkMzAw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:05 GMT]}]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7] : URL [http://54.215.136.217/api/v1/savings-transaction]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7] : Method [POST]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7] : Request [{ "amount" : "6908", "availableBalance" : "1352727713", "createdBy" : "", "createdDate" : "", "description" : "J4hfdSuf", "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "J4hfdSuf", "type" : "J4hfdSuf", "users" : "false", "version" : "" }]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckJAb25saW5lc3VwcG9ydC5pbzphZG1pbjEyMyQ=]}]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7] : Response [{ "requestId" : "None", "requestTime" : "2019-02-21T03:53:07.563+0000", "errors" : false, "messages" : [ ], "data" : { "id" : "8a80808d68e7215e01690e2f7eea113a", "createdBy" : "8a8080236827ecb8016827ff44ad0000", "createdDate" : "2019-02-21T03:53:07.562+0000", "modifiedBy" : "8a8080236827ecb8016827ff44ad0000", "modifiedDate" : "2019-02-21T03:53:07.562+0000", "version" : null, "inactive" : false, "description" : "J4hfdSuf", "type" : "J4hfdSuf", "status" : "J4hfdSuf", "amount" : 6908.0, "availableBalance" : 1352727713, "user" : null }, "totalPages" : 0, "totalElements" : 0 }]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzgzYWVmOGItYjA0Mi00OTM4LTk4NzEtODU2YzMyNzJiOWQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:06 GMT]}]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7] : StatusCode [200]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7] : Time [1151]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7] : Size [515]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzgzYWVmOGItYjA0Mi00OTM4LTk4NzEtODU2YzMyNzJiOWQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:06 GMT]}]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzgzYWVmOGItYjA0Mi00OTM4LTk4NzEtODU2YzMyNzJiOWQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:06 GMT]}]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzgzYWVmOGItYjA0Mi00OTM4LTk4NzEtODU2YzMyNzJiOWQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:06 GMT]}]
2019-02-21 03:53:07 DEBUG [SavingsTransactionCreateUserBInitAbact7_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzgzYWVmOGItYjA0Mi00OTM4LTk4NzEtODU2YzMyNzJiOWQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:06 GMT]}]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7] : URL [http://54.215.136.217/api/v1/users/enterprise-sign-up]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7] : Method [POST]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Eichmann, Eichmann and Eichmann", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "brandy.kilback@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Central Hospitality Strategist", "location" : "ysXS6knw", "modifiedBy" : "", "modifiedDate" : "", "name" : "ysXS6knw", "password" : "ysXS6knw", "privileges" : [ ], "username" : "ernestine.jones", "version" : "" }]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckJAb25saW5lc3VwcG9ydC5pbzphZG1pbjEyMyQ=]}]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7] : Response [{ "requestId" : "None", "requestTime" : "2019-02-21T03:53:17.972+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Org name [Eichmann, Eichmann and Eichmann] exists." } ], "data" : false, "totalPages" : 0, "totalElements" : 0 }]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDYwZjVkOTQtNTY4Yy00NjkwLWI0N2QtOGQyZTJmYjQyNjZh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:17 GMT]}]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7] : StatusCode [200]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7] : Time [3027]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7] : Size [225]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDYwZjVkOTQtNTY4Yy00NjkwLWI0N2QtOGQyZTJmYjQyNjZh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:17 GMT]}]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDYwZjVkOTQtNTY4Yy00NjkwLWI0N2QtOGQyZTJmYjQyNjZh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:17 GMT]}]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDYwZjVkOTQtNTY4Yy00NjkwLWI0N2QtOGQyZTJmYjQyNjZh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:17 GMT]}]
2019-02-21 03:53:18 DEBUG [UsersCreateUserAInitAbact7_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDYwZjVkOTQtNTY4Yy00NjkwLWI0N2QtOGQyZTJmYjQyNjZh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:17 GMT]}]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionPostSavingstransactionuserbDisallowAbact7] : URL [http://54.215.136.217/api/v1/savings-transaction]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionPostSavingstransactionuserbDisallowAbact7] : Method [POST]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionPostSavingstransactionuserbDisallowAbact7] : Request [{ "amount" : "2791", "availableBalance" : "1158260499", "createdBy" : "", "createdDate" : "", "description" : "jG6QqGvH", "id" : "8a80808d68e7215e01690e2f7eea113a", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "status" : "jG6QqGvH", "type" : "jG6QqGvH", "users" : "false", "version" : "" }]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionPostSavingstransactionuserbDisallowAbact7] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckJAb25saW5lc3VwcG9ydC5pbzphZG1pbjEyMyQ=]}]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionPostSavingstransactionuserbDisallowAbact7] : Response [{ "requestId" : "None", "requestTime" : "2019-02-21T03:53:19.364+0000", "errors" : false, "messages" : [ ], "data" : { "id" : "8a80808d68e7215e01690e2f7eea113a", "createdBy" : "", "createdDate" : null, "modifiedBy" : "8a8080236827ecb8016827ff44ad0000", "modifiedDate" : "2019-02-21T03:53:19.362+0000", "version" : null, "inactive" : false, "description" : "jG6QqGvH", "type" : "jG6QqGvH", "status" : "jG6QqGvH", "amount" : 2791.0, "availableBalance" : 1158260499, "user" : null }, "totalPages" : 0, "totalElements" : 0 }]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionPostSavingstransactionuserbDisallowAbact7] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWZmMmFlOGEtYzZhNi00MmQwLWE0NzctN2QyNGQ2ZWFkY2E1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:18 GMT]}]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionPostSavingstransactionuserbDisallowAbact7] : StatusCode [200]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionPostSavingstransactionuserbDisallowAbact7] : Time [1381]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionPostSavingstransactionuserbDisallowAbact7] : Size [457]
2019-02-21 03:53:19 ERROR [ApiV1SavingsTransactionPostSavingstransactionuserbDisallowAbact7] : Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [200 == 401 OR 200 == 403 OR false == true] result [Failed]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionIdDeleteSavingstransactionabac7] : URL [http://54.215.136.217/api/v1/savings-transaction/8a80808d68e7215e01690e2f7eea113a]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionIdDeleteSavingstransactionabac7] : Method [DELETE]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionIdDeleteSavingstransactionabac7] : Request [null]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionIdDeleteSavingstransactionabac7] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckJAb25saW5lc3VwcG9ydC5pbzphZG1pbjEyMyQ=]}]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionIdDeleteSavingstransactionabac7] : Response [{ "requestId" : "None", "requestTime" : "2019-02-21T03:53:19.711+0000", "errors" : false, "messages" : [ ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionIdDeleteSavingstransactionabac7] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MzI4YWJmMTMtMWJmMi00OTk5LTllY2ItMjBlNDYzNDBmMjE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Thu, 21 Feb 2019 03:53:19 GMT]}]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionIdDeleteSavingstransactionabac7] : StatusCode [200]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionIdDeleteSavingstransactionabac7] : Time [346]
2019-02-21 03:53:19 DEBUG [ApiV1SavingsTransactionIdDeleteSavingstransactionabac7] : Size [139]
2019-02-21 03:53:19 INFO [null] : Assertion [@StatusCode == 200] resolved-to [200 == 200] result [Passed]

--- FX Bot ---