Open asriz7777 opened 5 years ago
Project : FXABAC TEST
Template : ApiV1OrgsPostOrguserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail (per the Logs below, the fail is raised by the setup step OrgCreateUserBInitHijack1, which asserted 200 or 201 and got 403, and by the cleanup DELETE on /api/v1/orgs/ with an empty id, which got 405; the hijack assertion on ApiV1OrgsPostOrguserbDisallowHijack1 itself passed with 403, the expected deny, so this run does not show an org hijack. The logged Request-Headers also carry a Basic Authorization value, which is only base64-encoded rather than protected; it should be redacted from the issue and the test account's credential rotated.)
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTJlZWYwNmEtMmIxMS00MzIwLWFjOTktMWU2MjQ5NGE5Mjdj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:24 GMT]}
Endpoint : http://13.56.210.25/api/v1/orgs
Request :
{
"billingEmail" : "hans.wolff@hotmail.com",
"company" : "Rogahn, Rogahn and Rogahn",
"createdBy" : "",
"createdDate" : "",
"description" : "Qywzaz1P",
"id" : "",
"inactive" : false,
"location" : "Qywzaz1P",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "Qywzaz1P",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:44:24.900+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}
Logs :
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "DzYtr9J3",
"company" : "Boyer-Boyer",
"createdBy" : "",
"createdDate" : "",
"description" : "DzYtr9J3",
"id" : "",
"inactive" : false,
"location" : "DzYtr9J3",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "DzYtr9J3",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:23.877+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTJiNDMzZmItZDgwNC00Yzc5LWFkNjgtNmU0NTlhNTcwZmVm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Time [982]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:44:23 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTJiNDMzZmItZDgwNC00Yzc5LWFkNjgtNmU0NTlhNTcwZmVm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTJiNDMzZmItZDgwNC00Yzc5LWFkNjgtNmU0NTlhNTcwZmVm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTJiNDMzZmItZDgwNC00Yzc5LWFkNjgtNmU0NTlhNTcwZmVm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTJiNDMzZmItZDgwNC00Yzc5LWFkNjgtNmU0NTlhNTcwZmVm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:24 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:24 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Method [POST]
2019-03-20 10:44:24 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Request [{
"billingEmail" : "hans.wolff@hotmail.com",
"company" : "Rogahn, Rogahn and Rogahn",
"createdBy" : "",
"createdDate" : "",
"description" : "Qywzaz1P",
"id" : "",
"inactive" : false,
"location" : "Qywzaz1P",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "Qywzaz1P",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}]
2019-03-20 10:44:24 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:24 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:24.900+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:24 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTJlZWYwNmEtMmIxMS00MzIwLWFjOTktMWU2MjQ5NGE5Mjdj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:24 GMT]}]
2019-03-20 10:44:24 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:44:24 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Time [920]
2019-03-20 10:44:24 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Size [121]
2019-03-20 10:44:24 INFO [ApiV1OrgsPostOrguserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
2019-03-20 10:44:25 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:44:25 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:44:25 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:44:25 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:25 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:44:25.678+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:44:25 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmNkZGYzM2ItZjYyNC00ZmQ5LTgwMmUtNzVhYjQyZGJiZmE5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:24 GMT]}]
2019-03-20 10:44:25 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:44:25 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [776]
2019-03-20 10:44:25 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:44:25 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1OrgsPostOrguserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWYyNmZkNTctOTIyNS00ZTFjLTg3ZjgtOThmZDYzZDAxMWYy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:50 GMT]}
Endpoint : http://13.56.210.25/api/v1/orgs
Request :
{
"billingEmail" : "ryder.hessel@hotmail.com",
"company" : "Sanford, Sanford and Sanford",
"createdBy" : "",
"createdDate" : "",
"description" : "asqRJ61m",
"id" : "",
"inactive" : false,
"location" : "asqRJ61m",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "asqRJ61m",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:44:50.824+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}
Logs :
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "7DuY7j03",
"company" : "Hirthe-Hirthe",
"createdBy" : "",
"createdDate" : "",
"description" : "7DuY7j03",
"id" : "",
"inactive" : false,
"location" : "7DuY7j03",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "7DuY7j03",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:49.582+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDFmZTVjMjUtZDUwYi00MjNhLWE5OTYtMjZjZDFkMzEwYjQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:49 GMT]}]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1] : Time [1113]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:44:49 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDFmZTVjMjUtZDUwYi00MjNhLWE5OTYtMjZjZDFkMzEwYjQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:49 GMT]}]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDFmZTVjMjUtZDUwYi00MjNhLWE5OTYtMjZjZDFkMzEwYjQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:49 GMT]}]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDFmZTVjMjUtZDUwYi00MjNhLWE5OTYtMjZjZDFkMzEwYjQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:49 GMT]}]
2019-03-20 10:44:49 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDFmZTVjMjUtZDUwYi00MjNhLWE5OTYtMjZjZDFkMzEwYjQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:49 GMT]}]
2019-03-20 10:44:50 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:50 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Method [POST]
2019-03-20 10:44:50 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Request [{
"billingEmail" : "ryder.hessel@hotmail.com",
"company" : "Sanford, Sanford and Sanford",
"createdBy" : "",
"createdDate" : "",
"description" : "asqRJ61m",
"id" : "",
"inactive" : false,
"location" : "asqRJ61m",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "asqRJ61m",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}]
2019-03-20 10:44:50 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:50 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:50.824+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:50 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWYyNmZkNTctOTIyNS00ZTFjLTg3ZjgtOThmZDYzZDAxMWYy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:50 GMT]}]
2019-03-20 10:44:50 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:44:50 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Time [1004]
2019-03-20 10:44:50 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Size [121]
2019-03-20 10:44:50 INFO [ApiV1OrgsPostOrguserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
2019-03-20 10:44:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:44:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:44:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:44:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:44:51.913+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:44:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2NjZDdiODEtYzQxNC00MmM0LTk4NWUtMTgwZTQ5MGNiOGY5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:51 GMT]}]
2019-03-20 10:44:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:44:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1088]
2019-03-20 10:44:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:44:51 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1OrgsPostOrguserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjZiMDliOWMtMTc2MC00MzlkLTllNGYtNmQ5ZjdiZDhhNDRk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:52 GMT]}
Endpoint : http://13.56.210.25/api/v1/orgs
Request :
{
"billingEmail" : "neva.carroll@yahoo.com",
"company" : "Johns, Johns and Johns",
"createdBy" : "",
"createdDate" : "",
"description" : "zPheyMSo",
"id" : "",
"inactive" : false,
"location" : "zPheyMSo",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "zPheyMSo",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:45:53.149+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}
Logs :
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "LMPT6sOq",
"company" : "Ratke, Ratke and Ratke",
"createdBy" : "",
"createdDate" : "",
"description" : "LMPT6sOq",
"id" : "",
"inactive" : false,
"location" : "LMPT6sOq",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "LMPT6sOq",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:51.130+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=N2M1MzlmMGQtZmI4OS00MWY3LTk3YTUtODdmODdmNDQyMTli; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:50 GMT]}]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1] : Time [1365]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:45:51 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=N2M1MzlmMGQtZmI4OS00MWY3LTk3YTUtODdmODdmNDQyMTli; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:50 GMT]}]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=N2M1MzlmMGQtZmI4OS00MWY3LTk3YTUtODdmODdmNDQyMTli; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:50 GMT]}]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=N2M1MzlmMGQtZmI4OS00MWY3LTk3YTUtODdmODdmNDQyMTli; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:50 GMT]}]
2019-03-20 10:45:51 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=N2M1MzlmMGQtZmI4OS00MWY3LTk3YTUtODdmODdmNDQyMTli; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:50 GMT]}]
2019-03-20 10:45:53 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:53 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Method [POST]
2019-03-20 10:45:53 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Request [{
"billingEmail" : "neva.carroll@yahoo.com",
"company" : "Johns, Johns and Johns",
"createdBy" : "",
"createdDate" : "",
"description" : "zPheyMSo",
"id" : "",
"inactive" : false,
"location" : "zPheyMSo",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "zPheyMSo",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}]
2019-03-20 10:45:53 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:53 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:53.149+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:53 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjZiMDliOWMtMTc2MC00MzlkLTllNGYtNmQ5ZjdiZDhhNDRk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:52 GMT]}]
2019-03-20 10:45:53 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:45:53 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Time [1905]
2019-03-20 10:45:53 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Size [121]
2019-03-20 10:45:53 INFO [ApiV1OrgsPostOrguserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
2019-03-20 10:45:55 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:45:55 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:45:55 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:45:55 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:55 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:45:55.417+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:45:55 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YWExOGMzYmEtMjE3Yi00NjY3LWJhYTctNTg1N2U4MDg3Yzhj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:54 GMT]}]
2019-03-20 10:45:55 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:45:55 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [2262]
2019-03-20 10:45:55 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:45:55 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1OrgsPostOrguserbDisallowHijack1
Run Id : 8a808011699a990101699ab0f9761b20
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmJjODUxZTUtZWQyMy00Mjc0LWFlOGUtYzY2YmMyNTBjMzQ3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}
Endpoint : http://13.56.210.25/api/v1/orgs
Request :
{ "billingEmail" : "wanda.fay@hotmail.com", "company" : "Schmidt LLC", "createdBy" : "", "createdDate" : "", "description" : "DkkkkFjd", "id" : "", "inactive" : false, "location" : "DkkkkFjd", "modifiedBy" : "", "modifiedDate" : "", "name" : "DkkkkFjd", "orgPlan" : "ENTERPRISE", "orgType" : "PERSONAL", "version" : "" }
Response :
{ "timestamp" : "2019-03-20T10:41:34.841+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs" }
Logs :
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1] : Request [{ "billingEmail" : "MpJ9Ojnp", "company" : "Welch-Welch", "createdBy" : "", "createdDate" : "", "description" : "MpJ9Ojnp", "id" : "", "inactive" : false, "location" : "MpJ9Ojnp", "modifiedBy" : "", "modifiedDate" : "", "name" : "MpJ9Ojnp", "orgPlan" : "TEAM", "orgType" : "ENTERPRISE", "version" : "" }]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:34.235+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs" }]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Mzc5YjVmMjEtYjgyOS00OGFmLTg4NDgtMThmYzYyMDU2NDIw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1] : Time [1418]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:41:34 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Mzc5YjVmMjEtYjgyOS00OGFmLTg4NDgtMThmYzYyMDU2NDIw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Mzc5YjVmMjEtYjgyOS00OGFmLTg4NDgtMThmYzYyMDU2NDIw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Mzc5YjVmMjEtYjgyOS00OGFmLTg4NDgtMThmYzYyMDU2NDIw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}]
2019-03-20 10:41:34 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Mzc5YjVmMjEtYjgyOS00OGFmLTg4NDgtMThmYzYyMDU2NDIw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}]
2019-03-20 10:41:34 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:41:34 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Method [POST]
2019-03-20 10:41:34 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Request [{ "billingEmail" : "wanda.fay@hotmail.com", "company" : "Schmidt LLC", "createdBy" : "", "createdDate" : "", "description" : "DkkkkFjd", "id" : "", "inactive" : false, "location" : "DkkkkFjd", "modifiedBy" : "", "modifiedDate" : "", "name" : "DkkkkFjd", "orgPlan" : "ENTERPRISE", "orgType" : "PERSONAL", "version" : "" }]
2019-03-20 10:41:34 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:34 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:34.841+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs" }]
2019-03-20 10:41:34 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmJjODUxZTUtZWQyMy00Mjc0LWFlOGUtYzY2YmMyNTBjMzQ3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}]
2019-03-20 10:41:34 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:41:34 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Time [495]
2019-03-20 10:41:34 DEBUG [ApiV1OrgsPostOrguserbDisallowHijack1] : Size [121]
2019-03-20 10:41:34 INFO [ApiV1OrgsPostOrguserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{ "timestamp" : "2019-03-20T10:41:35.538+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/orgs/" }]
2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2JjNTNmYjYtZjgwYy00ODlhLThlZDItNzc1YmJkNjVjMjg0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:35 GMT]}]
2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [694]
2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:41:35 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---