Vulnerability [Hijack_Level1] : POST:/api/v1/users/personal-sign-up

[asriz7777]

Project : FXABAC TEST

Template : ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1

Run Id : 8a808011699a990101699ab0f9761b20

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 200

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTE2MTcxYTgtMjg2MS00MmE1LTgxZjUtOWIyNjIwY2Q2M2Q1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:35 GMT]}

Endpoint : http://13.56.210.25/api/v1/users/personal-sign-up

Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "VonRueden LLC", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "grady.howell@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Forward Banking Consultant", "location" : "QV1eyRUC", "modifiedBy" : "", "modifiedDate" : "", "name" : "QV1eyRUC", "password" : "QV1eyRUC", "privileges" : [ "QV1eyRUC" ], "username" : "juliana.schroeder", "version" : "" }

Response :
{ "requestId" : "None", "requestTime" : "2019-03-20T10:41:35.418+0000", "errors" : false, "messages" : [ { "type" : "INFO", "key" : "", "value" : "Sign-up successful!" } ], "data" : true, "totalPages" : 0, "totalElements" : 0 }

Logs :
2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Luettgen Group", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "clementina.mayert@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Technology Administrator", "location" : "bvBBXOwv", "modifiedBy" : "", "modifiedDate" : "", "name" : "bvBBXOwv", "password" : "bvBBXOwv", "username" : "lula.rau", "version" : "" }] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:33.683+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWI0MGNjOWMtYzViOC00NTgxLTgwZDUtYWMyNDUzNDAyMDg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Time [701] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Size [141] 2019-03-20 10:41:33 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWI0MGNjOWMtYzViOC00NTgxLTgwZDUtYWMyNDUzNDAyMDg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWI0MGNjOWMtYzViOC00NTgxLTgwZDUtYWMyNDUzNDAyMDg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWI0MGNjOWMtYzViOC00NTgxLTgwZDUtYWMyNDUzNDAyMDg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWI0MGNjOWMtYzViOC00NTgxLTgwZDUtYWMyNDUzNDAyMDg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/personal-sign-up] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Method [POST] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "VonRueden LLC", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "grady.howell@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Forward Banking Consultant", "location" : "QV1eyRUC", "modifiedBy" : "", "modifiedDate" : "", "name" : "QV1eyRUC", "password" : "QV1eyRUC", "privileges" : [ "QV1eyRUC" ], "username" : "juliana.schroeder", "version" : "" }] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:41:35.418+0000", "errors" : false, "messages" : [ { "type" : "INFO", "key" : "", "value" : "Sign-up successful!" } ], "data" : true, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTE2MTcxYTgtMjg2MS00MmE1LTgxZjUtOWIyNjIwY2Q2M2Q1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:35 GMT]}] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : StatusCode [200] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Time [1312] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Size [193] 2019-03-20 10:41:35 ERROR [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]

--- FX Bot ---

[asriz7777]

Project : FXABAC TEST

Template : ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1

Run Id : 8a808011699a990101699ab3901a2277

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 200

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmZmODk2Y2ItNTE0NS00N2M1LWJmYzctZGM5ZTJiNWZhYWVk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:25 GMT]}

Endpoint : http://13.56.210.25/api/v1/users/personal-sign-up

Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Bode Group", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "marian.hickle@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Lead Advertising Architect", "location" : "Z1wERHW5", "modifiedBy" : "", "modifiedDate" : "", "name" : "Z1wERHW5", "password" : "Z1wERHW5", "privileges" : [ "Z1wERHW5" ], "username" : "eleanore.gulgowski", "version" : "" }

Response :
{ "requestId" : "None", "requestTime" : "2019-03-20T10:44:25.797+0000", "errors" : false, "messages" : [ { "type" : "INFO", "key" : "", "value" : "Sign-up successful!" } ], "data" : true, "totalPages" : 0, "totalElements" : 0 }

Logs :
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Yundt-Yundt", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "ken.jones@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "District Banking Director", "location" : "zkUCO17C", "modifiedBy" : "", "modifiedDate" : "", "name" : "zkUCO17C", "password" : "zkUCO17C", "username" : "alfonzo.borer", "version" : "" }] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:44:24.298+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDE4OGVmM2YtN2U2NC00YzgxLTg3MTctYmFjZDFiOWU1NDM1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Time [1237] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Size [141] 2019-03-20 10:44:24 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDE4OGVmM2YtN2U2NC00YzgxLTg3MTctYmFjZDFiOWU1NDM1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDE4OGVmM2YtN2U2NC00YzgxLTg3MTctYmFjZDFiOWU1NDM1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDE4OGVmM2YtN2U2NC00YzgxLTg3MTctYmFjZDFiOWU1NDM1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}] 2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDE4OGVmM2YtN2U2NC00YzgxLTg3MTctYmFjZDFiOWU1NDM1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}] 2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/personal-sign-up] 2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Method [POST] 2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Bode Group", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "marian.hickle@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Lead Advertising Architect", "location" : "Z1wERHW5", "modifiedBy" : "", "modifiedDate" : "", "name" : "Z1wERHW5", "password" : "Z1wERHW5", "privileges" : [ "Z1wERHW5" ], "username" : "eleanore.gulgowski", "version" : "" }] 2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:44:25.797+0000", "errors" : false, "messages" : [ { "type" : "INFO", "key" : "", "value" : "Sign-up successful!" } ], "data" : true, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmZmODk2Y2ItNTE0NS00N2M1LWJmYzctZGM5ZTJiNWZhYWVk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:25 GMT]}] 2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : StatusCode [200] 2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Time [1220] 2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Size [193] 2019-03-20 10:44:25 ERROR [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]

--- FX Bot ---

[asriz7777]

Project : FXABAC TEST

Template : ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1

Run Id : 8a808011699a990101699ab3901a2277

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 200

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NThjYTVlNTAtZjU5NC00YmY2LWJmNDEtNWQ3ZGFiMTI0ODk2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:22 GMT]}

Endpoint : http://13.56.210.25/api/v1/users/personal-sign-up

Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Kuvalis-Kuvalis", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "vince.dooley@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Internal IT Assistant", "location" : "7kdli5iA", "modifiedBy" : "", "modifiedDate" : "", "name" : "7kdli5iA", "password" : "7kdli5iA", "privileges" : [ "7kdli5iA" ], "username" : "hyman.oconnell", "version" : "" }

Response :
{ "requestId" : "None", "requestTime" : "2019-03-20T10:45:22.787+0000", "errors" : false, "messages" : [ { "type" : "INFO", "key" : "", "value" : "Sign-up successful!" } ], "data" : true, "totalPages" : 0, "totalElements" : 0 }

Logs :
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Langosh LLC", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "chyna.runte@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Legal Specialist", "location" : "ER6WIwpE", "modifiedBy" : "", "modifiedDate" : "", "name" : "ER6WIwpE", "password" : "ER6WIwpE", "username" : "beaulah.torp", "version" : "" }] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:45:20.842+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGI4MzhjZjAtOWM2MC00ODdmLTg0NjMtNzA4M2ViZGIzYmEy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Time [1117] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Size [141] 2019-03-20 10:45:20 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGI4MzhjZjAtOWM2MC00ODdmLTg0NjMtNzA4M2ViZGIzYmEy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGI4MzhjZjAtOWM2MC00ODdmLTg0NjMtNzA4M2ViZGIzYmEy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGI4MzhjZjAtOWM2MC00ODdmLTg0NjMtNzA4M2ViZGIzYmEy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}] 2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGI4MzhjZjAtOWM2MC00ODdmLTg0NjMtNzA4M2ViZGIzYmEy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}] 2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/personal-sign-up] 2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Method [POST] 2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Kuvalis-Kuvalis", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "vince.dooley@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Internal IT Assistant", "location" : "7kdli5iA", "modifiedBy" : "", "modifiedDate" : "", "name" : "7kdli5iA", "password" : "7kdli5iA", "privileges" : [ "7kdli5iA" ], "username" : "hyman.oconnell", "version" : "" }] 2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:45:22.787+0000", "errors" : false, "messages" : [ { "type" : "INFO", "key" : "", "value" : "Sign-up successful!" } ], "data" : true, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NThjYTVlNTAtZjU5NC00YmY2LWJmNDEtNWQ3ZGFiMTI0ODk2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:22 GMT]}] 2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : StatusCode [200] 2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Time [1748] 2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Size [193] 2019-03-20 10:45:22 ERROR [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]

--- FX Bot ---

[asriz7777]

Project : FXABAC TEST

Template : ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1

Run Id : 8a808011699a990101699ab3901a2277

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 200

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDc2YzllMWEtMWY0Yi00NTg3LTgwZDctYjY3OGZiNGU4ZDQy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:38 GMT]}

Endpoint : http://13.56.210.25/api/v1/users/personal-sign-up

Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Metz Group", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "roger.kovacek@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Dynamic Coordinator", "location" : "KJuu1bZM", "modifiedBy" : "", "modifiedDate" : "", "name" : "KJuu1bZM", "password" : "KJuu1bZM", "privileges" : [ "KJuu1bZM" ], "username" : "claudie.dach", "version" : "" }

Response :
{ "requestId" : "None", "requestTime" : "2019-03-20T10:46:39.289+0000", "errors" : false, "messages" : [ { "type" : "INFO", "key" : "", "value" : "Sign-up successful!" } ], "data" : true, "totalPages" : 0, "totalElements" : 0 }

Logs :
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "O'Keefe Inc", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "rosetta.considine@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Advertising Director", "location" : "5hDEwWFR", "modifiedBy" : "", "modifiedDate" : "", "name" : "5hDEwWFR", "password" : "5hDEwWFR", "username" : "edwardo.quigley", "version" : "" }] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:46:36.174+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjQxMmJiY2QtYmE2ZS00YWY3LWI2ZGUtZjg2YTZhMmE0ZTYx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:35 GMT]}] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Time [1216] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Size [141] 2019-03-20 10:46:36 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjQxMmJiY2QtYmE2ZS00YWY3LWI2ZGUtZjg2YTZhMmE0ZTYx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:35 GMT]}] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjQxMmJiY2QtYmE2ZS00YWY3LWI2ZGUtZjg2YTZhMmE0ZTYx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:35 GMT]}] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjQxMmJiY2QtYmE2ZS00YWY3LWI2ZGUtZjg2YTZhMmE0ZTYx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:35 GMT]}] 2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjQxMmJiY2QtYmE2ZS00YWY3LWI2ZGUtZjg2YTZhMmE0ZTYx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:35 GMT]}] 2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/personal-sign-up] 2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Method [POST] 2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Metz Group", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "roger.kovacek@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Dynamic Coordinator", "location" : "KJuu1bZM", "modifiedBy" : "", "modifiedDate" : "", "name" : "KJuu1bZM", "password" : "KJuu1bZM", "privileges" : [ "KJuu1bZM" ], "username" : "claudie.dach", "version" : "" }] 2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:46:39.289+0000", "errors" : false, "messages" : [ { "type" : "INFO", "key" : "", "value" : "Sign-up successful!" } ], "data" : true, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDc2YzllMWEtMWY0Yi00NTg3LTgwZDctYjY3OGZiNGU4ZDQy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:38 GMT]}] 2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : StatusCode [200] 2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Time [2824] 2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Size [193] 2019-03-20 10:46:39 ERROR [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]

--- FX Bot ---