Open asriz7777 opened 5 years ago
Project : FXABAC TEST
Template : ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 200
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmZmODk2Y2ItNTE0NS00N2M1LWJmYzctZGM5ZTJiNWZhYWVk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:25 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/personal-sign-up
Request :
{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Bode Group",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "marian.hickle@yahoo.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Lead Advertising Architect",
"location" : "Z1wERHW5",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "Z1wERHW5",
"password" : "Z1wERHW5",
"privileges" : [ "Z1wERHW5" ],
"username" : "eleanore.gulgowski",
"version" : ""
}
Response :
{
"requestId" : "None",
"requestTime" : "2019-03-20T10:44:25.797+0000",
"errors" : false,
"messages" : [ {
"type" : "INFO",
"key" : "",
"value" : "Sign-up successful!"
} ],
"data" : true,
"totalPages" : 0,
"totalElements" : 0
}
Logs :
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Yundt-Yundt",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "ken.jones@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "District Banking Director",
"location" : "zkUCO17C",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "zkUCO17C",
"password" : "zkUCO17C",
"username" : "alfonzo.borer",
"version" : ""
}]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:24.298+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDE4OGVmM2YtN2U2NC00YzgxLTg3MTctYmFjZDFiOWU1NDM1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Time [1237]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:44:24 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDE4OGVmM2YtN2U2NC00YzgxLTg3MTctYmFjZDFiOWU1NDM1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDE4OGVmM2YtN2U2NC00YzgxLTg3MTctYmFjZDFiOWU1NDM1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDE4OGVmM2YtN2U2NC00YzgxLTg3MTctYmFjZDFiOWU1NDM1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:24 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDE4OGVmM2YtN2U2NC00YzgxLTg3MTctYmFjZDFiOWU1NDM1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/personal-sign-up]
2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Bode Group",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "marian.hickle@yahoo.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Lead Advertising Architect",
"location" : "Z1wERHW5",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "Z1wERHW5",
"password" : "Z1wERHW5",
"privileges" : [ "Z1wERHW5" ],
"username" : "eleanore.gulgowski",
"version" : ""
}]
2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response [{
"requestId" : "None",
"requestTime" : "2019-03-20T10:44:25.797+0000",
"errors" : false,
"messages" : [ {
"type" : "INFO",
"key" : "",
"value" : "Sign-up successful!"
} ],
"data" : true,
"totalPages" : 0,
"totalElements" : 0
}]
2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmZmODk2Y2ItNTE0NS00N2M1LWJmYzctZGM5ZTJiNWZhYWVk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:25 GMT]}]
2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : StatusCode [200]
2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Time [1220]
2019-03-20 10:44:25 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Size [193]
2019-03-20 10:44:25 ERROR [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 200
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NThjYTVlNTAtZjU5NC00YmY2LWJmNDEtNWQ3ZGFiMTI0ODk2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:22 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/personal-sign-up
Request :
{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Kuvalis-Kuvalis",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "vince.dooley@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Internal IT Assistant",
"location" : "7kdli5iA",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "7kdli5iA",
"password" : "7kdli5iA",
"privileges" : [ "7kdli5iA" ],
"username" : "hyman.oconnell",
"version" : ""
}
Response :
{
"requestId" : "None",
"requestTime" : "2019-03-20T10:45:22.787+0000",
"errors" : false,
"messages" : [ {
"type" : "INFO",
"key" : "",
"value" : "Sign-up successful!"
} ],
"data" : true,
"totalPages" : 0,
"totalElements" : 0
}
Logs :
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Langosh LLC",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "chyna.runte@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Legal Specialist",
"location" : "ER6WIwpE",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "ER6WIwpE",
"password" : "ER6WIwpE",
"username" : "beaulah.torp",
"version" : ""
}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:20.842+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGI4MzhjZjAtOWM2MC00ODdmLTg0NjMtNzA4M2ViZGIzYmEy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Time [1117]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:45:20 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGI4MzhjZjAtOWM2MC00ODdmLTg0NjMtNzA4M2ViZGIzYmEy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGI4MzhjZjAtOWM2MC00ODdmLTg0NjMtNzA4M2ViZGIzYmEy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGI4MzhjZjAtOWM2MC00ODdmLTg0NjMtNzA4M2ViZGIzYmEy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGI4MzhjZjAtOWM2MC00ODdmLTg0NjMtNzA4M2ViZGIzYmEy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}]
2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/personal-sign-up]
2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Kuvalis-Kuvalis",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "vince.dooley@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Internal IT Assistant",
"location" : "7kdli5iA",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "7kdli5iA",
"password" : "7kdli5iA",
"privileges" : [ "7kdli5iA" ],
"username" : "hyman.oconnell",
"version" : ""
}]
2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response [{
"requestId" : "None",
"requestTime" : "2019-03-20T10:45:22.787+0000",
"errors" : false,
"messages" : [ {
"type" : "INFO",
"key" : "",
"value" : "Sign-up successful!"
} ],
"data" : true,
"totalPages" : 0,
"totalElements" : 0
}]
2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NThjYTVlNTAtZjU5NC00YmY2LWJmNDEtNWQ3ZGFiMTI0ODk2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:22 GMT]}]
2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : StatusCode [200]
2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Time [1748]
2019-03-20 10:45:22 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Size [193]
2019-03-20 10:45:22 ERROR [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 200
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDc2YzllMWEtMWY0Yi00NTg3LTgwZDctYjY3OGZiNGU4ZDQy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:38 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/personal-sign-up
Request :
{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Metz Group",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "roger.kovacek@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Dynamic Coordinator",
"location" : "KJuu1bZM",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "KJuu1bZM",
"password" : "KJuu1bZM",
"privileges" : [ "KJuu1bZM" ],
"username" : "claudie.dach",
"version" : ""
}
Response :
{
"requestId" : "None",
"requestTime" : "2019-03-20T10:46:39.289+0000",
"errors" : false,
"messages" : [ {
"type" : "INFO",
"key" : "",
"value" : "Sign-up successful!"
} ],
"data" : true,
"totalPages" : 0,
"totalElements" : 0
}
Logs :
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "O'Keefe Inc",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "rosetta.considine@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Advertising Director",
"location" : "5hDEwWFR",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "5hDEwWFR",
"password" : "5hDEwWFR",
"username" : "edwardo.quigley",
"version" : ""
}]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:36.174+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjQxMmJiY2QtYmE2ZS00YWY3LWI2ZGUtZjg2YTZhMmE0ZTYx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:35 GMT]}]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Time [1216]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:46:36 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjQxMmJiY2QtYmE2ZS00YWY3LWI2ZGUtZjg2YTZhMmE0ZTYx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:35 GMT]}]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjQxMmJiY2QtYmE2ZS00YWY3LWI2ZGUtZjg2YTZhMmE0ZTYx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:35 GMT]}]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjQxMmJiY2QtYmE2ZS00YWY3LWI2ZGUtZjg2YTZhMmE0ZTYx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:35 GMT]}]
2019-03-20 10:46:36 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjQxMmJiY2QtYmE2ZS00YWY3LWI2ZGUtZjg2YTZhMmE0ZTYx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:35 GMT]}]
2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/personal-sign-up]
2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Metz Group",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "roger.kovacek@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Dynamic Coordinator",
"location" : "KJuu1bZM",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "KJuu1bZM",
"password" : "KJuu1bZM",
"privileges" : [ "KJuu1bZM" ],
"username" : "claudie.dach",
"version" : ""
}]
2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response [{
"requestId" : "None",
"requestTime" : "2019-03-20T10:46:39.289+0000",
"errors" : false,
"messages" : [ {
"type" : "INFO",
"key" : "",
"value" : "Sign-up successful!"
} ],
"data" : true,
"totalPages" : 0,
"totalElements" : 0
}]
2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDc2YzllMWEtMWY0Yi00NTg3LTgwZDctYjY3OGZiNGU4ZDQy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:38 GMT]}]
2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : StatusCode [200]
2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Time [2824]
2019-03-20 10:46:39 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Size [193]
2019-03-20 10:46:39 ERROR [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab0f9761b20
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 200
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTE2MTcxYTgtMjg2MS00MmE1LTgxZjUtOWIyNjIwY2Q2M2Q1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:35 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/personal-sign-up
Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "VonRueden LLC", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "grady.howell@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Forward Banking Consultant", "location" : "QV1eyRUC", "modifiedBy" : "", "modifiedDate" : "", "name" : "QV1eyRUC", "password" : "QV1eyRUC", "privileges" : [ "QV1eyRUC" ], "username" : "juliana.schroeder", "version" : "" }
Response :
{ "requestId" : "None", "requestTime" : "2019-03-20T10:41:35.418+0000", "errors" : false, "messages" : [ { "type" : "INFO", "key" : "", "value" : "Sign-up successful!" } ], "data" : true, "totalPages" : 0, "totalElements" : 0 }
Logs :
2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Luettgen Group", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "clementina.mayert@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Technology Administrator", "location" : "bvBBXOwv", "modifiedBy" : "", "modifiedDate" : "", "name" : "bvBBXOwv", "password" : "bvBBXOwv", "username" : "lula.rau", "version" : "" }] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:33.683+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWI0MGNjOWMtYzViOC00NTgxLTgwZDUtYWMyNDUzNDAyMDg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Time [701] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1] : Size [141] 2019-03-20 10:41:33 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWI0MGNjOWMtYzViOC00NTgxLTgwZDUtYWMyNDUzNDAyMDg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWI0MGNjOWMtYzViOC00NTgxLTgwZDUtYWMyNDUzNDAyMDg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWI0MGNjOWMtYzViOC00NTgxLTgwZDUtYWMyNDUzNDAyMDg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWI0MGNjOWMtYzViOC00NTgxLTgwZDUtYWMyNDUzNDAyMDg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/personal-sign-up] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Method [POST] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "VonRueden LLC", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "grady.howell@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Forward Banking Consultant", "location" : "QV1eyRUC", "modifiedBy" : "", "modifiedDate" : "", "name" : "QV1eyRUC", "password" : "QV1eyRUC", "privileges" : [ "QV1eyRUC" ], "username" : "juliana.schroeder", "version" : "" }] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:41:35.418+0000", "errors" : false, "messages" : [ { "type" : "INFO", "key" : "", "value" : "Sign-up successful!" } ], "data" : true, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTE2MTcxYTgtMjg2MS00MmE1LTgxZjUtOWIyNjIwY2Q2M2Q1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:35 GMT]}] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : StatusCode [200] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Time [1312] 2019-03-20 10:41:35 DEBUG [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Size [193] 2019-03-20 10:41:35 ERROR [ApiV1UsersPersonalSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
--- FX Bot ---