Open asriz7777 opened 5 years ago
Project : FXABAC TEST
Template : ApiV1SkillsPutSkilluserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
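Result : fail
Status Code : 400
Note : The 400 is a JSON parse error on the "org" field (sent as an empty string), not an authorization decision, so the failed 401/403 assertion does not by itself show that access control is missing. The setup steps in the log also failed (org creation returned 403, skill creation returned 400), and the UserA and UserB steps carry the same Authorization header, so the check never ran against a second user's resource.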
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTdkYzBmODUtZDI5Ny00MGI0LTgwN2UtM2NhZWRlNWMzZGE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:24 GMT]}
Endpoint : http://13.56.210.25/api/v1/skills
Request :
{
"accessKey" : "y0x2GQMg",
"createdBy" : "",
"createdDate" : "",
"description" : "y0x2GQMg",
"host" : "y0x2GQMg",
"id" : "",
"inactive" : false,
"key" : "y0x2GQMg",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "y0x2GQMg",
"opts" : [ {
"id" : "",
"label" : "y0x2GQMg",
"mandatory" : false,
"value" : "y0x2GQMg"
} ],
"org" : "",
"prop1" : "y0x2GQMg",
"prop2" : "y0x2GQMg",
"prop3" : "y0x2GQMg",
"prop4" : "y0x2GQMg",
"prop5" : "y0x2GQMg",
"secretKey" : "y0x2GQMg",
"skillType" : "VERSION_CONTROL",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:44:25.590+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}
Logs :
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "jPXGGG0o",
"company" : "Daniel Group",
"createdBy" : "",
"createdDate" : "",
"description" : "jPXGGG0o",
"id" : "",
"inactive" : false,
"location" : "jPXGGG0o",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "jPXGGG0o",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:23.066+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjMxOWViMGEtNzk0ZC00YWM2LThlZjItOGI1ODBjMGRkNjAw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:22 GMT]}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Time [555]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:44:23 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjMxOWViMGEtNzk0ZC00YWM2LThlZjItOGI1ODBjMGRkNjAw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:22 GMT]}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjMxOWViMGEtNzk0ZC00YWM2LThlZjItOGI1ODBjMGRkNjAw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:22 GMT]}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjMxOWViMGEtNzk0ZC00YWM2LThlZjItOGI1ODBjMGRkNjAw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:22 GMT]}]
2019-03-20 10:44:23 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjMxOWViMGEtNzk0ZC00YWM2LThlZjItOGI1ODBjMGRkNjAw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:22 GMT]}]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/skills]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1] : Request [{
"accessKey" : "MmnOKpHa",
"createdBy" : "",
"createdDate" : "",
"description" : "MmnOKpHa",
"host" : "MmnOKpHa",
"id" : "",
"inactive" : false,
"key" : "MmnOKpHa",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "MmnOKpHa",
"org" : "",
"prop1" : "MmnOKpHa",
"prop2" : "MmnOKpHa",
"prop3" : "MmnOKpHa",
"prop4" : "MmnOKpHa",
"prop5" : "MmnOKpHa",
"secretKey" : "MmnOKpHa",
"skillType" : "BOT_DEPLOYMENT",
"version" : ""
}]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:24.263+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 13, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDJjMTZiMGItOGNlOC00NTU3LWJiZjQtYWY5YTZkMTZlZDMy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1] : StatusCode [400]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1] : Time [1197]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1] : Size [716]
2019-03-20 10:44:24 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDJjMTZiMGItOGNlOC00NTU3LWJiZjQtYWY5YTZkMTZlZDMy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDJjMTZiMGItOGNlOC00NTU3LWJiZjQtYWY5YTZkMTZlZDMy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDJjMTZiMGItOGNlOC00NTU3LWJiZjQtYWY5YTZkMTZlZDMy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:24 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDJjMTZiMGItOGNlOC00NTU3LWJiZjQtYWY5YTZkMTZlZDMy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:23 GMT]}]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1] : Request [{
"billingEmail" : "Oz468NoE",
"company" : "West-West",
"createdBy" : "",
"createdDate" : "",
"description" : "Oz468NoE",
"id" : "",
"inactive" : false,
"location" : "Oz468NoE",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "Oz468NoE",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:24.908+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OThkZTcyYjItYjQ0Zi00NzkxLThjN2UtYTkxZjYwYWJkYTQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:24 GMT]}]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1] : Time [591]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1] : Size [121]
2019-03-20 10:44:24 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OThkZTcyYjItYjQ0Zi00NzkxLThjN2UtYTkxZjYwYWJkYTQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:24 GMT]}]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OThkZTcyYjItYjQ0Zi00NzkxLThjN2UtYTkxZjYwYWJkYTQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:24 GMT]}]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OThkZTcyYjItYjQ0Zi00NzkxLThjN2UtYTkxZjYwYWJkYTQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:24 GMT]}]
2019-03-20 10:44:24 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OThkZTcyYjItYjQ0Zi00NzkxLThjN2UtYTkxZjYwYWJkYTQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:24 GMT]}]
2019-03-20 10:44:25 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/skills]
2019-03-20 10:44:25 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Method [PUT]
2019-03-20 10:44:25 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Request [{
"accessKey" : "y0x2GQMg",
"createdBy" : "",
"createdDate" : "",
"description" : "y0x2GQMg",
"host" : "y0x2GQMg",
"id" : "",
"inactive" : false,
"key" : "y0x2GQMg",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "y0x2GQMg",
"opts" : [ {
"id" : "",
"label" : "y0x2GQMg",
"mandatory" : false,
"value" : "y0x2GQMg"
} ],
"org" : "",
"prop1" : "y0x2GQMg",
"prop2" : "y0x2GQMg",
"prop3" : "y0x2GQMg",
"prop4" : "y0x2GQMg",
"prop5" : "y0x2GQMg",
"secretKey" : "y0x2GQMg",
"skillType" : "VERSION_CONTROL",
"version" : ""
}]
2019-03-20 10:44:25 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:25 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:25.590+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}]
2019-03-20 10:44:25 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTdkYzBmODUtZDI5Ny00MGI0LTgwN2UtM2NhZWRlNWMzZGE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:24 GMT]}]
2019-03-20 10:44:25 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : StatusCode [400]
2019-03-20 10:44:25 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Time [679]
2019-03-20 10:44:25 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Size [716]
2019-03-20 10:44:25 ERROR [ApiV1SkillsPutSkilluserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed]
2019-03-20 10:44:26 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : URL [http://13.56.210.25/api/v1/skills/]
2019-03-20 10:44:26 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Method [DELETE]
2019-03-20 10:44:26 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request [null]
2019-03-20 10:44:26 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:26 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response [{
"timestamp" : "2019-03-20T10:44:26.027+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/skills/"
}]
2019-03-20 10:44:26 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response-Headers [{Allow=[GET, POST, PUT], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzMwZjU1ZjQtZGEwOS00M2E5LTgxZWUtMWFkMDI5ZDg4YTJk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:25 GMT]}]
2019-03-20 10:44:26 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : StatusCode [405]
2019-03-20 10:44:26 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Time [454]
2019-03-20 10:44:26 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Size [161]
2019-03-20 10:44:26 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
2019-03-20 10:44:26 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:44:26 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:44:26 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:44:26 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:26 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:44:26.508+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:44:26 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmM2YTVlZDQtYmY5Zi00ZjU5LWE1NTUtOGNiYzlkY2MxZjY1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:25 GMT]}]
2019-03-20 10:44:26 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:44:26 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [462]
2019-03-20 10:44:26 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:44:26 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1SkillsPutSkilluserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
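Result : fail
Status Code : 400
Note : As in the response below, the 400 comes from deserializing the empty-string "org" field rather than from an access-control check; the org and skill setup steps in this run's log also failed their 200/201 assertions, so this result reflects a malformed test request rather than a confirmed authorization gap.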
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmJmYWE4ODgtZDRlYi00NTUwLWE5NzItNDQwMDgzZWQ3NjRh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:13 GMT]}
Endpoint : http://13.56.210.25/api/v1/skills
Request :
{
"accessKey" : "NLuT0fG0",
"createdBy" : "",
"createdDate" : "",
"description" : "NLuT0fG0",
"host" : "NLuT0fG0",
"id" : "",
"inactive" : false,
"key" : "NLuT0fG0",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "NLuT0fG0",
"opts" : [ {
"id" : "",
"label" : "NLuT0fG0",
"mandatory" : false,
"value" : "NLuT0fG0"
} ],
"org" : "",
"prop1" : "NLuT0fG0",
"prop2" : "NLuT0fG0",
"prop3" : "NLuT0fG0",
"prop4" : "NLuT0fG0",
"prop5" : "NLuT0fG0",
"secretKey" : "NLuT0fG0",
"skillType" : "VERSION_CONTROL",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:45:13.962+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}
Logs :
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "ljFRuWgk",
"company" : "Rippin-Rippin",
"createdBy" : "",
"createdDate" : "",
"description" : "ljFRuWgk",
"id" : "",
"inactive" : false,
"location" : "ljFRuWgk",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "ljFRuWgk",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:10.037+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q5ZGVhNzUtMTMyMC00MjViLTliMDItMDhmYTRkNjk5MGJj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:09 GMT]}]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1] : Time [1288]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:45:10 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q5ZGVhNzUtMTMyMC00MjViLTliMDItMDhmYTRkNjk5MGJj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:09 GMT]}]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q5ZGVhNzUtMTMyMC00MjViLTliMDItMDhmYTRkNjk5MGJj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:09 GMT]}]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q5ZGVhNzUtMTMyMC00MjViLTliMDItMDhmYTRkNjk5MGJj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:09 GMT]}]
2019-03-20 10:45:10 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q5ZGVhNzUtMTMyMC00MjViLTliMDItMDhmYTRkNjk5MGJj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:09 GMT]}]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/skills]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1] : Request [{
"accessKey" : "dB43vdPJ",
"createdBy" : "",
"createdDate" : "",
"description" : "dB43vdPJ",
"host" : "dB43vdPJ",
"id" : "",
"inactive" : false,
"key" : "dB43vdPJ",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "dB43vdPJ",
"org" : "",
"prop1" : "dB43vdPJ",
"prop2" : "dB43vdPJ",
"prop3" : "dB43vdPJ",
"prop4" : "dB43vdPJ",
"prop5" : "dB43vdPJ",
"secretKey" : "dB43vdPJ",
"skillType" : "BOT_DEPLOYMENT",
"version" : ""
}]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:10.966+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 13, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzdlYjIxMjMtZWMwZi00M2YyLThjZDItNDVlMmNiZDc1YzJh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:10 GMT]}]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1] : StatusCode [400]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1] : Time [933]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1] : Size [716]
2019-03-20 10:45:11 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzdlYjIxMjMtZWMwZi00M2YyLThjZDItNDVlMmNiZDc1YzJh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:10 GMT]}]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzdlYjIxMjMtZWMwZi00M2YyLThjZDItNDVlMmNiZDc1YzJh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:10 GMT]}]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzdlYjIxMjMtZWMwZi00M2YyLThjZDItNDVlMmNiZDc1YzJh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:10 GMT]}]
2019-03-20 10:45:11 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzdlYjIxMjMtZWMwZi00M2YyLThjZDItNDVlMmNiZDc1YzJh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:10 GMT]}]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1] : Request [{
"billingEmail" : "SBsgcpiL",
"company" : "Kovacek-Kovacek",
"createdBy" : "",
"createdDate" : "",
"description" : "SBsgcpiL",
"id" : "",
"inactive" : false,
"location" : "SBsgcpiL",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "SBsgcpiL",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:12.526+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2UzZTBlMjUtNmU0ZS00YTQ4LTgwOWEtYTVlOTM0YjdkNGFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:12 GMT]}]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1] : Time [1499]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1] : Size [121]
2019-03-20 10:45:12 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2UzZTBlMjUtNmU0ZS00YTQ4LTgwOWEtYTVlOTM0YjdkNGFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:12 GMT]}]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2UzZTBlMjUtNmU0ZS00YTQ4LTgwOWEtYTVlOTM0YjdkNGFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:12 GMT]}]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2UzZTBlMjUtNmU0ZS00YTQ4LTgwOWEtYTVlOTM0YjdkNGFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:12 GMT]}]
2019-03-20 10:45:12 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2UzZTBlMjUtNmU0ZS00YTQ4LTgwOWEtYTVlOTM0YjdkNGFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:12 GMT]}]
2019-03-20 10:45:13 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/skills]
2019-03-20 10:45:13 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Method [PUT]
2019-03-20 10:45:13 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Request [{
"accessKey" : "NLuT0fG0",
"createdBy" : "",
"createdDate" : "",
"description" : "NLuT0fG0",
"host" : "NLuT0fG0",
"id" : "",
"inactive" : false,
"key" : "NLuT0fG0",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "NLuT0fG0",
"opts" : [ {
"id" : "",
"label" : "NLuT0fG0",
"mandatory" : false,
"value" : "NLuT0fG0"
} ],
"org" : "",
"prop1" : "NLuT0fG0",
"prop2" : "NLuT0fG0",
"prop3" : "NLuT0fG0",
"prop4" : "NLuT0fG0",
"prop5" : "NLuT0fG0",
"secretKey" : "NLuT0fG0",
"skillType" : "VERSION_CONTROL",
"version" : ""
}]
2019-03-20 10:45:13 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:13 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:13.962+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto (although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto (although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}]
2019-03-20 10:45:13 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmJmYWE4ODgtZDRlYi00NTUwLWE5NzItNDQwMDgzZWQ3NjRh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:13 GMT]}]
2019-03-20 10:45:13 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : StatusCode [400]
2019-03-20 10:45:13 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Time [1436]
2019-03-20 10:45:13 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Size [716]
2019-03-20 10:45:13 ERROR [ApiV1SkillsPutSkilluserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed]
2019-03-20 10:45:15 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : URL [http://13.56.210.25/api/v1/skills/]
2019-03-20 10:45:15 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Method [DELETE]
2019-03-20 10:45:15 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request [null]
2019-03-20 10:45:15 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:15 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response [{
"timestamp" : "2019-03-20T10:45:15.479+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/skills/"
}]
2019-03-20 10:45:15 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response-Headers [{Allow=[GET, POST, PUT], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzdjNjRkMjUtM2U1OC00Y2IyLThlMDgtNDhkYzRmNDgzYzlm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:15 GMT]}]
2019-03-20 10:45:15 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : StatusCode [405]
2019-03-20 10:45:15 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Time [1518]
2019-03-20 10:45:15 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Size [161]
2019-03-20 10:45:15 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
2019-03-20 10:45:16 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:45:16 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:45:16 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:45:16 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:16 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:45:16.700+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:45:16 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MzZjNzI5MTgtNmEzNy00NjM2LTgwYjktNWUwOTE3ODUzYWRk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:16 GMT]}]
2019-03-20 10:45:16 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:45:16 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1216]
2019-03-20 10:45:16 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:45:16 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1SkillsPutSkilluserbDisallowHijack1
Run Id : 8a808011699a990101699ab0f9761b20
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
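Result : fail (the assertion expected 401 or 403 and got 400; the 400 is a JSON parse error on the empty "org" field, and the org and skill setup requests in the log below also failed, so this run does not show whether the access-control check was reached)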
Status Code : 400
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjUyMjkwZTItN2M2Zi00ZWQ2LWFiNmEtMWU4MDI4MGEzNjNi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}
Endpoint : http://13.56.210.25/api/v1/skills
Request :
{ "accessKey" : "Rbr5jXZC", "createdBy" : "", "createdDate" : "", "description" : "Rbr5jXZC", "host" : "Rbr5jXZC", "id" : "", "inactive" : false, "key" : "Rbr5jXZC", "modifiedBy" : "", "modifiedDate" : "", "name" : "Rbr5jXZC", "opts" : [ { "id" : "", "label" : "Rbr5jXZC", "mandatory" : false, "value" : "Rbr5jXZC" } ], "org" : "", "prop1" : "Rbr5jXZC", "prop2" : "Rbr5jXZC", "prop3" : "Rbr5jXZC", "prop4" : "Rbr5jXZC", "prop5" : "Rbr5jXZC", "secretKey" : "Rbr5jXZC", "skillType" : "VERSION_CONTROL", "version" : "" }
Response :
{ "timestamp" : "2019-03-20T10:41:34.890+0000", "status" : 400, "error" : "Bad Request", "message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto (although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto (although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])", "path" : "/api/v1/skills" }
Logs :
2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1] : Request [{ "billingEmail" : "qea6GbAC", "company" : "Rolfson LLC", "createdBy" : "", "createdDate" : "", "description" : "qea6GbAC", "id" : "", "inactive" : false, "location" : "qea6GbAC", "modifiedBy" : "", "modifiedDate" : "", "name" : "qea6GbAC", "orgPlan" : "TEAM", "orgType" : "ENTERPRISE", "version" : "" }] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:32.920+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs" }] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDM3ZDdhMGUtZmUyYS00N2Q3LWFjNTgtZGViODgxYzk4MWI2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1] : Time [540] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1] : Size [121] 2019-03-20 10:41:32 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], 
X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDM3ZDdhMGUtZmUyYS00N2Q3LWFjNTgtZGViODgxYzk4MWI2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDM3ZDdhMGUtZmUyYS00N2Q3LWFjNTgtZGViODgxYzk4MWI2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDM3ZDdhMGUtZmUyYS00N2Q3LWFjNTgtZGViODgxYzk4MWI2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:32 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDM3ZDdhMGUtZmUyYS00N2Q3LWFjNTgtZGViODgxYzk4MWI2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/skills] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1] : Request [{ "accessKey" : "PoLnbPmw", "createdBy" : "", "createdDate" : "", "description" : "PoLnbPmw", "host" : "PoLnbPmw", "id" : "", 
"inactive" : false, "key" : "PoLnbPmw", "modifiedBy" : "", "modifiedDate" : "", "name" : "PoLnbPmw", "org" : "", "prop1" : "PoLnbPmw", "prop2" : "PoLnbPmw", "prop3" : "PoLnbPmw", "prop4" : "PoLnbPmw", "prop5" : "PoLnbPmw", "secretKey" : "PoLnbPmw", "skillType" : "BOT_DEPLOYMENT", "version" : "" }] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:33.693+0000", "status" : 400, "error" : "Bad Request", "message" : "JSON parse error: Cannot construct instance of
com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 13, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])", "path" : "/api/v1/skills" }] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzViY2VhOGYtYTkwNy00NjE2LWE0YmUtOTJlYTBiOTYxZWE4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1] : StatusCode [400] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1] : Time [770] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1] : Size [716] 2019-03-20 10:41:33 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzViY2VhOGYtYTkwNy00NjE2LWE0YmUtOTJlYTBiOTYxZWE4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzViY2VhOGYtYTkwNy00NjE2LWE0YmUtOTJlYTBiOTYxZWE4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], 
Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzViY2VhOGYtYTkwNy00NjE2LWE0YmUtOTJlYTBiOTYxZWE4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:33 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzViY2VhOGYtYTkwNy00NjE2LWE0YmUtOTJlYTBiOTYxZWE4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:32 GMT]}] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1] : Method [POST] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1] : Request [{ "billingEmail" : "hBp4iJXA", "company" : "Borer-Borer", "createdBy" : "", "createdDate" : "", "description" : "hBp4iJXA", "id" : "", "inactive" : false, "location" : "hBp4iJXA", "modifiedBy" : "", "modifiedDate" : "", "name" : "hBp4iJXA", "orgPlan" : "TEAM", "orgType" : "ENTERPRISE", "version" : "" }] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:34.411+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs" }] 2019-03-20 10:41:34 DEBUG 
[OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjkxZjE0NjgtNjZmMC00NTQ2LTg0NjYtYmM4NTY4ZmJhMDJm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1] : Time [572] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1] : Size [121] 2019-03-20 10:41:34 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjkxZjE0NjgtNjZmMC00NTQ2LTg0NjYtYmM4NTY4ZmJhMDJm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjkxZjE0NjgtNjZmMC00NTQ2LTg0NjYtYmM4NTY4ZmJhMDJm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], 
Set-Cookie=[SESSION=MjkxZjE0NjgtNjZmMC00NTQ2LTg0NjYtYmM4NTY4ZmJhMDJm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}] 2019-03-20 10:41:34 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjkxZjE0NjgtNjZmMC00NTQ2LTg0NjYtYmM4NTY4ZmJhMDJm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}] 2019-03-20 10:41:34 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/skills] 2019-03-20 10:41:34 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Method [PUT] 2019-03-20 10:41:34 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Request [{ "accessKey" : "Rbr5jXZC", "createdBy" : "", "createdDate" : "", "description" : "Rbr5jXZC", "host" : "Rbr5jXZC", "id" : "", "inactive" : false, "key" : "Rbr5jXZC", "modifiedBy" : "", "modifiedDate" : "", "name" : "Rbr5jXZC", "opts" : [ { "id" : "", "label" : "Rbr5jXZC", "mandatory" : false, "value" : "Rbr5jXZC" } ], "org" : "", "prop1" : "Rbr5jXZC", "prop2" : "Rbr5jXZC", "prop3" : "Rbr5jXZC", "prop4" : "Rbr5jXZC", "prop5" : "Rbr5jXZC", "secretKey" : "Rbr5jXZC", "skillType" : "VERSION_CONTROL", "version" : "" }] 2019-03-20 10:41:34 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:34 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:34.890+0000", "status" : 400, "error" : "Bad Request", "message" : "JSON parse error: Cannot construct instance ofcom.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])", "path" : "/api/v1/skills" }] 2019-03-20 10:41:34 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjUyMjkwZTItN2M2Zi00ZWQ2LWFiNmEtMWU4MDI4MGEzNjNi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:34 GMT]}] 2019-03-20 10:41:34 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : StatusCode [400] 2019-03-20 10:41:34 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Time [478] 2019-03-20 10:41:34 DEBUG [ApiV1SkillsPutSkilluserbDisallowHijack1] : Size [716] 2019-03-20 10:41:34 ERROR [ApiV1SkillsPutSkilluserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed] 2019-03-20 10:41:35 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : URL [http://13.56.210.25/api/v1/skills/] 2019-03-20 10:41:35 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Method [DELETE] 2019-03-20 10:41:35 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request [null] 2019-03-20 10:41:35 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:35 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response [{ "timestamp" : "2019-03-20T10:41:35.400+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/skills/" }] 2019-03-20 10:41:35 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response-Headers 
[{Allow=[GET, POST, PUT], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjY5NDMzOTAtZWI5Yi00ZGZiLWFmMmEtOWY1ZDhmZDliODg5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:35 GMT]}] 2019-03-20 10:41:35 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : StatusCode [405] 2019-03-20 10:41:35 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Time [509] 2019-03-20 10:41:35 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Size [161] 2019-03-20 10:41:35 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed] 2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/] 2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE] 2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null] 2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{ "timestamp" : "2019-03-20T10:41:35.898+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/orgs/" }] 2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmVlNjZkM2UtYjkzMS00NmY2LThjN2YtNDlmZDFiYmU2ODIw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:35 GMT]}] 2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : 
StatusCode [405] 2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [497] 2019-03-20 10:41:35 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159] 2019-03-20 10:41:35 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---