asriz7777 / FXSCRIPTS-TEST-AUTOMATION


Vulnerability [Hijack_Level1] : POST:/api/v1/users/team-sign-up #394

Open asriz7777 opened 5 years ago

asriz7777 commented 5 years ago

Project : FXABAC TEST

Template : ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1

Run Id : 8a808011699a990101699ab0f9761b20

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 403

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Y4MDkyOTMtMThkMi00YzgwLWFjZGYtZWU5YWEzYTJiMTQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:37 GMT]}

Endpoint : http://13.56.210.25/api/v1/users/team-sign-up

Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Heathcote-Heathcote", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "tamia.koss@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Senior Marketing Specialist", "location" : "zpJjsNdp", "modifiedBy" : "", "modifiedDate" : "", "name" : "zpJjsNdp", "password" : "zpJjsNdp", "privileges" : [ "zpJjsNdp" ], "username" : "marilou.lowe", "version" : "" }

Response :
{ "timestamp" : "2019-03-20T10:41:37.427+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/team-sign-up" }

Logs :
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Hammes, Hammes and Hammes", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "armani.corkery@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Design Analyst", "location" : "DrqgjEdh", "modifiedBy" : "", "modifiedDate" : "", "name" : "DrqgjEdh", "password" : "DrqgjEdh", "username" : "elian.weber", "version" : "" }]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:36.456+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjZkMTA0NjgtMDk5ZC00MWRkLWE2MDEtOTkzOTRmMTc1Yzg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:36 GMT]}]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Time [568]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:41:36 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjZkMTA0NjgtMDk5ZC00MWRkLWE2MDEtOTkzOTRmMTc1Yzg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:36 GMT]}]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjZkMTA0NjgtMDk5ZC00MWRkLWE2MDEtOTkzOTRmMTc1Yzg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:36 GMT]}]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjZkMTA0NjgtMDk5ZC00MWRkLWE2MDEtOTkzOTRmMTc1Yzg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:36 GMT]}]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjZkMTA0NjgtMDk5ZC00MWRkLWE2MDEtOTkzOTRmMTc1Yzg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:36 GMT]}]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/team-sign-up]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Heathcote-Heathcote", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "tamia.koss@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Senior Marketing Specialist", "location" : "zpJjsNdp", "modifiedBy" : "", "modifiedDate" : "", "name" : "zpJjsNdp", "password" : "zpJjsNdp", "privileges" : [ "zpJjsNdp" ], "username" : "marilou.lowe", "version" : "" }]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:37.427+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/team-sign-up" }]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Y4MDkyOTMtMThkMi00YzgwLWFjZGYtZWU5YWEzYTJiMTQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:37 GMT]}]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Time [470]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Size [135]
2019-03-20 10:41:37 INFO [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]

--- FX Bot ---

asriz7777 commented 5 years ago

Project : FXABAC TEST

Template : ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1

Run Id : 8a808011699a990101699ab3901a2277

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 403

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjBlZTk3NTYtYTdmMC00NDE5LWI2OTgtMTJmMDAzMzE0MDBj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}

Endpoint : http://13.56.210.25/api/v1/users/team-sign-up

Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Lynch LLC", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "morris.kulas@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Marketing Technician", "location" : "wHwgU7Dp", "modifiedBy" : "", "modifiedDate" : "", "name" : "wHwgU7Dp", "password" : "wHwgU7Dp", "privileges" : [ "wHwgU7Dp" ], "username" : "nedra.herman", "version" : "" }

Response :
{ "timestamp" : "2019-03-20T10:44:27.821+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/team-sign-up" }

Logs :
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Moore-Moore", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "max.schmeler@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Manufacturing Planner", "location" : "TyckrIbB", "modifiedBy" : "", "modifiedDate" : "", "name" : "TyckrIbB", "password" : "TyckrIbB", "username" : "teagan.ernser", "version" : "" }]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:44:26.859+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDE1NGYyODAtMTczNS00MTU5LTgxOTUtYmUzZTI1OTNhODFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:26 GMT]}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Time [619]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:44:26 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDE1NGYyODAtMTczNS00MTU5LTgxOTUtYmUzZTI1OTNhODFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:26 GMT]}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDE1NGYyODAtMTczNS00MTU5LTgxOTUtYmUzZTI1OTNhODFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:26 GMT]}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDE1NGYyODAtMTczNS00MTU5LTgxOTUtYmUzZTI1OTNhODFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:26 GMT]}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDE1NGYyODAtMTczNS00MTU5LTgxOTUtYmUzZTI1OTNhODFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:26 GMT]}]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/team-sign-up]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Lynch LLC", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "morris.kulas@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Marketing Technician", "location" : "wHwgU7Dp", "modifiedBy" : "", "modifiedDate" : "", "name" : "wHwgU7Dp", "password" : "wHwgU7Dp", "privileges" : [ "wHwgU7Dp" ], "username" : "nedra.herman", "version" : "" }]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response [{ "timestamp" : "2019-03-20T10:44:27.821+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/team-sign-up" }]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjBlZTk3NTYtYTdmMC00NDE5LWI2OTgtMTJmMDAzMzE0MDBj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Time [650]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Size [135]
2019-03-20 10:44:27 INFO [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]

--- FX Bot ---

asriz7777 commented 5 years ago

Project : FXABAC TEST

Template : ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1

Run Id : 8a808011699a990101699ab3901a2277

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 403

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzQ5MDQxNWMtODY4Zi00NTkwLTgwZjctN2IyNjVjZjI1MzA4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:25 GMT]}

Endpoint : http://13.56.210.25/api/v1/users/team-sign-up

Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Nienow-Nienow", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "zola.lindgren@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Customer Retail Producer", "location" : "8W2eohd8", "modifiedBy" : "", "modifiedDate" : "", "name" : "8W2eohd8", "password" : "8W2eohd8", "privileges" : [ "8W2eohd8" ], "username" : "jovan.schaden", "version" : "" }

Response :
{ "timestamp" : "2019-03-20T10:45:25.732+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/team-sign-up" }

Logs :
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Emard-Emard", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "xzavier.runolfsdottir@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Regional Advertising Executive", "location" : "y5VR8OH4", "modifiedBy" : "", "modifiedDate" : "", "name" : "y5VR8OH4", "password" : "y5VR8OH4", "username" : "aracely.homenick", "version" : "" }]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:45:24.462+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDdjOGUyMDUtMTQzYi00NTQ2LWFmODktYjkxN2MyNmI0MWFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Time [1443]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:45:24 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDdjOGUyMDUtMTQzYi00NTQ2LWFmODktYjkxN2MyNmI0MWFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDdjOGUyMDUtMTQzYi00NTQ2LWFmODktYjkxN2MyNmI0MWFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDdjOGUyMDUtMTQzYi00NTQ2LWFmODktYjkxN2MyNmI0MWFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDdjOGUyMDUtMTQzYi00NTQ2LWFmODktYjkxN2MyNmI0MWFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/team-sign-up]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Nienow-Nienow", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "zola.lindgren@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Customer Retail Producer", "location" : "8W2eohd8", "modifiedBy" : "", "modifiedDate" : "", "name" : "8W2eohd8", "password" : "8W2eohd8", "privileges" : [ "8W2eohd8" ], "username" : "jovan.schaden", "version" : "" }]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response [{ "timestamp" : "2019-03-20T10:45:25.732+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/team-sign-up" }]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzQ5MDQxNWMtODY4Zi00NTkwLTgwZjctN2IyNjVjZjI1MzA4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:25 GMT]}]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Time [1042]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Size [135]
2019-03-20 10:45:25 INFO [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]

--- FX Bot ---

asriz7777 commented 5 years ago

Project : FXABAC TEST

Template : ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1

Run Id : 8a808011699a990101699ab3901a2277

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 403

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2M4MGNhNmYtM2I5Ni00N2YyLTllMGMtMTI4YzIwMTNkOTVm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:42 GMT]}

Endpoint : http://13.56.210.25/api/v1/users/team-sign-up

Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Durgan Inc", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "adam.leuschke@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Administration Developer", "location" : "ZAlXODv6", "modifiedBy" : "", "modifiedDate" : "", "name" : "ZAlXODv6", "password" : "ZAlXODv6", "privileges" : [ "ZAlXODv6" ], "username" : "caroline.boyle", "version" : "" }

Response :
{ "timestamp" : "2019-03-20T10:46:42.948+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/team-sign-up" }

Logs :
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Stoltenberg-Stoltenberg", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "sabina.kreiger@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Dynamic Coordinator", "location" : "RyhqwQuR", "modifiedBy" : "", "modifiedDate" : "", "name" : "RyhqwQuR", "password" : "RyhqwQuR", "username" : "emilie.wilkinson", "version" : "" }]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:46:40.942+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2FlZGMwYWItZWNmZi00NzM2LWFmYjEtY2UwN2MzZTdiYTI4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:40 GMT]}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Time [1296]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:46:40 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2FlZGMwYWItZWNmZi00NzM2LWFmYjEtY2UwN2MzZTdiYTI4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:40 GMT]}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2FlZGMwYWItZWNmZi00NzM2LWFmYjEtY2UwN2MzZTdiYTI4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:40 GMT]}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2FlZGMwYWItZWNmZi00NzM2LWFmYjEtY2UwN2MzZTdiYTI4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:40 GMT]}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2FlZGMwYWItZWNmZi00NzM2LWFmYjEtY2UwN2MzZTdiYTI4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:40 GMT]}]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/team-sign-up]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Durgan Inc", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "adam.leuschke@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Administration Developer", "location" : "ZAlXODv6", "modifiedBy" : "", "modifiedDate" : "", "name" : "ZAlXODv6", "password" : "ZAlXODv6", "privileges" : [ "ZAlXODv6" ], "username" : "caroline.boyle", "version" : "" }]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response [{ "timestamp" : "2019-03-20T10:46:42.948+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/team-sign-up" }]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2M4MGNhNmYtM2I5Ni00N2YyLTllMGMtMTI4YzIwMTNkOTVm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:42 GMT]}]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Time [1800]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Size [135]
2019-03-20 10:46:42 INFO [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]

--- FX Bot ---