Open asriz7777 opened 5 years ago
Project : FXABAC TEST
Template : ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjBlZTk3NTYtYTdmMC00NDE5LWI2OTgtMTJmMDAzMzE0MDBj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/team-sign-up
Request :
{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Lynch LLC",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "morris.kulas@yahoo.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Marketing Technician",
"location" : "wHwgU7Dp",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "wHwgU7Dp",
"password" : "wHwgU7Dp",
"privileges" : [ "wHwgU7Dp" ],
"username" : "nedra.herman",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:44:27.821+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/team-sign-up"
}
Logs :
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Moore-Moore",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "max.schmeler@yahoo.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Manufacturing Planner",
"location" : "TyckrIbB",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "TyckrIbB",
"password" : "TyckrIbB",
"username" : "teagan.ernser",
"version" : ""
}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:26.859+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDE1NGYyODAtMTczNS00MTU5LTgxOTUtYmUzZTI1OTNhODFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:26 GMT]}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Time [619]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:44:26 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDE1NGYyODAtMTczNS00MTU5LTgxOTUtYmUzZTI1OTNhODFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:26 GMT]}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDE1NGYyODAtMTczNS00MTU5LTgxOTUtYmUzZTI1OTNhODFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:26 GMT]}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDE1NGYyODAtMTczNS00MTU5LTgxOTUtYmUzZTI1OTNhODFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:26 GMT]}]
2019-03-20 10:44:26 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDE1NGYyODAtMTczNS00MTU5LTgxOTUtYmUzZTI1OTNhODFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:26 GMT]}]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/team-sign-up]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Lynch LLC",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "morris.kulas@yahoo.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Marketing Technician",
"location" : "wHwgU7Dp",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "wHwgU7Dp",
"password" : "wHwgU7Dp",
"privileges" : [ "wHwgU7Dp" ],
"username" : "nedra.herman",
"version" : ""
}]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:27.821+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/team-sign-up"
}]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjBlZTk3NTYtYTdmMC00NDE5LWI2OTgtMTJmMDAzMzE0MDBj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Time [650]
2019-03-20 10:44:27 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Size [135]
2019-03-20 10:44:27 INFO [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzQ5MDQxNWMtODY4Zi00NTkwLTgwZjctN2IyNjVjZjI1MzA4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:25 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/team-sign-up
Request :
{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Nienow-Nienow",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "zola.lindgren@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Customer Retail Producer",
"location" : "8W2eohd8",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "8W2eohd8",
"password" : "8W2eohd8",
"privileges" : [ "8W2eohd8" ],
"username" : "jovan.schaden",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:45:25.732+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/team-sign-up"
}
Logs :
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Emard-Emard",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "xzavier.runolfsdottir@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Regional Advertising Executive",
"location" : "y5VR8OH4",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "y5VR8OH4",
"password" : "y5VR8OH4",
"username" : "aracely.homenick",
"version" : ""
}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:24.462+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDdjOGUyMDUtMTQzYi00NTQ2LWFmODktYjkxN2MyNmI0MWFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Time [1443]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:45:24 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDdjOGUyMDUtMTQzYi00NTQ2LWFmODktYjkxN2MyNmI0MWFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDdjOGUyMDUtMTQzYi00NTQ2LWFmODktYjkxN2MyNmI0MWFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDdjOGUyMDUtMTQzYi00NTQ2LWFmODktYjkxN2MyNmI0MWFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:24 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDdjOGUyMDUtMTQzYi00NTQ2LWFmODktYjkxN2MyNmI0MWFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/team-sign-up]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Nienow-Nienow",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "zola.lindgren@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Customer Retail Producer",
"location" : "8W2eohd8",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "8W2eohd8",
"password" : "8W2eohd8",
"privileges" : [ "8W2eohd8" ],
"username" : "jovan.schaden",
"version" : ""
}]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:25.732+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/team-sign-up"
}]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzQ5MDQxNWMtODY4Zi00NTkwLTgwZjctN2IyNjVjZjI1MzA4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:25 GMT]}]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Time [1042]
2019-03-20 10:45:25 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Size [135]
2019-03-20 10:45:25 INFO [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2M4MGNhNmYtM2I5Ni00N2YyLTllMGMtMTI4YzIwMTNkOTVm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:42 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/team-sign-up
Request :
{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Durgan Inc",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "adam.leuschke@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Administration Developer",
"location" : "ZAlXODv6",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "ZAlXODv6",
"password" : "ZAlXODv6",
"privileges" : [ "ZAlXODv6" ],
"username" : "caroline.boyle",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:46:42.948+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/team-sign-up"
}
Logs :
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Stoltenberg-Stoltenberg",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "sabina.kreiger@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Dynamic Coordinator",
"location" : "RyhqwQuR",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "RyhqwQuR",
"password" : "RyhqwQuR",
"username" : "emilie.wilkinson",
"version" : ""
}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:40.942+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2FlZGMwYWItZWNmZi00NzM2LWFmYjEtY2UwN2MzZTdiYTI4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:40 GMT]}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Time [1296]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:46:40 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2FlZGMwYWItZWNmZi00NzM2LWFmYjEtY2UwN2MzZTdiYTI4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:40 GMT]}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2FlZGMwYWItZWNmZi00NzM2LWFmYjEtY2UwN2MzZTdiYTI4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:40 GMT]}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2FlZGMwYWItZWNmZi00NzM2LWFmYjEtY2UwN2MzZTdiYTI4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:40 GMT]}]
2019-03-20 10:46:40 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2FlZGMwYWItZWNmZi00NzM2LWFmYjEtY2UwN2MzZTdiYTI4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:40 GMT]}]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/team-sign-up]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Durgan Inc",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "adam.leuschke@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Administration Developer",
"location" : "ZAlXODv6",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "ZAlXODv6",
"password" : "ZAlXODv6",
"privileges" : [ "ZAlXODv6" ],
"username" : "caroline.boyle",
"version" : ""
}]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:42.948+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/team-sign-up"
}]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2M4MGNhNmYtM2I5Ni00N2YyLTllMGMtMTI4YzIwMTNkOTVm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:42 GMT]}]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Time [1800]
2019-03-20 10:46:42 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Size [135]
2019-03-20 10:46:42 INFO [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab0f9761b20
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Y4MDkyOTMtMThkMi00YzgwLWFjZGYtZWU5YWEzYTJiMTQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:37 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/team-sign-up
Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Heathcote-Heathcote", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "tamia.koss@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Senior Marketing Specialist", "location" : "zpJjsNdp", "modifiedBy" : "", "modifiedDate" : "", "name" : "zpJjsNdp", "password" : "zpJjsNdp", "privileges" : [ "zpJjsNdp" ], "username" : "marilou.lowe", "version" : "" }
Response :
{ "timestamp" : "2019-03-20T10:41:37.427+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/team-sign-up" }
Logs :
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Hammes, Hammes and Hammes", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "armani.corkery@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Design Analyst", "location" : "DrqgjEdh", "modifiedBy" : "", "modifiedDate" : "", "name" : "DrqgjEdh", "password" : "DrqgjEdh", "username" : "elian.weber", "version" : "" }]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:36.456+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjZkMTA0NjgtMDk5ZC00MWRkLWE2MDEtOTkzOTRmMTc1Yzg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:36 GMT]}]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Time [568]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:41:36 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjZkMTA0NjgtMDk5ZC00MWRkLWE2MDEtOTkzOTRmMTc1Yzg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:36 GMT]}]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjZkMTA0NjgtMDk5ZC00MWRkLWE2MDEtOTkzOTRmMTc1Yzg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:36 GMT]}]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjZkMTA0NjgtMDk5ZC00MWRkLWE2MDEtOTkzOTRmMTc1Yzg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:36 GMT]}]
2019-03-20 10:41:36 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjZkMTA0NjgtMDk5ZC00MWRkLWE2MDEtOTkzOTRmMTc1Yzg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:36 GMT]}]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/team-sign-up]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Heathcote-Heathcote", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "tamia.koss@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Senior Marketing Specialist", "location" : "zpJjsNdp", "modifiedBy" : "", "modifiedDate" : "", "name" : "zpJjsNdp", "password" : "zpJjsNdp", "privileges" : [ "zpJjsNdp" ], "username" : "marilou.lowe", "version" : "" }]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:37.427+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/team-sign-up" }]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Y4MDkyOTMtMThkMi00YzgwLWFjZGYtZWU5YWEzYTJiMTQ1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:37 GMT]}]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Time [470]
2019-03-20 10:41:37 DEBUG [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Size [135]
2019-03-20 10:41:37 INFO [ApiV1UsersTeamSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
--- FX Bot ---