Open asriz7777 opened 5 years ago
Project : FXABAC TEST
Template : NullPutOrgusersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 500
Headers : {}
Endpoint : http://13.56.210.25null
Note (review): the endpoint ends in the literal string `null` — the template's path variable was never resolved, so the URL is malformed. The 500 is synthesized by the test client from a `java.net.UnknownHostException` (empty response headers, ~19 ms), i.e. the target host was never contacted. This run therefore proves nothing about whether an unauthorized PUT is rejected; treat it as a test-fixture failure, not an access-control finding, until the template resolves a real org-users path and is re-run.
Request :
{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "WRITE",
"status" : "ACTIVE",
"userType" : "DEFAULT",
"users" : "",
"version" : ""
}
Response :
I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null; nested exception is java.net.UnknownHostException: 13.56.210.25null
Logs :
Note (review): every init step below (enterprise-sign-up, POST /api/v1/orgs, addUserToOrg) failed with 403 or 400 under the same credentials, so no user/org fixture existed when the hijack template ran — that is why its path resolved to `null`. Separately, the `Authorization: Basic …` header is logged verbatim in this public issue (base64 of the test tenant's username:password, trivially decodable), and all calls go over plain `http://` with the `SESSION` cookie set without `Secure`. Rotate that credential, redact `Authorization` in bot output, and run the suite against a TLS endpoint.
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Jerde-Jerde",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "hailee.orn@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Marketing Executive",
"location" : "ONMonZB4",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "ONMonZB4",
"password" : "ONMonZB4",
"username" : "lempi.bernhard",
"version" : ""
}]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:28.045+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDlhODk0OGEtYTRiOS00ZjA1LTllMzQtNjY3ZWM2YzJkZGY4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1] : Time [544]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:44:28 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDlhODk0OGEtYTRiOS00ZjA1LTllMzQtNjY3ZWM2YzJkZGY4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDlhODk0OGEtYTRiOS00ZjA1LTllMzQtNjY3ZWM2YzJkZGY4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDlhODk0OGEtYTRiOS00ZjA1LTllMzQtNjY3ZWM2YzJkZGY4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:28 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDlhODk0OGEtYTRiOS00ZjA1LTllMzQtNjY3ZWM2YzJkZGY4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "OcgdUSFJ",
"company" : "Rowe-Rowe",
"createdBy" : "",
"createdDate" : "",
"description" : "OcgdUSFJ",
"id" : "",
"inactive" : false,
"location" : "OcgdUSFJ",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "OcgdUSFJ",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:28.563+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDg2MmRkMjktZjNkYy00NzIxLThjYjUtMzgxZWU5YWI3NWQx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1] : Time [460]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:44:28 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDg2MmRkMjktZjNkYy00NzIxLThjYjUtMzgxZWU5YWI3NWQx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDg2MmRkMjktZjNkYy00NzIxLThjYjUtMzgxZWU5YWI3NWQx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDg2MmRkMjktZjNkYy00NzIxLThjYjUtMzgxZWU5YWI3NWQx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:28 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDg2MmRkMjktZjNkYy00NzIxLThjYjUtMzgxZWU5YWI3NWQx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:27 GMT]}]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/addUserToOrg]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1] : Request [{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "ADMIN",
"status" : "INACTIVE",
"userType" : "MANAGED",
"users" : "",
"version" : ""
}]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:28.958+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])",
"path" : "/api/v1/users/addUserToOrg"
}]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjZjMjZlZWUtY2JiNS00ZmRhLWE3ZTctZmFhMDVjNGE2M2E4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:28 GMT]}]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1] : StatusCode [400]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1] : Time [403]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1] : Size [729]
2019-03-20 10:44:28 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed]
Note (review): the request sent `"org": ""` (a string) where the API expects a NameDto object, so this 400 is a malformed test payload, not a server defect. However, the error body echoes internal class names (`com.fxlabs.fxt.dto.base.NameDto`, `com.fxlabs.fxt.dto.users.OrgUsers`) and the full Jackson exception chain — a verbose-error information leak that deserves its own low-severity ticket, independent of this one.
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjZjMjZlZWUtY2JiNS00ZmRhLWE3ZTctZmFhMDVjNGE2M2E4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:28 GMT]}]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjZjMjZlZWUtY2JiNS00ZmRhLWE3ZTctZmFhMDVjNGE2M2E4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:28 GMT]}]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjZjMjZlZWUtY2JiNS00ZmRhLWE3ZTctZmFhMDVjNGE2M2E4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:28 GMT]}]
2019-03-20 10:44:28 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjZjMjZlZWUtY2JiNS00ZmRhLWE3ZTctZmFhMDVjNGE2M2E4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:28 GMT]}]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1] : Request [{
"billingEmail" : "aJgB9A2f",
"company" : "Kertzmann Inc",
"createdBy" : "",
"createdDate" : "",
"description" : "aJgB9A2f",
"id" : "",
"inactive" : false,
"location" : "aJgB9A2f",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "aJgB9A2f",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:29.735+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTRhYmE1YjEtZWEyZC00OWY3LWIzNjMtZTY0M2E0ZjNjMjM4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:28 GMT]}]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1] : Time [706]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1] : Size [121]
2019-03-20 10:44:29 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTRhYmE1YjEtZWEyZC00OWY3LWIzNjMtZTY0M2E0ZjNjMjM4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:28 GMT]}]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTRhYmE1YjEtZWEyZC00OWY3LWIzNjMtZTY0M2E0ZjNjMjM4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:28 GMT]}]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTRhYmE1YjEtZWEyZC00OWY3LWIzNjMtZTY0M2E0ZjNjMjM4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:28 GMT]}]
2019-03-20 10:44:29 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTRhYmE1YjEtZWEyZC00OWY3LWIzNjMtZTY0M2E0ZjNjMjM4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:28 GMT]}]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Glover LLC",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "santos.lynch@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "IT Manager",
"location" : "z6oTy3ZW",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "z6oTy3ZW",
"password" : "z6oTy3ZW",
"username" : "arely.von",
"version" : ""
}]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:30.921+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWU5NGRiNjUtYmY5NS00MDY4LWJiN2UtZWFjOGY5ODZlOWNk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:30 GMT]}]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1] : Time [870]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1] : Size [141]
2019-03-20 10:44:30 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWU5NGRiNjUtYmY5NS00MDY4LWJiN2UtZWFjOGY5ODZlOWNk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:30 GMT]}]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWU5NGRiNjUtYmY5NS00MDY4LWJiN2UtZWFjOGY5ODZlOWNk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:30 GMT]}]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWU5NGRiNjUtYmY5NS00MDY4LWJiN2UtZWFjOGY5ODZlOWNk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:30 GMT]}]
2019-03-20 10:44:30 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWU5NGRiNjUtYmY5NS00MDY4LWJiN2UtZWFjOGY5ODZlOWNk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:30 GMT]}]
2019-03-20 10:44:30 DEBUG [NullPutOrgusersuserbDisallowHijack1] : URL [http://13.56.210.25null]
2019-03-20 10:44:30 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Method [PUT]
2019-03-20 10:44:30 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Request [{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "WRITE",
"status" : "ACTIVE",
"userType" : "DEFAULT",
"users" : "",
"version" : ""
}]
2019-03-20 10:44:30 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:30 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Response [I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null; nested exception is java.net.UnknownHostException: 13.56.210.25null]
2019-03-20 10:44:30 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Response-Headers [{}]
2019-03-20 10:44:30 DEBUG [NullPutOrgusersuserbDisallowHijack1] : StatusCode [500]
2019-03-20 10:44:30 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Time [19]
2019-03-20 10:44:30 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Size [141]
2019-03-20 10:44:30 ERROR [NullPutOrgusersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [500 == 401 OR 500 == 403] result [Failed]
Note (review): this is the assertion that opened the issue. The 500 is the harness's mapping of the client-side UnknownHostException, not a status code returned by the server, so neither the expected deny (401/403) nor an allow was actually observed. Fix the template to fail fast with a setup error when its endpoint variable is unset (instead of issuing a request to `<host>null`), and re-run once the init steps succeed; until then the Major severity is not supported by the evidence.
2019-03-20 10:44:31 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:44:31 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:44:31 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:44:31 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:31 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:44:31.420+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:44:31 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGI3NGNhN2UtMTNjZS00YTVhLWI5MDEtNWQxMzY5MTE0NjM2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:30 GMT]}]
2019-03-20 10:44:31 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:44:31 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [475]
2019-03-20 10:44:31 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:44:31 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
Note (review): the cleanup DELETE hit `/api/v1/orgs/` with an empty id (no org was ever created), and the server answered 405 with `Allow: GET, POST` for the collection resource — nothing was deleted, consistent with the failed fixture. The `ERROR [null]` prefix on init/cleanup assertions also hides which template failed, which makes these reports hard to triage; the logger should carry the template name as the main assertion at 10:44:30 does.
--- FX Bot ---
Note (review): the block below is a repeat post for the same Run Id from a later execution (10:45); the endpoint is malformed in the same way and the outcome is identical. The `Name or service not known` variant of the error confirms the runner attempted DNS resolution of the hostname `13.56.210.25null` and failed — again a client-side error, not a server response.
Project : FXABAC TEST
Template : NullPutOrgusersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 500
Headers : {}
Endpoint : http://13.56.210.25null
Request :
{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "WRITE",
"status" : "ACTIVE",
"userType" : "DEFAULT",
"users" : "",
"version" : ""
}
Response :
I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null: Name or service not known; nested exception is java.net.UnknownHostException: 13.56.210.25null: Name or service not known
Logs :
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Dooley LLC",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "andrew.kling@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Internal Administration Consultant",
"location" : "CX5TvTg7",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "CX5TvTg7",
"password" : "CX5TvTg7",
"username" : "nickolas.rath",
"version" : ""
}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:20.789+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTc2NmIzOGYtZjcwYS00YTg3LWI2MjgtYTQzYjk2YmEyMGRh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Time [1208]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:45:20 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTc2NmIzOGYtZjcwYS00YTg3LWI2MjgtYTQzYjk2YmEyMGRh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTc2NmIzOGYtZjcwYS00YTg3LWI2MjgtYTQzYjk2YmEyMGRh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTc2NmIzOGYtZjcwYS00YTg3LWI2MjgtYTQzYjk2YmEyMGRh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}]
2019-03-20 10:45:20 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTc2NmIzOGYtZjcwYS00YTg3LWI2MjgtYTQzYjk2YmEyMGRh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:20 GMT]}]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "oWo5gAUt",
"company" : "Robel, Robel and Robel",
"createdBy" : "",
"createdDate" : "",
"description" : "oWo5gAUt",
"id" : "",
"inactive" : false,
"location" : "oWo5gAUt",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "oWo5gAUt",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:22.228+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmFhMjI5MWYtMGE0OC00ZGYzLWE0ZTQtNWUxZWUwMjc0YjVk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:21 GMT]}]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1] : Time [1350]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:45:22 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmFhMjI5MWYtMGE0OC00ZGYzLWE0ZTQtNWUxZWUwMjc0YjVk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:21 GMT]}]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmFhMjI5MWYtMGE0OC00ZGYzLWE0ZTQtNWUxZWUwMjc0YjVk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:21 GMT]}]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmFhMjI5MWYtMGE0OC00ZGYzLWE0ZTQtNWUxZWUwMjc0YjVk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:21 GMT]}]
2019-03-20 10:45:22 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmFhMjI5MWYtMGE0OC00ZGYzLWE0ZTQtNWUxZWUwMjc0YjVk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:21 GMT]}]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/addUserToOrg]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1] : Request [{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "ADMIN",
"status" : "INACTIVE",
"userType" : "MANAGED",
"users" : "",
"version" : ""
}]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:23.748+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])",
"path" : "/api/v1/users/addUserToOrg"
}]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWE5NzkxOWQtNDdmOS00NDFjLWIyMTUtNGVhMTA5MzVhMGJl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:23 GMT]}]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1] : StatusCode [400]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1] : Time [1517]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1] : Size [729]
2019-03-20 10:45:23 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWE5NzkxOWQtNDdmOS00NDFjLWIyMTUtNGVhMTA5MzVhMGJl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:23 GMT]}]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWE5NzkxOWQtNDdmOS00NDFjLWIyMTUtNGVhMTA5MzVhMGJl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:23 GMT]}]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWE5NzkxOWQtNDdmOS00NDFjLWIyMTUtNGVhMTA5MzVhMGJl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:23 GMT]}]
2019-03-20 10:45:23 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWE5NzkxOWQtNDdmOS00NDFjLWIyMTUtNGVhMTA5MzVhMGJl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:23 GMT]}]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1] : Request [{
"billingEmail" : "49bPUJG4",
"company" : "Konopelski, Konopelski and Konopelski",
"createdBy" : "",
"createdDate" : "",
"description" : "49bPUJG4",
"id" : "",
"inactive" : false,
"location" : "49bPUJG4",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "49bPUJG4",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:25.027+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWRjMTU1ODMtNGZjNy00NDE0LWFjMDEtMGY4Y2VjNDU5YmVj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1] : Time [1226]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1] : Size [121]
2019-03-20 10:45:25 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWRjMTU1ODMtNGZjNy00NDE0LWFjMDEtMGY4Y2VjNDU5YmVj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWRjMTU1ODMtNGZjNy00NDE0LWFjMDEtMGY4Y2VjNDU5YmVj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWRjMTU1ODMtNGZjNy00NDE0LWFjMDEtMGY4Y2VjNDU5YmVj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:25 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWRjMTU1ODMtNGZjNy00NDE0LWFjMDEtMGY4Y2VjNDU5YmVj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:24 GMT]}]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Jakubowski, Jakubowski and Jakubowski",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "chaim.wisozk@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Lead Banking Designer",
"location" : "doyDRvyU",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "doyDRvyU",
"password" : "doyDRvyU",
"username" : "keenan.kris",
"version" : ""
}]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:26.530+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTQyZDM4YjEtODI3MC00MTM0LThkMjMtZTAzY2U2YzM4ZWYw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:26 GMT]}]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1] : Time [1151]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1] : Size [141]
2019-03-20 10:45:26 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTQyZDM4YjEtODI3MC00MTM0LThkMjMtZTAzY2U2YzM4ZWYw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:26 GMT]}]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTQyZDM4YjEtODI3MC00MTM0LThkMjMtZTAzY2U2YzM4ZWYw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:26 GMT]}]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTQyZDM4YjEtODI3MC00MTM0LThkMjMtZTAzY2U2YzM4ZWYw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:26 GMT]}]
2019-03-20 10:45:26 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTQyZDM4YjEtODI3MC00MTM0LThkMjMtZTAzY2U2YzM4ZWYw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:26 GMT]}]
2019-03-20 10:45:26 DEBUG [NullPutOrgusersuserbDisallowHijack1] : URL [http://13.56.210.25null]
2019-03-20 10:45:26 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Method [PUT]
2019-03-20 10:45:26 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Request [{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "WRITE",
"status" : "ACTIVE",
"userType" : "DEFAULT",
"users" : "",
"version" : ""
}]
2019-03-20 10:45:26 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] [review note: the Basic value above is plain base64 of a username:password pair, i.e. a live test credential written in the clear to a DEBUG log and then pasted into this issue; redact Authorization headers (and Set-Cookie SESSION values) before attaching runner logs.]
2019-03-20 10:45:26 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Response [I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null: Name or service not known; nested exception is java.net.UnknownHostException: 13.56.210.25null: Name or service not known]
2019-03-20 10:45:26 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Response-Headers [{}]
2019-03-20 10:45:26 DEBUG [NullPutOrgusersuserbDisallowHijack1] : StatusCode [500]
2019-03-20 10:45:26 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Time [8]
2019-03-20 10:45:26 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Size [195]
2019-03-20 10:45:26 ERROR [NullPutOrgusersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [500 == 401 OR 500 == 403] result [Failed] [review note: this 500 is the runner's synthetic code for a client-side java.net.UnknownHostException — the request never reached the API (Response-Headers is empty, Time is 8 ms). The URL resolved to "http://13.56.210.25null" because the path placeholder was null: every init step that should have produced an org/user id failed first (enterprise-sign-up 403, POST /api/v1/orgs 403, addUserToOrg 400 with "org" sent as ""). This "Disallow" result therefore says nothing about the API's access control; treat the run as broken setup / inconclusive rather than a Major Data_Access_Control finding, and have the assertion distinguish transport errors from real HTTP responses.]
2019-03-20 10:45:27 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:45:27 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:45:27 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:45:27 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:27 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:45:27.773+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:45:27 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDVhMTI1YWUtNDkwMS00NzBiLWI0NTQtYTY3MmM1OTU4YzNj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:27 GMT]}]
2019-03-20 10:45:27 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:45:27 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1232]
2019-03-20 10:45:27 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:45:27 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : NullPutOrgusersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab0f9761b20
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 500
Headers : {}
Endpoint : http://13.56.210.25null
Request :
{ "createdBy" : "", "createdDate" : "", "forceResetPwd" : false, "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "org" : "", "orgRole" : "WRITE", "status" : "ACTIVE", "userType" : "DEFAULT", "users" : "", "version" : "" }
Response :
I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null; nested exception is java.net.UnknownHostException: 13.56.210.25null
Logs :
2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up] 2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Steuber, Steuber and Steuber", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "rubie.jenkins@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Mining Consultant", "location" : "6cmD98qR", "modifiedBy" : "", "modifiedDate" : "", "name" : "6cmD98qR", "password" : "6cmD98qR", "username" : "melany.weber", "version" : "" }] 2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:37.923+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }] 2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzhhOGM4ZTgtYjA1NS00ZTY5LWE2MGUtMmVjMzg0OGM5MmMw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:37 GMT]}] 2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403] 2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1] : Time [544] 2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1] : Size [141] 2019-03-20 10:41:37 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:37 DEBUG 
[UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzhhOGM4ZTgtYjA1NS00ZTY5LWE2MGUtMmVjMzg0OGM5MmMw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:37 GMT]}] 2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzhhOGM4ZTgtYjA1NS00ZTY5LWE2MGUtMmVjMzg0OGM5MmMw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:37 GMT]}] 2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzhhOGM4ZTgtYjA1NS00ZTY5LWE2MGUtMmVjMzg0OGM5MmMw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:37 GMT]}] 2019-03-20 10:41:37 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzhhOGM4ZTgtYjA1NS00ZTY5LWE2MGUtMmVjMzg0OGM5MmMw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:37 GMT]}] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1] 
: Method [POST] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1] : Request [{ "billingEmail" : "w70culXy", "company" : "Frami, Frami and Frami", "createdBy" : "", "createdDate" : "", "description" : "w70culXy", "id" : "", "inactive" : false, "location" : "w70culXy", "modifiedBy" : "", "modifiedDate" : "", "name" : "w70culXy", "orgPlan" : "TEAM", "orgType" : "ENTERPRISE", "version" : "" }] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:38.531+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs" }] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDk1MGMwN2ItOGIzYy00ZDhmLWFjNWQtZmQxZmI3ZTIxYTQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:38 GMT]}] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1] : Time [539] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1] : Size [121] 2019-03-20 10:41:38 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDk1MGMwN2ItOGIzYy00ZDhmLWFjNWQtZmQxZmI3ZTIxYTQ4; Path=/; HttpOnly], 
Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:38 GMT]}] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDk1MGMwN2ItOGIzYy00ZDhmLWFjNWQtZmQxZmI3ZTIxYTQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:38 GMT]}] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDk1MGMwN2ItOGIzYy00ZDhmLWFjNWQtZmQxZmI3ZTIxYTQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:38 GMT]}] 2019-03-20 10:41:38 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDk1MGMwN2ItOGIzYy00ZDhmLWFjNWQtZmQxZmI3ZTIxYTQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:38 GMT]}] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/addUserToOrg] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1] : Request [{ "createdBy" : "", "createdDate" : "", "forceResetPwd" : false, "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "org" : "", "orgRole" : "ADMIN", "status" : "INACTIVE", "userType" : "MANAGED", 
"users" : "", "version" : "" }] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:39.037+0000", "status" : 400, "error" : "Bad Request", "message" : "JSON parse error: Cannot construct instance of
com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])", "path" : "/api/v1/users/addUserToOrg" }] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTUxMmRjNmMtOTA5ZS00YjVkLWE5MDYtNGJmMzg0MzliM2Qz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:38 GMT]}] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1] : StatusCode [400] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1] : Time [504] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1] : Size [729] 2019-03-20 10:41:39 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTUxMmRjNmMtOTA5ZS00YjVkLWE5MDYtNGJmMzg0MzliM2Qz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:38 GMT]}] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTUxMmRjNmMtOTA5ZS00YjVkLWE5MDYtNGJmMzg0MzliM2Qz; Path=/; HttpOnly], 
Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:38 GMT]}] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTUxMmRjNmMtOTA5ZS00YjVkLWE5MDYtNGJmMzg0MzliM2Qz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:38 GMT]}] 2019-03-20 10:41:39 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTUxMmRjNmMtOTA5ZS00YjVkLWE5MDYtNGJmMzg0MzliM2Qz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:38 GMT]}] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1] : Method [POST] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1] : Request [{ "billingEmail" : "I4U9J6ov", "company" : "Wintheiser Inc", "createdBy" : "", "createdDate" : "", "description" : "I4U9J6ov", "id" : "", "inactive" : false, "location" : "I4U9J6ov", "modifiedBy" : "", "modifiedDate" : "", "name" : "I4U9J6ov", "orgPlan" : "TEAM", "orgType" : "ENTERPRISE", "version" : "" }] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:39.784+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : 
"/api/v1/orgs" }] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTFmYmEzZDAtOTQyZS00ODkxLWFlNDktMDU2YzI0YjE1YmE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:39 GMT]}] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1] : Time [685] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1] : Size [121] 2019-03-20 10:41:39 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTFmYmEzZDAtOTQyZS00ODkxLWFlNDktMDU2YzI0YjE1YmE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:39 GMT]}] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTFmYmEzZDAtOTQyZS00ODkxLWFlNDktMDU2YzI0YjE1YmE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:39 GMT]}] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], 
Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTFmYmEzZDAtOTQyZS00ODkxLWFlNDktMDU2YzI0YjE1YmE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:39 GMT]}] 2019-03-20 10:41:39 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTFmYmEzZDAtOTQyZS00ODkxLWFlNDktMDU2YzI0YjE1YmE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:39 GMT]}] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1] : Method [POST] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Sporer, Sporer and Sporer", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "marilyne.rempel@hotmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Sales Associate", "location" : "coEE9OSu", "modifiedBy" : "", "modifiedDate" : "", "name" : "coEE9OSu", "password" : "coEE9OSu", "username" : "haskell.bayer", "version" : "" }] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:40.891+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], 
Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmFmYTBkZGMtNjFjYy00NGY4LWE2ZDQtNmY1OTA0MDM4NTg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:40 GMT]}] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1] : StatusCode [403] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1] : Time [729] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1] : Size [141] 2019-03-20 10:41:40 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmFmYTBkZGMtNjFjYy00NGY4LWE2ZDQtNmY1OTA0MDM4NTg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:40 GMT]}] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmFmYTBkZGMtNjFjYy00NGY4LWE2ZDQtNmY1OTA0MDM4NTg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:40 GMT]}] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmFmYTBkZGMtNjFjYy00NGY4LWE2ZDQtNmY1OTA0MDM4NTg3; Path=/; HttpOnly], 
Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:40 GMT]}] 2019-03-20 10:41:40 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmFmYTBkZGMtNjFjYy00NGY4LWE2ZDQtNmY1OTA0MDM4NTg3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:40 GMT]}] 2019-03-20 10:41:40 DEBUG [NullPutOrgusersuserbDisallowHijack1] : URL [http://13.56.210.25null] 2019-03-20 10:41:40 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Method [PUT] 2019-03-20 10:41:40 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Request [{ "createdBy" : "", "createdDate" : "", "forceResetPwd" : false, "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "org" : "", "orgRole" : "WRITE", "status" : "ACTIVE", "userType" : "DEFAULT", "users" : "", "version" : "" }] 2019-03-20 10:41:40 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:40 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Response [I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null; nested exception is java.net.UnknownHostException: 13.56.210.25null] 2019-03-20 10:41:40 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Response-Headers [{}] 2019-03-20 10:41:40 DEBUG [NullPutOrgusersuserbDisallowHijack1] : StatusCode [500] 2019-03-20 10:41:40 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Time [3] 2019-03-20 10:41:40 DEBUG [NullPutOrgusersuserbDisallowHijack1] : Size [141] 2019-03-20 10:41:40 ERROR [NullPutOrgusersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [500 == 401 OR 500 == 403] 
result [Failed] 2019-03-20 10:41:41 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/] 2019-03-20 10:41:41 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE] 2019-03-20 10:41:41 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null] 2019-03-20 10:41:41 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:41 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{ "timestamp" : "2019-03-20T10:41:41.719+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/orgs/" }] 2019-03-20 10:41:41 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MzRlODk3YmMtZTQ0Yy00ZGQ4LTk5Y2YtMTc0ZmQwOGUwOGEz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:41 GMT]}] 2019-03-20 10:41:41 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405] 2019-03-20 10:41:41 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [822] 2019-03-20 10:41:41 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159] 2019-03-20 10:41:41 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]

Note on reading this result: the 500 recorded for NullPutOrgusersuserbDisallowHijack1 is not a server response. The endpoint rendered as `http://13.56.210.25null` (the path template resolved to null), Response-Headers are `{}`, and the response body is the HTTP client's own `java.net.UnknownHostException`. No request reached the API, so this cannot be read as a missing authorization check on the PUT; it is a harness/template error, and the Major / Hijack_Level1 verdict should be treated as a false positive until the template resolves a real path and the PUT actually returns 401/403 (or not). The most likely cause visible in the log is that the setup step UsersCreateUserAInitHijack1 (POST /api/v1/users/enterprise-sign-up as the userB account) was rejected with 403, so the identifiers later templates substitute were never captured. The same run's ApiV1OrgsIdDeleteOrghijack1 shows the same symptom: the id segment is empty, the DELETE hits the collection URL `/api/v1/orgs/`, and the 405 with `Allow: GET, POST` reflects routing on that route, not an authorization decision. Separately, these DEBUG logs print the `Authorization` header verbatim; a Basic credential is only base64-encoded, so the username:password pair for this testlabs.io account is recoverable from this public issue. Rotate that credential and have the harness redact `Authorization` (and `Set-Cookie`) before logging.

--- FX Bot ---
