Vulnerability [Hijack_Level1] : PUT:/api/v1/abac

[asriz7777]

Project : FXABAC TEST

Template : ApiV1AbacPutAbacresourceuserbDisallowHijack1

Run Id : 8a808011699a990101699ab0f9761b20

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 200

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjA2OWNkMjktZDBjNy00NTY4LTkyZjAtYmE1NzBiN2MxMWQ0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:45 GMT]}

Endpoint : http://13.56.210.25/api/v1/abac

Request :
{ "createBody" : "sHwUAYBO", "createEndpoint" : "sHwUAYBO", "createUserAuth" : "sHwUAYBO", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "sHwUAYBO", "enumValues" : "sHwUAYBO", "generatorId" : "sHwUAYBO", "id" : "", "inactive" : false, "initScriptName" : "sHwUAYBO", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "sHwUAYBO", "scripts" : [ { "body" : "sHwUAYBO", "deleteEndPoint" : "sHwUAYBO", "endpoint" : "sHwUAYBO", "resourceName" : "sHwUAYBO", "scriptName" : "sHwUAYBO", "scriptType" : "sHwUAYBO", "sequence" : "1623719473", "userAuth" : "sHwUAYBO", "validationScript" : false } ], "typeThreeCreateEndpoint" : "sHwUAYBO", "validations" : [ { "body" : "sHwUAYBO", "endpoint" : "sHwUAYBO", "inactive" : false, "lock" : false, "path" : "sHwUAYBO", "userAuth" : "sHwUAYBO", "validationType" : "sHwUAYBO" } ], "version" : "" }

Response :
{ "requestId" : "None", "requestTime" : "2019-03-20T10:41:46.195+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }

Logs :
2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/abac] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1] : Request [{ "createBody" : "5U8KNUz9", "createEndpoint" : "5U8KNUz9", "createUserAuth" : "5U8KNUz9", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "5U8KNUz9", "enumValues" : "5U8KNUz9", "generatorId" : "5U8KNUz9", "id" : "", "inactive" : false, "initScriptName" : "5U8KNUz9", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "5U8KNUz9", "typeThreeCreateEndpoint" : "5U8KNUz9", "version" : "" }] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:41:45.627+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGFhY2I0YzktYTFkYi00MmZkLWIwODQtYzQzZGMwMTAyZjAx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:44 GMT]}] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1] : StatusCode [200] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1] : Time [544] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1] : Size [210] 2019-03-20 10:41:45 INFO [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [200 == 200 OR 200 == 201] result [Passed] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGFhY2I0YzktYTFkYi00MmZkLWIwODQtYzQzZGMwMTAyZjAx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:44 GMT]}] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGFhY2I0YzktYTFkYi00MmZkLWIwODQtYzQzZGMwMTAyZjAx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:44 GMT]}] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGFhY2I0YzktYTFkYi00MmZkLWIwODQtYzQzZGMwMTAyZjAx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:44 GMT]}] 2019-03-20 10:41:45 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGFhY2I0YzktYTFkYi00MmZkLWIwODQtYzQzZGMwMTAyZjAx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:44 GMT]}] 2019-03-20 10:41:46 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/abac] 2019-03-20 10:41:46 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Method [PUT] 2019-03-20 10:41:46 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Request [{ "createBody" : "sHwUAYBO", "createEndpoint" : "sHwUAYBO", "createUserAuth" : "sHwUAYBO", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "sHwUAYBO", "enumValues" : "sHwUAYBO", "generatorId" : "sHwUAYBO", "id" : "", "inactive" : false, "initScriptName" : "sHwUAYBO", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "sHwUAYBO", "scripts" : [ { "body" : "sHwUAYBO", "deleteEndPoint" : "sHwUAYBO", "endpoint" : "sHwUAYBO", "resourceName" : "sHwUAYBO", "scriptName" : "sHwUAYBO", "scriptType" : "sHwUAYBO", "sequence" : "1623719473", "userAuth" : "sHwUAYBO", "validationScript" : false } ], "typeThreeCreateEndpoint" : "sHwUAYBO", "validations" : [ { "body" : "sHwUAYBO", "endpoint" : "sHwUAYBO", "inactive" : false, "lock" : false, "path" : "sHwUAYBO", "userAuth" : "sHwUAYBO", "validationType" : "sHwUAYBO" } ], "version" : "" }] 2019-03-20 10:41:46 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:46 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:41:46.195+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:41:46 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjA2OWNkMjktZDBjNy00NTY4LTkyZjAtYmE1NzBiN2MxMWQ0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:45 GMT]}] 2019-03-20 10:41:46 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : StatusCode [200] 2019-03-20 10:41:46 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Time [551] 2019-03-20 10:41:46 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Size [210] 2019-03-20 10:41:46 ERROR [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed] 2019-03-20 10:41:46 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : URL [http://13.56.210.25/api/v1/abac/] 2019-03-20 10:41:46 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Method [DELETE] 2019-03-20 10:41:46 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request [null] 2019-03-20 10:41:46 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:46 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response [{ "timestamp" : "2019-03-20T10:41:46.764+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/abac/" }] 2019-03-20 10:41:46 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response-Headers [{Allow=[GET, PUT, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjEyNWQ2NDItN2JlMi00YzZkLTg3MGYtOTJhYTE0Zjk4MzQ0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:45 GMT]}] 2019-03-20 10:41:46 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : StatusCode [405] 2019-03-20 10:41:46 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Time [555] 2019-03-20 10:41:46 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Size [159] 2019-03-20 10:41:46 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]

--- FX Bot ---

[asriz7777]

Project : FXABAC TEST

Template : ApiV1AbacPutAbacresourceuserbDisallowHijack1

Run Id : 8a808011699a990101699ab3901a2277

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 200

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjU0YjczOWYtM2VlMy00ZDAxLWEzODktY2ZiZmFkZWMwMDAy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:38 GMT]}

Endpoint : http://13.56.210.25/api/v1/abac

Request :
{ "createBody" : "YwnrWFGd", "createEndpoint" : "YwnrWFGd", "createUserAuth" : "YwnrWFGd", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "YwnrWFGd", "enumValues" : "YwnrWFGd", "generatorId" : "YwnrWFGd", "id" : "", "inactive" : false, "initScriptName" : "YwnrWFGd", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "YwnrWFGd", "scripts" : [ { "body" : "YwnrWFGd", "deleteEndPoint" : "YwnrWFGd", "endpoint" : "YwnrWFGd", "resourceName" : "YwnrWFGd", "scriptName" : "YwnrWFGd", "scriptType" : "YwnrWFGd", "sequence" : "696242437", "userAuth" : "YwnrWFGd", "validationScript" : false } ], "typeThreeCreateEndpoint" : "YwnrWFGd", "validations" : [ { "body" : "YwnrWFGd", "endpoint" : "YwnrWFGd", "inactive" : false, "lock" : false, "path" : "YwnrWFGd", "userAuth" : "YwnrWFGd", "validationType" : "YwnrWFGd" } ], "version" : "" }

Response :
{ "requestId" : "None", "requestTime" : "2019-03-20T10:44:38.303+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }

Logs :
2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/abac] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1] : Request [{ "createBody" : "47mvRnhF", "createEndpoint" : "47mvRnhF", "createUserAuth" : "47mvRnhF", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "47mvRnhF", "enumValues" : "47mvRnhF", "generatorId" : "47mvRnhF", "id" : "", "inactive" : false, "initScriptName" : "47mvRnhF", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "47mvRnhF", "typeThreeCreateEndpoint" : "47mvRnhF", "version" : "" }] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:44:37.445+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YThmZWJiZjgtYTBhYy00NzQ1LTk4NjUtNTMyNWQ1NWNkYjhh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:37 GMT]}] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1] : StatusCode [200] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1] : Time [939] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1] : Size [210] 2019-03-20 10:44:37 INFO [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [200 == 200 OR 200 == 201] result [Passed] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YThmZWJiZjgtYTBhYy00NzQ1LTk4NjUtNTMyNWQ1NWNkYjhh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:37 GMT]}] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YThmZWJiZjgtYTBhYy00NzQ1LTk4NjUtNTMyNWQ1NWNkYjhh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:37 GMT]}] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YThmZWJiZjgtYTBhYy00NzQ1LTk4NjUtNTMyNWQ1NWNkYjhh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:37 GMT]}] 2019-03-20 10:44:37 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YThmZWJiZjgtYTBhYy00NzQ1LTk4NjUtNTMyNWQ1NWNkYjhh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:37 GMT]}] 2019-03-20 10:44:38 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/abac] 2019-03-20 10:44:38 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Method [PUT] 2019-03-20 10:44:38 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Request [{ "createBody" : "YwnrWFGd", "createEndpoint" : "YwnrWFGd", "createUserAuth" : "YwnrWFGd", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "YwnrWFGd", "enumValues" : "YwnrWFGd", "generatorId" : "YwnrWFGd", "id" : "", "inactive" : false, "initScriptName" : "YwnrWFGd", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "YwnrWFGd", "scripts" : [ { "body" : "YwnrWFGd", "deleteEndPoint" : "YwnrWFGd", "endpoint" : "YwnrWFGd", "resourceName" : "YwnrWFGd", "scriptName" : "YwnrWFGd", "scriptType" : "YwnrWFGd", "sequence" : "696242437", "userAuth" : "YwnrWFGd", "validationScript" : false } ], "typeThreeCreateEndpoint" : "YwnrWFGd", "validations" : [ { "body" : "YwnrWFGd", "endpoint" : "YwnrWFGd", "inactive" : false, "lock" : false, "path" : "YwnrWFGd", "userAuth" : "YwnrWFGd", "validationType" : "YwnrWFGd" } ], "version" : "" }] 2019-03-20 10:44:38 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:44:38 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:44:38.303+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:44:38 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjU0YjczOWYtM2VlMy00ZDAxLWEzODktY2ZiZmFkZWMwMDAy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:38 GMT]}] 2019-03-20 10:44:38 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : StatusCode [200] 2019-03-20 10:44:38 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Time [857] 2019-03-20 10:44:38 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Size [210] 2019-03-20 10:44:38 ERROR [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed] 2019-03-20 10:44:39 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : URL [http://13.56.210.25/api/v1/abac/] 2019-03-20 10:44:39 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Method [DELETE] 2019-03-20 10:44:39 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request [null] 2019-03-20 10:44:39 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:44:39 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response [{ "timestamp" : "2019-03-20T10:44:39.068+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/abac/" }] 2019-03-20 10:44:39 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response-Headers [{Allow=[GET, PUT, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjA1YzIzZGQtNDBlNy00ZmRjLWE4NmUtZTVhMDE4OWUzNWJm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:38 GMT]}] 2019-03-20 10:44:39 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : StatusCode [405] 2019-03-20 10:44:39 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Time [759] 2019-03-20 10:44:39 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Size [159] 2019-03-20 10:44:39 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]

--- FX Bot ---

[asriz7777]

Project : FXABAC TEST

Template : ApiV1AbacPutAbacresourceuserbDisallowHijack1

Run Id : 8a808011699a990101699ab3901a2277

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 200

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWZkMWMxMDgtNTg3MC00OTFlLTllMjktZmEzYmU1MzgxMjFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:42 GMT]}

Endpoint : http://13.56.210.25/api/v1/abac

Request :
{ "createBody" : "XPvXr0BU", "createEndpoint" : "XPvXr0BU", "createUserAuth" : "XPvXr0BU", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "XPvXr0BU", "enumValues" : "XPvXr0BU", "generatorId" : "XPvXr0BU", "id" : "", "inactive" : false, "initScriptName" : "XPvXr0BU", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "XPvXr0BU", "scripts" : [ { "body" : "XPvXr0BU", "deleteEndPoint" : "XPvXr0BU", "endpoint" : "XPvXr0BU", "resourceName" : "XPvXr0BU", "scriptName" : "XPvXr0BU", "scriptType" : "XPvXr0BU", "sequence" : "1795724958", "userAuth" : "XPvXr0BU", "validationScript" : false } ], "typeThreeCreateEndpoint" : "XPvXr0BU", "validations" : [ { "body" : "XPvXr0BU", "endpoint" : "XPvXr0BU", "inactive" : false, "lock" : false, "path" : "XPvXr0BU", "userAuth" : "XPvXr0BU", "validationType" : "XPvXr0BU" } ], "version" : "" }

Response :
{ "requestId" : "None", "requestTime" : "2019-03-20T10:45:43.606+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }

Logs :
2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/abac] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1] : Request [{ "createBody" : "le6Q4iK6", "createEndpoint" : "le6Q4iK6", "createUserAuth" : "le6Q4iK6", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "le6Q4iK6", "enumValues" : "le6Q4iK6", "generatorId" : "le6Q4iK6", "id" : "", "inactive" : false, "initScriptName" : "le6Q4iK6", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "le6Q4iK6", "typeThreeCreateEndpoint" : "le6Q4iK6", "version" : "" }] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:45:41.959+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmE4YTcyNTMtNDhlZC00OWE1LTg3MmQtNzlmMDA4MDIxMzZi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:41 GMT]}] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1] : StatusCode [200] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1] : Time [1575] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1] : Size [210] 2019-03-20 10:45:41 INFO [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [200 == 200 OR 200 == 201] result [Passed] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmE4YTcyNTMtNDhlZC00OWE1LTg3MmQtNzlmMDA4MDIxMzZi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:41 GMT]}] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmE4YTcyNTMtNDhlZC00OWE1LTg3MmQtNzlmMDA4MDIxMzZi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:41 GMT]}] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmE4YTcyNTMtNDhlZC00OWE1LTg3MmQtNzlmMDA4MDIxMzZi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:41 GMT]}] 2019-03-20 10:45:41 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmE4YTcyNTMtNDhlZC00OWE1LTg3MmQtNzlmMDA4MDIxMzZi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:41 GMT]}] 2019-03-20 10:45:43 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/abac] 2019-03-20 10:45:43 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Method [PUT] 2019-03-20 10:45:43 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Request [{ "createBody" : "XPvXr0BU", "createEndpoint" : "XPvXr0BU", "createUserAuth" : "XPvXr0BU", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "XPvXr0BU", "enumValues" : "XPvXr0BU", "generatorId" : "XPvXr0BU", "id" : "", "inactive" : false, "initScriptName" : "XPvXr0BU", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "XPvXr0BU", "scripts" : [ { "body" : "XPvXr0BU", "deleteEndPoint" : "XPvXr0BU", "endpoint" : "XPvXr0BU", "resourceName" : "XPvXr0BU", "scriptName" : "XPvXr0BU", "scriptType" : "XPvXr0BU", "sequence" : "1795724958", "userAuth" : "XPvXr0BU", "validationScript" : false } ], "typeThreeCreateEndpoint" : "XPvXr0BU", "validations" : [ { "body" : "XPvXr0BU", "endpoint" : "XPvXr0BU", "inactive" : false, "lock" : false, "path" : "XPvXr0BU", "userAuth" : "XPvXr0BU", "validationType" : "XPvXr0BU" } ], "version" : "" }] 2019-03-20 10:45:43 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:45:43 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:45:43.606+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:45:43 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NWZkMWMxMDgtNTg3MC00OTFlLTllMjktZmEzYmU1MzgxMjFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:42 GMT]}] 2019-03-20 10:45:43 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : StatusCode [200] 2019-03-20 10:45:43 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Time [1647] 2019-03-20 10:45:43 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Size [210] 2019-03-20 10:45:43 ERROR [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed] 2019-03-20 10:45:45 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : URL [http://13.56.210.25/api/v1/abac/] 2019-03-20 10:45:45 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Method [DELETE] 2019-03-20 10:45:45 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request [null] 2019-03-20 10:45:45 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:45:45 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response [{ "timestamp" : "2019-03-20T10:45:45.374+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/abac/" }] 2019-03-20 10:45:45 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response-Headers [{Allow=[GET, PUT, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmYzNmNkZGQtZGEzZC00NDlkLTkwNDQtYjEyZWVhYWEwYWNl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:44 GMT]}] 2019-03-20 10:45:45 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : StatusCode [405] 2019-03-20 10:45:45 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Time [1763] 2019-03-20 10:45:45 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Size [159] 2019-03-20 10:45:45 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]

--- FX Bot ---

[asriz7777]

Project : FXABAC TEST

Template : ApiV1AbacPutAbacresourceuserbDisallowHijack1

Run Id : 8a808011699a990101699ab3901a2277

Job : Default

Env : Default

Category : Hijack_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 200

Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q4MDBmMTYtYjNlYS00YjdiLTk4ZGItZDlkMTIwMjk2NDNi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:05 GMT]}

Endpoint : http://13.56.210.25/api/v1/abac

Request :
{ "createBody" : "yL374Tdg", "createEndpoint" : "yL374Tdg", "createUserAuth" : "yL374Tdg", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "yL374Tdg", "enumValues" : "yL374Tdg", "generatorId" : "yL374Tdg", "id" : "", "inactive" : false, "initScriptName" : "yL374Tdg", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "yL374Tdg", "scripts" : [ { "body" : "yL374Tdg", "deleteEndPoint" : "yL374Tdg", "endpoint" : "yL374Tdg", "resourceName" : "yL374Tdg", "scriptName" : "yL374Tdg", "scriptType" : "yL374Tdg", "sequence" : "1381751740", "userAuth" : "yL374Tdg", "validationScript" : false } ], "typeThreeCreateEndpoint" : "yL374Tdg", "validations" : [ { "body" : "yL374Tdg", "endpoint" : "yL374Tdg", "inactive" : false, "lock" : false, "path" : "yL374Tdg", "userAuth" : "yL374Tdg", "validationType" : "yL374Tdg" } ], "version" : "" }

Response :
{ "requestId" : "None", "requestTime" : "2019-03-20T10:47:05.798+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }

Logs :
2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/abac] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1] : Request [{ "createBody" : "yX8ouIsa", "createEndpoint" : "yX8ouIsa", "createUserAuth" : "yX8ouIsa", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "yX8ouIsa", "enumValues" : "yX8ouIsa", "generatorId" : "yX8ouIsa", "id" : "", "inactive" : false, "initScriptName" : "yX8ouIsa", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "yX8ouIsa", "typeThreeCreateEndpoint" : "yX8ouIsa", "version" : "" }] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:47:04.124+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmZjMzRhNTYtYTlmMy00YTM0LWE4NmQtNzQxMDA3MTMzOWIx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:03 GMT]}] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1] : StatusCode [200] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1] : Time [1615] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1] : Size [210] 2019-03-20 10:47:04 INFO [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [200 == 200 OR 200 == 201] result [Passed] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmZjMzRhNTYtYTlmMy00YTM0LWE4NmQtNzQxMDA3MTMzOWIx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:03 GMT]}] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmZjMzRhNTYtYTlmMy00YTM0LWE4NmQtNzQxMDA3MTMzOWIx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:03 GMT]}] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmZjMzRhNTYtYTlmMy00YTM0LWE4NmQtNzQxMDA3MTMzOWIx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:03 GMT]}] 2019-03-20 10:47:04 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmZjMzRhNTYtYTlmMy00YTM0LWE4NmQtNzQxMDA3MTMzOWIx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:03 GMT]}] 2019-03-20 10:47:05 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/abac] 2019-03-20 10:47:05 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Method [PUT] 2019-03-20 10:47:05 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Request [{ "createBody" : "yL374Tdg", "createEndpoint" : "yL374Tdg", "createUserAuth" : "yL374Tdg", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "yL374Tdg", "enumValues" : "yL374Tdg", "generatorId" : "yL374Tdg", "id" : "", "inactive" : false, "initScriptName" : "yL374Tdg", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "yL374Tdg", "scripts" : [ { "body" : "yL374Tdg", "deleteEndPoint" : "yL374Tdg", "endpoint" : "yL374Tdg", "resourceName" : "yL374Tdg", "scriptName" : "yL374Tdg", "scriptType" : "yL374Tdg", "sequence" : "1381751740", "userAuth" : "yL374Tdg", "validationScript" : false } ], "typeThreeCreateEndpoint" : "yL374Tdg", "validations" : [ { "body" : "yL374Tdg", "endpoint" : "yL374Tdg", "inactive" : false, "lock" : false, "path" : "yL374Tdg", "userAuth" : "yL374Tdg", "validationType" : "yL374Tdg" } ], "version" : "" }] 2019-03-20 10:47:05 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:47:05 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:47:05.798+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }] 2019-03-20 10:47:05 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q4MDBmMTYtYjNlYS00YjdiLTk4ZGItZDlkMTIwMjk2NDNi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:05 GMT]}] 2019-03-20 10:47:05 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : StatusCode [200] 2019-03-20 10:47:05 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Time [1678] 2019-03-20 10:47:05 DEBUG [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Size [210] 2019-03-20 10:47:05 ERROR [ApiV1AbacPutAbacresourceuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed] 2019-03-20 10:47:07 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : URL [http://13.56.210.25/api/v1/abac/] 2019-03-20 10:47:07 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Method [DELETE] 2019-03-20 10:47:07 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request [null] 2019-03-20 10:47:07 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:47:07 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response [{ "timestamp" : "2019-03-20T10:47:07.428+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/abac/" }] 2019-03-20 10:47:07 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response-Headers [{Allow=[GET, PUT, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDZjNTFjY2UtNzVhNC00MmQxLTkyMjYtZjJmYTM3MmU5MTMx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:07 GMT]}] 2019-03-20 10:47:07 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : StatusCode [405] 2019-03-20 10:47:07 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Time [1615] 2019-03-20 10:47:07 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Size [159] 2019-03-20 10:47:07 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]

--- FX Bot ---