Open asriz7777 opened 5 years ago
Project : FXABAC TEST
Template : ApiV1AbacPostAbacresourceuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
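Result : fail
Status Code : 200
(Triage note: the run is marked failed because the POST returned HTTP 200 where the template asserts 401 or 403. The 200 body itself reports "errors" : true with "Resource name or key already exists.", and the init step's POST received the same error yet passed, because its assertion checks only the status code. Both requests carry the same Authorization value, so on this evidence the API is signalling an application error under a 200 status, which is not a confirmed unauthorized write; check whether any resource was actually created. The cleanup DELETE was sent to /api/v1/abac/ with no id and returned 405. The logs below reproduce the Authorization header and session cookies verbatim, so those values should be treated as disclosed.)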
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWJlNjk3Y2YtNTgzZS00NjQ2LTgxY2UtNzU4MjdhNzczMGVm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:39 GMT]}
Endpoint : http://13.56.210.25/api/v1/abac
Request :
{
"createBody" : "vs8tr2yl",
"createEndpoint" : "vs8tr2yl",
"createUserAuth" : "vs8tr2yl",
"createdBy" : "",
"createdDate" : "",
"deleteEndpoint" : "vs8tr2yl",
"enumValues" : "vs8tr2yl",
"generatorId" : "vs8tr2yl",
"id" : "",
"inactive" : false,
"initScriptName" : "vs8tr2yl",
"lock" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"resourceName" : "vs8tr2yl",
"scripts" : [ {
"body" : "vs8tr2yl",
"deleteEndPoint" : "vs8tr2yl",
"endpoint" : "vs8tr2yl",
"resourceName" : "vs8tr2yl",
"scriptName" : "vs8tr2yl",
"scriptType" : "vs8tr2yl",
"sequence" : "1416818981",
"userAuth" : "vs8tr2yl",
"validationScript" : false
} ],
"typeThreeCreateEndpoint" : "vs8tr2yl",
"validations" : [ {
"body" : "vs8tr2yl",
"endpoint" : "vs8tr2yl",
"inactive" : false,
"lock" : false,
"path" : "vs8tr2yl",
"userAuth" : "vs8tr2yl",
"validationType" : "vs8tr2yl"
} ],
"version" : ""
}
Response :
{
"requestId" : "None",
"requestTime" : "2019-03-20T10:44:40.129+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Resource name or key already exists."
} ],
"data" : null,
"totalPages" : 0,
"totalElements" : 0
}
Logs :
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/abac]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1] : Request [{
"createBody" : "Ri1BSrxo",
"createEndpoint" : "Ri1BSrxo",
"createUserAuth" : "Ri1BSrxo",
"createdBy" : "",
"createdDate" : "",
"deleteEndpoint" : "Ri1BSrxo",
"enumValues" : "Ri1BSrxo",
"generatorId" : "Ri1BSrxo",
"id" : "",
"inactive" : false,
"initScriptName" : "Ri1BSrxo",
"lock" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"resourceName" : "Ri1BSrxo",
"typeThreeCreateEndpoint" : "Ri1BSrxo",
"version" : ""
}]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1] : Response [{
"requestId" : "None",
"requestTime" : "2019-03-20T10:44:39.638+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Resource name or key already exists."
} ],
"data" : null,
"totalPages" : 0,
"totalElements" : 0
}]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGEyZTJkNjktZTU2ZS00ODk1LTgzOWItYzYxZTNjOGJkY2Y4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:39 GMT]}]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1] : StatusCode [200]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1] : Time [571]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1] : Size [210]
2019-03-20 10:44:39 INFO [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [200 == 200 OR 200 == 201] result [Passed]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGEyZTJkNjktZTU2ZS00ODk1LTgzOWItYzYxZTNjOGJkY2Y4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:39 GMT]}]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGEyZTJkNjktZTU2ZS00ODk1LTgzOWItYzYxZTNjOGJkY2Y4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:39 GMT]}]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGEyZTJkNjktZTU2ZS00ODk1LTgzOWItYzYxZTNjOGJkY2Y4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:39 GMT]}]
2019-03-20 10:44:39 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZGEyZTJkNjktZTU2ZS00ODk1LTgzOWItYzYxZTNjOGJkY2Y4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:39 GMT]}]
2019-03-20 10:44:40 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/abac]
2019-03-20 10:44:40 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Method [POST]
2019-03-20 10:44:40 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Request [{
"createBody" : "vs8tr2yl",
"createEndpoint" : "vs8tr2yl",
"createUserAuth" : "vs8tr2yl",
"createdBy" : "",
"createdDate" : "",
"deleteEndpoint" : "vs8tr2yl",
"enumValues" : "vs8tr2yl",
"generatorId" : "vs8tr2yl",
"id" : "",
"inactive" : false,
"initScriptName" : "vs8tr2yl",
"lock" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"resourceName" : "vs8tr2yl",
"scripts" : [ {
"body" : "vs8tr2yl",
"deleteEndPoint" : "vs8tr2yl",
"endpoint" : "vs8tr2yl",
"resourceName" : "vs8tr2yl",
"scriptName" : "vs8tr2yl",
"scriptType" : "vs8tr2yl",
"sequence" : "1416818981",
"userAuth" : "vs8tr2yl",
"validationScript" : false
} ],
"typeThreeCreateEndpoint" : "vs8tr2yl",
"validations" : [ {
"body" : "vs8tr2yl",
"endpoint" : "vs8tr2yl",
"inactive" : false,
"lock" : false,
"path" : "vs8tr2yl",
"userAuth" : "vs8tr2yl",
"validationType" : "vs8tr2yl"
} ],
"version" : ""
}]
2019-03-20 10:44:40 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:40 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Response [{
"requestId" : "None",
"requestTime" : "2019-03-20T10:44:40.129+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Resource name or key already exists."
} ],
"data" : null,
"totalPages" : 0,
"totalElements" : 0
}]
2019-03-20 10:44:40 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWJlNjk3Y2YtNTgzZS00NjQ2LTgxY2UtNzU4MjdhNzczMGVm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:39 GMT]}]
2019-03-20 10:44:40 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : StatusCode [200]
2019-03-20 10:44:40 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Time [504]
2019-03-20 10:44:40 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Size [210]
2019-03-20 10:44:40 ERROR [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
2019-03-20 10:44:41 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : URL [http://13.56.210.25/api/v1/abac/]
2019-03-20 10:44:41 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Method [DELETE]
2019-03-20 10:44:41 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request [null]
2019-03-20 10:44:41 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:41 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response [{
"timestamp" : "2019-03-20T10:44:41.088+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/abac/"
}]
2019-03-20 10:44:41 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response-Headers [{Allow=[GET, PUT, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MzYxMDcyM2MtNTk3MC00MzI3LTg4NzgtNWM1MjBmNjRjOTdl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:40 GMT]}]
2019-03-20 10:44:41 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : StatusCode [405]
2019-03-20 10:44:41 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Time [941]
2019-03-20 10:44:41 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Size [159]
2019-03-20 10:44:41 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1AbacPostAbacresourceuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 200
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTcwNTYyZmUtNTg5My00OWU5LTgwN2EtNzc5Y2E3NDNmMjZl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:47 GMT]}
Endpoint : http://13.56.210.25/api/v1/abac
Request :
{
"createBody" : "DyffBW3n",
"createEndpoint" : "DyffBW3n",
"createUserAuth" : "DyffBW3n",
"createdBy" : "",
"createdDate" : "",
"deleteEndpoint" : "DyffBW3n",
"enumValues" : "DyffBW3n",
"generatorId" : "DyffBW3n",
"id" : "",
"inactive" : false,
"initScriptName" : "DyffBW3n",
"lock" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"resourceName" : "DyffBW3n",
"scripts" : [ {
"body" : "DyffBW3n",
"deleteEndPoint" : "DyffBW3n",
"endpoint" : "DyffBW3n",
"resourceName" : "DyffBW3n",
"scriptName" : "DyffBW3n",
"scriptType" : "DyffBW3n",
"sequence" : "1962101575",
"userAuth" : "DyffBW3n",
"validationScript" : false
} ],
"typeThreeCreateEndpoint" : "DyffBW3n",
"validations" : [ {
"body" : "DyffBW3n",
"endpoint" : "DyffBW3n",
"inactive" : false,
"lock" : false,
"path" : "DyffBW3n",
"userAuth" : "DyffBW3n",
"validationType" : "DyffBW3n"
} ],
"version" : ""
}
Response :
{
"requestId" : "None",
"requestTime" : "2019-03-20T10:45:48.402+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Resource name or key already exists."
} ],
"data" : null,
"totalPages" : 0,
"totalElements" : 0
}
Logs :
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/abac]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1] : Request [{
"createBody" : "mSsVxBST",
"createEndpoint" : "mSsVxBST",
"createUserAuth" : "mSsVxBST",
"createdBy" : "",
"createdDate" : "",
"deleteEndpoint" : "mSsVxBST",
"enumValues" : "mSsVxBST",
"generatorId" : "mSsVxBST",
"id" : "",
"inactive" : false,
"initScriptName" : "mSsVxBST",
"lock" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"resourceName" : "mSsVxBST",
"typeThreeCreateEndpoint" : "mSsVxBST",
"version" : ""
}]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1] : Response [{
"requestId" : "None",
"requestTime" : "2019-03-20T10:45:46.733+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Resource name or key already exists."
} ],
"data" : null,
"totalPages" : 0,
"totalElements" : 0
}]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjljZjQ5Y2ItOTAwMC00YTc3LTk3OWUtYTljODNhYjAxOGU5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:46 GMT]}]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1] : StatusCode [200]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1] : Time [1365]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1] : Size [210]
2019-03-20 10:45:46 INFO [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [200 == 200 OR 200 == 201] result [Passed]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjljZjQ5Y2ItOTAwMC00YTc3LTk3OWUtYTljODNhYjAxOGU5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:46 GMT]}]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjljZjQ5Y2ItOTAwMC00YTc3LTk3OWUtYTljODNhYjAxOGU5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:46 GMT]}]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjljZjQ5Y2ItOTAwMC00YTc3LTk3OWUtYTljODNhYjAxOGU5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:46 GMT]}]
2019-03-20 10:45:46 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjljZjQ5Y2ItOTAwMC00YTc3LTk3OWUtYTljODNhYjAxOGU5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:46 GMT]}]
2019-03-20 10:45:48 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/abac]
2019-03-20 10:45:48 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Method [POST]
2019-03-20 10:45:48 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Request [{
"createBody" : "DyffBW3n",
"createEndpoint" : "DyffBW3n",
"createUserAuth" : "DyffBW3n",
"createdBy" : "",
"createdDate" : "",
"deleteEndpoint" : "DyffBW3n",
"enumValues" : "DyffBW3n",
"generatorId" : "DyffBW3n",
"id" : "",
"inactive" : false,
"initScriptName" : "DyffBW3n",
"lock" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"resourceName" : "DyffBW3n",
"scripts" : [ {
"body" : "DyffBW3n",
"deleteEndPoint" : "DyffBW3n",
"endpoint" : "DyffBW3n",
"resourceName" : "DyffBW3n",
"scriptName" : "DyffBW3n",
"scriptType" : "DyffBW3n",
"sequence" : "1962101575",
"userAuth" : "DyffBW3n",
"validationScript" : false
} ],
"typeThreeCreateEndpoint" : "DyffBW3n",
"validations" : [ {
"body" : "DyffBW3n",
"endpoint" : "DyffBW3n",
"inactive" : false,
"lock" : false,
"path" : "DyffBW3n",
"userAuth" : "DyffBW3n",
"validationType" : "DyffBW3n"
} ],
"version" : ""
}]
2019-03-20 10:45:48 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:48 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Response [{
"requestId" : "None",
"requestTime" : "2019-03-20T10:45:48.402+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Resource name or key already exists."
} ],
"data" : null,
"totalPages" : 0,
"totalElements" : 0
}]
2019-03-20 10:45:48 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTcwNTYyZmUtNTg5My00OWU5LTgwN2EtNzc5Y2E3NDNmMjZl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:47 GMT]}]
2019-03-20 10:45:48 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : StatusCode [200]
2019-03-20 10:45:48 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Time [1661]
2019-03-20 10:45:48 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Size [210]
2019-03-20 10:45:48 ERROR [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
2019-03-20 10:45:49 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : URL [http://13.56.210.25/api/v1/abac/]
2019-03-20 10:45:49 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Method [DELETE]
2019-03-20 10:45:49 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request [null]
2019-03-20 10:45:49 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:49 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response [{
"timestamp" : "2019-03-20T10:45:49.714+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/abac/"
}]
2019-03-20 10:45:49 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response-Headers [{Allow=[GET, PUT, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YWU1Njk0YTUtNDZmNC00ZTNhLTg4ZGQtMThiNmQ5MjNkNjM3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:48 GMT]}]
2019-03-20 10:45:49 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : StatusCode [405]
2019-03-20 10:45:49 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Time [1308]
2019-03-20 10:45:49 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Size [159]
2019-03-20 10:45:49 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1AbacPostAbacresourceuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 200
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWZmMDRlNjEtNzk1MS00ZmUxLTlmZGYtMGNhMjJlYjc4MmM5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:10 GMT]}
Endpoint : http://13.56.210.25/api/v1/abac
Request :
{
"createBody" : "w5Ni7G41",
"createEndpoint" : "w5Ni7G41",
"createUserAuth" : "w5Ni7G41",
"createdBy" : "",
"createdDate" : "",
"deleteEndpoint" : "w5Ni7G41",
"enumValues" : "w5Ni7G41",
"generatorId" : "w5Ni7G41",
"id" : "",
"inactive" : false,
"initScriptName" : "w5Ni7G41",
"lock" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"resourceName" : "w5Ni7G41",
"scripts" : [ {
"body" : "w5Ni7G41",
"deleteEndPoint" : "w5Ni7G41",
"endpoint" : "w5Ni7G41",
"resourceName" : "w5Ni7G41",
"scriptName" : "w5Ni7G41",
"scriptType" : "w5Ni7G41",
"sequence" : "2073214577",
"userAuth" : "w5Ni7G41",
"validationScript" : false
} ],
"typeThreeCreateEndpoint" : "w5Ni7G41",
"validations" : [ {
"body" : "w5Ni7G41",
"endpoint" : "w5Ni7G41",
"inactive" : false,
"lock" : false,
"path" : "w5Ni7G41",
"userAuth" : "w5Ni7G41",
"validationType" : "w5Ni7G41"
} ],
"version" : ""
}
Response :
{
"requestId" : "None",
"requestTime" : "2019-03-20T10:47:10.569+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Resource name or key already exists."
} ],
"data" : null,
"totalPages" : 0,
"totalElements" : 0
}
Logs :
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/abac]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1] : Request [{
"createBody" : "mxarE1n4",
"createEndpoint" : "mxarE1n4",
"createUserAuth" : "mxarE1n4",
"createdBy" : "",
"createdDate" : "",
"deleteEndpoint" : "mxarE1n4",
"enumValues" : "mxarE1n4",
"generatorId" : "mxarE1n4",
"id" : "",
"inactive" : false,
"initScriptName" : "mxarE1n4",
"lock" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"resourceName" : "mxarE1n4",
"typeThreeCreateEndpoint" : "mxarE1n4",
"version" : ""
}]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1] : Response [{
"requestId" : "None",
"requestTime" : "2019-03-20T10:47:08.995+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Resource name or key already exists."
} ],
"data" : null,
"totalPages" : 0,
"totalElements" : 0
}]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmNmZWVlZjUtYTg3Ny00NWUyLWI3ZjYtNWQ0OTRmMTg5NmUw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:08 GMT]}]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1] : StatusCode [200]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1] : Time [1568]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1] : Size [210]
2019-03-20 10:47:09 INFO [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [200 == 200 OR 200 == 201] result [Passed]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmNmZWVlZjUtYTg3Ny00NWUyLWI3ZjYtNWQ0OTRmMTg5NmUw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:08 GMT]}]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmNmZWVlZjUtYTg3Ny00NWUyLWI3ZjYtNWQ0OTRmMTg5NmUw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:08 GMT]}]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmNmZWVlZjUtYTg3Ny00NWUyLWI3ZjYtNWQ0OTRmMTg5NmUw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:08 GMT]}]
2019-03-20 10:47:09 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmNmZWVlZjUtYTg3Ny00NWUyLWI3ZjYtNWQ0OTRmMTg5NmUw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:08 GMT]}]
2019-03-20 10:47:10 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/abac]
2019-03-20 10:47:10 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Method [POST]
2019-03-20 10:47:10 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Request [{
"createBody" : "w5Ni7G41",
"createEndpoint" : "w5Ni7G41",
"createUserAuth" : "w5Ni7G41",
"createdBy" : "",
"createdDate" : "",
"deleteEndpoint" : "w5Ni7G41",
"enumValues" : "w5Ni7G41",
"generatorId" : "w5Ni7G41",
"id" : "",
"inactive" : false,
"initScriptName" : "w5Ni7G41",
"lock" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"resourceName" : "w5Ni7G41",
"scripts" : [ {
"body" : "w5Ni7G41",
"deleteEndPoint" : "w5Ni7G41",
"endpoint" : "w5Ni7G41",
"resourceName" : "w5Ni7G41",
"scriptName" : "w5Ni7G41",
"scriptType" : "w5Ni7G41",
"sequence" : "2073214577",
"userAuth" : "w5Ni7G41",
"validationScript" : false
} ],
"typeThreeCreateEndpoint" : "w5Ni7G41",
"validations" : [ {
"body" : "w5Ni7G41",
"endpoint" : "w5Ni7G41",
"inactive" : false,
"lock" : false,
"path" : "w5Ni7G41",
"userAuth" : "w5Ni7G41",
"validationType" : "w5Ni7G41"
} ],
"version" : ""
}]
2019-03-20 10:47:10 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:47:10 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Response [{
"requestId" : "None",
"requestTime" : "2019-03-20T10:47:10.569+0000",
"errors" : true,
"messages" : [ {
"type" : "ERROR",
"key" : "",
"value" : "Resource name or key already exists."
} ],
"data" : null,
"totalPages" : 0,
"totalElements" : 0
}]
2019-03-20 10:47:10 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWZmMDRlNjEtNzk1MS00ZmUxLTlmZGYtMGNhMjJlYjc4MmM5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:10 GMT]}]
2019-03-20 10:47:10 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : StatusCode [200]
2019-03-20 10:47:10 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Time [1582]
2019-03-20 10:47:10 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Size [210]
2019-03-20 10:47:10 ERROR [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
2019-03-20 10:47:12 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : URL [http://13.56.210.25/api/v1/abac/]
2019-03-20 10:47:12 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Method [DELETE]
2019-03-20 10:47:12 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request [null]
2019-03-20 10:47:12 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:47:12 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response [{
"timestamp" : "2019-03-20T10:47:12.025+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/abac/"
}]
2019-03-20 10:47:12 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response-Headers [{Allow=[GET, PUT, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MWI5ZGUxZWUtNDRlMi00ZTA4LWJiOGYtMzMyNmViZmYxMTQ3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:11 GMT]}]
2019-03-20 10:47:12 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : StatusCode [405]
2019-03-20 10:47:12 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Time [1442]
2019-03-20 10:47:12 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Size [159]
2019-03-20 10:47:12 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1AbacPostAbacresourceuserbDisallowHijack1
Run Id : 8a808011699a990101699ab0f9761b20
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 200
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTBlNjdhOWYtOGU2Ni00ODVlLWIyMjUtNzRhNzhmMmQwYmMy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}
Endpoint : http://13.56.210.25/api/v1/abac
Request :
{ "createBody" : "9MLD26nF", "createEndpoint" : "9MLD26nF", "createUserAuth" : "9MLD26nF", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "9MLD26nF", "enumValues" : "9MLD26nF", "generatorId" : "9MLD26nF", "id" : "", "inactive" : false, "initScriptName" : "9MLD26nF", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "9MLD26nF", "scripts" : [ { "body" : "9MLD26nF", "deleteEndPoint" : "9MLD26nF", "endpoint" : "9MLD26nF", "resourceName" : "9MLD26nF", "scriptName" : "9MLD26nF", "scriptType" : "9MLD26nF", "sequence" : "742320460", "userAuth" : "9MLD26nF", "validationScript" : false } ], "typeThreeCreateEndpoint" : "9MLD26nF", "validations" : [ { "body" : "9MLD26nF", "endpoint" : "9MLD26nF", "inactive" : false, "lock" : false, "path" : "9MLD26nF", "userAuth" : "9MLD26nF", "validationType" : "9MLD26nF" } ], "version" : "" }
Response :
{ "requestId" : "None", "requestTime" : "2019-03-20T10:41:47.837+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }
Logs :
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/abac]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1] : Request [{ "createBody" : "577oMBpF", "createEndpoint" : "577oMBpF", "createUserAuth" : "577oMBpF", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "577oMBpF", "enumValues" : "577oMBpF", "generatorId" : "577oMBpF", "id" : "", "inactive" : false, "initScriptName" : "577oMBpF", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "577oMBpF", "typeThreeCreateEndpoint" : "577oMBpF", "version" : "" }]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:41:47.201+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTgxYzA0ZWUtYjZmOC00NzgxLWI4MTItNzRmYjJiOTdlZTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1] : StatusCode [200]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1] : Time [498]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1] : Size [210]
2019-03-20 10:41:47 INFO [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [200 == 200 OR 200 == 201] result [Passed]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTgxYzA0ZWUtYjZmOC00NzgxLWI4MTItNzRmYjJiOTdlZTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTgxYzA0ZWUtYjZmOC00NzgxLWI4MTItNzRmYjJiOTdlZTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTgxYzA0ZWUtYjZmOC00NzgxLWI4MTItNzRmYjJiOTdlZTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}]
2019-03-20 10:41:47 DEBUG [AbacResourceCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTgxYzA0ZWUtYjZmOC00NzgxLWI4MTItNzRmYjJiOTdlZTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}]
2019-03-20 10:41:47 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/abac]
2019-03-20 10:41:47 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Method [POST]
2019-03-20 10:41:47 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Request [{ "createBody" : "9MLD26nF", "createEndpoint" : "9MLD26nF", "createUserAuth" : "9MLD26nF", "createdBy" : "", "createdDate" : "", "deleteEndpoint" : "9MLD26nF", "enumValues" : "9MLD26nF", "generatorId" : "9MLD26nF", "id" : "", "inactive" : false, "initScriptName" : "9MLD26nF", "lock" : false, "modifiedBy" : "", "modifiedDate" : "", "resourceName" : "9MLD26nF", "scripts" : [ { "body" : "9MLD26nF", "deleteEndPoint" : "9MLD26nF", "endpoint" : "9MLD26nF", "resourceName" : "9MLD26nF", "scriptName" : "9MLD26nF", "scriptType" : "9MLD26nF", "sequence" : "742320460", "userAuth" : "9MLD26nF", "validationScript" : false } ], "typeThreeCreateEndpoint" : "9MLD26nF", "validations" : [ { "body" : "9MLD26nF", "endpoint" : "9MLD26nF", "inactive" : false, "lock" : false, "path" : "9MLD26nF", "userAuth" : "9MLD26nF", "validationType" : "9MLD26nF" } ], "version" : "" }]
2019-03-20 10:41:47 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:47 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Response [{ "requestId" : "None", "requestTime" : "2019-03-20T10:41:47.837+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
2019-03-20 10:41:47 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTBlNjdhOWYtOGU2Ni00ODVlLWIyMjUtNzRhNzhmMmQwYmMy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}]
2019-03-20 10:41:47 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : StatusCode [200]
2019-03-20 10:41:47 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Time [571]
2019-03-20 10:41:47 DEBUG [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Size [210]
2019-03-20 10:41:47 ERROR [ApiV1AbacPostAbacresourceuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [200 == 401 OR 200 == 403] result [Failed]
2019-03-20 10:41:48 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : URL [http://13.56.210.25/api/v1/abac/]
2019-03-20 10:41:48 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Method [DELETE]
2019-03-20 10:41:48 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request [null]
2019-03-20 10:41:48 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:48 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response [{ "timestamp" : "2019-03-20T10:41:48.312+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/abac/" }]
2019-03-20 10:41:48 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Response-Headers [{Allow=[GET, PUT, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDU4NWM1NzMtNjYyOC00ZmU4LWEwNjktMTg5OTZlNmYzMTIy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}]
2019-03-20 10:41:48 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : StatusCode [405]
2019-03-20 10:41:48 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Time [485]
2019-03-20 10:41:48 DEBUG [ApiV1AbacIdDeleteAbacresourcehijack1] : Size [159]
2019-03-20 10:41:48 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---