Open asriz7777 opened 5 years ago
Project : FXABAC TEST
Template : ApiV1SkillsPostSkilluserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 400
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGZlM2U5MTktMjY3NC00Njg5LWJkZDgtY2I5MTA4ZDcxMGQ0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:44 GMT]}
Endpoint : http://13.56.210.25/api/v1/skills
Request :
{
"accessKey" : "fkx3RYL3",
"createdBy" : "",
"createdDate" : "",
"description" : "fkx3RYL3",
"host" : "fkx3RYL3",
"id" : "",
"inactive" : false,
"key" : "fkx3RYL3",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "fkx3RYL3",
"opts" : [ {
"id" : "",
"label" : "fkx3RYL3",
"mandatory" : false,
"value" : "fkx3RYL3"
} ],
"org" : "",
"prop1" : "fkx3RYL3",
"prop2" : "fkx3RYL3",
"prop3" : "fkx3RYL3",
"prop4" : "fkx3RYL3",
"prop5" : "fkx3RYL3",
"secretKey" : "fkx3RYL3",
"skillType" : "VERSION_CONTROL",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:44:44.543+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}
Logs :
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "DDWdy3zM",
"company" : "Gislason, Gislason and Gislason",
"createdBy" : "",
"createdDate" : "",
"description" : "DDWdy3zM",
"id" : "",
"inactive" : false,
"location" : "DDWdy3zM",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "DDWdy3zM",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:41.723+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OGIxNDNiZGUtYzllYS00MTlmLTlkMjktNDI0YTc1MjQ4NWI1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:41 GMT]}]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1] : Time [823]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:44:41 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OGIxNDNiZGUtYzllYS00MTlmLTlkMjktNDI0YTc1MjQ4NWI1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:41 GMT]}]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OGIxNDNiZGUtYzllYS00MTlmLTlkMjktNDI0YTc1MjQ4NWI1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:41 GMT]}]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OGIxNDNiZGUtYzllYS00MTlmLTlkMjktNDI0YTc1MjQ4NWI1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:41 GMT]}]
2019-03-20 10:44:41 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OGIxNDNiZGUtYzllYS00MTlmLTlkMjktNDI0YTc1MjQ4NWI1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:41 GMT]}]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/skills]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1] : Request [{
"accessKey" : "BoFlfvMX",
"createdBy" : "",
"createdDate" : "",
"description" : "BoFlfvMX",
"host" : "BoFlfvMX",
"id" : "",
"inactive" : false,
"key" : "BoFlfvMX",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "BoFlfvMX",
"org" : "",
"prop1" : "BoFlfvMX",
"prop2" : "BoFlfvMX",
"prop3" : "BoFlfvMX",
"prop4" : "BoFlfvMX",
"prop5" : "BoFlfvMX",
"secretKey" : "BoFlfvMX",
"skillType" : "BOT_DEPLOYMENT",
"version" : ""
}]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:42.688+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 13, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjhlZmQ4ZmQtYTg3NS00ZjVkLWFjMjEtN2Q3MDQ1NDViYmU3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:42 GMT]}]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1] : StatusCode [400]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1] : Time [958]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1] : Size [716]
2019-03-20 10:44:42 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjhlZmQ4ZmQtYTg3NS00ZjVkLWFjMjEtN2Q3MDQ1NDViYmU3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:42 GMT]}]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjhlZmQ4ZmQtYTg3NS00ZjVkLWFjMjEtN2Q3MDQ1NDViYmU3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:42 GMT]}]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjhlZmQ4ZmQtYTg3NS00ZjVkLWFjMjEtN2Q3MDQ1NDViYmU3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:42 GMT]}]
2019-03-20 10:44:42 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjhlZmQ4ZmQtYTg3NS00ZjVkLWFjMjEtN2Q3MDQ1NDViYmU3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:42 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1] : Request [{
"billingEmail" : "ppt5UXVy",
"company" : "Marquardt-Marquardt",
"createdBy" : "",
"createdDate" : "",
"description" : "ppt5UXVy",
"id" : "",
"inactive" : false,
"location" : "ppt5UXVy",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "ppt5UXVy",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:43.450+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTczZTc5NzUtMDg3NC00NGQ5LWFkZWItMTY1Nzc1OTczZTA5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:43 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1] : Time [700]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1] : Size [121]
2019-03-20 10:44:43 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTczZTc5NzUtMDg3NC00NGQ5LWFkZWItMTY1Nzc1OTczZTA5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:43 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTczZTc5NzUtMDg3NC00NGQ5LWFkZWItMTY1Nzc1OTczZTA5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:43 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTczZTc5NzUtMDg3NC00NGQ5LWFkZWItMTY1Nzc1OTczZTA5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:43 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTczZTc5NzUtMDg3NC00NGQ5LWFkZWItMTY1Nzc1OTczZTA5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:43 GMT]}]
2019-03-20 10:44:44 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/skills]
2019-03-20 10:44:44 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Method [POST]
2019-03-20 10:44:44 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Request [{
"accessKey" : "fkx3RYL3",
"createdBy" : "",
"createdDate" : "",
"description" : "fkx3RYL3",
"host" : "fkx3RYL3",
"id" : "",
"inactive" : false,
"key" : "fkx3RYL3",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "fkx3RYL3",
"opts" : [ {
"id" : "",
"label" : "fkx3RYL3",
"mandatory" : false,
"value" : "fkx3RYL3"
} ],
"org" : "",
"prop1" : "fkx3RYL3",
"prop2" : "fkx3RYL3",
"prop3" : "fkx3RYL3",
"prop4" : "fkx3RYL3",
"prop5" : "fkx3RYL3",
"secretKey" : "fkx3RYL3",
"skillType" : "VERSION_CONTROL",
"version" : ""
}]
2019-03-20 10:44:44 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:44 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:44.543+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}]
2019-03-20 10:44:44 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGZlM2U5MTktMjY3NC00Njg5LWJkZDgtY2I5MTA4ZDcxMGQ0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:44 GMT]}]
2019-03-20 10:44:44 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : StatusCode [400]
2019-03-20 10:44:44 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Time [1090]
2019-03-20 10:44:44 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Size [716]
2019-03-20 10:44:44 ERROR [ApiV1SkillsPostSkilluserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed]
2019-03-20 10:44:45 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : URL [http://13.56.210.25/api/v1/skills/]
2019-03-20 10:44:45 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Method [DELETE]
2019-03-20 10:44:45 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request [null]
2019-03-20 10:44:45 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:45 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response [{
"timestamp" : "2019-03-20T10:44:45.606+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/skills/"
}]
2019-03-20 10:44:45 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response-Headers [{Allow=[GET, POST, PUT], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2U4NWY2YTktZjZhMC00YjVhLWJkZWYtOGRhZGM2NzMwOGRk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:45 GMT]}]
2019-03-20 10:44:45 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : StatusCode [405]
2019-03-20 10:44:45 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Time [1069]
2019-03-20 10:44:45 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Size [161]
2019-03-20 10:44:45 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
2019-03-20 10:44:46 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:44:46 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:44:46 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:44:46 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:46 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:44:46.736+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:44:46 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjIxYWFjOGUtOTc0Ni00OTQ0LTkyZWYtYjc1NGZhNjRkMDRi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:46 GMT]}]
2019-03-20 10:44:46 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:44:46 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1123]
2019-03-20 10:44:46 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:44:46 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1SkillsPostSkilluserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 400
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YmQ3NDlhZjItZTQ2Yi00NGVkLWFiNzQtNzI3ZGI4MGJlZGRi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:49 GMT]}
Endpoint : http://13.56.210.25/api/v1/skills
Request :
{
"accessKey" : "oFUer9Yr",
"createdBy" : "",
"createdDate" : "",
"description" : "oFUer9Yr",
"host" : "oFUer9Yr",
"id" : "",
"inactive" : false,
"key" : "oFUer9Yr",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "oFUer9Yr",
"opts" : [ {
"id" : "",
"label" : "oFUer9Yr",
"mandatory" : false,
"value" : "oFUer9Yr"
} ],
"org" : "",
"prop1" : "oFUer9Yr",
"prop2" : "oFUer9Yr",
"prop3" : "oFUer9Yr",
"prop4" : "oFUer9Yr",
"prop5" : "oFUer9Yr",
"secretKey" : "oFUer9Yr",
"skillType" : "VERSION_CONTROL",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:45:50.642+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}
Logs :
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "sBt3ZFrk",
"company" : "Casper-Casper",
"createdBy" : "",
"createdDate" : "",
"description" : "sBt3ZFrk",
"id" : "",
"inactive" : false,
"location" : "sBt3ZFrk",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "sBt3ZFrk",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:45.735+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTYyMDlhYjUtZWY3NC00NzM3LWE2YzgtZTFkYTYyMTE2Yzk1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:45 GMT]}]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1] : Time [1593]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:45:45 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTYyMDlhYjUtZWY3NC00NzM3LWE2YzgtZTFkYTYyMTE2Yzk1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:45 GMT]}]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTYyMDlhYjUtZWY3NC00NzM3LWE2YzgtZTFkYTYyMTE2Yzk1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:45 GMT]}]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTYyMDlhYjUtZWY3NC00NzM3LWE2YzgtZTFkYTYyMTE2Yzk1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:45 GMT]}]
2019-03-20 10:45:45 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTYyMDlhYjUtZWY3NC00NzM3LWE2YzgtZTFkYTYyMTE2Yzk1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:45 GMT]}]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/skills]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1] : Request [{
"accessKey" : "pMFKMuHl",
"createdBy" : "",
"createdDate" : "",
"description" : "pMFKMuHl",
"host" : "pMFKMuHl",
"id" : "",
"inactive" : false,
"key" : "pMFKMuHl",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "pMFKMuHl",
"org" : "",
"prop1" : "pMFKMuHl",
"prop2" : "pMFKMuHl",
"prop3" : "pMFKMuHl",
"prop4" : "pMFKMuHl",
"prop5" : "pMFKMuHl",
"secretKey" : "pMFKMuHl",
"skillType" : "BOT_DEPLOYMENT",
"version" : ""
}]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:47.230+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 13, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2EyOThmM2ItNTY3Yy00NWRmLTlmMjgtOTE5ZWQzYzEyMTRk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:46 GMT]}]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1] : StatusCode [400]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1] : Time [1494]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1] : Size [716]
2019-03-20 10:45:47 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2EyOThmM2ItNTY3Yy00NWRmLTlmMjgtOTE5ZWQzYzEyMTRk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:46 GMT]}]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2EyOThmM2ItNTY3Yy00NWRmLTlmMjgtOTE5ZWQzYzEyMTRk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:46 GMT]}]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2EyOThmM2ItNTY3Yy00NWRmLTlmMjgtOTE5ZWQzYzEyMTRk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:46 GMT]}]
2019-03-20 10:45:47 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2EyOThmM2ItNTY3Yy00NWRmLTlmMjgtOTE5ZWQzYzEyMTRk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:46 GMT]}]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1] : Request [{
"billingEmail" : "mCoU59Up",
"company" : "Kunze-Kunze",
"createdBy" : "",
"createdDate" : "",
"description" : "mCoU59Up",
"id" : "",
"inactive" : false,
"location" : "mCoU59Up",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "mCoU59Up",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:48.946+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjgxMjZhNzAtNjQ2Yi00MjdlLThhMzEtMWM1MjAyNDI2YmE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:48 GMT]}]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1] : Time [1655]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1] : Size [121]
2019-03-20 10:45:48 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjgxMjZhNzAtNjQ2Yi00MjdlLThhMzEtMWM1MjAyNDI2YmE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:48 GMT]}]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjgxMjZhNzAtNjQ2Yi00MjdlLThhMzEtMWM1MjAyNDI2YmE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:48 GMT]}]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjgxMjZhNzAtNjQ2Yi00MjdlLThhMzEtMWM1MjAyNDI2YmE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:48 GMT]}]
2019-03-20 10:45:48 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjgxMjZhNzAtNjQ2Yi00MjdlLThhMzEtMWM1MjAyNDI2YmE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:48 GMT]}]
2019-03-20 10:45:50 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/skills]
2019-03-20 10:45:50 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Method [POST]
2019-03-20 10:45:50 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Request [{
"accessKey" : "oFUer9Yr",
"createdBy" : "",
"createdDate" : "",
"description" : "oFUer9Yr",
"host" : "oFUer9Yr",
"id" : "",
"inactive" : false,
"key" : "oFUer9Yr",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "oFUer9Yr",
"opts" : [ {
"id" : "",
"label" : "oFUer9Yr",
"mandatory" : false,
"value" : "oFUer9Yr"
} ],
"org" : "",
"prop1" : "oFUer9Yr",
"prop2" : "oFUer9Yr",
"prop3" : "oFUer9Yr",
"prop4" : "oFUer9Yr",
"prop5" : "oFUer9Yr",
"secretKey" : "oFUer9Yr",
"skillType" : "VERSION_CONTROL",
"version" : ""
}]
2019-03-20 10:45:50 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:50 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:50.642+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}]
2019-03-20 10:45:50 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YmQ3NDlhZjItZTQ2Yi00NGVkLWFiNzQtNzI3ZGI4MGJlZGRi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:49 GMT]}]
2019-03-20 10:45:50 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : StatusCode [400]
2019-03-20 10:45:50 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Time [1697]
2019-03-20 10:45:50 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Size [716]
2019-03-20 10:45:50 ERROR [ApiV1SkillsPostSkilluserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed]
2019-03-20 10:45:51 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : URL [http://13.56.210.25/api/v1/skills/]
2019-03-20 10:45:51 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Method [DELETE]
2019-03-20 10:45:51 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request [null]
2019-03-20 10:45:51 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:51 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response [{
"timestamp" : "2019-03-20T10:45:51.577+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/skills/"
}]
2019-03-20 10:45:51 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response-Headers [{Allow=[GET, POST, PUT], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MzMxNmQ0NWYtOWRkYS00ZDEyLWI5MDMtMTNjNmMxZTQ3Mjlj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:50 GMT]}]
2019-03-20 10:45:51 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : StatusCode [405]
2019-03-20 10:45:51 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Time [933]
2019-03-20 10:45:51 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Size [161]
2019-03-20 10:45:51 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
2019-03-20 10:45:52 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:45:52 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:45:52 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:45:52 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:52 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:45:52.774+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:45:52 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTI1OTdhYmYtOTIyZC00NDMwLWJmYTktZjY0MGI5NzhjZmVl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:52 GMT]}]
2019-03-20 10:45:52 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:45:52 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1195]
2019-03-20 10:45:52 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:45:52 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1SkillsPostSkilluserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 400
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ODA0ZjE1YTctZWY5NC00NGFiLThmODQtNTZmN2ExZjRlMTU0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:53 GMT]}
Endpoint : http://13.56.210.25/api/v1/skills
Request :
{
"accessKey" : "FT8Ff0Qc",
"createdBy" : "",
"createdDate" : "",
"description" : "FT8Ff0Qc",
"host" : "FT8Ff0Qc",
"id" : "",
"inactive" : false,
"key" : "FT8Ff0Qc",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "FT8Ff0Qc",
"opts" : [ {
"id" : "",
"label" : "FT8Ff0Qc",
"mandatory" : false,
"value" : "FT8Ff0Qc"
} ],
"org" : "",
"prop1" : "FT8Ff0Qc",
"prop2" : "FT8Ff0Qc",
"prop3" : "FT8Ff0Qc",
"prop4" : "FT8Ff0Qc",
"prop5" : "FT8Ff0Qc",
"secretKey" : "FT8Ff0Qc",
"skillType" : "VERSION_CONTROL",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:46:54.040+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}
Logs :
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "x0cpvaop",
"company" : "Kuphal, Kuphal and Kuphal",
"createdBy" : "",
"createdDate" : "",
"description" : "x0cpvaop",
"id" : "",
"inactive" : false,
"location" : "x0cpvaop",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "x0cpvaop",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:49.046+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzhlYWM0NDEtZmQ5ZS00NGFiLTkyMDgtYjIzNDU0NTIxYTA0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:49 GMT]}]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1] : Time [1328]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:46:49 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzhlYWM0NDEtZmQ5ZS00NGFiLTkyMDgtYjIzNDU0NTIxYTA0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:49 GMT]}]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzhlYWM0NDEtZmQ5ZS00NGFiLTkyMDgtYjIzNDU0NTIxYTA0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:49 GMT]}]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzhlYWM0NDEtZmQ5ZS00NGFiLTkyMDgtYjIzNDU0NTIxYTA0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:49 GMT]}]
2019-03-20 10:46:49 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzhlYWM0NDEtZmQ5ZS00NGFiLTkyMDgtYjIzNDU0NTIxYTA0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:49 GMT]}]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/skills]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1] : Request [{
"accessKey" : "U0rFPcVP",
"createdBy" : "",
"createdDate" : "",
"description" : "U0rFPcVP",
"host" : "U0rFPcVP",
"id" : "",
"inactive" : false,
"key" : "U0rFPcVP",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "U0rFPcVP",
"org" : "",
"prop1" : "U0rFPcVP",
"prop2" : "U0rFPcVP",
"prop3" : "U0rFPcVP",
"prop4" : "U0rFPcVP",
"prop5" : "U0rFPcVP",
"secretKey" : "U0rFPcVP",
"skillType" : "BOT_DEPLOYMENT",
"version" : ""
}]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:50.623+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 13, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2I0ZmFkZTMtY2IzYS00YTM1LTk4YTktMDhkNjc3Njg1ZjA0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:50 GMT]}]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1] : StatusCode [400]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1] : Time [1576]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1] : Size [716]
2019-03-20 10:46:50 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2I0ZmFkZTMtY2IzYS00YTM1LTk4YTktMDhkNjc3Njg1ZjA0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:50 GMT]}]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2I0ZmFkZTMtY2IzYS00YTM1LTk4YTktMDhkNjc3Njg1ZjA0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:50 GMT]}]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2I0ZmFkZTMtY2IzYS00YTM1LTk4YTktMDhkNjc3Njg1ZjA0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:50 GMT]}]
2019-03-20 10:46:50 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2I0ZmFkZTMtY2IzYS00YTM1LTk4YTktMDhkNjc3Njg1ZjA0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:50 GMT]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1] : Request [{
"billingEmail" : "7zLvXVdu",
"company" : "Bartell, Bartell and Bartell",
"createdBy" : "",
"createdDate" : "",
"description" : "7zLvXVdu",
"id" : "",
"inactive" : false,
"location" : "7zLvXVdu",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "7zLvXVdu",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:52.169+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YTM5ZTllZGEtYzBiMC00MGQ5LWFmNTYtY2U0ZmZjNTc5MzEx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:52 GMT]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1] : Time [1490]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1] : Size [121]
2019-03-20 10:46:52 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YTM5ZTllZGEtYzBiMC00MGQ5LWFmNTYtY2U0ZmZjNTc5MzEx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:52 GMT]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YTM5ZTllZGEtYzBiMC00MGQ5LWFmNTYtY2U0ZmZjNTc5MzEx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:52 GMT]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YTM5ZTllZGEtYzBiMC00MGQ5LWFmNTYtY2U0ZmZjNTc5MzEx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:52 GMT]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YTM5ZTllZGEtYzBiMC00MGQ5LWFmNTYtY2U0ZmZjNTc5MzEx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:52 GMT]}]
2019-03-20 10:46:54 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/skills]
2019-03-20 10:46:54 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Method [POST]
2019-03-20 10:46:54 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Request [{
"accessKey" : "FT8Ff0Qc",
"createdBy" : "",
"createdDate" : "",
"description" : "FT8Ff0Qc",
"host" : "FT8Ff0Qc",
"id" : "",
"inactive" : false,
"key" : "FT8Ff0Qc",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "FT8Ff0Qc",
"opts" : [ {
"id" : "",
"label" : "FT8Ff0Qc",
"mandatory" : false,
"value" : "FT8Ff0Qc"
} ],
"org" : "",
"prop1" : "FT8Ff0Qc",
"prop2" : "FT8Ff0Qc",
"prop3" : "FT8Ff0Qc",
"prop4" : "FT8Ff0Qc",
"prop5" : "FT8Ff0Qc",
"secretKey" : "FT8Ff0Qc",
"skillType" : "VERSION_CONTROL",
"version" : ""
}]
2019-03-20 10:46:54 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:54 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:54.040+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])",
"path" : "/api/v1/skills"
}]
2019-03-20 10:46:54 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ODA0ZjE1YTctZWY5NC00NGFiLThmODQtNTZmN2ExZjRlMTU0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:53 GMT]}]
2019-03-20 10:46:54 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : StatusCode [400]
2019-03-20 10:46:54 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Time [1869]
2019-03-20 10:46:54 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Size [716]
2019-03-20 10:46:54 ERROR [ApiV1SkillsPostSkilluserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed]
2019-03-20 10:46:55 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : URL [http://13.56.210.25/api/v1/skills/]
2019-03-20 10:46:55 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Method [DELETE]
2019-03-20 10:46:55 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request [null]
2019-03-20 10:46:55 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:55 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response [{
"timestamp" : "2019-03-20T10:46:55.208+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/skills/"
}]
2019-03-20 10:46:55 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response-Headers [{Allow=[GET, POST, PUT], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGVlYmRjOTctZTVhOS00OWRjLTg5YjMtNjM0ZTVmMGEyYTk0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:55 GMT]}]
2019-03-20 10:46:55 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : StatusCode [405]
2019-03-20 10:46:55 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Time [1168]
2019-03-20 10:46:55 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Size [161]
2019-03-20 10:46:55 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
2019-03-20 10:46:56 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:46:56 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:46:56 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:46:56 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:56 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:46:56.572+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:46:56 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGVlNGQxMDktNDFkMC00ZDlmLWE4OGMtYmRmMjljOWMyMmI1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:56 GMT]}]
2019-03-20 10:46:56 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:46:56 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1362]
2019-03-20 10:46:56 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:46:56 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1SkillsPostSkilluserbDisallowHijack1
Run Id : 8a808011699a990101699ab0f9761b20
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 400
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTQzNTJiNDYtYWRhNC00MTE5LWIzMDQtZGI2NmUwNzUyZjIy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}
Endpoint : http://13.56.210.25/api/v1/skills
Request :
{ "accessKey" : "4CcGtLAv", "createdBy" : "", "createdDate" : "", "description" : "4CcGtLAv", "host" : "4CcGtLAv", "id" : "", "inactive" : false, "key" : "4CcGtLAv", "modifiedBy" : "", "modifiedDate" : "", "name" : "4CcGtLAv", "opts" : [ { "id" : "", "label" : "4CcGtLAv", "mandatory" : false, "value" : "4CcGtLAv" } ], "org" : "", "prop1" : "4CcGtLAv", "prop2" : "4CcGtLAv", "prop3" : "4CcGtLAv", "prop4" : "4CcGtLAv", "prop5" : "4CcGtLAv", "secretKey" : "4CcGtLAv", "skillType" : "VERSION_CONTROL", "version" : "" }
Response :
{ "timestamp" : "2019-03-20T10:41:48.856+0000", "status" : 400, "error" : "Bad Request", "message" : "JSON parse error: Cannot construct instance of
com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])", "path" : "/api/v1/skills" }
Logs :
2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1] : Request [{ "billingEmail" : "zVgoDO7E", "company" : "McGlynn Inc", "createdBy" : "", "createdDate" : "", "description" : "zVgoDO7E", "id" : "", "inactive" : false, "location" : "zVgoDO7E", "modifiedBy" : "", "modifiedDate" : "", "name" : "zVgoDO7E", "orgPlan" : "TEAM", "orgType" : "ENTERPRISE", "version" : "" }] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:47.228+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs" }] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTM4MTJmNWYtMjMyZS00OTA2LWI5ZTYtNjkzNDRiNjkxZWQ3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1] : Time [608] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1] : Size [121] 2019-03-20 10:41:47 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], 
X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTM4MTJmNWYtMjMyZS00OTA2LWI5ZTYtNjkzNDRiNjkxZWQ3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTM4MTJmNWYtMjMyZS00OTA2LWI5ZTYtNjkzNDRiNjkxZWQ3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTM4MTJmNWYtMjMyZS00OTA2LWI5ZTYtNjkzNDRiNjkxZWQ3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}] 2019-03-20 10:41:47 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTM4MTJmNWYtMjMyZS00OTA2LWI5ZTYtNjkzNDRiNjkxZWQ3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/skills] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1] : Request [{ "accessKey" : "0IKriyhD", "createdBy" : "", "createdDate" : "", "description" : "0IKriyhD", "host" : "0IKriyhD", "id" : "", 
"inactive" : false, "key" : "0IKriyhD", "modifiedBy" : "", "modifiedDate" : "", "name" : "0IKriyhD", "org" : "", "prop1" : "0IKriyhD", "prop2" : "0IKriyhD", "prop3" : "0IKriyhD", "prop4" : "0IKriyhD", "prop5" : "0IKriyhD", "secretKey" : "0IKriyhD", "skillType" : "BOT_DEPLOYMENT", "version" : "" }] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:47.816+0000", "status" : 400, "error" : "Bad Request", "message" : "JSON parse error: Cannot construct instance of
com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 13, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])", "path" : "/api/v1/skills" }] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmY3OGVkOGYtOGZhOC00YTY3LWJmOWQtOTI1N2FjMGQxNjI1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1] : StatusCode [400] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1] : Time [551] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1] : Size [716] 2019-03-20 10:41:47 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmY3OGVkOGYtOGZhOC00YTY3LWJmOWQtOTI1N2FjMGQxNjI1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmY3OGVkOGYtOGZhOC00YTY3LWJmOWQtOTI1N2FjMGQxNjI1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], 
Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmY3OGVkOGYtOGZhOC00YTY3LWJmOWQtOTI1N2FjMGQxNjI1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}] 2019-03-20 10:41:47 DEBUG [SkillCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmY3OGVkOGYtOGZhOC00YTY3LWJmOWQtOTI1N2FjMGQxNjI1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:46 GMT]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1] : Method [POST] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1] : Request [{ "billingEmail" : "7CSdnRZg", "company" : "Ward, Ward and Ward", "createdBy" : "", "createdDate" : "", "description" : "7CSdnRZg", "id" : "", "inactive" : false, "location" : "7CSdnRZg", "modifiedBy" : "", "modifiedDate" : "", "name" : "7CSdnRZg", "orgPlan" : "TEAM", "orgType" : "ENTERPRISE", "version" : "" }] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:48.375+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs" }] 2019-03-20 10:41:48 DEBUG 
[OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTA2Zjk0NWItZmJkNy00YTdhLWI2OGItZTBlZGM0ZTYyNTQ2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1] : Time [498] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1] : Size [121] 2019-03-20 10:41:48 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTA2Zjk0NWItZmJkNy00YTdhLWI2OGItZTBlZGM0ZTYyNTQ2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTA2Zjk0NWItZmJkNy00YTdhLWI2OGItZTBlZGM0ZTYyNTQ2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], 
Set-Cookie=[SESSION=NTA2Zjk0NWItZmJkNy00YTdhLWI2OGItZTBlZGM0ZTYyNTQ2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTA2Zjk0NWItZmJkNy00YTdhLWI2OGItZTBlZGM0ZTYyNTQ2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/skills] 2019-03-20 10:41:48 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Method [POST] 2019-03-20 10:41:48 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Request [{ "accessKey" : "4CcGtLAv", "createdBy" : "", "createdDate" : "", "description" : "4CcGtLAv", "host" : "4CcGtLAv", "id" : "", "inactive" : false, "key" : "4CcGtLAv", "modifiedBy" : "", "modifiedDate" : "", "name" : "4CcGtLAv", "opts" : [ { "id" : "", "label" : "4CcGtLAv", "mandatory" : false, "value" : "4CcGtLAv" } ], "org" : "", "prop1" : "4CcGtLAv", "prop2" : "4CcGtLAv", "prop3" : "4CcGtLAv", "prop4" : "4CcGtLAv", "prop5" : "4CcGtLAv", "secretKey" : "4CcGtLAv", "skillType" : "VERSION_CONTROL", "version" : "" }] 2019-03-20 10:41:48 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:48 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:48.856+0000", "status" : 400, "error" : "Bad Request", "message" : "JSON parse error: Cannot construct instance ofcom.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 19, column: 11] (through reference chain: com.fxlabs.fxt.dto.skills.Skill[\"org\"])", "path" : "/api/v1/skills" }] 2019-03-20 10:41:48 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTQzNTJiNDYtYWRhNC00MTE5LWIzMDQtZGI2NmUwNzUyZjIy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : StatusCode [400] 2019-03-20 10:41:48 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Time [504] 2019-03-20 10:41:48 DEBUG [ApiV1SkillsPostSkilluserbDisallowHijack1] : Size [716] 2019-03-20 10:41:48 ERROR [ApiV1SkillsPostSkilluserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed] 2019-03-20 10:41:49 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : URL [http://13.56.210.25/api/v1/skills/] 2019-03-20 10:41:49 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Method [DELETE] 2019-03-20 10:41:49 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request [null] 2019-03-20 10:41:49 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:49 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response [{ "timestamp" : "2019-03-20T10:41:49.484+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/skills/" }] 2019-03-20 10:41:49 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Response-Headers 
[{Allow=[GET, POST, PUT], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZjVhMWNhYWYtYjEzMy00MTZhLTk5ZjYtYmZkNzE0MmQ1NDMy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:48 GMT]}] 2019-03-20 10:41:49 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : StatusCode [405] 2019-03-20 10:41:49 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Time [604] 2019-03-20 10:41:49 DEBUG [ApiV1SkillsIdDeleteSkillhijack1] : Size [161] 2019-03-20 10:41:49 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed] 2019-03-20 10:41:50 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/] 2019-03-20 10:41:50 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE] 2019-03-20 10:41:50 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null] 2019-03-20 10:41:50 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:50 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{ "timestamp" : "2019-03-20T10:41:50.089+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/orgs/" }] 2019-03-20 10:41:50 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjdkYWM5NGMtZTYxMS00MzljLWI5NTYtNDFmZjg0YjlmNjM2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:49 GMT]}] 2019-03-20 10:41:50 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : 
StatusCode [405] 2019-03-20 10:41:50 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [603] 2019-03-20 10:41:50 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159] 2019-03-20 10:41:50 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]--- FX Bot ---