Project : FXABAC TEST
Template : ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail (the target step's assertion expected status 401 or 403 but observed 400; see the ERROR line for ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1 under Logs)
Status Code : 400
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MGFiN2ZlMTQtM2YyMi00MTk3LTg3NTQtNTBjMGY1NTRiYWVi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:46 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/addUserToOrg
Request :
{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "WRITE",
"status" : "ACTIVE",
"userType" : "DEFAULT",
"users" : "",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:44:47.100+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])",
"path" : "/api/v1/users/addUserToOrg"
}
Logs :
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Altenwerth and Sons",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "bernadette.hirthe@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "National Designer",
"location" : "Y9surNIf",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "Y9surNIf",
"password" : "Y9surNIf",
"username" : "owen.morissette",
"version" : ""
}]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:42.227+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmVmMGM0MmYtMmZjZS00NzJmLWE3OWMtZTM0YjQyZDRlMmRj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:41 GMT]}]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1] : Time [909]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:44:42 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmVmMGM0MmYtMmZjZS00NzJmLWE3OWMtZTM0YjQyZDRlMmRj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:41 GMT]}]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmVmMGM0MmYtMmZjZS00NzJmLWE3OWMtZTM0YjQyZDRlMmRj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:41 GMT]}]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmVmMGM0MmYtMmZjZS00NzJmLWE3OWMtZTM0YjQyZDRlMmRj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:41 GMT]}]
2019-03-20 10:44:42 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZmVmMGM0MmYtMmZjZS00NzJmLWE3OWMtZTM0YjQyZDRlMmRj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:41 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "U1yPRvqp",
"company" : "Harvey, Harvey and Harvey",
"createdBy" : "",
"createdDate" : "",
"description" : "U1yPRvqp",
"id" : "",
"inactive" : false,
"location" : "U1yPRvqp",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "U1yPRvqp",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:43.081+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTU2OTkyZmEtNGE1ZC00ZmVjLTlhYTMtNDMxZjYxYjg1ZTcw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:42 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1] : Time [803]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:44:43 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTU2OTkyZmEtNGE1ZC00ZmVjLTlhYTMtNDMxZjYxYjg1ZTcw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:42 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTU2OTkyZmEtNGE1ZC00ZmVjLTlhYTMtNDMxZjYxYjg1ZTcw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:42 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTU2OTkyZmEtNGE1ZC00ZmVjLTlhYTMtNDMxZjYxYjg1ZTcw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:42 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTU2OTkyZmEtNGE1ZC00ZmVjLTlhYTMtNDMxZjYxYjg1ZTcw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:42 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/addUserToOrg]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1] : Request [{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "ADMIN",
"status" : "INACTIVE",
"userType" : "MANAGED",
"users" : "",
"version" : ""
}]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:43.805+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])",
"path" : "/api/v1/users/addUserToOrg"
}]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDZiMTE2ZmItOTM5NC00OTI3LTk0YmEtZTI1ODI2MjhlOGFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:43 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1] : StatusCode [400]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1] : Time [720]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1] : Size [729]
2019-03-20 10:44:43 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDZiMTE2ZmItOTM5NC00OTI3LTk0YmEtZTI1ODI2MjhlOGFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:43 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDZiMTE2ZmItOTM5NC00OTI3LTk0YmEtZTI1ODI2MjhlOGFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:43 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDZiMTE2ZmItOTM5NC00OTI3LTk0YmEtZTI1ODI2MjhlOGFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:43 GMT]}]
2019-03-20 10:44:43 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZDZiMTE2ZmItOTM5NC00OTI3LTk0YmEtZTI1ODI2MjhlOGFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:43 GMT]}]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1] : Request [{
"billingEmail" : "NtDjg1lL",
"company" : "Prohaska-Prohaska",
"createdBy" : "",
"createdDate" : "",
"description" : "NtDjg1lL",
"id" : "",
"inactive" : false,
"location" : "NtDjg1lL",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "NtDjg1lL",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:44.890+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTIwMWQxMDgtOWYyNy00YjQ1LWIxMDAtMGU4NDVhNmI4ZDFj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:44 GMT]}]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1] : Time [1034]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1] : Size [121]
2019-03-20 10:44:44 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTIwMWQxMDgtOWYyNy00YjQ1LWIxMDAtMGU4NDVhNmI4ZDFj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:44 GMT]}]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTIwMWQxMDgtOWYyNy00YjQ1LWIxMDAtMGU4NDVhNmI4ZDFj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:44 GMT]}]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTIwMWQxMDgtOWYyNy00YjQ1LWIxMDAtMGU4NDVhNmI4ZDFj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:44 GMT]}]
2019-03-20 10:44:44 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTIwMWQxMDgtOWYyNy00YjQ1LWIxMDAtMGU4NDVhNmI4ZDFj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:44 GMT]}]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Treutel and Sons",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "bryana.johnson@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Sales Agent",
"location" : "zWApavXr",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "zWApavXr",
"password" : "zWApavXr",
"username" : "colin.larson",
"version" : ""
}]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:46.291+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjYyY2Y5ZDUtNzhjNC00ZTYzLWI2ZWEtODFlNDYxNzNkNGYy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:45 GMT]}]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1] : Time [1080]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1] : Size [141]
2019-03-20 10:44:46 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjYyY2Y5ZDUtNzhjNC00ZTYzLWI2ZWEtODFlNDYxNzNkNGYy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:45 GMT]}]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjYyY2Y5ZDUtNzhjNC00ZTYzLWI2ZWEtODFlNDYxNzNkNGYy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:45 GMT]}]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjYyY2Y5ZDUtNzhjNC00ZTYzLWI2ZWEtODFlNDYxNzNkNGYy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:45 GMT]}]
2019-03-20 10:44:46 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjYyY2Y5ZDUtNzhjNC00ZTYzLWI2ZWEtODFlNDYxNzNkNGYy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:45 GMT]}]
2019-03-20 10:44:47 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/addUserToOrg]
2019-03-20 10:44:47 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:44:47 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Request [{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "WRITE",
"status" : "ACTIVE",
"userType" : "DEFAULT",
"users" : "",
"version" : ""
}]
2019-03-20 10:44:47 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:47 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:47.100+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])",
"path" : "/api/v1/users/addUserToOrg"
}]
2019-03-20 10:44:47 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MGFiN2ZlMTQtM2YyMi00MTk3LTg3NTQtNTBjMGY1NTRiYWVi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:46 GMT]}]
2019-03-20 10:44:47 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : StatusCode [400]
2019-03-20 10:44:47 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Time [808]
2019-03-20 10:44:47 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Size [729]
2019-03-20 10:44:47 ERROR [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed]
2019-03-20 10:44:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:44:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:44:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:44:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:44:48.246+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:44:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTBkZmM0MDEtMDBkOC00ODVmLWFkOWYtYjUzYWFhNWE5MWU3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:47 GMT]}]
2019-03-20 10:44:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:44:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1145]
2019-03-20 10:44:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:44:48 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 400
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjY5NTBlNGUtM2FkNS00MzI5LWI0M2ItYTllNDdmNmU4YTFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:34 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/addUserToOrg
Request :
{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "WRITE",
"status" : "ACTIVE",
"userType" : "DEFAULT",
"users" : "",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:45:34.609+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])",
"path" : "/api/v1/users/addUserToOrg"
}
Logs :
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Collier, Collier and Collier",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "danial.corwin@yahoo.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Investor Agent",
"location" : "swm5BMGa",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "swm5BMGa",
"password" : "swm5BMGa",
"username" : "madelyn.schiller",
"version" : ""
}]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:28.658+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmQ4Nzc2MWEtOWQ3Yy00YzA0LWI1ZDUtOTcwNGMxMmUxNjcy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:28 GMT]}]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1] : Time [1244]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:45:28 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmQ4Nzc2MWEtOWQ3Yy00YzA0LWI1ZDUtOTcwNGMxMmUxNjcy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:28 GMT]}]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmQ4Nzc2MWEtOWQ3Yy00YzA0LWI1ZDUtOTcwNGMxMmUxNjcy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:28 GMT]}]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmQ4Nzc2MWEtOWQ3Yy00YzA0LWI1ZDUtOTcwNGMxMmUxNjcy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:28 GMT]}]
2019-03-20 10:45:28 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmQ4Nzc2MWEtOWQ3Yy00YzA0LWI1ZDUtOTcwNGMxMmUxNjcy; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:28 GMT]}]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "VRVf48vo",
"company" : "Lowe-Lowe",
"createdBy" : "",
"createdDate" : "",
"description" : "VRVf48vo",
"id" : "",
"inactive" : false,
"location" : "VRVf48vo",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "VRVf48vo",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:29.775+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjNjYzhjMTItM2I0OS00ZjMyLWIzYzItNmE0YTVjNWE3ZmUw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:29 GMT]}]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1] : Time [1060]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:45:29 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjNjYzhjMTItM2I0OS00ZjMyLWIzYzItNmE0YTVjNWE3ZmUw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:29 GMT]}]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjNjYzhjMTItM2I0OS00ZjMyLWIzYzItNmE0YTVjNWE3ZmUw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:29 GMT]}]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjNjYzhjMTItM2I0OS00ZjMyLWIzYzItNmE0YTVjNWE3ZmUw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:29 GMT]}]
2019-03-20 10:45:29 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjNjYzhjMTItM2I0OS00ZjMyLWIzYzItNmE0YTVjNWE3ZmUw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:29 GMT]}]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/addUserToOrg]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1] : Request [{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "ADMIN",
"status" : "INACTIVE",
"userType" : "MANAGED",
"users" : "",
"version" : ""
}]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:30.484+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])",
"path" : "/api/v1/users/addUserToOrg"
}]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q2YTM3YzQtNzE3Ny00NzZhLThmNzEtNDVmZDMwY2U3Yzcz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:30 GMT]}]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1] : StatusCode [400]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1] : Time [709]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1] : Size [729]
2019-03-20 10:45:30 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q2YTM3YzQtNzE3Ny00NzZhLThmNzEtNDVmZDMwY2U3Yzcz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:30 GMT]}]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q2YTM3YzQtNzE3Ny00NzZhLThmNzEtNDVmZDMwY2U3Yzcz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:30 GMT]}]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q2YTM3YzQtNzE3Ny00NzZhLThmNzEtNDVmZDMwY2U3Yzcz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:30 GMT]}]
2019-03-20 10:45:30 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2Q2YTM3YzQtNzE3Ny00NzZhLThmNzEtNDVmZDMwY2U3Yzcz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:30 GMT]}]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1] : Request [{
"billingEmail" : "rxbZxq8X",
"company" : "Koch, Koch and Koch",
"createdBy" : "",
"createdDate" : "",
"description" : "rxbZxq8X",
"id" : "",
"inactive" : false,
"location" : "rxbZxq8X",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "rxbZxq8X",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:31.587+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzgwMGYwOGYtMjI4ZS00NDI1LTkyOTktM2JiNWU3NzZjNTYw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:31 GMT]}]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1] : Time [1027]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1] : Size [121]
2019-03-20 10:45:31 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzgwMGYwOGYtMjI4ZS00NDI1LTkyOTktM2JiNWU3NzZjNTYw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:31 GMT]}]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzgwMGYwOGYtMjI4ZS00NDI1LTkyOTktM2JiNWU3NzZjNTYw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:31 GMT]}]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzgwMGYwOGYtMjI4ZS00NDI1LTkyOTktM2JiNWU3NzZjNTYw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:31 GMT]}]
2019-03-20 10:45:31 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzgwMGYwOGYtMjI4ZS00NDI1LTkyOTktM2JiNWU3NzZjNTYw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:31 GMT]}]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Altenwerth-Altenwerth",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "mason.kohler@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "International Hospitality Orchestrator",
"location" : "b8tpabm3",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "b8tpabm3",
"password" : "b8tpabm3",
"username" : "geovany.sawayn",
"version" : ""
}]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:33.248+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTgwZjY1YTEtOGFhMi00YzhiLTgzNmYtYmFmN2UwZjE0MjA1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:32 GMT]}]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1] : Time [1427]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1] : Size [141]
2019-03-20 10:45:33 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTgwZjY1YTEtOGFhMi00YzhiLTgzNmYtYmFmN2UwZjE0MjA1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:32 GMT]}]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTgwZjY1YTEtOGFhMi00YzhiLTgzNmYtYmFmN2UwZjE0MjA1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:32 GMT]}]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTgwZjY1YTEtOGFhMi00YzhiLTgzNmYtYmFmN2UwZjE0MjA1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:32 GMT]}]
2019-03-20 10:45:33 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTgwZjY1YTEtOGFhMi00YzhiLTgzNmYtYmFmN2UwZjE0MjA1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:32 GMT]}]
2019-03-20 10:45:34 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/addUserToOrg]
2019-03-20 10:45:34 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:45:34 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Request [{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "WRITE",
"status" : "ACTIVE",
"userType" : "DEFAULT",
"users" : "",
"version" : ""
}]
2019-03-20 10:45:34 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:34 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:34.609+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])",
"path" : "/api/v1/users/addUserToOrg"
}]
2019-03-20 10:45:34 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjY5NTBlNGUtM2FkNS00MzI5LWI0M2ItYTllNDdmNmU4YTFh; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:34 GMT]}]
2019-03-20 10:45:34 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : StatusCode [400]
2019-03-20 10:45:34 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Time [1358]
2019-03-20 10:45:34 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Size [729]
2019-03-20 10:45:34 ERROR [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed]
2019-03-20 10:45:36 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:45:36 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:45:36 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:45:36 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:36 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:45:36.080+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:45:36 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OTQxNjJmMWYtMTBiNi00MmZmLThkYTgtNzE0ODQ4OTA1Zjg4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:35 GMT]}]
2019-03-20 10:45:36 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:45:36 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1470]
2019-03-20 10:45:36 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:45:36 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 400
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmZkYmY5MDMtMDQwYi00NDU1LTg1MzMtZmNiN2IyNzc2Yzc5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:58 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/addUserToOrg
Request :
{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "WRITE",
"status" : "ACTIVE",
"userType" : "DEFAULT",
"users" : "",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:46:59.234+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])",
"path" : "/api/v1/users/addUserToOrg"
}
Logs :
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Ziemann, Ziemann and Ziemann",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "darrick.kling@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Government Specialist",
"location" : "SNahjPVT",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "SNahjPVT",
"password" : "SNahjPVT",
"username" : "justina.koss",
"version" : ""
}]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:50.715+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTg0N2M1MzAtNzg3MS00N2FmLThhOGMtOTgzZDI4YzUxYzg0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:50 GMT]}]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1] : Time [1627]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:46:50 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTg0N2M1MzAtNzg3MS00N2FmLThhOGMtOTgzZDI4YzUxYzg0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:50 GMT]}]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTg0N2M1MzAtNzg3MS00N2FmLThhOGMtOTgzZDI4YzUxYzg0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:50 GMT]}]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTg0N2M1MzAtNzg3MS00N2FmLThhOGMtOTgzZDI4YzUxYzg0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:50 GMT]}]
2019-03-20 10:46:50 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTg0N2M1MzAtNzg3MS00N2FmLThhOGMtOTgzZDI4YzUxYzg0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:50 GMT]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "N1YMeuNf",
"company" : "Marquardt, Marquardt and Marquardt",
"createdBy" : "",
"createdDate" : "",
"description" : "N1YMeuNf",
"id" : "",
"inactive" : false,
"location" : "N1YMeuNf",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "N1YMeuNf",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:52.275+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTMwM2JmYWUtMzEwYS00YTI2LTgyYmEtZmMwMGNjMjFmZjlk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:52 GMT]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1] : Time [1503]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:46:52 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTMwM2JmYWUtMzEwYS00YTI2LTgyYmEtZmMwMGNjMjFmZjlk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:52 GMT]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTMwM2JmYWUtMzEwYS00YTI2LTgyYmEtZmMwMGNjMjFmZjlk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:52 GMT]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTMwM2JmYWUtMzEwYS00YTI2LTgyYmEtZmMwMGNjMjFmZjlk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:52 GMT]}]
2019-03-20 10:46:52 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZTMwM2JmYWUtMzEwYS00YTI2LTgyYmEtZmMwMGNjMjFmZjlk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:52 GMT]}]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/addUserToOrg]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1] : Request [{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "ADMIN",
"status" : "INACTIVE",
"userType" : "MANAGED",
"users" : "",
"version" : ""
}]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:54.122+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])",
"path" : "/api/v1/users/addUserToOrg"
}]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OThlMmY2NGYtY2M0ZC00ZDg4LTg2ZDItNjhkMDkzOTVlNGY4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:54 GMT]}]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1] : StatusCode [400]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1] : Time [1846]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1] : Size [729]
2019-03-20 10:46:54 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OThlMmY2NGYtY2M0ZC00ZDg4LTg2ZDItNjhkMDkzOTVlNGY4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:54 GMT]}]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OThlMmY2NGYtY2M0ZC00ZDg4LTg2ZDItNjhkMDkzOTVlNGY4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:54 GMT]}]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OThlMmY2NGYtY2M0ZC00ZDg4LTg2ZDItNjhkMDkzOTVlNGY4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:54 GMT]}]
2019-03-20 10:46:54 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OThlMmY2NGYtY2M0ZC00ZDg4LTg2ZDItNjhkMDkzOTVlNGY4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:54 GMT]}]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1] : Request [{
"billingEmail" : "XqiOBiVT",
"company" : "Abshire and Sons",
"createdBy" : "",
"createdDate" : "",
"description" : "XqiOBiVT",
"id" : "",
"inactive" : false,
"location" : "XqiOBiVT",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "XqiOBiVT",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:55.633+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzhkMGViNmMtODg4YS00M2MxLWFlNTUtNGJhNWUwODQyYzA2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:55 GMT]}]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1] : Time [1465]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1] : Size [121]
2019-03-20 10:46:55 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzhkMGViNmMtODg4YS00M2MxLWFlNTUtNGJhNWUwODQyYzA2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:55 GMT]}]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzhkMGViNmMtODg4YS00M2MxLWFlNTUtNGJhNWUwODQyYzA2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:55 GMT]}]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzhkMGViNmMtODg4YS00M2MxLWFlNTUtNGJhNWUwODQyYzA2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:55 GMT]}]
2019-03-20 10:46:55 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NzhkMGViNmMtODg4YS00M2MxLWFlNTUtNGJhNWUwODQyYzA2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:55 GMT]}]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1] : Method [POST]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Donnelly and Sons",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "joy.orn@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Consulting Orchestrator",
"location" : "C1uAfLCe",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "C1uAfLCe",
"password" : "C1uAfLCe",
"username" : "westley.keebler",
"version" : ""
}]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:57.539+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjA0NDIwZDctZDNkZC00NmEzLWJmZjItMGZlZjU2YWM2N2Ew; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:57 GMT]}]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1] : StatusCode [403]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1] : Time [1689]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1] : Size [141]
2019-03-20 10:46:57 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjA0NDIwZDctZDNkZC00NmEzLWJmZjItMGZlZjU2YWM2N2Ew; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:57 GMT]}]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjA0NDIwZDctZDNkZC00NmEzLWJmZjItMGZlZjU2YWM2N2Ew; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:57 GMT]}]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjA0NDIwZDctZDNkZC00NmEzLWJmZjItMGZlZjU2YWM2N2Ew; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:57 GMT]}]
2019-03-20 10:46:57 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjA0NDIwZDctZDNkZC00NmEzLWJmZjItMGZlZjU2YWM2N2Ew; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:57 GMT]}]
2019-03-20 10:46:59 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/addUserToOrg]
2019-03-20 10:46:59 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:46:59 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Request [{
"createdBy" : "",
"createdDate" : "",
"forceResetPwd" : false,
"id" : "",
"inactive" : false,
"modifiedBy" : "",
"modifiedDate" : "",
"org" : "",
"orgRole" : "WRITE",
"status" : "ACTIVE",
"userType" : "DEFAULT",
"users" : "",
"version" : ""
}]
2019-03-20 10:46:59 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:59 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:59.234+0000",
"status" : 400,
"error" : "Bad Request",
"message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])",
"path" : "/api/v1/users/addUserToOrg"
}]
2019-03-20 10:46:59 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmZkYmY5MDMtMDQwYi00NDU1LTg1MzMtZmNiN2IyNzc2Yzc5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:58 GMT]}]
2019-03-20 10:46:59 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : StatusCode [400]
2019-03-20 10:46:59 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Time [1691]
2019-03-20 10:46:59 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Size [729]
2019-03-20 10:46:59 ERROR [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed]
2019-03-20 10:47:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:47:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:47:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:47:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:47:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:47:00.366+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:47:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ODNmN2E1N2MtMWM5MS00NzRjLWEwZmQtMTAzNjRiODdjZDc2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:00 GMT]}]
2019-03-20 10:47:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:47:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1136]
2019-03-20 10:47:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:47:00 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab0f9761b20
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 400
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGRmOTk4NWEtMDE5NC00MGIxLTkxNWQtMDU1ZmEwNzdmMzcz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:49 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/addUserToOrg
Request :
{ "createdBy" : "", "createdDate" : "", "forceResetPwd" : false, "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "org" : "", "orgRole" : "WRITE", "status" : "ACTIVE", "userType" : "DEFAULT", "users" : "", "version" : "" }
Response :
{ "timestamp" : "2019-03-20T10:41:50.960+0000", "status" : 400, "error" : "Bad Request", "message" : "JSON parse error: Cannot construct instance of
com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])", "path" : "/api/v1/users/addUserToOrg" }
Logs :
2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up] 2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Ledner, Ledner and Ledner", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "sallie.sipes@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Dynamic Strategist", "location" : "0fxfRZX8", "modifiedBy" : "", "modifiedDate" : "", "name" : "0fxfRZX8", "password" : "0fxfRZX8", "username" : "reina.mcdermott", "version" : "" }] 2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:48.094+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }] 2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjQ1YjhlN2UtZDAzZi00YjM1LTkyZjAtNWM2YzcwNzYyODI0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403] 2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1] : Time [678] 2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1] : Size [141] 2019-03-20 10:41:48 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:48 DEBUG 
[UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjQ1YjhlN2UtZDAzZi00YjM1LTkyZjAtNWM2YzcwNzYyODI0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjQ1YjhlN2UtZDAzZi00YjM1LTkyZjAtNWM2YzcwNzYyODI0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjQ1YjhlN2UtZDAzZi00YjM1LTkyZjAtNWM2YzcwNzYyODI0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MjQ1YjhlN2UtZDAzZi00YjM1LTkyZjAtNWM2YzcwNzYyODI0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1] 
: Method [POST] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1] : Request [{ "billingEmail" : "TJJY82al", "company" : "Sanford-Sanford", "createdBy" : "", "createdDate" : "", "description" : "TJJY82al", "id" : "", "inactive" : false, "location" : "TJJY82al", "modifiedBy" : "", "modifiedDate" : "", "name" : "TJJY82al", "orgPlan" : "TEAM", "orgType" : "ENTERPRISE", "version" : "" }] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:48.726+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/orgs" }] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmY3NDAxNWItMmI1Ni00N2M2LTlhMjEtZDk1ZTU0Y2Y3NWM0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1] : Time [515] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1] : Size [121] 2019-03-20 10:41:48 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmY3NDAxNWItMmI1Ni00N2M2LTlhMjEtZDk1ZTU0Y2Y3NWM0; Path=/; HttpOnly], 
Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmY3NDAxNWItMmI1Ni00N2M2LTlhMjEtZDk1ZTU0Y2Y3NWM0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmY3NDAxNWItMmI1Ni00N2M2LTlhMjEtZDk1ZTU0Y2Y3NWM0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:48 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NmY3NDAxNWItMmI1Ni00N2M2LTlhMjEtZDk1ZTU0Y2Y3NWM0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:47 GMT]}] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/addUserToOrg] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1] : Method [POST] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1] : Request [{ "createdBy" : "", "createdDate" : "", "forceResetPwd" : false, "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "org" : "", "orgRole" : "ADMIN", "status" : "INACTIVE", "userType" : "MANAGED", 
"users" : "", "version" : "" }] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:49.325+0000", "status" : 400, "error" : "Bad Request", "message" : "JSON parse error: Cannot construct instance of
com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])", "path" : "/api/v1/users/addUserToOrg" }] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTE2ZGM5MWItNThhNy00OTY0LWFiMzEtNTNjZjVmNWUwMzg5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:48 GMT]}] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1] : StatusCode [400] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1] : Time [595] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1] : Size [729] 2019-03-20 10:41:49 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [400 == 200 OR 400 == 201] result [Failed] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTE2ZGM5MWItNThhNy00OTY0LWFiMzEtNTNjZjVmNWUwMzg5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:48 GMT]}] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTE2ZGM5MWItNThhNy00OTY0LWFiMzEtNTNjZjVmNWUwMzg5; Path=/; HttpOnly], 
Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:48 GMT]}] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTE2ZGM5MWItNThhNy00OTY0LWFiMzEtNTNjZjVmNWUwMzg5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:48 GMT]}] 2019-03-20 10:41:49 DEBUG [OrgUsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MTE2ZGM5MWItNThhNy00OTY0LWFiMzEtNTNjZjVmNWUwMzg5; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:48 GMT]}] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/orgs] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1] : Method [POST] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1] : Request [{ "billingEmail" : "exkdECcN", "company" : "Hartmann, Hartmann and Hartmann", "createdBy" : "", "createdDate" : "", "description" : "exkdECcN", "id" : "", "inactive" : false, "location" : "exkdECcN", "modifiedBy" : "", "modifiedDate" : "", "name" : "exkdECcN", "orgPlan" : "TEAM", "orgType" : "ENTERPRISE", "version" : "" }] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:49.758+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", 
"path" : "/api/v1/orgs" }] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjczZDM2MGEtMjE0ZC00ZmQwLThmZWUtZjdjNjRhNzQ4MDk0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:48 GMT]}] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1] : StatusCode [403] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1] : Time [373] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1] : Size [121] 2019-03-20 10:41:49 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjczZDM2MGEtMjE0ZC00ZmQwLThmZWUtZjdjNjRhNzQ4MDk0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:48 GMT]}] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjczZDM2MGEtMjE0ZC00ZmQwLThmZWUtZjdjNjRhNzQ4MDk0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:48 GMT]}] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], 
Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjczZDM2MGEtMjE0ZC00ZmQwLThmZWUtZjdjNjRhNzQ4MDk0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:48 GMT]}] 2019-03-20 10:41:49 DEBUG [OrgCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjczZDM2MGEtMjE0ZC00ZmQwLThmZWUtZjdjNjRhNzQ4MDk0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:48 GMT]}] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1] : Method [POST] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Feest Inc", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "chelsie.pollich@yahoo.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Dynamic Supervisor", "location" : "btFnvzz5", "modifiedBy" : "", "modifiedDate" : "", "name" : "btFnvzz5", "password" : "btFnvzz5", "username" : "domenick.murphy", "version" : "" }] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:50.380+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; 
mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZThkZjIyN2YtMTZkZS00NDY3LWE2MjUtN2Q5ZTQ1OTBlY2Vi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:49 GMT]}] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1] : StatusCode [403] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1] : Time [360] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1] : Size [141] 2019-03-20 10:41:50 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZThkZjIyN2YtMTZkZS00NDY3LWE2MjUtN2Q5ZTQ1OTBlY2Vi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:49 GMT]}] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZThkZjIyN2YtMTZkZS00NDY3LWE2MjUtN2Q5ZTQ1OTBlY2Vi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:49 GMT]}] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZThkZjIyN2YtMTZkZS00NDY3LWE2MjUtN2Q5ZTQ1OTBlY2Vi; Path=/; HttpOnly], 
Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:49 GMT]}] 2019-03-20 10:41:50 DEBUG [UsersCreateUserAInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZThkZjIyN2YtMTZkZS00NDY3LWE2MjUtN2Q5ZTQ1OTBlY2Vi; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:49 GMT]}] 2019-03-20 10:41:50 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/addUserToOrg] 2019-03-20 10:41:50 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Method [POST] 2019-03-20 10:41:50 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Request [{ "createdBy" : "", "createdDate" : "", "forceResetPwd" : false, "id" : "", "inactive" : false, "modifiedBy" : "", "modifiedDate" : "", "org" : "", "orgRole" : "WRITE", "status" : "ACTIVE", "userType" : "DEFAULT", "users" : "", "version" : "" }] 2019-03-20 10:41:50 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:50 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:50.960+0000", "status" : 400, "error" : "Bad Request", "message" : "JSON parse error: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value (''); nested exception is com.fasterxml.jackson.databind.exc.MismatchedInputException: Cannot construct instance of com.fxlabs.fxt.dto.base.NameDto
(although at least one Creator exists): no String-argument constructor/factory method to deserialize from String value ('')\n at [Source: (PushbackInputStream); line: 9, column: 11] (through reference chain: com.fxlabs.fxt.dto.users.OrgUsers[\"org\"])", "path" : "/api/v1/users/addUserToOrg" }] 2019-03-20 10:41:50 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGRmOTk4NWEtMDE5NC00MGIxLTkxNWQtMDU1ZmEwNzdmMzcz; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:49 GMT]}] 2019-03-20 10:41:50 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : StatusCode [400] 2019-03-20 10:41:50 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Time [571] 2019-03-20 10:41:50 DEBUG [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Size [729] 2019-03-20 10:41:50 ERROR [ApiV1UsersAddusertoorgPostOrgusersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [400 == 401 OR 400 == 403] result [Failed] 2019-03-20 10:41:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/] 2019-03-20 10:41:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE] 2019-03-20 10:41:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null] 2019-03-20 10:41:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}] 2019-03-20 10:41:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{ "timestamp" : "2019-03-20T10:41:51.470+0000", "status" : 405, "error" : "Method Not Allowed", "message" : "Request method 'DELETE' not supported", "path" : "/api/v1/orgs/" }] 2019-03-20 10:41:51 DEBUG 
[ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzhiM2E5OWEtOTVlMC00YTEyLTk5Y2MtMTQzYjExZjE0YjNm; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:51 GMT]}] 2019-03-20 10:41:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405] 2019-03-20 10:41:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [520] 2019-03-20 10:41:51 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159] 2019-03-20 10:41:51 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]

Reviewer note on this result: the "fail" here is a test-harness failure, not evidence of an access-control flaw. The 400 on POST /api/v1/users/addUserToOrg is a Jackson MismatchedInputException raised while binding the request body (reference chain OrgUsers["org"], line 9 column 11): the test sent `"org" : ""` (and `"users" : ""`) where the server expects a NameDto object. That error is produced before the handler that would decide whether user B may add a member to user A's org ever runs, so the assertion `@StatusCode == 401 OR @StatusCode == 403` is inconclusive rather than failed — the hijack check can only be judged once the request is well-formed and carries a real org id owned by user A. The setup step UsersCreateUserAInitHijack1 also returned 403 (assertion `200 OR 201` failed), so no org was created, which is why the teardown DELETE hit `/api/v1/orgs/` with an empty id and got 405 (Allow: GET, POST). Two hardening points are still visible in the log: the Request-Headers lines print the full `Authorization: Basic ...` header, and Basic credentials are base64, reversible — the test account's username:password is effectively disclosed in this issue and is being sent over plain http://, so it should be redacted from bot output and rotated; and the 400 body echoes internal class names (com.fxlabs.fxt.dto.base.NameDto, com.fxlabs.fxt.dto.users.OrgUsers) and raw Jackson exception text, which is a minor information leak that a generic "invalid request body" message would avoid.

--- FX Bot ---