Open asriz7777 opened 5 years ago
Project : FXABAC TEST
Template : ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Note : the DisallowHijack assertion itself passed (403 satisfied `@StatusCode == 401 OR @StatusCode == 403`); the run is marked fail because the UsersCreateUserBInitHijack1 setup step expected 200/201 and also received 403 while sending the same Authorization header, so this appears to be an inconclusive setup failure rather than a confirmed access-control defect.
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDNkYjllMTUtYzc1Ni00ODEwLTllYzAtMjI5NjA2NjYwNTk4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:49 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/enterprise-sign-up
Request :
{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Terry, Terry and Terry",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "jaycee.mills@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Forward Strategist",
"location" : "FkPETmCB",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "FkPETmCB",
"password" : "FkPETmCB",
"privileges" : [ "FkPETmCB" ],
"username" : "ashley.beahan",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:44:49.620+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}
Logs :
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Labadie LLC",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "providenci.macgyver@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Regional Hospitality Analyst",
"location" : "JYoLAn2d",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "JYoLAn2d",
"password" : "JYoLAn2d",
"username" : "gia.bradtke",
"version" : ""
}]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:48.088+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTk4MzkyZTItNGRlMS00NDQ0LTkzOWUtZjY0YmY3ZWE5Mjhj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:47 GMT]}]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1] : Time [1145]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:44:48 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTk4MzkyZTItNGRlMS00NDQ0LTkzOWUtZjY0YmY3ZWE5Mjhj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:47 GMT]}]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTk4MzkyZTItNGRlMS00NDQ0LTkzOWUtZjY0YmY3ZWE5Mjhj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:47 GMT]}]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTk4MzkyZTItNGRlMS00NDQ0LTkzOWUtZjY0YmY3ZWE5Mjhj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:47 GMT]}]
2019-03-20 10:44:48 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NTk4MzkyZTItNGRlMS00NDQ0LTkzOWUtZjY0YmY3ZWE5Mjhj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:47 GMT]}]
2019-03-20 10:44:49 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:44:49 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:44:49 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Terry, Terry and Terry",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "jaycee.mills@hotmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Forward Strategist",
"location" : "FkPETmCB",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "FkPETmCB",
"password" : "FkPETmCB",
"privileges" : [ "FkPETmCB" ],
"username" : "ashley.beahan",
"version" : ""
}]
2019-03-20 10:44:49 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:44:49 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:44:49.620+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:44:49 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDNkYjllMTUtYzc1Ni00ODEwLTllYzAtMjI5NjA2NjYwNTk4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:44:49 GMT]}]
2019-03-20 10:44:49 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:44:49 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Time [1220]
2019-03-20 10:44:49 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Size [141]
2019-03-20 10:44:49 INFO [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGQ5YzJkMjMtODBmZS00N2U1LWE5MDQtYTI3MDI2YTBhZmQ3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:56 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/enterprise-sign-up
Request :
{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Swift Inc",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "myrtie.stracke@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Legacy Farming Orchestrator",
"location" : "zpz64RQl",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "zpz64RQl",
"password" : "zpz64RQl",
"privileges" : [ "zpz64RQl" ],
"username" : "drew.schamberger",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:45:57.043+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}
Logs :
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Kohler and Sons",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "bette.schamberger@yahoo.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Regional Consulting Manager",
"location" : "35lf905G",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "35lf905G",
"password" : "35lf905G",
"username" : "immanuel.klein",
"version" : ""
}]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:54.914+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjI1OGZiNGYtMjQyYy00NWE4LThjNWUtMjc4MTE2NzRmNTkx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:54 GMT]}]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1] : Time [1913]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:45:54 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjI1OGZiNGYtMjQyYy00NWE4LThjNWUtMjc4MTE2NzRmNTkx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:54 GMT]}]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjI1OGZiNGYtMjQyYy00NWE4LThjNWUtMjc4MTE2NzRmNTkx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:54 GMT]}]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjI1OGZiNGYtMjQyYy00NWE4LThjNWUtMjc4MTE2NzRmNTkx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:54 GMT]}]
2019-03-20 10:45:54 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjI1OGZiNGYtMjQyYy00NWE4LThjNWUtMjc4MTE2NzRmNTkx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:54 GMT]}]
2019-03-20 10:45:57 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:45:57 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:45:57 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Swift Inc",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "myrtie.stracke@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Legacy Farming Orchestrator",
"location" : "zpz64RQl",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "zpz64RQl",
"password" : "zpz64RQl",
"privileges" : [ "zpz64RQl" ],
"username" : "drew.schamberger",
"version" : ""
}]
2019-03-20 10:45:57 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:57 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:57.043+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:45:57 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NGQ5YzJkMjMtODBmZS00N2U1LWE5MDQtYTI3MDI2YTBhZmQ3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:56 GMT]}]
2019-03-20 10:45:57 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:45:57 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Time [1895]
2019-03-20 10:45:57 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Size [141]
2019-03-20 10:45:57 INFO [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjQ0MDY2ZjEtNTg4MS00Y2UxLWJiNWQtOWI0YzdjY2VkN2Ez; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:59 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/enterprise-sign-up
Request :
{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Cole-Cole",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "modesta.roob@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Product Specialist",
"location" : "4okhPwda",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "4okhPwda",
"password" : "4okhPwda",
"privileges" : [ "4okhPwda" ],
"username" : "gwendolyn.kulas",
"version" : ""
}
Response :
{
"timestamp" : "2019-03-20T10:47:00.211+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}
Logs :
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Ward, Ward and Ward",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "stone.walker@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Chief Advertising Administrator",
"location" : "lItn10Zf",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "lItn10Zf",
"password" : "lItn10Zf",
"username" : "kay.dicki",
"version" : ""
}]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:46:58.375+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2RiNDc3NzYtZmVmYy00ZjJjLTk5ZDUtN2U2MzY5YWNkNmQ0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:58 GMT]}]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1] : Time [1597]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:46:58 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2RiNDc3NzYtZmVmYy00ZjJjLTk5ZDUtN2U2MzY5YWNkNmQ0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:58 GMT]}]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2RiNDc3NzYtZmVmYy00ZjJjLTk5ZDUtN2U2MzY5YWNkNmQ0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:58 GMT]}]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2RiNDc3NzYtZmVmYy00ZjJjLTk5ZDUtN2U2MzY5YWNkNmQ0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:58 GMT]}]
2019-03-20 10:46:58 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=Y2RiNDc3NzYtZmVmYy00ZjJjLTk5ZDUtN2U2MzY5YWNkNmQ0; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:58 GMT]}]
2019-03-20 10:47:00 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:47:00 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:47:00 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Request [{
"accountNonExpired" : false,
"accountNonLocked" : false,
"company" : "Cole-Cole",
"createdBy" : "",
"createdDate" : "",
"credentialsNonExpired" : false,
"email" : "modesta.roob@gmail.com",
"enabled" : false,
"id" : "",
"inactive" : false,
"jobTitle" : "Product Specialist",
"location" : "4okhPwda",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "4okhPwda",
"password" : "4okhPwda",
"privileges" : [ "4okhPwda" ],
"username" : "gwendolyn.kulas",
"version" : ""
}]
2019-03-20 10:47:00 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:47:00 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Response [{
"timestamp" : "2019-03-20T10:47:00.211+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/users/enterprise-sign-up"
}]
2019-03-20 10:47:00 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YjQ0MDY2ZjEtNTg4MS00Y2UxLWJiNWQtOWI0YzdjY2VkN2Ez; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:46:59 GMT]}]
2019-03-20 10:47:00 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:47:00 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Time [1631]
2019-03-20 10:47:00 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Size [141]
2019-03-20 10:47:00 INFO [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
--- FX Bot ---
Project : FXABAC TEST
Template : ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1
Run Id : 8a808011699a990101699ab0f9761b20
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 403
Headers : {X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmUyYWY0ZGItYTBjNi00YzAxLWJkMjYtYTc5MDIzN2Y1OWNj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:52 GMT]}
Endpoint : http://13.56.210.25/api/v1/users/enterprise-sign-up
Request :
{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Ernser-Ernser", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "amie.parisian@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "International Sales Coordinator", "location" : "9ipiMWMg", "modifiedBy" : "", "modifiedDate" : "", "name" : "9ipiMWMg", "password" : "9ipiMWMg", "privileges" : [ "9ipiMWMg" ], "username" : "theresia.bauch", "version" : "" }
Response :
{ "timestamp" : "2019-03-20T10:41:52.249+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }
Logs :
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Kirlin, Kirlin and Kirlin", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "marianna.berge@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "Investor Accounting Technician", "location" : "T8dU7Kxk", "modifiedBy" : "", "modifiedDate" : "", "name" : "T8dU7Kxk", "password" : "T8dU7Kxk", "username" : "jeff.conn", "version" : "" }]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:51.148+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MzEwNmVkZGQtYWEwOS00MDQ4LWFjYmYtYzUzMTNkYjdkZTFk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:51 GMT]}]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1] : Time [658]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1] : Size [141]
2019-03-20 10:41:51 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MzEwNmVkZGQtYWEwOS00MDQ4LWFjYmYtYzUzMTNkYjdkZTFk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:51 GMT]}]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MzEwNmVkZGQtYWEwOS00MDQ4LWFjYmYtYzUzMTNkYjdkZTFk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:51 GMT]}]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MzEwNmVkZGQtYWEwOS00MDQ4LWFjYmYtYzUzMTNkYjdkZTFk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:51 GMT]}]
2019-03-20 10:41:51 DEBUG [UsersCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MzEwNmVkZGQtYWEwOS00MDQ4LWFjYmYtYzUzMTNkYjdkZTFk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:51 GMT]}]
2019-03-20 10:41:52 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : URL [http://13.56.210.25/api/v1/users/enterprise-sign-up]
2019-03-20 10:41:52 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Method [POST]
2019-03-20 10:41:52 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Request [{ "accountNonExpired" : false, "accountNonLocked" : false, "company" : "Ernser-Ernser", "createdBy" : "", "createdDate" : "", "credentialsNonExpired" : false, "email" : "amie.parisian@gmail.com", "enabled" : false, "id" : "", "inactive" : false, "jobTitle" : "International Sales Coordinator", "location" : "9ipiMWMg", "modifiedBy" : "", "modifiedDate" : "", "name" : "9ipiMWMg", "password" : "9ipiMWMg", "privileges" : [ "9ipiMWMg" ], "username" : "theresia.bauch", "version" : "" }]
2019-03-20 10:41:52 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:52 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Response [{ "timestamp" : "2019-03-20T10:41:52.249+0000", "status" : 403, "error" : "Forbidden", "message" : "Forbidden", "path" : "/api/v1/users/enterprise-sign-up" }]
2019-03-20 10:41:52 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MmUyYWY0ZGItYTBjNi00YzAxLWJkMjYtYTc5MDIzN2Y1OWNj; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:52 GMT]}]
2019-03-20 10:41:52 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : StatusCode [403]
2019-03-20 10:41:52 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Time [476]
2019-03-20 10:41:52 DEBUG [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Size [141]
2019-03-20 10:41:52 INFO [ApiV1UsersEnterpriseSignUpPostUsersuserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [403 == 401 OR 403 == 403] result [Passed]
--- FX Bot ---