Open asriz7777 opened 5 years ago
Project : FXABAC TEST
Template : NullPutOrguserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 500
Headers : {}
Endpoint : http://13.56.210.25null
Request :
{
"billingEmail" : "elenora.hayes@gmail.com",
"company" : "Kertzmann LLC",
"createdBy" : "",
"createdDate" : "",
"description" : "vjYeKAgB",
"id" : "",
"inactive" : false,
"location" : "vjYeKAgB",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "vjYeKAgB",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}
Response :
I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null: Name or service not known; nested exception is java.net.UnknownHostException: 13.56.210.25null: Name or service not known
Logs :
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "AP5KVeAM",
"company" : "Block-Block",
"createdBy" : "",
"createdDate" : "",
"description" : "AP5KVeAM",
"id" : "",
"inactive" : false,
"location" : "AP5KVeAM",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "AP5KVeAM",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:01.856+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZThkOGU3YmQtNGM1NC00YjdhLWE2ZGEtOTRlOTgyYTJhMmFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:00 GMT]}]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1] : Time [1363]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:45:01 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZThkOGU3YmQtNGM1NC00YjdhLWE2ZGEtOTRlOTgyYTJhMmFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:00 GMT]}]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZThkOGU3YmQtNGM1NC00YjdhLWE2ZGEtOTRlOTgyYTJhMmFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:00 GMT]}]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZThkOGU3YmQtNGM1NC00YjdhLWE2ZGEtOTRlOTgyYTJhMmFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:00 GMT]}]
2019-03-20 10:45:01 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZThkOGU3YmQtNGM1NC00YjdhLWE2ZGEtOTRlOTgyYTJhMmFl; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:00 GMT]}]
2019-03-20 10:45:02 DEBUG [NullPutOrguserbDisallowHijack1] : URL [http://13.56.210.25null]
2019-03-20 10:45:02 DEBUG [NullPutOrguserbDisallowHijack1] : Method [PUT]
2019-03-20 10:45:02 DEBUG [NullPutOrguserbDisallowHijack1] : Request [{
"billingEmail" : "elenora.hayes@gmail.com",
"company" : "Kertzmann LLC",
"createdBy" : "",
"createdDate" : "",
"description" : "vjYeKAgB",
"id" : "",
"inactive" : false,
"location" : "vjYeKAgB",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "vjYeKAgB",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}]
2019-03-20 10:45:02 DEBUG [NullPutOrguserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:02 DEBUG [NullPutOrguserbDisallowHijack1] : Response [I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null: Name or service not known; nested exception is java.net.UnknownHostException: 13.56.210.25null: Name or service not known]
2019-03-20 10:45:02 DEBUG [NullPutOrguserbDisallowHijack1] : Response-Headers [{}]
2019-03-20 10:45:02 DEBUG [NullPutOrguserbDisallowHijack1] : StatusCode [500]
2019-03-20 10:45:02 DEBUG [NullPutOrguserbDisallowHijack1] : Time [6]
2019-03-20 10:45:02 DEBUG [NullPutOrguserbDisallowHijack1] : Size [195]
2019-03-20 10:45:02 ERROR [NullPutOrguserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [500 == 401 OR 500 == 403] result [Failed]
2019-03-20 10:45:03 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:45:03 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:45:03 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:45:03 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:03 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:45:03.888+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:45:03 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ZWMyNjJmNDgtZjVjZi00MThjLWI2NjQtMDdiYzE5NzRmZjU3; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:02 GMT]}]
2019-03-20 10:45:03 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:45:03 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1824]
2019-03-20 10:45:03 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:45:03 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : NullPutOrguserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 500
Headers : {}
Endpoint : http://13.56.210.25null
Request :
{
"billingEmail" : "hunter.boehm@gmail.com",
"company" : "Deckow-Deckow",
"createdBy" : "",
"createdDate" : "",
"description" : "0CHiFcar",
"id" : "",
"inactive" : false,
"location" : "0CHiFcar",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "0CHiFcar",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}
Response :
I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null: Name or service not known; nested exception is java.net.UnknownHostException: 13.56.210.25null: Name or service not known
Logs :
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "lWSMSoZ6",
"company" : "Cronin, Cronin and Cronin",
"createdBy" : "",
"createdDate" : "",
"description" : "lWSMSoZ6",
"id" : "",
"inactive" : false,
"location" : "lWSMSoZ6",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "lWSMSoZ6",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:45:46.242+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDRkMWFlMmItMTNlNy00YjdlLTliYzUtNWM2YjFiNGY4MDQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:45 GMT]}]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1] : Time [1754]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:45:46 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDRkMWFlMmItMTNlNy00YjdlLTliYzUtNWM2YjFiNGY4MDQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:45 GMT]}]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDRkMWFlMmItMTNlNy00YjdlLTliYzUtNWM2YjFiNGY4MDQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:45 GMT]}]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDRkMWFlMmItMTNlNy00YjdlLTliYzUtNWM2YjFiNGY4MDQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:45 GMT]}]
2019-03-20 10:45:46 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDRkMWFlMmItMTNlNy00YjdlLTliYzUtNWM2YjFiNGY4MDQ4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:45 GMT]}]
2019-03-20 10:45:46 DEBUG [NullPutOrguserbDisallowHijack1] : URL [http://13.56.210.25null]
2019-03-20 10:45:46 DEBUG [NullPutOrguserbDisallowHijack1] : Method [PUT]
2019-03-20 10:45:46 DEBUG [NullPutOrguserbDisallowHijack1] : Request [{
"billingEmail" : "hunter.boehm@gmail.com",
"company" : "Deckow-Deckow",
"createdBy" : "",
"createdDate" : "",
"description" : "0CHiFcar",
"id" : "",
"inactive" : false,
"location" : "0CHiFcar",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "0CHiFcar",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}]
2019-03-20 10:45:46 DEBUG [NullPutOrguserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:46 DEBUG [NullPutOrguserbDisallowHijack1] : Response [I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null: Name or service not known; nested exception is java.net.UnknownHostException: 13.56.210.25null: Name or service not known]
2019-03-20 10:45:46 DEBUG [NullPutOrguserbDisallowHijack1] : Response-Headers [{}]
2019-03-20 10:45:46 DEBUG [NullPutOrguserbDisallowHijack1] : StatusCode [500]
2019-03-20 10:45:46 DEBUG [NullPutOrguserbDisallowHijack1] : Time [6]
2019-03-20 10:45:46 DEBUG [NullPutOrguserbDisallowHijack1] : Size [195]
2019-03-20 10:45:46 ERROR [NullPutOrguserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [500 == 401 OR 500 == 403] result [Failed]
2019-03-20 10:45:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:45:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:45:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:45:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:45:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:45:48.069+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:45:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=ODEzMjQ3YWMtMjk5Ny00NWE5LTg5YTItZDJmMzMzMmNiZmE1; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:45:47 GMT]}]
2019-03-20 10:45:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:45:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1707]
2019-03-20 10:45:48 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:45:48 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : NullPutOrguserbDisallowHijack1
Run Id : 8a808011699a990101699ab3901a2277
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 500
Headers : {}
Endpoint : http://13.56.210.25null
Request :
{
"billingEmail" : "alice.mclaughlin@hotmail.com",
"company" : "Johns-Johns",
"createdBy" : "",
"createdDate" : "",
"description" : "weTUwP7v",
"id" : "",
"inactive" : false,
"location" : "weTUwP7v",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "weTUwP7v",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}
Response :
I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null: Name or service not known; nested exception is java.net.UnknownHostException: 13.56.210.25null: Name or service not known
Logs :
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "MOwiV56D",
"company" : "Hauck, Hauck and Hauck",
"createdBy" : "",
"createdDate" : "",
"description" : "MOwiV56D",
"id" : "",
"inactive" : false,
"location" : "MOwiV56D",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "MOwiV56D",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:47:02.699+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MGJhYThjOTEtOTFmYS00NDMxLWFkODQtZTNjMjdmYzcyMDFk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:02 GMT]}]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1] : Time [1461]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:47:02 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MGJhYThjOTEtOTFmYS00NDMxLWFkODQtZTNjMjdmYzcyMDFk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:02 GMT]}]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MGJhYThjOTEtOTFmYS00NDMxLWFkODQtZTNjMjdmYzcyMDFk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:02 GMT]}]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MGJhYThjOTEtOTFmYS00NDMxLWFkODQtZTNjMjdmYzcyMDFk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:02 GMT]}]
2019-03-20 10:47:02 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MGJhYThjOTEtOTFmYS00NDMxLWFkODQtZTNjMjdmYzcyMDFk; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:02 GMT]}]
2019-03-20 10:47:02 DEBUG [NullPutOrguserbDisallowHijack1] : URL [http://13.56.210.25null]
2019-03-20 10:47:02 DEBUG [NullPutOrguserbDisallowHijack1] : Method [PUT]
2019-03-20 10:47:02 DEBUG [NullPutOrguserbDisallowHijack1] : Request [{
"billingEmail" : "alice.mclaughlin@hotmail.com",
"company" : "Johns-Johns",
"createdBy" : "",
"createdDate" : "",
"description" : "weTUwP7v",
"id" : "",
"inactive" : false,
"location" : "weTUwP7v",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "weTUwP7v",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}]
2019-03-20 10:47:02 DEBUG [NullPutOrguserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:47:02 DEBUG [NullPutOrguserbDisallowHijack1] : Response [I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null: Name or service not known; nested exception is java.net.UnknownHostException: 13.56.210.25null: Name or service not known]
2019-03-20 10:47:02 DEBUG [NullPutOrguserbDisallowHijack1] : Response-Headers [{}]
2019-03-20 10:47:02 DEBUG [NullPutOrguserbDisallowHijack1] : StatusCode [500]
2019-03-20 10:47:02 DEBUG [NullPutOrguserbDisallowHijack1] : Time [6]
2019-03-20 10:47:02 DEBUG [NullPutOrguserbDisallowHijack1] : Size [195]
2019-03-20 10:47:02 ERROR [NullPutOrguserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [500 == 401 OR 500 == 403] result [Failed]
2019-03-20 10:47:04 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:47:04 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:47:04 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:47:04 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:47:04 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:47:04.659+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:47:04 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=YzcyZjc0YzktNjlhYS00Zjc2LWExN2YtNTIyMGZlZWY0NjI4; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:47:04 GMT]}]
2019-03-20 10:47:04 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:47:04 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [1776]
2019-03-20 10:47:04 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:47:04 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---
Project : FXABAC TEST
Template : NullPutOrguserbDisallowHijack1
Run Id : 8a808011699a990101699ab0f9761b20
Job : Default
Env : Default
Category : Hijack_Level1
Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]
Severity : Major
Region : FXLabs/US_WEST_1
Result : fail
Status Code : 500
Headers : {}
Endpoint : http://13.56.210.25null
Request :
{
"billingEmail" : "abner.hodkiewicz@gmail.com",
"company" : "Bahringer, Bahringer and Bahringer",
"createdBy" : "",
"createdDate" : "",
"description" : "s73kZmv3",
"id" : "",
"inactive" : false,
"location" : "s73kZmv3",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "s73kZmv3",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}
Response :
I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null; nested exception is java.net.UnknownHostException: 13.56.210.25null
Logs :
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1] : URL [http://13.56.210.25/api/v1/orgs]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1] : Method [POST]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1] : Request [{
"billingEmail" : "GNMNfa54",
"company" : "Terry Inc",
"createdBy" : "",
"createdDate" : "",
"description" : "GNMNfa54",
"id" : "",
"inactive" : false,
"location" : "GNMNfa54",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "GNMNfa54",
"orgPlan" : "TEAM",
"orgType" : "ENTERPRISE",
"version" : ""
}]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1] : Response [{
"timestamp" : "2019-03-20T10:41:59.490+0000",
"status" : 403,
"error" : "Forbidden",
"message" : "Forbidden",
"path" : "/api/v1/orgs"
}]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDU4Y2I2Y2MtNWU5MS00YTIyLWI1NzktNjMyZjIxZDU1NWQw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:58 GMT]}]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1] : StatusCode [403]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1] : Time [351]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1] : Size [121]
2019-03-20 10:41:59 ERROR [null] : Assertion [@StatusCode == 200 OR @StatusCode == 201] resolved-to [403 == 200 OR 403 == 201] result [Failed]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDU4Y2I2Y2MtNWU5MS00YTIyLWI1NzktNjMyZjIxZDU1NWQw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:58 GMT]}]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1_Headers] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDU4Y2I2Y2MtNWU5MS00YTIyLWI1NzktNjMyZjIxZDU1NWQw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:58 GMT]}]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDU4Y2I2Y2MtNWU5MS00YTIyLWI1NzktNjMyZjIxZDU1NWQw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:58 GMT]}]
2019-03-20 10:41:59 DEBUG [OrgCreateUserBInitHijack1_Headers[2]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NDU4Y2I2Y2MtNWU5MS00YTIyLWI1NzktNjMyZjIxZDU1NWQw; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:58 GMT]}]
2019-03-20 10:41:59 DEBUG [NullPutOrguserbDisallowHijack1] : URL [http://13.56.210.25null]
2019-03-20 10:41:59 DEBUG [NullPutOrguserbDisallowHijack1] : Method [PUT]
2019-03-20 10:41:59 DEBUG [NullPutOrguserbDisallowHijack1] : Request [{
"billingEmail" : "abner.hodkiewicz@gmail.com",
"company" : "Bahringer, Bahringer and Bahringer",
"createdBy" : "",
"createdDate" : "",
"description" : "s73kZmv3",
"id" : "",
"inactive" : false,
"location" : "s73kZmv3",
"modifiedBy" : "",
"modifiedDate" : "",
"name" : "s73kZmv3",
"orgPlan" : "ENTERPRISE",
"orgType" : "PERSONAL",
"version" : ""
}]
2019-03-20 10:41:59 DEBUG [NullPutOrguserbDisallowHijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:41:59 DEBUG [NullPutOrguserbDisallowHijack1] : Response [I/O error on PUT request for "http://13.56.210.25null": 13.56.210.25null; nested exception is java.net.UnknownHostException: 13.56.210.25null]
2019-03-20 10:41:59 DEBUG [NullPutOrguserbDisallowHijack1] : Response-Headers [{}]
2019-03-20 10:41:59 DEBUG [NullPutOrguserbDisallowHijack1] : StatusCode [500]
2019-03-20 10:41:59 DEBUG [NullPutOrguserbDisallowHijack1] : Time [10]
2019-03-20 10:41:59 DEBUG [NullPutOrguserbDisallowHijack1] : Size [141]
2019-03-20 10:41:59 ERROR [NullPutOrguserbDisallowHijack1] : Assertion [@StatusCode == 401 OR @StatusCode == 403] resolved-to [500 == 401 OR 500 == 403] result [Failed]
2019-03-20 10:42:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : URL [http://13.56.210.25/api/v1/orgs/]
2019-03-20 10:42:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Method [DELETE]
2019-03-20 10:42:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request [null]
2019-03-20 10:42:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic T1JHQi8vdXNlckJAdGVzdGxhYnMuaW86b3JnMTIzNCQ=]}]
2019-03-20 10:42:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response [{
"timestamp" : "2019-03-20T10:42:00.026+0000",
"status" : 405,
"error" : "Method Not Allowed",
"message" : "Request method 'DELETE' not supported",
"path" : "/api/v1/orgs/"
}]
2019-03-20 10:42:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Response-Headers [{Allow=[GET, POST], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=MDczOGNkZTgtYjQ4Ni00OGU3LTgyYTctMGNiMGY5NDBjMWY2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Wed, 20 Mar 2019 10:41:59 GMT]}]
2019-03-20 10:42:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : StatusCode [405]
2019-03-20 10:42:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Time [383]
2019-03-20 10:42:00 DEBUG [ApiV1OrgsIdDeleteOrghijack1] : Size [159]
2019-03-20 10:42:00 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [405 == 200] result [Failed]
--- FX Bot ---