search

devopsenggineer / Sanity

0 stars 0 forks source link

t : V2AuthAwsRoleRoleGetAwsclientconfigurationUserbDisallowAbac #62

Open devopsenggineer opened 5 years ago

devopsenggineer commented 5 years ago

Project : t

Job : Default

Env : Default

Category : ABAC_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 400

Headers : {Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[49], Connection=[keep-alive]}

Endpoint : http://52.53.242.1/vault/v2/auth/aws/role/

Request :

Response :
{ "errors" : [ "Request method 'GET' not supported" ] }

Logs :
2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac] : URL [http://52.53.242.1/vault/v2/auth/aws/config/client] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac] : Method [POST] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac] : Request [{ "access_key" : "37BY14lY", "secret_key" : "37BY14lY" }] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckFAZnhsYWJzLmlvOnVzZXJB]}] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac] : Response [{ "errors" : [ "Missing request header 'vault-token' for method parameter of type String" ] }] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac] : Response-Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[87], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac] : StatusCode [400] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac] : Time [115] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac] : Size [87] 2019-02-23 05:33:02 ERROR [null] : Assertion [@StatusCode == 200 AND @Response.errors == false] resolved-to [400 == 200 AND ["Missing request header 'vault-token' for method parameter of type String"] == false] result [Failed] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac_Headers] : Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[87], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac_Headers] : Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[87], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac_Headers[2]] : Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[87], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [AWSClientConfigurationCreateUserAInitAbac_Headers[2]] : Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[87], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleGetAwsclientconfigurationUserbDisallowAbac] : URL [http://52.53.242.1/vault/v2/auth/aws/role/] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleGetAwsclientconfigurationUserbDisallowAbac] : Method [GET] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleGetAwsclientconfigurationUserbDisallowAbac] : Request [] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleGetAwsclientconfigurationUserbDisallowAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckJAZnhsYWJzLmlvOnVzZXJC]}] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleGetAwsclientconfigurationUserbDisallowAbac] : Response [{ "errors" : [ "Request method 'GET' not supported" ] }] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleGetAwsclientconfigurationUserbDisallowAbac] : Response-Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[49], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleGetAwsclientconfigurationUserbDisallowAbac] : StatusCode [400] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleGetAwsclientconfigurationUserbDisallowAbac] : Time [127] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleGetAwsclientconfigurationUserbDisallowAbac] : Size [49] 2019-02-23 05:33:02 ERROR [V2AuthAwsRoleRoleGetAwsclientconfigurationUserbDisallowAbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [400 == 401 OR 400 == 403 OR ["Request method 'GET' not supported"] == true] result [Failed] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : URL [http://52.53.242.1/vault/v2/auth/aws/role/] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Method [DELETE] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Request [null] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckFAZnhsYWJzLmlvOnVzZXJB]}] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Response [{ "errors" : [ "Request method 'DELETE' not supported" ] }] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Response-Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[52], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : StatusCode [400] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Time [139] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Size [52] 2019-02-23 05:33:02 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [400 == 200] result [Failed]

--- FX Bot ---

devopsenggineer commented 5 years ago

Project : t

Job : Default

Env : Default

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 400

Headers : {Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 11:25:52 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[49], Connection=[keep-alive]}

Endpoint : http://52.53.242.1/vault/v2/auth/aws/role/

Request :

Response :
{ "errors" : [ "Request method 'GET' not supported" ] }

Logs :
Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [400 == 401 OR 400 == 403 OR ["Request method 'GET' not supported"] == true] result [Failed] --- FX Bot ---