t : V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac

Project : t

Job : Default

Env : Default

Category : ABAC_Level1

Tags : [FX Top 10 - API Vulnerability, Data_Access_Control]

Severity : Major

Region : FXLabs/US_WEST_1

Result : fail

Status Code : 500

Headers : {Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[62], Connection=[keep-alive]}

Endpoint : http://52.53.242.1/vault/v2/auth/aws/login/

Request :
{ "account_id" : "", "sts_role" : "p978UJW9" }

Response :
{ "errors" : [ "Unexpected error :String index out of range: 50" ] }

Logs :
2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac] : URL [http://52.53.242.1/vault/v2/auth/aws/config/sts] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac] : Method [POST] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac] : Request [{ "account_id" : "gjQribf7", "sts_role" : "gjQribf7" }] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckFAZnhsYWJzLmlvOnVzZXJB]}] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac] : Response [{ "errors" : [ "Missing request header 'vault-token' for method parameter of type String" ] }] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac] : Response-Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[87], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac] : StatusCode [400] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac] : Time [41] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac] : Size [87] 2019-02-23 05:33:02 ERROR [null] : Assertion [@StatusCode == 200 AND @Response.errors == false] resolved-to [400 == 200 AND ["Missing request header 'vault-token' for method parameter of type String"] == false] result [Failed] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac_Headers] : Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[87], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac_Headers] : Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[87], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac_Headers[2]] : Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[87], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [AWSStsRoleCreateUserAInitAbac_Headers[2]] : Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[87], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac] : URL [http://52.53.242.1/vault/v2/auth/aws/login/] 2019-02-23 05:33:02 DEBUG [V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac] : Method [POST] 2019-02-23 05:33:02 DEBUG [V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac] : Request [{ "account_id" : "", "sts_role" : "p978UJW9" }] 2019-02-23 05:33:02 DEBUG [V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckNAZnhsYWJzLmlvOnVzZXJD]}] 2019-02-23 05:33:02 DEBUG [V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac] : Response [{ "errors" : [ "Unexpected error :String index out of range: 50" ] }] 2019-02-23 05:33:02 DEBUG [V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac] : Response-Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[62], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac] : StatusCode [500] 2019-02-23 05:33:02 DEBUG [V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac] : Time [44] 2019-02-23 05:33:02 DEBUG [V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac] : Size [62] 2019-02-23 05:33:02 ERROR [V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac] : Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [500 == 401 OR 500 == 403 OR ["Unexpected error :String index out of range: 50"] == true] result [Failed] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : URL [http://52.53.242.1/vault/v2/auth/aws/role/] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Method [DELETE] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Request [null] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlckFAZnhsYWJzLmlvOnVzZXJB]}] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Response [{ "errors" : [ "Request method 'DELETE' not supported" ] }] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Response-Headers [{Server=[nginx/1.12.1], Date=[Sat, 23 Feb 2019 05:33:02 GMT], Content-Type=[application/json;charset=ISO-8859-1], Content-Length=[52], Connection=[keep-alive]}] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : StatusCode [400] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Time [52] 2019-02-23 05:33:02 DEBUG [V2AuthAwsRoleRoleDeleteAbstractAbac] : Size [52] 2019-02-23 05:33:02 ERROR [null] : Assertion [@StatusCode == 200] resolved-to [400 == 200] result [Failed]

--- FX Bot ---

devopsenggineer / Sanity

t : V2AuthAwsLoginAuthtypePostAwsstsroleUsercDisallowAbac #79