intesar / NB-Sales


ABAC_Level2 on GET:/api/v1/orgs/{id}/users #1025

Closed intesar closed 4 years ago

intesar commented 4 years ago

Title: ABAC_Level2 Vulnerability on GET:/api/v1/orgs/{id}/users
Project: NetBanking API
Description: The ABAC exploit allows an attacker to read, modify, delete, add and perform actions on customer/unauthorized data.
Risk: ABAC_Level2
Severity: Major
API Endpoint: http://95.217.118.53:8080/api/v1/orgs/2c928084730547e80173b58c2d4465f8/users?page=0&pageSize=20
Environment: Master
Playbook: ApiV1OrgsIdUsersGetUseraCreateOrgorgplanenterpriseUserbDisallowAbact2
Researcher: [apisec Bot]

QUICK TIPS

Suggestion: Add access-control checks on incoming requests against all data calls.
Effort Estimate: 2.0
Wire Logs:
06:18:49 [D] [ OOECUAI2] : URL [http://95.217.118.53:8080/api/v1/orgs]
06:18:49 [D] [ OOECUAI2] : Method [POST]
06:18:49 [D] [ OOECUAI2] : Auth [UserA]
06:18:49 [D] [ OOECUAI2] : Request [{ "billingEmail" : "jany.jast@yahoo.com", "company" : "Jacobson, Jacobson and Jacobson", "createdBy" : "", "createdDate" : "", "description" : "UWeLAaWN", "id" : "", "inactive" : false, "location" : "UWeLAaWN", "modifiedBy" : "", "modifiedDate" : "", "name" : "UWeLAaWN", "orgPlan" : "ENTERPRISE", "orgType" : "ENTERPRISE", "version" : "" }]
06:18:49 [D] [ OOECUAI2] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[**]}]
06:18:49 [D] [ OOECUAI2] : Response [{ "requestId" : "None", "requestTime" : "2020-08-03T18:18:49.541+0000", "errors" : false, "messages" : [ ], "data" : { "id" : "2c928084730547e80173b58c2d4465f8", "createdBy" : "2c928085730548680173054c9f720003", "createdDate" : "2020-08-03T18:18:49.540+0000", "modifiedBy" : "2c928085730548680173054c9f720003", "modifiedDate" : "2020-08-03T18:18:49.540+0000", "version" : null, "inactive" : false, "name" : "5Xcby8AD", "description" : "5Xcby8AD", "orgType" : "ENTERPRISE", "billingEmail" : "isobel.carroll@hotmail.com", "company" : "Little LLC", "location" : "5Xcby8AD", "orgPlan" : "ENTERPRISE" }, "totalPages" : 0, "totalElements" : 0 }]
06:18:49 [D] [ OOECUAI2] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWUxOWZlOGEtNmJmZi00ZjhjLTlmYjQtZGM2OTE3MTY0NTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [ OOECUAI2] : StatusCode [200]
06:18:49 [D] [ OOECUAI2] : Time [186]
06:18:49 [D] [ OOECUAI2] : Size [572]
06:18:49 [D] [OOECUAIAHeaders] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWUxOWZlOGEtNmJmZi00ZjhjLTlmYjQtZGM2OTE3MTY0NTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [OOECUAIAHeaders] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWUxOWZlOGEtNmJmZi00ZjhjLTlmYjQtZGM2OTE3MTY0NTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [ OOECUAIA]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWUxOWZlOGEtNmJmZi00ZjhjLTlmYjQtZGM2OTE3MTY0NTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [ OOECUAIA]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWUxOWZlOGEtNmJmZi00ZjhjLTlmYjQtZGM2OTE3MTY0NTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [AVOIUGUCOUD2] : URL [http://95.217.118.53:8080/api/v1/orgs/2c928084730547e80173b58c2d4465f8/users?page=0&pageSize=20]
06:18:49 [D] [AVOIUGUCOUD2] : Method [GET]
06:18:49 [D] [AVOIUGUCOUD2] : Auth [UserB]
06:18:49 [D] [AVOIUGUCOUD2] : Request []
06:18:49 [D] [AVOIUGUCOUD2] : Request-Headers [{Accept=[application/json], Content-Type=[application/json], Authorization=[**]}]
06:18:49 [D] [AVOIUGUCOUD2] : Response [{ "requestId" : "None", "requestTime" : "2020-08-03T18:18:49.722+0000", "errors" : false, "messages" : [ ], "data" : [ { "id" : "2c928084730547e80173b58c2d4565f9", "createdBy" : "2c928085730548680173054c9f720003", "createdDate" : "2020-08-03T18:18:49.541+0000", "modifiedBy" : "2c928085730548680173054c9f720003", "modifiedDate" : "2020-08-03T18:18:49.541+0000", "version" : null, "inactive" : false, "org" : { "id" : "2c928084730547e80173b58c2d4465f8", "createdBy" : "2c928085730548680173054c9f720003", "createdDate" : "2020-08-03T18:18:49.540+0000", "modifiedBy" : "2c928085730548680173054c9f720003", "modifiedDate" : "2020-08-03T18:18:49.540+0000", "version" : null, "inactive" : false, "name" : "5Xcby8AD" }, "users" : { "id" : "2c928085730548680173054c9f720003", "createdBy" : "anonymousUser", "createdDate" : "2020-06-30T12:56:14.448+0000", "modifiedBy" : "anonymousUser", "modifiedDate" : "2020-06-30T12:56:14.448+0000", "version" : null, "inactive" : false, "name" : null, "email" : "user1@netbanking.io", "username" : "user1", "company" : null, "location" : null, "jobTitle" : null }, "orgRole" : "ADMIN", "status" : "ACTIVE" } ], "totalPages" : 1, "totalElements" : 1 }]
06:18:49 [D] [AVOIUGUCOUD2] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjIyNmJjNTYtZjQyMC00MWRiLWFiZDYtY2EzYjc0MGM2MmU2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [AVOIUGUCOUD2] : StatusCode [200]
06:18:49 [D] [AVOIUGUCOUD2] : Time [180]
06:18:49 [D] [AVOIUGUCOUD2] : Size [1054]
06:18:49 [E] [AVOIUGUCOUD2] : Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [200 == 401 OR 200 == 403 OR false == true] result [Failed]
06:18:49 [D] [ AVOIDOA2] : URL [http://95.217.118.53:8080/api/v1/orgs/2c928084730547e80173b58c2d4465f8]
06:18:49 [D] [ AVOIDOA2] : Method [DELETE]
06:18:49 [D] [ AVOIDOA2] : Request [null]
06:18:49 [D] [ AVOIDOA2] : Auth [UserA]
06:18:49 [D] [ AVOIDOA2] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlcjFAbmV0YmFua2luZy5pbzphZG1pbjEyMyQ=]}]
06:18:49 [D] [ AVOIDOA2] : Response [{ "requestId" : "None", "requestTime" : "2020-08-03T18:18:49.907+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
06:18:49 [D] [ AVOIDOA2] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2QwMWE2YzAtY2E5Mi00MTRmLTkxOTYtZjIwOTA5MGYzMWQx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [ AVOIDOA2] : StatusCode [200]
06:18:49 [D] [ AVOIDOA2] : Time [183]
06:18:49 [D] [ AVOIDOA2] : Size [210]

IMPORTANT LINKS

Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/8a808138739e3ae40173b58c4cd90e0b/details

Project: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs

Environment: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/environments/8a8081766fc3e2a1016fc421d7155a15/edit

Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs/8a8081766fc3e2a1016fc4230f426628/runs/8a808138739e3ae40173b58c08510d65

Playbook: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/template/ApiV1OrgsIdUsersGetUseraCreateOrgorgplanenterpriseUserbDisallowAbact2

Coverage: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/configuration

Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/8a808138739e3ae40173b58c4cd90e0b/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.

--- apisec Bot ---
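The wire logs above show the two-user check the playbook performs: UserA creates an org with POST /api/v1/orgs, UserB (who has no relationship to that org) requests GET /api/v1/orgs/{id}/users, and the server answers 200 with the full member roster instead of the 401/403 or error envelope the assertion requires. The model below is an added example, not code from the NetBanking API or from apisec: it reproduces that playbook against an in-memory handler in its observed form (authentication only) and beside it the hardened form the suggestion asks for (an access-control check on the org named by the path id). The handler names, the store, and the user ids "userA"/"userB" are assumptions made for this example.

```python
# Added example (not code from the NetBanking API or the apisec playbook):
# models the ABAC_Level2 check above. UserA creates an org; UserB, who is
# not a member of it, requests GET /api/v1/orgs/{id}/users. The playbook
# passes only if that request is refused with 401/403 or an error envelope
# ("errors": true). Handler names, the in-memory store and the user ids are
# assumptions made for this example.
from dataclasses import dataclass, field
import uuid


@dataclass
class Response:
    status: int
    body: dict


@dataclass
class Store:
    orgs: dict = field(default_factory=dict)     # org_id -> org record
    members: dict = field(default_factory=dict)  # org_id -> {user_id: orgRole}


def envelope(data=None, errors=False, messages=()):
    """Response envelope shaped like the one in the wire logs above."""
    return {"errors": errors, "messages": list(messages), "data": data}


def create_org(store: Store, caller: str, name: str) -> Response:
    """POST /api/v1/orgs: the creator becomes the org's first ADMIN."""
    org_id = uuid.uuid4().hex
    store.orgs[org_id] = {"id": org_id, "name": name, "createdBy": caller}
    store.members[org_id] = {caller: "ADMIN"}
    return Response(200, envelope(data=store.orgs[org_id]))


def roster(store: Store, org_id: str) -> list:
    return [{"org": store.orgs[org_id], "user": uid, "orgRole": role, "status": "ACTIVE"}
            for uid, role in store.members[org_id].items()]


def list_org_users_vulnerable(store: Store, caller, org_id: str) -> Response:
    """GET /api/v1/orgs/{id}/users as observed: authentication is checked,
    but the caller's relationship to the org named by {id} is not."""
    if caller is None:
        return Response(401, envelope(errors=True, messages=["Unauthorized"]))
    if org_id not in store.orgs:
        return Response(404, envelope(errors=True, messages=["Not found"]))
    return Response(200, envelope(data=roster(store, org_id)))


def list_org_users_hardened(store: Store, caller, org_id: str) -> Response:
    """Same endpoint with the access-control check the suggestion calls for:
    the caller must be a member of the org in the path. Membership is tested
    before existence, so a non-member gets the same 403 for an org that does
    not exist as for one that does, and cannot enumerate org ids."""
    if caller is None:
        return Response(401, envelope(errors=True, messages=["Unauthorized"]))
    if caller not in store.members.get(org_id, {}):
        return Response(403, envelope(errors=True, messages=["Forbidden"]))
    return Response(200, envelope(data=roster(store, org_id)))


def playbook_assertion(resp: Response) -> bool:
    """@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true"""
    return resp.status in (401, 403) or resp.body.get("errors") is True


def run_playbook(handler) -> tuple:
    """UserA creates an org, UserB reads its users. Returns (passed, status)."""
    store = Store()
    org_id = create_org(store, "userA", "5Xcby8AD").body["data"]["id"]
    resp = handler(store, "userB", org_id)
    return playbook_assertion(resp), resp.status


def owner_can_read(handler) -> bool:
    """Regression check: the fix must not lock out legitimate members."""
    store = Store()
    org_id = create_org(store, "userA", "5Xcby8AD").body["data"]["id"]
    resp = handler(store, "userA", org_id)
    return resp.status == 200 and len(resp.body["data"]) == 1


if __name__ == "__main__":
    for name, handler in (("vulnerable", list_org_users_vulnerable),
                          ("hardened", list_org_users_hardened)):
        print(name, run_playbook(handler), owner_can_read(handler))
```

The assertion accepts "errors == true" as well as 401/403 because this API also signals failures inside a 200 response (the DELETE in the log returns StatusCode 200 with "errors" : true). The hardened handler refuses with a real 403 and sets the envelope flag, so it satisfies either reading of the check, and the owner path confirms the membership test does not break the legitimate ADMIN's own request.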

intesar commented 4 years ago

Message : This issue is manually closed from FX control plane.

Title: ABAC_Level2 Vulnerability on GET:/api/v1/orgs/{id}/users
Project: NetBanking API
Description:
Risk: ABAC_Level2
Severity: Major
API Endpoint: http://95.217.118.53:8080/api/v1/orgs/2c928084730547e80173b58c2d4465f8/users?page=0&pageSize=20
Environment: Master
Playbook: ApiV1OrgsIdUsersGetUseraCreateOrgorgplanenterpriseUserbDisallowAbact2
Researcher: UserB

QUICK TIPS

Suggestion:
Effort Estimate:
Wire Logs:
06:18:49 [D] [ OOECUAI2] : URL [http://95.217.118.53:8080/api/v1/orgs]
06:18:49 [D] [ OOECUAI2] : Method [POST]
06:18:49 [D] [ OOECUAI2] : Auth [UserA]
06:18:49 [D] [ OOECUAI2] : Request [{ "billingEmail" : "jany.jast@yahoo.com", "company" : "Jacobson, Jacobson and Jacobson", "createdBy" : "", "createdDate" : "", "description" : "UWeLAaWN", "id" : "", "inactive" : false, "location" : "UWeLAaWN", "modifiedBy" : "", "modifiedDate" : "", "name" : "UWeLAaWN", "orgPlan" : "ENTERPRISE", "orgType" : "ENTERPRISE", "version" : "" }]
06:18:49 [D] [ OOECUAI2] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[**]}]
06:18:49 [D] [ OOECUAI2] : Response [{ "requestId" : "None", "requestTime" : "2020-08-03T18:18:49.541+0000", "errors" : false, "messages" : [ ], "data" : { "id" : "2c928084730547e80173b58c2d4465f8", "createdBy" : "2c928085730548680173054c9f720003", "createdDate" : "2020-08-03T18:18:49.540+0000", "modifiedBy" : "2c928085730548680173054c9f720003", "modifiedDate" : "2020-08-03T18:18:49.540+0000", "version" : null, "inactive" : false, "name" : "5Xcby8AD", "description" : "5Xcby8AD", "orgType" : "ENTERPRISE", "billingEmail" : "isobel.carroll@hotmail.com", "company" : "Little LLC", "location" : "5Xcby8AD", "orgPlan" : "ENTERPRISE" }, "totalPages" : 0, "totalElements" : 0 }]
06:18:49 [D] [ OOECUAI2] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWUxOWZlOGEtNmJmZi00ZjhjLTlmYjQtZGM2OTE3MTY0NTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [ OOECUAI2] : StatusCode [200]
06:18:49 [D] [ OOECUAI2] : Time [186]
06:18:49 [D] [ OOECUAI2] : Size [572]
06:18:49 [D] [OOECUAIAHeaders] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWUxOWZlOGEtNmJmZi00ZjhjLTlmYjQtZGM2OTE3MTY0NTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [OOECUAIAHeaders] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWUxOWZlOGEtNmJmZi00ZjhjLTlmYjQtZGM2OTE3MTY0NTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [ OOECUAIA]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWUxOWZlOGEtNmJmZi00ZjhjLTlmYjQtZGM2OTE3MTY0NTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [ OOECUAIA]] : Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=OWUxOWZlOGEtNmJmZi00ZjhjLTlmYjQtZGM2OTE3MTY0NTky; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [AVOIUGUCOUD2] : URL [http://95.217.118.53:8080/api/v1/orgs/2c928084730547e80173b58c2d4465f8/users?page=0&pageSize=20]
06:18:49 [D] [AVOIUGUCOUD2] : Method [GET]
06:18:49 [D] [AVOIUGUCOUD2] : Auth [UserB]
06:18:49 [D] [AVOIUGUCOUD2] : Request []
06:18:49 [D] [AVOIUGUCOUD2] : Request-Headers [{Accept=[application/json], Content-Type=[application/json], Authorization=[**]}]
06:18:49 [D] [AVOIUGUCOUD2] : Response [{ "requestId" : "None", "requestTime" : "2020-08-03T18:18:49.722+0000", "errors" : false, "messages" : [ ], "data" : [ { "id" : "2c928084730547e80173b58c2d4565f9", "createdBy" : "2c928085730548680173054c9f720003", "createdDate" : "2020-08-03T18:18:49.541+0000", "modifiedBy" : "2c928085730548680173054c9f720003", "modifiedDate" : "2020-08-03T18:18:49.541+0000", "version" : null, "inactive" : false, "org" : { "id" : "2c928084730547e80173b58c2d4465f8", "createdBy" : "2c928085730548680173054c9f720003", "createdDate" : "2020-08-03T18:18:49.540+0000", "modifiedBy" : "2c928085730548680173054c9f720003", "modifiedDate" : "2020-08-03T18:18:49.540+0000", "version" : null, "inactive" : false, "name" : "5Xcby8AD" }, "users" : { "id" : "2c928085730548680173054c9f720003", "createdBy" : "anonymousUser", "createdDate" : "2020-06-30T12:56:14.448+0000", "modifiedBy" : "anonymousUser", "modifiedDate" : "2020-06-30T12:56:14.448+0000", "version" : null, "inactive" : false, "name" : null, "email" : "user1@netbanking.io", "username" : "user1", "company" : null, "location" : null, "jobTitle" : null }, "orgRole" : "ADMIN", "status" : "ACTIVE" } ], "totalPages" : 1, "totalElements" : 1 }]
06:18:49 [D] [AVOIUGUCOUD2] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=NjIyNmJjNTYtZjQyMC00MWRiLWFiZDYtY2EzYjc0MGM2MmU2; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [AVOIUGUCOUD2] : StatusCode [200]
06:18:49 [D] [AVOIUGUCOUD2] : Time [180]
06:18:49 [D] [AVOIUGUCOUD2] : Size [1054]
06:18:49 [E] [AVOIUGUCOUD2] : Assertion [@StatusCode == 401 OR @StatusCode == 403 OR @Response.errors == true] resolved-to [200 == 401 OR 200 == 403 OR false == true] result [Failed]
06:18:49 [D] [ AVOIDOA2] : URL [http://95.217.118.53:8080/api/v1/orgs/2c928084730547e80173b58c2d4465f8]
06:18:49 [D] [ AVOIDOA2] : Method [DELETE]
06:18:49 [D] [ AVOIDOA2] : Request [null]
06:18:49 [D] [ AVOIDOA2] : Auth [UserA]
06:18:49 [D] [ AVOIDOA2] : Request-Headers [{Content-Type=[application/json], Accept=[application/json], Authorization=[Basic dXNlcjFAbmV0YmFua2luZy5pbzphZG1pbjEyMyQ=]}]
06:18:49 [D] [ AVOIDOA2] : Response [{ "requestId" : "None", "requestTime" : "2020-08-03T18:18:49.907+0000", "errors" : true, "messages" : [ { "type" : "ERROR", "key" : "", "value" : "Resource name or key already exists." } ], "data" : null, "totalPages" : 0, "totalElements" : 0 }]
06:18:49 [D] [ AVOIDOA2] : Response-Headers [{X-Content-Type-Options=[nosniff], X-XSS-Protection=[1; mode=block], Cache-Control=[no-cache, no-store, max-age=0, must-revalidate], Pragma=[no-cache], Expires=[0], X-Frame-Options=[DENY], Set-Cookie=[SESSION=M2QwMWE2YzAtY2E5Mi00MTRmLTkxOTYtZjIwOTA5MGYzMWQx; Path=/; HttpOnly], Content-Type=[application/json;charset=UTF-8], Transfer-Encoding=[chunked], Date=[Mon, 03 Aug 2020 18:18:49 GMT]}]
06:18:49 [D] [ AVOIDOA2] : StatusCode [200]
06:18:49 [D] [ AVOIDOA2] : Time [183]
06:18:49 [D] [ AVOIDOA2] : Size [210]

IMPORTANT LINKS

Vulnerability Details: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/null/details

Project: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs

Environment: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/environments/8a8081766fc3e2a1016fc421d7155a15/edit

Scan Dashboard: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/jobs/8a8081766fc3e2a1016fc4230f426628/runs/8a808138739e3ae40173b58c08510d65

Playbook: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/template/ApiV1OrgsIdUsersGetUseraCreateOrgorgplanenterpriseUserbDisallowAbact2

Coverage: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/configuration

Code Sample: https://cloud.fxlabs.io/#/app/projects/8a8081766fc3e2a1016fc421d6e55a13/recommendations/null/codesamples

PS: Please contact support@apisec.ai for apisec access and login issues.

--- apisec Bot ---